
STUDY GUIDE FOR WINDOWS SERVER

INSTALLATION INFORMATION
MINIMUM HARDWARE REQUIREMENTS TO RUN/MAINTAIN WINDOWS SERVER
• 133 MHz processor minimum (550MHz recommended)—for Enterprise Edition
• 128MB RAM (256 recommended), 1.5GB Hard-Drive Space

ACTIVE DIRECTORY CONCEPTS

ACTIVE DIRECTORY
• You must run the dcpromo.exe program to install Active Directory on a Domain Controller
• You can create ‘OUs’ (Organizational Units) to hold/contain users, computers or printers
• You can highlight more than one user & type: \\SERVER\PROFILES\%USERNAME% in the
profile tab (this will then specifically use each individual person’s name)
• If the logon box is now showing your ‘domain’, then add the computer as a member of that domain
• Delegation of Control Wizard: use this to give a user power over a container (OU).
Example: Give John Doe the ability to create new computer accounts in the Computer OU
Example: Give John Doe power to manage Group Policy links over an OU

ACTIVE DIRECTORY - COMMANDS

• Dsmod is the command used to add users to a group (or use the GUI); dsadd is used to
add new users to Active Directory
• Dsmove command: you can move an object (such as a group), or use this command to rename it
• Dsquery command: use it if you need to acquire information (search the directory)
• CSVDE (command to import/export information into and out of Active Directory)

ACTIVE DIRECTORY – COMPUTER ACCOUNTS

• If a computer hasn’t logged on in over 30 days, then you must reset the computer
account in Active Directory and then have the user log back in again
• PRESTAGING computers is creating a computer account in advance, then adding the
computer to the domain at a later time (if you prestage, then anyone can add the PC to the domain)
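The ds* and csvde commands from the two sections above, put together in one added example that is not from the study guide: create users with dsadd, set their roaming profile path with dsmod (the command-line counterpart of typing \\SERVER\PROFILES\%USERNAME% in the profile tab), add them to a group, export the result with csvde, and list computer accounts that have not logged on recently. The domain hand.com, the OU Sales, the group Sales-Users and the server name SERVER are assumptions, and the two users are constructed sample data.

```powershell
# Added example (not from the study guide): provisioning with the ds* tools.
# Assumptions: domain hand.com, OU=Sales and group CN=Sales-Users already exist.
$domainDn = 'DC=hand,DC=com'
$salesOu  = "OU=Sales,$domainDn"
$groupDn  = "CN=Sales-Users,$salesOu"

# Constructed sample input: the users to create (sAMAccountName, first, last)
$newUsers = @'
sam,first,last
jdoe,John,Doe
asmith,Anne,Smith
'@ | ConvertFrom-Csv

foreach ($u in $newUsers) {
    $dn = "CN=$($u.first) $($u.last),$salesOu"

    # -pwd * prompts for the initial password instead of leaving it in the script or the
    # shell history; -mustchpwd yes forces a change at first logon
    dsadd user $dn -samid $u.sam -upn "$($u.sam)@hand.com" -fn $u.first -ln $u.last `
        -display "$($u.first) $($u.last)" -pwd * -mustchpwd yes

    # dsmod expands the $username$ token to each account's sAMAccountName, which is
    # what %USERNAME% does in the profile tab. Single quotes stop PowerShell from
    # treating $username$ as one of its own variables.
    dsmod user $dn -profile '\\SERVER\PROFILES\$username$'

    # dsadd creates objects, dsmod changes them: here, group membership
    dsmod group $groupDn -addmbr $dn
}

# Export what was created so it can be reviewed or re-imported elsewhere (csvde -i -f file).
# The filter excludes computer objects, which are also of objectClass=user.
csvde -f .\sales-users.csv -d $salesOu -r '(&(objectCategory=person)(objectClass=user))' `
      -l 'sAMAccountName,userPrincipalName,profilePath'

# Computer accounts inactive for 5 weeks (close to the 30-day figure above). -inactive
# needs the Windows Server 2003 domain functional level. List first; reset only after
# confirming each machine is one you expect to rejoin the domain.
dsquery computer $domainDn -inactive 5
# dsquery computer $domainDn -inactive 5 | dsmod computer -reset   # uncomment to reset them
```

dsquery prints one quoted DN per line and dsmod reads DNs from standard input, which is why the last, commented-out line works as a pipeline without any PowerShell-side parsing.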

ACTIVE DIRECTORY – ADVANCED FACTS

• When new users log in to a domain, they must be able to contact the Global Catalog server
(if that server is located somewhere else, make sure the connection to it is working)
USERS/GROUPS, PROFILES, PERMISSIONS
USERS & GROUPS: YOU SHOULD KNOW THE FOLLOWING
• You can highlight more than one user & force them to ‘Change password at next logon’
• Group Types: Distribution (email only) and Security (used to assign permissions)
Note: If you want to assign permissions to a folder, then it must be a security group
• Group Scopes: Global, Domain Local, Universal (in 2000 native mode or higher)
• Domain Functional Modes: 2000 mixed, 2000 native, Server 2003 mode
• Global Groups: can be assigned permissions anywhere, but can only contain people from the same domain
• Domain Local: can contain anyone from anywhere, but can only be assigned permissions locally
• Universal: can contain anyone from anywhere & be assigned permissions anywhere (generally the
answer if you want to add people from everywhere and assign permissions anywhere)
• Server Operators is the second most powerful group in a domain setting
• The Backup Operators group exists for users who need rights to back up and restore data
• You are not supposed to create groups with more than 5,000 members

USER FACTS
• The Account tab in user properties can do all of the following things:
  ◦ Force users to change password at next logon (User must change password at next logon)
  ◦ Unlock the account (if they have been locked out)
  ◦ Use multiple UPN names (Example: thand@domain.com, thand@foot.com)
  ◦ Set up temporary or full-time accounts
• Disabling accounts is the quickest/simplest way to temporarily close an account (to copy it
later or to actually re-enable it later)

PROFILES
• Local profiles are stored in C:\Documents and Settings\
• You have 3 types of profiles: regular local profile, roaming profile, mandatory profile
• ROAMING and/or MANDATORY profiles:
1. You have to rename the ntuser.dat file to ntuser.man to make a mandatory profile
2. SHARE the roaming folder & give Everyone FULL CONTROL over that folder!
• You can highlight more than one user & type: \\SERVER\PROFILES\%USERNAME%
• New users get the ‘Default User’ profile when they log in for the first time
DEVICE MANAGER/DRIVERS/MORE
HARDWARE/DEVICES/DRIVERS
• Device Manager is the ultimate tool for checking hardware problems (you can use it to disable
devices, roll back drivers, update drivers, uninstall devices, and more)
  ◦ In Device Manager use the ‘Scan for hardware changes’ option to locate/find/add devices
  ◦ A RED X in Device Manager means a disabled device (you can re-enable it again if needed)
  ◦ Yellow question mark (with black exclamation): usually means there is a driver problem
  ◦ Disable a device if it is causing problems (this is the quickest solution; don’t uninstall)

DRIVERS – SIGVERIF, ROLL-BACK, DRIVER SIGNING AND MORE

• You have Warn, Ignore and Block driver signing options to block software that has not been
tested properly by Microsoft (My Computer properties, Advanced tab)
• Driver Signing can be configured in Group Policy (LOCAL POLICIES > SECURITY OPTIONS)
• Sigverif.exe (File Signature Verification Tool) can be run on your machine to look for files
without signatures
  ◦ It is best to scan the main C:\ drive & the System32 subdirectory (where the drivers are)
• Sfc.exe scans all protected files (like .dll files) for corruption (and repairs them if needed)
• Roll-back is the simplest and quickest way to resolve an issue if you just installed something
Note: This is Microsoft’s first choice if something goes wrong after adding a new driver!
• Update Driver: if you can’t increase resolution or support multiple monitors, then update the driver
• The best place to get drivers is directly from the manufacturer’s website

EXAMINING HARDWARE DEVICES

• Network Card Properties:
  ◦ You can examine the properties of your NIC through Device Manager
  ◦ You can examine the properties of your NIC through Control Panel > Network Connections
• If you have a modem, you can use the Diagnostics tab to Query the Modem
DISKS/VOLUMES/ETC…
DISKS: DYNAMIC, BASIC, AND MORE…
• Basic Disk: primary and extended partitions (you CANNOT extend them)
• Dynamic Disk: Simple, Spanned, Striped volumes (Spanned & Striped use 2-32 hard drives)
  ◦ Simple Volume: uses space from one hard drive but can be expanded; not fault tolerant
  ◦ Spanned Volume: uses space from 2-32 hard drives & can be expanded; not fault tolerant
• RAID (Redundant Array of Independent Disks)
  ◦ RAID-0 (Striped): FASTEST, but not fault tolerant (best performance)
  ◦ RAID-1 (Mirrored): fault-tolerant volume between 2 hard-disk drives
  ◦ Create RAID-1 (Mirror) volumes for your main C:\ (system drive) for fault tolerance
  ◦ If you want ‘fault tolerance’ for the operating system, then add a second disk and
create a Mirror volume between them (mirrors are good choices for operating system
fault tolerance)
  ◦ RAID-5 (Disk Striping with Parity): fault-tolerant volumes using three disk drives
  ◦ Create RAID-5 (Disk striping with parity) to store user data (for fault tolerance)

• ADDING HARD-DRIVES TO A COMPUTER (KNOW EACH OF THESE)
1. ADDING A BRAND-NEW HARD DRIVE: run ‘Rescan Disks’ and then ‘Initialize Disk’
2. ADDING A HARD DRIVE WITH DATA ON IT: run ‘Rescan Disks’ and then ‘Import Foreign Disk’
EXPANDING VOLUMES
• DISKPART is the command-line tool used to extend volumes (or use the GUI to extend)
• You can only extend simple or spanned volumes, and they must be NTFS to extend them

RECOVERING RAID VOLUMES

• If a disk fails in RAID-5, then replace the disk, initialize it, and REPAIR the volume
• If a cable comes loose in RAID-5, then replace the cable and REACTIVATE the volume (or if a
controller fails, then replace the controller and Reactivate the volume)

UNIQUE THINGS TO KNOW

• If you move volumes from an old to a new system, all hard drives involved with the volume must be
moved, and then you must ‘Rescan Disks’ and ‘Import Foreign Disk’
• The Logical Disk Manager Administrative Service can be restarted through SERVICES if you
are having trouble loading Disk Management

DISK QUOTAS (ONLY ON NTFS VOLUMES)

• Disk quotas are used to control how much disk space users have on an NTFS volume
• Disk quotas were not available in Windows NT – only in 2000 and XP

HARDWARE TOOLS AND PERFORMANCE AND RECOVERY

• Disk Cleanup will delete temporary files and unnecessary program files
• Disk Defragmenter is used to put files back together that were fragmented
Note: Both of these options can be used to improve the performance of a computer
• DEVICE MANAGER: tool for checking hardware problems, fixing driver issues, etc.
Note: Device Manager is where you update or roll back drivers (see above)
PERMISSIONS
PERMISSIONS
• Deny overrides Allow – so be careful about using Deny for anyone!
• ONE EXCEPTION: Deny-Write will leave you READ permission
NTFS AND SHARED: PERMISSIONS SCENARIOS YOU MUST WATCH FOR
• FULL CONTROL = CHANGE PERMISSIONS, TAKE OWNERSHIP, and all others below it
• MODIFY = SAVE, DELETE, CHANGE, RENAME, but can’t change permissions
• WRITE = CREATE and can change folder attributes; BUT nothing above this
• READ = read only – nothing else
SHARED PERMISSIONS
• FULL CONTROL = Change permissions, and everything else
• CHANGE = Do everything (create, delete) but can’t change permissions
Note: CHANGE is a little less powerful than Modify, but more powerful than Write
• READ = read only – nothing else
COMBINING POWER: NTFS AND SHARED
• When you combine permissions of the same type (just NTFS, or just Shared), take the highest power
• When you combine different permission types (NTFS and Shared), take the lowest power
• Modify (NTFS) and Change (Share) are a good combination for Read/Create/Edit
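A small PowerShell model of the rules in the permission sections above (highest wins within a type, lowest wins across NTFS and Share, and a Deny caps access just below the denied level so that Deny Write still leaves Read), added here as an example that is not part of the study guide. The group names and ACEs are constructed sample data, and the functions illustrate the rules only; they do not call Windows' ACL APIs, and real ACLs add inheritance and special permissions that this model leaves out.

```powershell
# Added example (not from the study guide): the NTFS/Share combination rules as code.
$NtfsOrder  = 'None', 'Read', 'Write', 'Modify', 'FullControl'
$ShareOrder = 'None', 'Read', 'Change', 'FullControl'
# One ranking covering both scales, so the "lowest of the two" step can compare them;
# Change sits between Write and Modify, as the note under SHARED PERMISSIONS says.
$Rank = @{ None = 0; Read = 1; Write = 2; Change = 3; Modify = 4; FullControl = 5 }

function Resolve-Level {
    # Same-type rule: the highest Allow among the user's groups wins, but any Deny
    # caps the result one step below the denied level (Deny Write -> Read at most,
    # Deny Read -> None).
    param([string[]]$Order, [object[]]$Aces, [string[]]$Principals)
    $allow = 0
    $cap   = $Order.Count - 1
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Identity) { continue }   # ACE is for someone else
        $level = [array]::IndexOf($Order, $ace.Level)
        if ($ace.Type -eq 'Allow') { $allow = [Math]::Max($allow, $level) }
        else                       { $cap   = [Math]::Min($cap,   $level - 1) }
    }
    $Order[[Math]::Min($allow, $cap)]
}

function Get-EffectiveAccess {
    # Over the network both ACLs apply and the weaker one wins; locally only NTFS counts.
    param([string[]]$Principals, [object[]]$NtfsAces, [object[]]$ShareAces, [switch]$Local)
    $ntfs = Resolve-Level $NtfsOrder $NtfsAces $Principals
    if ($Local) { return $ntfs }
    $share = Resolve-Level $ShareOrder $ShareAces $Principals
    if ($Rank[$ntfs] -le $Rank[$share]) { $ntfs } else { $share }
}

# Constructed sample: a Sales user opening \\SERVER\Reports
$user  = 'Everyone', 'Domain Users', 'Sales'
$ntfs  = @{ Identity = 'Sales';        Type = 'Allow'; Level = 'Modify' },
         @{ Identity = 'Domain Users'; Type = 'Allow'; Level = 'Read' },
         @{ Identity = 'Interns';      Type = 'Deny';  Level = 'Write' }   # not our user: ignored
$share = @{ Identity = 'Everyone';     Type = 'Allow'; Level = 'Change' }

Get-EffectiveAccess $user $ntfs $share          # Change: Modify on NTFS, Change on the share, lowest wins
Get-EffectiveAccess $user $ntfs $share -Local   # Modify: share permissions do not apply at the console

# Now add a Deny Write for Sales: the ONE EXCEPTION above in action, Read survives
$ntfs += @{ Identity = 'Sales'; Type = 'Deny'; Level = 'Write' }
Get-EffectiveAccess $user $ntfs $share          # Read
```

The first call reproduces the "Modify-NTFS and Change-Share" combination from the last bullet: the user ends up with Change, which is enough to read, create and edit but not to change permissions.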
ENCRYPTION AND COMPRESSION (NTFS POWERS)
• In a domain, the default DRA (Data Recovery Agent) is the Domain Administrator
• You CANNOT Encrypt and Compress data at same time
• The command cipher.exe can be used to encrypt folders/files (& create certificates also)
• CIPHER /E C:\Folder (encrypts a folder); CIPHER /E /A C:\Folder\Text.txt (encrypts a file)
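The two cipher commands above, as an added example that is not from the guide: it encrypts a folder and a file, confirms the result through the file attributes rather than the tool's output, and shows that NTFS will not compress a file that is already encrypted. C:\SecureDocs is an assumed path and the file content is constructed.

```powershell
# Added example (not from the study guide): EFS from the command line, with verification.
$folder = 'C:\SecureDocs'   # assumed path
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path "$folder\Text.txt" -Value 'constructed sample content'

cipher /E $folder                  # mark the folder: files created in it later are encrypted
cipher /E /A "$folder\Text.txt"    # /A acts on the file itself, encrypting an existing file

function Get-EfsState([string]$Path) {
    # Read the attributes directly; this is what Explorer's "Advanced" dialog shows
    $attrs = (Get-Item $Path).Attributes
    [pscustomobject]@{
        Path       = $Path
        Encrypted  = ($attrs -band [IO.FileAttributes]::Encrypted)  -ne 0
        Compressed = ($attrs -band [IO.FileAttributes]::Compressed) -ne 0
    }
}
Get-EfsState "$folder\Text.txt"    # Encrypted=True  Compressed=False

# Encryption and compression are mutually exclusive on NTFS: compact.exe cannot
# compress an encrypted file, and the Compressed attribute stays clear afterwards
compact /C "$folder\Text.txt"
Get-EfsState "$folder\Text.txt"    # still Encrypted=True Compressed=False

# Inventory: /U touches encrypted files, /N limits it to listing them without updating keys.
# Useful before changing the DRA certificate, to know which files depend on it.
cipher /U /N

# cipher /R creates the recovery-agent key pair (.cer and .pfx) used when defining a DRA;
# it prompts for a password protecting the .pfx. Uncomment to run:
# cipher /R:C:\SecureDocs\efs-recovery
```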
TAKING OWNERSHIP: CHALLENGE QUESTIONS
• Administrators can take ownership of folders by default!
• Users can take ownership of a folder (if given the Take Ownership permission)
Example: If Susie had sole ownership of a FOLDER & Jan replaces her, the Administrator must ‘Take Ownership’
and then assign Jan the Take Ownership advanced permission or an NTFS permission

OTHER POWERS (LOCAL OR DOMAIN)

• You can assign users/groups the ‘Manage auditing and security log’ user right to allow them
the ability to view the security log on a specific machine
SECURITY
FIVE MAIN CONCEPTS OF SECURITY
• Authentication: usernames & passwords (basic authentication), certificates, smart cards, or
IIS authentication methods like Anonymous, Basic, Digest or Integrated Windows
• Access Control: NTFS permissions, share permissions, printer permissions or IIS permissions
  ◦ Principle of least privilege: grant the lowest level of access to resources that users require to
carry out their necessary functions
  ◦ Delegation of Control Wizard: control users’ access over an object (like an OU)
• Encryption: EFS (Encrypting File System) is used to encrypt files/folders locally; IPSec can
be used to encrypt the contents of packets sent across a TCP/IP network. SSL can be used
to secure web-based communications (Example: https://www.hand.com)
• Security Policies: Group Policy can be used to control a wide range of security settings, &
security can be configured in a centralized location.
• Service Packs and Hot Fixes: through Windows Update or SUS, you can ensure all
network systems have critical updates and security patches

SECURITY TEMPLATES
• The three big templates are: compatws, securedc and hisecdc
  ◦ Compatws.inf: used to relax settings to work with legacy applications
  ◦ Hisecdc/Hisecws.inf: ensures computers only communicate with 2000/XP/2003
  ◦ Setup security.inf: default security settings

SECURITY CONFIGURATION & ANALYSIS (SECEDIT.EXE)

• Security Configuration and Analysis: used to compare templates to actual computer settings
  ◦ Secedit.exe: command-line tool used to analyze, create & apply security templates
  ◦ Example: secedit /configure /db C:\database.sdb
Note: /analyze, /configure, /export, /import and /GenerateRollback are the switches used with secedit
PRINTERS, OFFLINE FILES, DRIVERS, HARDWARE, FIREWALL
NOTES ABOUT PRINTERS: FROM INSTRUCTOR
• Print, Manage Documents and Manage Printers are the 3 big Print permissions
• Print: Just Print (you can manage your own print jobs with just Print)
• Manage Documents: Pause, restart, cancel and manage everyone’s print jobs
• Manage Printers: Control permissions, properties, rename (power over printer itself)
• If you have more than one print device: Enable a Printer Pool
• If you have just one print device: Set printer priorities
• Priority 99 is the highest (1 is the lowest)
• If you print large documents but they never start printing, move your spooling location to a
drive with more space! Large documents are spooled to the computer first, then sent to the printer!
• If a printout comes out garbled, it’s probably something to do with the printer driver!
• You must install IIS (Internet Information Services) to support printing through a web site or
a web browser (Example: http://printserver/printername)
PRINTER SUMMARY (HOT TOPICS)
• If someone is waiting, then you need ‘2’ printers and set PRIORITIES (99=Highest) of them
• If print queue is high then you need another print device; then you can setup Printer Pooling
• If you print large jobs, but it will not print, then MOVE PRINTER SPOOL LOCATION
• To manage their own print jobs; only PRINT permission is needed!!!
PRINTER (EXTRA)
• If you are having connection errors, you might need to install ‘drivers’ on the print server
• “Do not allow client printer redirection policy” is a Group Policy you can use for printers
• IIS must be installed to provide for Internet Printing

ICF (Internet Connection Firewall) and ICS (Internet Connection Sharing)

• By default, Remote Desktop is not enabled!
• Firewalls are generally set to BLOCK RDP (Remote Desktop Protocol)
• Enable Remote Desktop first. Then you must have the port for Remote Desktop services open
(port 3389), which is blocked by default by the Windows XP firewall!
• You can set the firewall to allow incoming echo requests (ICMP – PING); blocked by default
• Enabling ICS makes your computer a DHCP server, starting with 192.168.0.1 for you!
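The steps above (enable Remote Desktop, open 3389, allow ping) as an added PowerShell example that is not part of the guide. It uses the `netsh firewall` context of the Windows XP SP2 / Server 2003 SP1 firewall, which later Windows versions replaced with `netsh advfirewall`; the subnet scope and the account HAND\jdoe are assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the study guide): enable Remote Desktop, then open TCP 3389
# only to the local subnet and allow inbound ping. Requires an elevated prompt.

# fDenyTSConnections: 1 (the default) = Remote Desktop disabled, 0 = enabled
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 0 -Type DWord

# Only members of Remote Desktop Users (or Administrators) may connect. HAND\jdoe is assumed.
net localgroup "Remote Desktop Users" HAND\jdoe /add

# Open the Remote Desktop service (TCP 3389) in the XP SP2 / 2003 SP1 firewall. The guide's
# point is that the port is closed by default; the defensive point is to open it no wider
# than needed, so scope=SUBNET limits it to the local subnet instead of every address.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

# Allow inbound echo requests (ICMP type 8) so ping works for troubleshooting
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL

# Verify the result instead of assuming it: services, their scope, and ICMP settings
netsh firewall show service
netsh firewall show icmpsetting
```

If the machine is reached across a router, SUBNET is too narrow; the same command accepts `scope=CUSTOM addresses=192.168.0.0/24` (or a comma-separated list) to name exactly the management network that should be allowed in.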

WINDOWS XP TOOLS
• The Recovery Console can be started from the CD (repair option), and you can use commands such as:
  ◦ bootcfg /rebuild: rescans the hard drive & rebuilds boot.ini
  ◦ fixboot: repairs the boot sector
  ◦ copy: can be used to copy files from a CD to the local hard drive (such as drivers)
• MSCONFIG: opens the System Configuration Utility, used to control startup programs

SAFE MODE OR LAST KNOWN GOOD CONFIGURATION (F8)

• System Restore: restore points are quick and easy (keeps all recent changes also)
• LKGC (Last Known Good Configuration) restores the registry to previous settings (second choice)
Note: Your registry settings are updated once you have successfully logged into a system!
Note: Just remember that if you boot up successfully, then the LKGC is recorded
• Safe Mode loads with basic drivers and configuration settings!
GROUP POLICY
GROUP POLICY
• You can use Group Policy to do many things, such as (here are a few things to remember):
1. Password Policies and/or Account Lockout Policies (SHOWN BELOW)
2. Audit Policies
3. Publish and/or Assign Software to computers
• You can install .msi and/or .zap files through Group Policy (.msi files can be deployed)
• .mst files (transform files) get deployed with .msi files to provide unique customizations
• ASSIGNING OR PUBLISHING SOFTWARE
1. Assign (installs directly into the Start menu and is ready immediately)
2. Publish (puts it into the system, but you have to use Add/Remove Programs to add it)
Note: You can publish to users only (cannot publish to computers)
• GPRESULT examines the overall effect of all the group policies you are using (for
instance, if you have a GPO over the domain & a local policy, you see the combined effect of them all)
• GPUPDATE refreshes Active Directory Group Policy changes right on the spot
Example: gpupdate /target:computer /sync
• MSIEXEC.exe is the Windows Installer program (for .msi files) used to install/add packages
• GPEDIT.msc is used to open Group Policy on a domain machine

GROUP POLICIES (GOOD ONES TO KNOW)

• Account Policies include Password Policies & Account Lockout Policies
  ◦ Account Lockout Threshold: number of failed attempts to allow before locking someone out
  ◦ Account Lockout Duration: how long to keep someone locked out (0 means until an administrator unlocks the account)
• Local Policies include Audit Policy, User Rights Assignment & Security Options (know this)
• Audit Policy
  ◦ Auditing is not enabled by default!
  ◦ You can monitor ‘Success’ or ‘Failure’ events
  ◦ Audit Account Logon Events: monitor users logging into the domain!
  ◦ Audit Logon Events: monitor users logging into a specific (local) computer
  ◦ Audit Object Access: monitor users who are accessing files/folders
  ◦ Audit Policy Change: record when someone changes a policy
• User Rights Assignment:
  ◦ Configure a GPO to allow users to eject removable NTFS media
• Security Options
  ◦ Set the “Number of previous logons to cache” policy to “0” (no cached credentials)
  ◦ Manage auditing and security log user right: Security logs are generally only available
to administrators on the local level (but this is a user right you could grant through Group Policy)
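The secedit switches from the SECURITY CONFIGURATION & ANALYSIS section and the lockout, audit and cached-logon settings just listed, combined in one added example that is not part of the study guide: it writes a local security template, generates a rollback template first, analyzes the machine against it, then applies it. The folder C:\SecBaseline and the chosen values (5 attempts, 30 minutes, 8-character minimum, 24-password history) are assumptions for illustration; the section and key names are the ones secedit .inf templates use.

```powershell
# Added example (not from the study guide): a local baseline applied with secedit.
$work     = 'C:\SecBaseline'          # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$template = "$work\baseline.inf"
$db       = "$work\baseline.sdb"

# Template values are assumptions chosen for illustration.
# [Event Audit] values: 1 = Success, 2 = Failure, 3 = both.
# CachedLogonsCount is REG_SZ (type 1); "0" means no cached credentials.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
MaximumPasswordAge = 42
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
'@ | Set-Content -Path $template -Encoding Unicode   # secedit templates are Unicode text

# 1. Rollback template: records what /configure would change, so it can be undone later
#    with: secedit /configure /db $db /cfg "$work\rollback.inf"
secedit /generaterollback /db $db /cfg $template /rbk "$work\rollback.inf" /log "$work\rollback.log" /quiet

# 2. Analyze only: nothing changes; the database and log list every mismatch
secedit /analyze /db $db /cfg $template /log "$work\analyze.log" /quiet
Get-Content "$work\analyze.log" | Select-String -Pattern 'Mismatch'

# 3. Apply the template, then refresh policy so the result is visible right away
secedit /configure /db $db /cfg $template /overwrite /log "$work\configure.log" /quiet
gpupdate /target:computer /force

# Export the machine's resulting settings as a template for comparison with other servers
secedit /export /cfg "$work\after.inf" /quiet
```

On a domain-joined computer the [System Access] values are overridden by the domain's account policy, so there they belong in the GPO rather than in a local template; the audit and cached-logon entries apply locally either way.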
GROUP POLICIES (GOOD ONES TO KNOW)
• Administrative Templates (common scenarios)
  ◦ Do not allow client printer redirection policy (a Group Policy you can use for printers)
  ◦ Delete cached copies of roaming profiles policy setting (removes the roaming profile from a
computer after that user has logged out, so no one can access his/her information)
  ◦ Force domain users to log off when their logon hours expire
  ◦ Group Policy: (Computer Configuration > Administrative Templates > Windows Components > Windows Update)
point all client computers to the central SUS server
  ◦ Group Policy: Log on locally user right (must be given for domain controllers)
  ◦ Group Policy: Set time limit for disconnected sessions to cut off sessions (or set this
through user properties in Active Directory)
  ◦ Group Policy: Offer Remote Assistance (to configure users that can do this); or set this
manually through the System Properties of a computer

TROUBLESHOOTING
TROUBLESHOOTING COMMANDS
• IPCONFIG /ALL (show all TCP/IP information like IP address, subnet mask, etc…)
• IPCONFIG /release or IPCONFIG /renew (Used to acquire new IP address from DHCP)
• IPCONFIG /registerdns (will register with DNS)
• IPCONFIG /flushdns (Will empty your DNS name cache)
• PING (tests connectivity)
• TRACERT (checks each hop/router that your signal goes through, to see where problem is)
• NETSTAT (checks all incoming and outgoing connections)
• NBTSTAT -R (Will empty your NetBIOS name cache)
• NSLOOKUP: DNS command that allows you to type in Computer name and get IP address

WIRELESS, REMOTE TECHNOLOGIES

REMOTE ACCESS (DIAL-UP, VPN, AND MORE)
• PPP (Point-to-Point Protocol) is used by dial-up to make connections
• PPPoE (Point-to-Point Protocol over Ethernet) is used by broadband (DSL/Cable) to make connections
• VPNs (Virtual Private Networks) use PPTP and/or L2TP to create connections
• PPTP: Point-to-Point Tunneling Protocol; L2TP: Layer Two Tunneling Protocol
• L2TP is an open standard (really popular) and uses certificates from CAs, which is good
• EAP (Extensible Authentication Protocol) is used for smart card or BIOMETRIC devices
Note: EAP-TLS is a newer option for creating the encryption key during authentication (great for
options like a RADIUS server authenticating wireless clients dialing in)
SOFTWARE UPDATE SERVICES (SUS)
SUS: SOFTWARE UPDATE SERVICES
SUS stands for Software Update Services and includes the ability to set up a server that downloads
software updates so that you can distribute them to the computer systems in your organization

• Software Update Services requirements: 700MHz, 512MB RAM, 6 GB free disk space, and
Windows Server 2003 or Windows 2000 Server SP2
• http://localhost/susadmin (opens the SUS admin web site to set up SUS options)
• When using SUS, the updates/downloads must be ‘approved’ before sending them out
• The following systems come with the Automatic Updates client software installed:
Windows XP SP1 (or higher), Windows 2000 SP3 (or higher), Windows Server 2003 (all
versions); only these systems have Automatic Updates software installed
Note: If you have Windows 2000 SP2, you will need to install WUAU22.MSI or update
to Service Pack 3 for this computer to support Automatic Updates
• You must install WUAU22.MSI to get the Automatic Updates client software on other systems
• You can configure Automatic Updates manually on each computer through the Automatic
Updates tab, or you can do it through Group Policy (quicker and more effective)
• You can use Group Policy to enable Automatic Updates and to configure where client
computers acquire their updates from (Computer Configuration > Administrative
Templates > Windows Components > Windows Update)
• You need to know the following SUS configuration options:
1. PROXY SERVER SETTINGS:
  ◦ If you choose to manually use a proxy server, you will need a username & password
  ◦ If you choose the option ‘Automatically detect proxy server settings’, you will not
need a username & password
2. NETBIOS NAMING
  ◦ If you have a client that doesn’t support NetBIOS (something other than a Windows
operating system), you will have to type in an FQDN (fully-qualified domain name)
(Example: pc1.hand.com) instead of a simple NetBIOS name
3. SYNCHRONIZATION OPTIONS
  ◦ You can choose to synchronize directly from the Windows Update servers, or you can
configure (through Group Policy) a SUS server to update from another local SUS server
4. UPDATES
  ◦ You can choose to ‘Automatically accept new versions of previously approved
updates’, or you can choose not to do this!
5. SUS STORAGE
  ◦ You can store updates locally, or on a Windows Update server (default is set to local)
  ◦ If you store locally, remember to remove all locales not needed (like Japanese, etc.)!
These waste space and bandwidth, so just choose the locales you need!
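The Windows Update administrative template path named above writes a handful of registry values on each client. As an added example that is not from the guide, here are those values set directly with PowerShell, which is handy on a test machine or on one that is not yet joined to the domain; the server name sus01.hand.com is an assumption. In a domain, set them through the GPO so every client stays consistent and the values are re-applied if someone changes them locally.

```powershell
# Added example (not from the study guide): the Automatic Updates client policy values
# that the SUS Group Policy template writes. The SUS server name is assumed.
$susServer = 'http://sus01.hand.com'   # SUS publishes over HTTP on port 80 by default
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }   # creates WindowsUpdate too

Set-ItemProperty -Path $wu -Name WUServer       -Value $susServer     # where updates are downloaded from
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $susServer     # where clients report status
Set-ItemProperty -Path $au -Name UseWUServer  -Value 1 -Type DWord    # 1 = use the intranet server above
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord    # 0 = Automatic Updates enabled
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord    # 4 = download and install on a schedule
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # 3 = 03:00

function Get-AuClientConfig {
    # Read back what the client will actually use, so a typo in the URL is caught here
    # rather than as a silent lack of updates weeks later
    $p = Get-ItemProperty -Path $wu
    $a = Get-ItemProperty -Path $au
    [pscustomobject]@{
        Server       = $p.WUServer
        StatusServer = $p.WUStatusServer
        UseIntranet  = $a.UseWUServer -eq 1
        Mode         = $a.AUOptions
        Service      = (Get-Service wuauserv).Status   # the Automatic Updates service (WUAU22.MSI installs it)
    }
}
Get-AuClientConfig

# The client picks the new policy up on its next detection cycle; restarting the service
# makes it re-read the values now
Restart-Service wuauserv
```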
TERMINAL SERVICES & REMOTE DESKTOP
Traditionally Terminal Services has been used to allow centralized access to applications for users (where
applications are on a central server), or for remote administration of servers. (For older Windows systems you
needed Terminal Services to remotely access and manage a server; now you have Remote Desktop, which
allows you to remotely access & manage a server.) With Terminal Services, you can simply put a single
application on a central server, and then all clients can use Terminal Services to connect to the server and use the
application. However, there are many things you need to know about Remote Desktop and Terminal Services.

REMOTE DESKTOP
• Remote Desktop is installed by default, but not enabled by default!
• Remote Desktop: with servers, this program/tool is used mostly to manage/access servers
• Remote Desktop is generally blocked by default when you enable a ‘Firewall’
• Remote Desktop Properties:
  ◦ You can configure a variety of options for personal Remote Desktop connections
  ◦ You can transfer documents through Remote Desktop if you select the ‘Disk Drives’ check
box in Remote Desktop properties (not selected by default)
• Add users to the ‘Remote Desktop Users’ group so they can connect to servers with Terminal Services
• Remote Desktop Web Connection: if you install IIS (Internet Information Services), users can
connect to servers through Internet Explorer.

TERMINAL SERVICES
• Basic Terminal Services facts:
  ◦ Terminal Services must be installed on Windows Server 2003 (not installed by default)
  ◦ Remote Desktop is installed by default, but not enabled
  ◦ Terminal Services is usually installed so users can access a central server in order to
run a particular application (the application is only on the central server)
  ◦ Terminal Services traffic (also Remote Desktop & Remote Assistance) uses port 3389, so
it might have to be enabled/disabled through your firewall
  ◦ You must add a user to the ‘Remote Desktop Users’ group or the ‘Administrators’ group if
you want someone to have the ability to use Terminal Services to connect to a server;
but you also need to grant them either the Allow log on locally user right (to access domain
controllers) or the Allow log on through Terminal Services user right for other server types
(not domain controllers)
  ◦ If you plan on using Terminal Services, an Enterprise License Server must be created
(but with Windows Server 2003 you can run 120 days without a Terminal Services
licensing server); you purchase a certain number of ‘licenses’ for allowed user
connections

• The main problem that occurs with Terminal Services connections is that by default
disconnected sessions remain active and are not closed/ended, so Terminal
Services server performance slows down; you have three main methods to
configure Terminal Services connection properties:
  ◦ The first, and most effective, method is Group Policy: configure Terminal Services
Sessions (Computer Configuration > Administrative Templates > Windows
Components > Terminal Services > Sessions > Set time limit for disconnected sessions) and
therefore end a disconnected session after a specified period of time
  ◦ The second method is to open the Terminal Services Configuration tool on the Terminal Server and
under Connections right-click RDP-Tcp & open the properties; then under the Sessions tab
you can end a disconnected session after a specified period of time
  ◦ The third method is to open a user’s properties and in the Sessions tab end a
disconnected session after a specified period of time
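All three methods above end disconnected sessions after a time limit. As an added example that is not from the guide, the following PowerShell script does the same job by hand: it parses `query user` output, logs off disconnected sessions idle longer than a threshold, and writes the RDP-Tcp listener value that the second method sets through the GUI. The two-hour limit is an assumption, and the column layout the parser expects is that of `query user` on Windows Server 2003 and later.

```powershell
# Added example (not from the study guide): find and end stale disconnected TS sessions.

function ConvertTo-IdleMinutes([string]$s) {
    # query user prints idle time as 'none' or '.', minutes ('45'), h:mm ('1:05'),
    # or days+hh:mm ('3+02:10'); normalise all of them to minutes
    if ($s -eq 'none' -or $s -eq '.') { return 0 }
    $days = 0
    if ($s -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $s = $Matches[2] }
    $parts = $s -split ':'
    $mins = if ($parts.Count -eq 2) { [int]$parts[0] * 60 + [int]$parts[1] } else { [int]$parts[0] }
    return $days * 1440 + $mins
}

function Get-TsSession {
    # Columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME. SESSIONNAME is blank
    # for disconnected sessions, so fixed positions fail; locate the STATE token instead
    # and read ID and IDLE TIME relative to it. A leading '>' marks the current session.
    query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
        $t = $_.Trim() -split '\s+'
        $i = -1
        for ($k = 0; $k -lt $t.Count; $k++) {
            if ($t[$k] -eq 'Active' -or $t[$k] -eq 'Disc') { $i = $k; break }
        }
        if ($i -lt 2) { return }
        [pscustomobject]@{
            User    = $t[0].TrimStart('>')
            Id      = [int]$t[$i - 1]
            State   = $t[$i]
            IdleMin = ConvertTo-IdleMinutes $t[$i + 1]
        }
    }
}

$limitMinutes = 120   # assumed limit: two hours, matching the listener setting below

Get-TsSession |
    Where-Object { $_.State -eq 'Disc' -and $_.IdleMin -ge $limitMinutes } |
    ForEach-Object {
        Write-Host "Logging off disconnected session $($_.Id) ($($_.User)), idle $($_.IdleMin) min"
        logoff $_.Id
    }

# Make it permanent on the RDP-Tcp listener (method 2 above writes the same value; the
# unit is milliseconds). Group Policy, method 1, overrides this if both are set.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name MaxDisconnectionTime -Value ($limitMinutes * 60 * 1000) -Type DWord
```

Logging a session off discards whatever the user left open in it, which is exactly what the time-limit setting does too; the point of listing before acting is to spot a session that should have been reconnected rather than ended.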

GROUP POLICY REGARDING TERMINAL SERVICES

• If you plan on using Group Policy to configure Terminal Services or Remote Desktop, there
are many things you can configure, from ‘number of connections allowed’ to ‘how long you
will allow disconnected sessions to stay active’ and much more:
  ◦ You must add a user to the ‘Remote Desktop Users’ group or the ‘Administrators’ group if
you want someone to have the ability to use Terminal Services to connect to a server;
but you also need to grant them either the Allow log on locally user right (to access domain
controllers) or the Allow log on through Terminal Services user right for other server types
(not domain controllers)
  ◦ If you plan on remotely accessing and managing a domain controller, you must use Group
Policy to grant the Allow log on locally user right (must be given for domain controllers),
because normally you cannot log on locally to a domain controller.
  ◦ If you plan on remotely accessing and managing any other type of server (file server,
etc.), then you simply have to grant the Allow log on through Terminal Services user right
  ◦ You can use Group Policy to configure Terminal Services Sessions, such as “Set time limit
for disconnected sessions” to end disconnected sessions (or you can use the Terminal
Services Configuration tool on the main Terminal Services server, or use user properties)
  ◦ You can go into a user’s properties and in the Terminal Services Profile tab check
the option ‘Deny this user permissions to log on to any Terminal Server’, which
overrides other settings and basically disables Terminal Services for that user

TERMINAL SERVICES (ADVANCED GROUP POLICY SETTINGS)

• Group Policy – Terminal Services (advanced facts):
  ◦ Session Directory: you can configure one of your servers as the Session Directory
server, which can direct incoming Terminal Services connections to a Terminal Server
cluster (a set of Terminal Services servers connected together for load balancing); this
directory tracks user sessions and thus allows a Terminal Server to locate
and connect a user back to an existing session
  ◦ Join Session Directory: you can enable this in Group Policy to store user session
information in a Session Directory

DOMAIN
• Runas /user:nameofuser <command>: used to run a program as another user
• A computer must be a part of a domain to get access to resources on that domain.
PERFORMANCE MONITORING
PERFORMANCE MONITORING
• Task Manager and System Monitor are the best ‘2’ tools for monitoring performance
• A user must be added to the ‘local administrators’ group to view Security Logs in Event
Viewer on a file server (or grant the right to view logs through Group Policy)
• Event Viewer is one of Microsoft’s strongest troubleshooting tools, allowing you to view the
System, Application and/or Security log files
TASK MANAGER
• You can use the Task Manager to view a quick snapshot of the server’s performance (CPU
activity, page file usage)
  ◦ You can change the priorities of running applications (RealTime, High, AboveNormal,
Average, BelowNormal, Low) (Example: if you don’t want to impact other programs that
much, set a process to run at BelowNormal priority)
  ◦ You can set ‘Processor Affinity’ (to configure a program to run on one, two or more
processors) (Note: 16-bit legacy programs can only run on one CPU)
  ◦ At the bottom of the Processes tab there is an option to ‘Show processes from all users’
(should be checked if you have more than one user, to view all running processes)
SYSTEM MONITOR
• SYSTEM MONITOR: view real-time data about the machine (better idea of what’s going on)
• System Monitor is the best tool available for monitoring real-time performance
• System Monitor counters you need to know:

  COUNTER                                  MAX SETTING
  Processor > % Processor Time             80% or higher (add a new processor)
  Memory > Pages/sec                       20 or higher (add more RAM)
  PhysicalDisk > Avg. Disk Queue Length    2 or higher (defrag or add a new drive)
  PhysicalDisk > % Disk Time               90% or higher (defrag or add a new drive)

• Other counters to know:
  ◦ % Free Space: used to measure available free space
  ◦ Network Interface > network adapter counters are important to know
• LogicalDisk is a counter object used to measure partition/volume capacity
• PhysicalDisk is a counter object used to measure an entire hard drive (all volumes on a disk)
• You can save System Monitor counters as an .HTML file for viewing data later
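The four counters in the table above, sampled with Get-Counter (PowerShell 2.0 and later, so a newer tool than the System Monitor console the guide describes) and compared with the guide's thresholds. This is an added example that is not part of the guide; the sample count and interval are arbitrary choices, and the averaging is there because a single spike is not a capacity problem.

```powershell
# Added example (not from the study guide): check the guide's counter thresholds.
# Thresholds and advice are the table's; counter paths are the Windows names.
$thresholds = @(
    @{ Path = '\Processor(_Total)\% Processor Time';          Max = 80; Advice = 'add a new processor' }
    @{ Path = '\Memory\Pages/sec';                            Max = 20; Advice = 'add more RAM' }
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Max = 2;  Advice = 'defrag or add a new drive' }
    @{ Path = '\PhysicalDisk(_Total)\% Disk Time';            Max = 90; Adv ice = 'defrag or add a new drive' }
)

function Test-CounterThreshold {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)   # assumed sampling window
    $paths = $thresholds | ForEach-Object { $_.Path }
    # One call collects all four counters $Samples times, $IntervalSeconds apart
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    foreach ($t in $thresholds) {
        # CounterSamples carry the machine name in front of the path, hence the wildcard
        $values = $data | ForEach-Object { $_.CounterSamples } |
                  Where-Object { $_.Path -like "*$($t.Path)" } |
                  ForEach-Object { $_.CookedValue }
        $avg = ($values | Measure-Object -Average).Average
        [pscustomobject]@{
            Counter  = $t.Path
            Average  = [math]::Round($avg, 1)
            Limit    = $t.Max
            Exceeded = $avg -ge $t.Max
            Advice   = if ($avg -ge $t.Max) { $t.Advice } else { 'within range' }
        }
    }
}

Test-CounterThreshold | Format-Table -AutoSize
```

A short sample like this only tells you what the server is doing right now; the Counter Logs described under PERFORMANCE LOGS AND ALERTS are what give the baseline that makes a threshold meaningful.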

PERFORMANCE LOGS AND ALERTS

• Performance Logs & Alerts includes Counter Logs, Trace Logs and Alerts
  ◦ Counter Logs: measure performance over a specific length of time (perfect for creating
baselines and forecasting)
  ◦ Trace Logs: start measuring performance once an event occurs (threshold passed)
  ◦ You can configure ‘Alerts’ to warn you when a threshold has been passed (alerts are
recorded in the Application log of Event Viewer so you can view such information)
• You can actually monitor other computers and collect the data at a ‘centralized’ computer
EVENT VIEWER
• One of the most effective monitoring/troubleshooting tools
• You can view one of many types of logs in Event Viewer, including:
  ◦ Application Log: information, warnings or errors generated by programs (or Alerts)
  ◦ Security Log: events pertaining to the audit policy (auditing is not enabled by default, but
you can use Group Policy to enable it)
  ◦ System Log: information, warnings or errors generated by Windows Server 2003 system
components such as drivers and services
• By default anyone can view the contents of the Application and System logs, but only
administrators can view the Security log
• You can use Group Policy to assign a user the Manage auditing and security log user right
if you want someone other than administrators to have the ability to view Security Logs

SUMMARY: PERFORMANCE NOTES

• If PAGING ACTIVITY (PAGES/SEC) IS HIGH, then ADD MORE RAM
• If PROCESSOR ACTIVITY IS HIGH, then add a second processor or upgrade the current one
• If %DISK TIME (90%) or CURRENT DISK QUEUE LENGTH (2) are problems, then either
run Disk Defragmenter, upgrade the hard drives, OR move the ‘spool’ location or ‘paging file’
to a new location on another disk.

PERFORMANCE MONITORING
• You can perform ‘memory dumps’ when companies require ‘debugging information’
• The ‘Network Monitor’ is a tool you can use to monitor traffic

GROUP POLICY CONFIGURATIONS – PERFORMANCE MONITORING

• Manage auditing and security log user right: Security logs are generally only available to
administrators on the local level (but this is a user right you could grant through Group Policy if you want)
BACKUPS AND MORE
BACKUP/DISASTER RECOVERY TOOLS (PRE-STEPS)
• Create RAID-1 (Mirror) volumes for your main C:\ (system drive) for fault tolerance
• Create RAID-5 (Disk striping with parity) to store user data (for fault tolerance)
• Use the Backup Utility (ntbackup.exe) to back up things like your Operating System files,
your User Data files and the System State!

BACKUP USERS/GROUPS
• By default members of Administrators, Backup Operators and Server Operators groups will
have permissions to back-up files and folders
• Add a user to the Backup Operators group if you want them to be able to do backups, or to
have the ability to work with removable storage devices (like tape drives)
• If a user is not a member of the groups above, they can still back-up a folder/file if they are
listed as the owner of the file, or have Read, Modify or Full Control permissions
• You can use Group Policy to give someone the ability to Back up or Restore files and
directories (Computer Configuration>Windows Settings>Local Policies>User Rights Assignment)

BACKUP UTILITY (NTBACKUP.EXE)


• You should back up the System State on computers (Registry settings & Active Directory)
• The System State includes all of the following important things:
 Registry (Most important thing to remember)
 Boot files (boot.ini, ntdetect.com, ntldr, bootsect.dos, ntbootdd.sys)
 System files protected by the Windows File Protection service
 Certificate Services (If you are a Certificate Authority Server),
 Active Directory (if you are a domain controller) and the Sysvol folder as well
 IIS metabase (if IIS is installed)

BACKUP INFORMATION
• Full (normal) backs up everything selected (no matter what)
 Backs up all files & sets the archive bit to mark them as backed up
 Requires only ‘1’ tape for the backup and for the restoration process (the fewest tapes
of any method you can use)
 You can schedule normal backups on a daily basis (not a bad choice); but you should
know that you can combine a normal/full backup with other methods for quick backups
throughout the week (Full & Incremental) or for a quick recovery (Full & Differential)
• Incremental Backups:
 Backs up files that have been changed/altered since the last Full/Normal (or previous
Incremental) backup
 Clears the archive bit (which is set when a file changes) to show the file has been backed up
 Backs up each night’s changes only --- short backups
 Full & Incremental backups: Restore the full tape, then each incremental tape in order (lots of tapes)
 Full/Normal with Incremental backups: Quick backups --- Long recovery

• Differential Backups:
 Backs up files that have been changed/altered since the last Full/Normal backup
 DOES NOT CLEAR THE ARCHIVE BIT – backs up the file and leaves the archive bit set
 Backs up each night’s changes plus the previous nights’ changes --- longer backups each night
 Full & Differential backups: Restore the full tape, then the last differential tape (just 2 tapes)
 Full/Normal with Differential backups: Long backups ---- Quick recovery
• Restoration of Data:
 Full & Differential backups: Restore the full tape, then the last differential tape (just 2 tapes)
 Full & Incremental backups: Restore the full tape, then each incremental tape in order (lots of tapes)
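Added example, not from the study guide: the archive-bit rules above exercised on real files in a scratch folder (constructed here), comparing a week of incremental backups with a week of differential backups and the number of tapes each restore needs. Assumes Windows/NTFS, where writing a file sets its Archive attribute, and PowerShell 3 or later.

```powershell
# Added example, not the study guide's own code. Scratch folders live under %TEMP%.
$Archive = [IO.FileAttributes]::Archive

function New-LabFolder { param([string]$Name)
    $p = Join-Path $env:TEMP "backup-lab-$Name"
    Remove-Item $p -Recurse -Force -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path $p | Out-Null
    foreach ($n in 'a','b','c') { Set-Content (Join-Path $p "$n.txt") "day0 $n" }   # write => Archive bit on
    $p
}
function Get-ArchiveFlagged { param([string]$Folder)
    Get-ChildItem $Folder -File | Where-Object { $_.Attributes -band $Archive }
}
function Clear-ArchiveBit { param([IO.FileInfo[]]$Files)
    foreach ($f in $Files) { $f.Attributes = $f.Attributes -band (-bnot $Archive) }
}
# Normal: every file, then clear the bit so each file is "marked as backed up"
function Invoke-NormalBackup { param([string]$Folder)
    $set = @(Get-ChildItem $Folder -File); Clear-ArchiveBit $set; ,$set }
# Incremental: only files whose bit is still set, and clear it afterwards
function Invoke-IncrementalBackup { param([string]$Folder)
    $set = @(Get-ArchiveFlagged $Folder); Clear-ArchiveBit $set; ,$set }
# Differential: same selection, but the bit is left set, so each differential grows
function Invoke-DifferentialBackup { param([string]$Folder) ,@(Get-ArchiveFlagged $Folder) }

function Test-BackupWeek {
    param([ValidateSet('Incremental','Differential')][string]$Strategy)
    $lab = New-LabFolder $Strategy
    $log = [ordered]@{}
    $log['Sun Normal'] = (Invoke-NormalBackup $lab | ForEach-Object Name) -join ','
    # constructed change pattern: a.txt edited Monday, b.txt Tuesday, nothing Wednesday
    $edits = @{ Mon = 'a'; Tue = 'b'; Wed = $null }
    foreach ($day in 'Mon','Tue','Wed') {
        if ($edits[$day]) { Add-Content (Join-Path $lab "$($edits[$day]).txt") "$day edit" }
        $set = if ($Strategy -eq 'Incremental') { Invoke-IncrementalBackup $lab } else { Invoke-DifferentialBackup $lab }
        $log["$day $Strategy"] = ($set | ForEach-Object Name) -join ','
    }
    # Restore after Wednesday: normal tape + every incremental, or normal tape + last differential
    $log['Tapes to restore'] = if ($Strategy -eq 'Incremental') { 1 + 3 } else { 1 + 1 }
    $log
}

Test-BackupWeek Incremental  | Format-Table -AutoSize   # Mon: a   Tue: b    Wed: (none)  -> 4 tapes
Test-BackupWeek Differential | Format-Table -AutoSize   # Mon: a   Tue: a,b  Wed: a,b     -> 2 tapes
```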

SCHEDULED TASKS/SCHEDULED BACKUPS


• You can use ‘Scheduled Tasks’ to create a scheduled backup to occur
• You can easily add, disable, or change the properties of scheduled backups
• Schtasks is the command-line tool used to create scheduled tasks
• You must provide a ‘username’ and ‘password’ to schedule tasks (like backups); if you
change that person’s password, you must reconfigure the scheduled task with the new password
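Added example, not from the study guide: registering the nightly System State backup from the notes as a scheduled task with schtasks and ntbackup, plus the one-line fix the last bullet calls for after a password change. The task name, the service account DOMAIN\svc-backup and the backup path are assumed names; the account is meant to be a Backup Operators member rather than an administrator.

```powershell
# Added example, not the study guide's own code. Job name and path contain no spaces
# on purpose, so the ntbackup command line needs no nested quotes inside schtasks /tr.
$task    = 'NightlySystemState'
$account = 'DOMAIN\svc-backup'            # assumed: member of Backup Operators only
$file    = 'D:\Backups\systemstate.bkf'   # assumed backup location

function Register-NightlyBackup {
    # ntbackup: back up the System State (Registry, boot files, AD/SYSVOL, IIS metabase ...)
    # as a normal backup, writing a summary log
    $command = "ntbackup backup systemstate /j $task /f $file /m normal /l:s"
    # /rp * makes schtasks prompt for the password instead of leaving it in the shell history
    schtasks /create /tn $task /tr $command /sc daily /st 23:00 /ru $account /rp '*'
}

# The task stores the account's credentials; after a password change it fails to start
# until the stored password is updated (the point the notes above make).
function Update-BackupTaskPassword {
    schtasks /change /tn $task /ru $account /rp '*'
}

function Show-BackupTask {
    schtasks /query /tn $task /v /fo list     # a "Last Result" other than 0 means the run failed
}

Register-NightlyBackup
Show-BackupTask
```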

BACKUP/RECOVERY METHODS
• F8 – ADVANCED STARTUP METHODS
 Safe Mode: Loads basic drivers
 Last Known Good Configuration: Boots with the registry control set saved at the last
successful logon (Note: the ‘last known good’ control set is only updated when you actually log on)
 Directory Services Restore Mode: F8 startup choice – allows you to boot computer and
restore the Active Directory database
1. Authoritative Restorations: Domain Controller is restored and will replicate
information to other domain controllers (overriding them)
2. Non-authoritative: Domain Controller restored but no replication will occur!

• ASR BACKUP:
 You can create an ASR (Automated System Recovery) floppy disk using the Backup Utility
 The ASR floppy disk is simply a copy of the operating system configuration information
 You can back up user data using the Backup Utility
 Note: You must have both an ASR floppy disk & a regular user data backup

• ASR RESTORE:
 To restore; Boot from XP CD, press F2 during install process which starts ASR wizard
 First; use ASR floppy disk to restore operating system configuration data
 Second; restore the regular user data from tape (or whatever)

• RECOVERY CONSOLE:
 The Recovery Console is an advanced command-line tool that can be used to restore
your server to a fully functional state
 You can open the Recovery Console by booting from the CD and selecting R=repair
 Or you can install the Recovery Console using the winnt32 /cmdcons command
 Includes the Copy command: copy files from the CD to the hard drive if you need them (Example:
copy the ntldr file from the CD to the local hard drive)
 Includes the fixmbr and fixboot commands: repair the master boot record (and boot sector) on hard drives
 Includes a variety of other commands such as Enable/Disable to start/stop
services, or Format/Diskpart to format drives or manage partitions and volumes, and more!

BACKUP: GROUP POLICY


• You can use Group Policy to give someone the ability to Back up or Restore files and
directories (Computer Configuration>Windows Settings>Local Policies>User Rights Assignment)
SHADOW COPIES
• Shadow Copies are a new Windows Server 2003 feature that allow users to access previous
versions of files in shared folders when older versions need to be restored, when a file is
accidentally deleted, or when they simply want to compare the current version of a file to an
older version
• The default schedule used for Shadow Copies is: Monday-Friday, 7:00 a.m. & 12:00 p.m.
• By default Shadow Copies uses 10% of available disk space on a volume (therefore, if disk
space limits are reached, older shadow copies will be deleted)
• You can support up to a maximum of 64 shadow copies on a volume
• You must install Shadow Copies on Servers, & Previous Versions software on clients
• Previous Versions Software Location: \\Windows\system32\clients\twclient\x86\twcli32.msi
• You can use Group Policy to install Previous Versions software on all clients using .msi file
• When you open a ‘Previous Versions’ file it comes up as Read-Only; you must save it
to a different location with a different name if you want to edit & change it, or you
can choose the ‘Restore’ option to restore the original document from that copy
• If ‘Shadow Copies’ is enabled, backup programs will back up open files; if Shadow
Copies is disabled, backup programs will not back up open files (interesting fact)
• To officially move Shadow Copies: Backup data, then delete shadow copies volume; then
move to another volume and restore backup
IIS (INTERNET INFORMATION SERVICES): WEB, FTP & MORE
INSTALLING IIS (INTERNET INFORMATION SERVICES)
• Install IIS (Internet Information Services) to support HTTP (World Wide Web service), FTP,
SMTP, NNTP or Internet Printing (IPP-Internet Printing Protocol)
Note: IIS is found under Application Server (you can use the Configure Your Server Wizard to do this)
• World Wide Web Service is a subcomponent of IIS, and must be checked when you install IIS.
Note: When you install IIS, a new tab called WEB SHARE appears in folder properties
Note: Windows XP (if you install IIS) only supports one Web page, while Server supports multiple Web pages
Note: IIS 5.1 & above now allows Remote Desktop through the Web (cool huh); Server 2003 uses IIS 6.0
• After installing IIS, three folders will be created:
 \system32\inetsrv: Contains all program files & dll files needed for IIS to function
(including the IIS metabase, which needs to be backed up and is included in the System State)
 C:\inetpub: Contains the content used by the Web site (or FTP site)
 C:\Windows\help\iishelp: Contains the IIS documentation
• The IIS Metabase files (MetaBase.xml & MBSchema.xml) hold the IIS configuration
information; you must back them up if you need to restore IIS (Note: backing up the
System State includes the IIS Metabase)
IIS MANAGER (INTERNET INFORMATION SERVICES)
• Server’s IIS has the ability to host a large number of Web-Sites or virtual servers
• A default web-site is created for you in the IIS Manager (tool used to control/manage IIS)
• Port 80 is the default port, but if you set it to Port 81 or something you must type in
http://servername.hand.com:81 (something like that)
• The default Web site uses the name default.html (but you can add and/or change names)
• Whatever website you create, it needs to be STARTED to be used! (Literally right-click, start)
• If you have more than one web-site on your IIS Server and they are both configured to use
the same IP Address of 10.1.13.90 (your first NIC), then you can:
 Configure each web-site with a different host header (fully qualified DNS name)
 Configure each web-site to use a different port number
 Configure each web-site to use different IP Addresses for each website
• With the IIS Manager tool (in Administrative Tools) you can control:
 Web sites: Holds all web-sites, including default web site (port 80)
 FTP sites: Holds all FTP sites, including default FTP site (port 21)
 Application Pools: Applications assigned to one or more web-sites
(Normal Active Server Pages is disabled by default, but can be activated if you need it)
IIS MANAGER (PICTURES OF THE PROPERTIES OF A WEBSITE)
IIS MANAGER (INTERNET INFORMATION SERVICES) AUTHENTICATION OPTIONS
• There are many authentication options for IIS:
 By default, ‘Anonymous’ access is allowed to a web site (Installing IIS adds the
IUSR_servername account (used for Anonymous access) to IIS websites)
 Basic Authentication: prompts for username & password (but they are not encrypted)
 Digest Authentication: prompts for username & password, & they are encrypted (must
have Active Directory & a domain setup to work properly)
 Integrated Windows Authentication: Uses the client’s logged-on credentials to allow a
user access to IIS (will not use this option if Anonymous access is selected)
 .NET Passport Authentication: Newest authentication option

SECURITY & BACKUP IIS (INTERNET INFORMATION SERVICES)


• You must back up the IIS metabase, the default web site and the content storage location (which is
inetpub by default)
• You can restart IIS (default website) if you need to get things started again.
• IIS includes a variety of Web Folder Access Permissions:
 Read & Write (users can modify contents)
 Script source access (view scripts) & Directory browsing (view files & subfolders)
• IIS includes a variety of Application Permissions:
 None, Scripts, Execute (run scripts or applications)
• Along with IIS, you can also use NTFS permissions over the folder! (suggested)

ACCESSING RESOURCES WITH IIS (INTERNET INFORMATION SERVICES)


• With FTP you type ftp://name:password@ftp.domain.com for the URL
• To access file using a web-browser: file://hand1/foldername/filename.txt
• http://printerservername/printers (This will show you printers if you have IIS or IPP installed)

REGISTRY QUESTIONS – BE ON THE LOOKOUT FOR SOME WEIRD ONES!


• You can EDIT THE REGISTRY to stop or start things (BUT YOU SHOULDN’T)
• Using Registry Editor you can modify HKEY_USERS\DEFAULT to set the logon background image

ROUTING, SUBNETTING AND MORE


ROUTING AND SUBNETTING
• Make sure you understand that your computer must have the same network ID as your
default gateway, so you can communicate with other computers in your LAN!
(Ex: 10.100.5.7 /24 is on same network as 10.100.5.250)
• 169.254.100.1 (169.254.X.X) is an APIPA (Automatic Private IP Addressing) address, which means
the client could not reach a DHCP server to get an address!
• For laptops, you can configure Alternate Configuration tab (in local area connections) to
point to static IP if DHCP dynamic IP doesn’t work!
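Added example, not from the study guide: the "same network ID as the gateway" check from the bullets above done with the mask arithmetic, plus an APIPA test, using the addresses the notes themselves use. Nothing here touches a real adapter.

```powershell
# Added example, not the study guide's own code. Pure arithmetic on dotted-quad strings.
function ConvertTo-AddressValue { param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}
function ConvertTo-DottedQuad { param([int64]$Value)
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                         (($Value -shr 8) -band 255), ($Value -band 255)
}
function Get-NetworkId { param([string]$Ip, [int]$PrefixLength)
    # /24 => mask 255.255.255.0; the network ID is the address with the host bits cleared
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    ConvertTo-DottedQuad ((ConvertTo-AddressValue $Ip) -band $mask)
}
function Test-SameSubnet { param([string]$HostIp, [string]$GatewayIp, [int]$PrefixLength)
    (Get-NetworkId $HostIp $PrefixLength) -eq (Get-NetworkId $GatewayIp $PrefixLength)
}
function Test-Apipa { param([string]$Ip)
    # 169.254.0.0/16: the client assigned itself an address because no DHCP server answered
    (Get-NetworkId $Ip 16) -eq '169.254.0.0'
}
function Get-ClientDiagnosis { param([string]$Ip, [string]$Gateway, [int]$PrefixLength)
    if (Test-Apipa $Ip) {
        return "$Ip is APIPA: DHCP was not reachable; check the DHCP server/relay or use a static or alternate address"
    }
    if (-not (Test-SameSubnet $Ip $Gateway $PrefixLength)) {
        return "$Ip/$PrefixLength is not on the gateway's network $(Get-NetworkId $Gateway $PrefixLength); fix the IP, mask or gateway"
    }
    "$Ip/$PrefixLength and gateway $Gateway share network $(Get-NetworkId $Ip $PrefixLength)"
}

Get-ClientDiagnosis '10.100.5.7'    '10.100.5.250' 24   # share network 10.100.5.0
Get-ClientDiagnosis '169.254.100.1' '10.100.5.250' 24   # APIPA: DHCP not reachable
Get-ClientDiagnosis '10.10.20.2'    '172.16.1.1'   24   # Client A pointed at the far router interface
```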
MCP CHALLENGE QUESTIONS: ROUTING AND SUBNETTING

Network diagram (text rendering of the figure):
• Router: 10.10.20.1 /24 on one side, 172.16.1.1 /24 on the other
• CLIENT A 10.10.20.2 /24 and CLIENT B 10.10.20.3 /24 on the 10.10.20.0/24 network
• SERVER 1 (DHCP SERVER) 172.16.1.2 /24 and SERVER 2 (RIS SERVER) 172.16.1.3 /24 on the 172.16.1.0/24 network
SIMULATIONS TO PREPARE FOR

SIMULATION: USERS/GROUPS/SHARES
You have two domains: domain.com and foot.com (Windows 2000 native mode)
You are the network administrator for domain.com
You have a group named Sales in the main domain.com that you use to send email messages.
You have a Sales folder on your file server (\\SERVER1\SALES) in domain.com!

 You are told to configure Sales group to include users from domain.com and foot.com
 You are told to configure Sales group to control access to SALES folder
 You must add a user named ‘John’ to the Sales group

Hints
1. Open Active Directory (Control Panel, then Administrative tools)
2. Change Sales group to be a Universal-Security group (instead of distribution group).
3. Add the user John to the Sales group
Note: Be prepared to edit a ‘Group’ account to change scope and add users to it!

SIMULATION: USERS/GROUPS/SHARES/PERMISSIONS
You are the network administrator for domain.com.
You have a Salesgroup and a Businessgroup in domain.com.
You have a file server (\\SERVER1\SALES) in domain.com.

You have created the following shared folders:


• C:\SALES (for Salesgroup)
• C:\BUSINESS (for Businessgroup)

 Users of the Salesgroup must be able to create and edit documents, and be able to change
permissions on all files in the SALES folder
 Users of the Businessgroup must be able to Read files in the BUSINESS folder.
 Ensure that the BUSINESS folder is the only point of access for everyone (no other shares)

Hints
1. Open properties of SALES (change permissions to FULL CONTROL for Salesgroup)---but
take ownership power away (BE SURE REMOVE THIS POWER IN ALL SCENARIOS)

2. Make sure the Businessgroup has only READ power over BUSINESS

3. Open Computer Management SHARES and ensure only one share exists for BUSINESS
folder

Note: Be prepared to edit a folder’s properties and edit permissions, etc…


SIMULATION: USERS/GROUPS/SHARES
You are the network administrator for domain.com and foot.com (Forest).

John Doe has been on leave and has not had access to the network. He comes back but has
forgotten his password, and he accidentally locks himself out through bad password attempts.

Jane Smith is a contractor who worked for domain.com for a temporary 3 months. She is
hired as a full-time employee for foot.com, but when she tries to log in on her first day, she finds
out her account has expired and she can’t log in.

You are told about the following policies:


• Passwords are reset by help desk technicians & should be set to Password12 on requests.
• Users must change password immediately after logging on – that is the security policy!
• Configure John Doe so he can login again (Adjust user account)
• Configure Jane Smith so she can login again (Change her UPN as well)

Hints:
1. Open control panel, admin tools, active directory and open OU with people
2. Reset the password first for John: type Password12 & also unlock his account (because it
was locked out); don’t forget to also choose the Account option “User must change password
at next logon”
3. Change Jane’s properties: set Account expires to ‘Never’ (she was just a contractor)
and change her UPN to include foot.com (because it was domain.com and must be
changed)

Note: Be prepared to make changes to users and edit their accounts in Account tab!

SIMULATION: SUS
You are the network administrator for domain.com!

Server1 is running SUS (Software Update Services). Server2 is additional SUS you add later.

You are told to:


• Ensure new SUS server will automatically synchronize with Server1 (main SUS)
• Ensure you will Approve the current list of updates that are available for new SUS Server
• All revised updates are automatically approved

Hints:
1. Open SUS icon on desktop of SERVER2 to officially open SUS admin
2. Select Set Options in SUS
3. Select Synchronize from local SUS and type in SERVER1 (to automatic synchronization)
4. Select option underneath to Synchronize list of approved items
5. Select option to automatically approve new versions of previously approved updates

Note: Be prepared to edit and adjust SUS (Software Update Services).


SIMULATION: PROFILES
You are the network administrator for domain.com!

Each user is allowed to customize their desktop in your organization.

You create a shared folder named Users on SERVER1 to store users’ folders for
customized desktop settings.

You are told to:


• Use AD to set SALES users to keep their customized desktop settings no matter where they
login from
• Use John’s user profile to make it the default profile for any new user who logs on to
SERVER4

You must:
1. Open control panel, admin tools, active directory and open OU with people
2. Highlight all users in SALES OU & configure their profile tabs to say:
\\SERVER4\users\%username%
3. Open control panel, system icon, then advanced tab & user profiles; then select John’s
account and browse to default user folder, add everyone and yes to finish

SIMULATION: PROFILES
You are the network administrator for domain.com!

A shared folder \\SERVER1\SHAREDFOLDER has been created to store user folder for
customized desktop settings.

You have been told to:


• Set all users accounts in BUSINESS OU to use this folder location
• Use John Doe’s (jdoe) user account as the default profile for new users that login

HINTS:
• Highlight all users in BUSINESS OU and set their profile tab to:
\\SERVER1\SHAREDFOLDER\%username%
• Open Control panel, System icon and select Settings under User Profiles in Advanced tab
• Know how to use the advanced tool to copy users account to Default User folder and permit
‘Everyone’ to use it (KNOW HOW TO USE THIS TOOL)

Note: Expect to do a ‘Profile’ changing scenario!


SIMULATION: PERMISSIONS
You are the network administrator for domain.com!

SERVER1 has C:\BUSINESS AND C:\SALES on it (shares)


• SalesGroup must be able to read files in BUSINESS folder
• John Doe must be able to Modify files in SALES folder
• Admins get FULL CONTROL over BUSINESS folder

HINTS:
1. For BUSINESS FOLDER, open the properties and:
 First change the Share permissions: Change Everyone to have Full-Control (this way
you can adjust NTFS permissions to control power)
 Second change the NTFS permissions: Add SalesGroup and give them read power, and
add Administrators and give them FULL CONTROL

2. For SALES FOLDER, open the properties and:


 First change the Share permissions: Change Everyone to have Full-Control
 Second change the NTFS permissions: Add John Doe and give him Modify power

Note: Don’t worry about giving Everyone Full-Control Share permissions – because Users
automatically are added with Read power thus restricting permissions.

Note: Be ready to adjust permissions on multiple scenarios!

SIMULATION: COMPUTER/SERVER ACCOUNTS (ACTIVE DIRECTORY)


You are the network administrator for domain.com!

You have four clients: SERVER1, SERVER2, SERVER3 and SERVER4


• Obsolete computer account SERVERA must be deleted
• Reset computer for SERVER2
• SERVER3 and 4 objects should be moved from Computers container to the Sales OU
• SERVER1 should be added to the Windows XP SALES global security group

You must:
1. Open control panel, admin tools, active directory and open OU with people
2. Open Computer Container OU, right-click on SERVERA and delete it
3. Reset SERVER 2
4. Move SERVER3 and 4 to SALES OU (right-click Move)
5. Double-click SERVER1 and add to SALES global security group
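Added example, not from the study guide: the four tasks of this simulation done from the command line with the ds* tools the guide lists (dsquery, dsrm, dsmod, dsmove) instead of the GUI. Assumed: domain.com maps to DC=domain,DC=com, the Sales OU is OU=Sales,DC=domain,DC=com, the SALES group lives in that OU, and the commands run as a domain administrator.

```powershell
# Added example, not the study guide's own code. Distinguished names are assumed.
$domainDn = 'DC=domain,DC=com'
$salesOu  = "OU=Sales,$domainDn"
$salesGrp = "CN=SALES,$salesOu"

# 1. Delete the obsolete account: dsquery finds it by name, dsrm removes it (no prompt)
dsquery computer -name SERVERA | dsrm -noprompt

# 2. Reset SERVER2's computer account (its secure-channel password); the machine
#    must then be rejoined to the domain, as the "30 days" note earlier describes
dsmod computer "CN=SERVER2,CN=Computers,$domainDn" -reset

# 3. Move SERVER3 and SERVER4 from the Computers container into the Sales OU
foreach ($c in 'SERVER3','SERVER4') {
    dsmove "CN=$c,CN=Computers,$domainDn" -newparent $salesOu
}

# 4. Add SERVER1 to the SALES global security group
dsmod group $salesGrp -addmbr "CN=SERVER1,CN=Computers,$domainDn"

# Verify: computers now in the Sales OU, and the group's member list
dsquery computer $salesOu -o rdn
dsget group $salesGrp -members
```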
SIMULATION: DISKS
You are the network administrator for domain.com!

Your main hard-drive (DISK0) holds all data, including a database that is used and added to daily.

DISK0 is near full capacity and you are told to move data from DISK0 to newly added DISK1.

DISK1 has a single partition that is formatted as FAT32 (no data on it though).
• Configure Disk1 so that it can be extended in the future to increase disk space without
moving or deleting data
• Configure Disk1 for optimum write performance

HINTS:
1. Use control panel, admin tools, computer management, DISK MANAGEMENT
2. Delete any previous partitions on DISK1 to clear space
3. Convert Disk1 to Dynamic disk; then create new volume using maximum space and ensure it
is set to use NTFS

Note: Be prepared to make a disk

SIMULATION: SHARES/PERMISSIONS
You are the network administrator for domain.com!

You manage SERVER7 in domain.com


• Create a share named MARKETING (C:\MARKETING)
• Assign SalesGroup allow-read share permission to MARKETING
• No other groups should have access to Marketing share
• Modify existing share named FINANCE (C:\FINANCE) so share is hidden (create and then
do this)
• Assign admins group allow-full control share permission for hidden share
• No other groups get access to the share

HINTS:
1. Create share folder named MARKETING and add SalesGroup with read share power---then
remove the Everyone group in share permissions (THIS IS QUICKEST METHOD)
2. Open FINANCE folder and select option to create a ‘NEW SHARE’ and add FINANCE$ as
the new share; then remove the regular FINANCE share
3. Add Admins and give full-control SHARE permission and remove everyone

Note: Be prepared to do some scenarios using only share permission.


SIMULATION: NORMAL
You are the network administrator for domain.com!
• New employees must create new personal and confidential passwords at initial logon
• Employees’ user accounts in the SALES OU must have their fax number changed to 555-5555.

You must:
• Create a user account for Bill in SALES OU that contains same information as Jane Smith
(username=BillB and password should be Password12, only login to SERVER1)
• Ensure all employees in SALES OU have new fax number

HINTS:
1. Open control panel, admin tools, active directory and open OU with people
2. Open Sales OU and copy Anna’s account to create BillB account, use Password12
password and BillB username, and select “user must change password at next logon”
checkbox-----open his properties and configure Log On To box to SERVER1
3. Highlight all users in SALES and give new fax number

SIMULATION: TERMINAL SERVICES


You have 100 disconnected sessions and 50 that have been idle for 2 hours
• Disconnected sessions remain on the server for a max of 1 minute
• Sessions may stay idle for a max of 30 minutes
• Sessions idle for more than 30 minutes should be reset
