Managing and Maintaining a Microsoft Windows Server 2003 Environment

The four editions of Windows Server 2003 are:
- Web Edition - supports up to two processors
- Standard Edition - supports up to four processors
- Enterprise Edition - supports up to eight processors
- Datacenter Edition - supports up to 32 processors
The operating system must be "activated" (with the
exception of volume license versions) in order to be usable.
This is intended to provide copy protection and prevent
piracy.
Setup Manager can be used to create answer files (Unattend.txt) that
supply computer or user information automatically during setup, along
with Uniqueness Database Files (UDFs) that override answer-file values
with per-computer settings such as the computer name. The Sysprep
(System Preparation Tool) utility has also been improved; it prepares a
reference machine (stripping its SID and machine-specific settings) so
that an image of it can be deployed to other installations.
Microsoft licensed Logical Disk Manager (LDM) from Veritas
and included it with Windows Server 2003 to handle drives and
their operations. The two primary disk types now available
are:
- Basic Master Boot Record (MBR) disks - can hold up to four primary
partitions, or up to three primary partitions and one extended
partition. Free space in an extended partition is used to create
logical drives. Unlike Windows 2000, basic volumes can now be extended
(with DISKPART) without first converting the disk to dynamic.
- Dynamic disks - which are volume-oriented rather than partition-oriented,
and first became available with Windows 2000.
A third type, basic GPT (GUID Partition Table) disks, is available
only on Itanium-based 64-bit systems and supports up to 128 partitions.
LDM can be used to create the following types of volumes:
- Simple - the basic choice; space from a single disk
- Spanned - links together free space from two or more disks to form a
single logical volume (no redundancy; losing one disk loses the volume)
- Striped - also known as RAID 0 (no redundancy)
- Mirrored - also known as RAID 1
- RAID 5 - striping with parity; survives the loss of any one disk
Spanned, striped, mirrored and RAID 5 volumes require dynamic disks,
and mirrored and RAID 5 volumes are available only on the Server
editions.
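The RAID 5 entry above, worked through at the byte level as an added example (it is not part of the original notes and not Microsoft's LDM code): data is split into stripes of (N - 1) data chunks plus one XOR parity chunk, the parity chunk rotates across the disks, and the contents of any single failed disk are rebuilt by XORing the surviving chunks of each stripe. The sample data, disk count and chunk size are constructed.

```python
# Striping with parity (RAID 5), modeled at the byte level.
# Added example for these notes, not Microsoft's LDM code. The data,
# the disk count and the chunk size used below are constructed inputs.
from __future__ import annotations


def xor_bytes(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, disks: int, chunk: int) -> list[list[bytes]]:
    """Lay data out across `disks` disks as stripes of (disks - 1) data
    chunks plus one parity chunk. Parity rotates: stripe s keeps it on
    disk (disks - 1 - s) % disks, so no single disk becomes the parity
    bottleneck (a fixed parity disk would be RAID 4).
    Returns layout[disk][stripe]."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (disks - 1) * chunk
    padded = data + b"\x00" * (-len(data) % per_stripe)  # whole stripes only
    layout: list[list[bytes]] = [[] for _ in range(disks)]
    for s, off in enumerate(range(0, len(padded), per_stripe)):
        stripe = padded[off:off + per_stripe]
        pieces = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity = xor_bytes(*pieces)
        parity_disk = (disks - 1 - s) % disks
        it = iter(pieces)
        for d in range(disks):
            layout[d].append(parity if d == parity_disk else next(it))
    return layout


def raid5_rebuild(layout: list[list[bytes]], failed: int) -> list[bytes]:
    """Reconstruct the contents of one failed disk: within every stripe,
    each chunk (data or parity) is the XOR of all the other chunks."""
    survivors = [d for d in range(len(layout)) if d != failed]
    return [xor_bytes(*(layout[d][s] for d in survivors))
            for s in range(len(layout[0]))]


def raid5_read(layout: list[list[bytes]], length: int) -> bytes:
    """Reassemble the original data, skipping the rotating parity chunk."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        parity_disk = (disks - 1 - s) % disks
        for d in range(disks):
            if d != parity_disk:
                out += layout[d][s]
    return bytes(out[:length])


def degraded_read(layout: list[list[bytes]], failed: int, length: int) -> bytes:
    """Read while one disk is missing: rebuild it from parity first."""
    repaired = [layout[d] if d != failed else raid5_rebuild(layout, failed)
                for d in range(len(layout))]
    return raid5_read(repaired, length)


def usable_fraction(disks: int) -> float:
    """Capacity left for data: one disk's worth of space holds parity."""
    return (disks - 1) / disks


if __name__ == "__main__":
    DATA = b"The quick brown fox jumps over the lazy dog"   # constructed input
    lay = raid5_write(DATA, disks=4, chunk=4)
    print("disk 1 rebuilt correctly:", raid5_rebuild(lay, 1) == lay[1])
    print("degraded read:", degraded_read(lay, failed=1, length=len(DATA)))
```

A second failure before the rebuild completes leaves stripes with two unknown chunks, which a single parity chunk cannot resolve; that is why a RAID 5 volume in Disk Management shows "Failed Redundancy" and must be repaired promptly.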
The Hardware Troubleshooting Wizard is used to walk
through solutions to common problems while the Add/Remove
Hardware Wizard is used for uninstalling (permanent) and
unplugging (temporary) devices. You must stop a device before
removing it to avoid errors (and, for storage devices, data loss). This wizard can be used
to add IEEE 1394 bus host controllers, imaging devices,
multi-port serial adapters, SCSI controllers, tape devices,
and a plethora of others.
The Disk Defragmenter, which first appeared with Windows 2000, has
been enhanced in 2003. It works with NTFS, FAT, and FAT32 to analyze
the amount of fragmentation that exists, and can rewrite files to the
disk in contiguous units, improving read and write performance. It can
now defragment compressed files and volumes with any cluster size, and
can be run from the command line (using the DEFRAG executable).
The Disk Management console is the graphical
interface used to perform most disk operations, such as
creating or extending partitions, converting basic disks to
dynamic, creating volumes and mirrors. It is also used to
implement RAID 5 arrays.
Driver Signing - Microsoft digitally signs drivers that have passed
Windows Hardware Quality Labs (WHQL) testing for Windows Server 2003.
The signing policy has three levels: Ignore (install unsigned drivers
silently), Warn (the default - show a warning so you can decide at the
time), and Block (never allow unsigned drivers to be installed). It is
set from Control Panel, System, on the Hardware tab. Because a driver
runs in kernel mode, the signature is the only assurance of where the
code came from and that it has not been altered since; it says nothing
about whether the driver is free of bugs. SIGVERIF.EXE (File Signature
Verification) scans for system files and drivers that are not digitally
signed. Windows Update keeps the list of known bad drivers current and
refuses to let you continue installing drivers known to cause problems.
The list of known bad drivers is kept in the drv_protect.htm file.
System File Checker - System File Checker (sfc.exe) is a
command-line utility that scans and verifies the versions of all
protected system files. SFC /SCANNOW scans immediately; SFC /SCANONCE
and SFC /SCANBOOT schedule the scan for the next restart (or every
restart). If System File Checker finds that a protected file has been
overwritten with the wrong version, it retrieves the correct version
from the %systemroot%\system32\dllcache folder (or prompts for the
installation media) and replaces the incorrect file.
Windows File Protection (WFP) - runs in the background and watches for
applications trying to replace system files such as .sys, .dll, .ocx,
.ttf, .fon, and .exe files. If an application replaces a protected
file with one that is not the correct Microsoft-signed version,
Windows File Protection restores the original from the dllcache folder
and logs the attempt in the System event log. There are four cases in
which File Protection will allow protected files to be replaced:
- Service Packs that use Update.exe
- Hotfix distributions using Hotfix.exe
- Operating system upgrades using Winnt32.exe
- The Windows Update service
Service Packs are self-running programs that modify your
operating system. Upgrades to Windows Server 2003 will come in
the form of Service Packs, with each Service Pack containing
patches and fixes to components and additional features.
The Software Update Service (SUS) is used for centralized
distribution of hotfixes and security updates. Using SUS, a
client updates its software from a server within the internal
network instead of needing to access Microsoft to accomplish
this. This allows administrators to update clients that do not
access the Internet, as well as evaluate and test each update
before making it generally available. Group Policies can be
used to target update servers.
Profiles - can exist for users and hardware. While
every user should have their own profile, under most
circumstances, most desktop computers should have only one
hardware profile since the hardware connected to it will not
deviate greatly. The hardware connected to a laptop/mobile
computer CAN deviate from day to day - based on where it is
being used - and multiple hardware profiles should be
considered. If there are multiple hardware profiles on the
system, a menu of choices will appear during the boot process.
A "roaming profile" allows a user to have the same desktop regardless
of the machine he/she uses. A roaming profile can be created from the
Active Directory Users and Computers console by a member of the Account
Operators, Domain Admins, or Enterprise Admins group. A "mandatory
profile" is a variation on the roaming theme in which the user cannot
make any permanent changes to their settings. To create a mandatory
profile, the profile's registry hive file is renamed from NTUSER.DAT to
NTUSER.MAN.
It is highly recommended to put users into groups and give permissions
to the groups. In Windows Server 2003, the following group scopes
exist:
- Machine local
- Domain local
- Global
- Universal
- Builtin - these are domain local groups (on a domain controller) or
local groups (on a stand-alone or member server) that exist for
compatibility with Windows NT. By default, the following groups are
found on Windows Server 2003 systems: Administrators, Backup
Operators, Guests, Network Configuration Operators, Power Users (not
on domain controllers), Print Operators, Remote Desktop Users,
Replicator, and Users. These built-in users and groups cannot be
deleted, although they can be renamed.
Account Policies are set at the domain level. The Account Lockout
Policy determines how many unsuccessful logon attempts are allowed
before an account is locked out and how long it will remain locked out.
There are three settings that can be configured:
- Account lockout threshold - how many invalid attempts are allowed
before the account is locked (0 means the account is never locked out).
- Reset account lockout counter after - how long after the last invalid
attempt the bad-attempt counter is reset to zero.
- Account lockout duration - how long the account stays locked (0 means
it stays locked until an administrator unlocks it).
Lockout cuts both ways: it slows online password guessing, but anyone
who can reach the logon service can deliberately lock out an account
whose name they know, so a low threshold combined with an indefinite
duration is a denial-of-service risk.
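The three lockout settings, replayed against a constructed sequence of logon attempts. This is an added example for the notes, not Windows code: the threshold, the reset window and the lockout duration are modelled exactly as described above, and the account name, password and attempt times are made up.

```python
# Account Lockout Policy, modeled as the three settings listed above.
# Added example (not part of the original notes, not Windows code): it
# replays a constructed log of logon attempts and shows how the
# threshold, the reset window and the lockout duration interact.
from __future__ import annotations
from dataclasses import dataclass
import hmac


@dataclass
class LockoutPolicy:
    threshold: int       # Account lockout threshold; 0 = never lock out
    reset_after: float   # Reset account lockout counter after (seconds)
    duration: float      # Account lockout duration (seconds); 0 = locked
                         # until an administrator unlocks the account


@dataclass
class Account:
    password: str        # cleartext only because this is a simulation
    bad_count: int = 0
    last_bad: float | None = None
    locked_at: float | None = None


class Authenticator:
    def __init__(self, policy: LockoutPolicy, accounts: dict[str, Account]):
        self.policy, self.accounts = policy, accounts

    def _is_locked(self, acct: Account, now: float) -> bool:
        if acct.locked_at is None:
            return False
        if self.policy.duration == 0:
            return True                     # stays locked until unlocked manually
        if now - acct.locked_at >= self.policy.duration:
            acct.locked_at, acct.bad_count = None, 0   # lockout has expired
            return False
        return True

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'OK', 'BAD' (wrong password) or 'LOCKED'."""
        acct = self.accounts[user]
        if self._is_locked(acct, now):
            return "LOCKED"                 # even the right password is refused
        # the bad-attempt counter resets once the reset window has elapsed
        if acct.last_bad is not None and now - acct.last_bad >= self.policy.reset_after:
            acct.bad_count = 0
        if hmac.compare_digest(password, acct.password):
            acct.bad_count, acct.last_bad = 0, None
            return "OK"
        acct.bad_count, acct.last_bad = acct.bad_count + 1, now
        if self.policy.threshold and acct.bad_count >= self.policy.threshold:
            acct.locked_at = now
            return "LOCKED"                 # this attempt tripped the threshold
        return "BAD"

    def unlock(self, user: str) -> None:
        """What an administrator does in Active Directory Users and Computers."""
        acct = self.accounts[user]
        acct.locked_at, acct.bad_count, acct.last_bad = None, 0, None


def replay(policy: LockoutPolicy, attempts: list[tuple[float, str, str]]) -> list[str]:
    """Run a constructed attempt log of (time, user, password) through the policy."""
    auth = Authenticator(policy, {"alice": Account("Winter2003!")})
    return [auth.attempt(u, p, t) for t, u, p in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_after=600, duration=900)
    log = [(0, "alice", "guess1"), (10, "alice", "guess2"), (20, "alice", "guess3"),
           (30, "alice", "Winter2003!"), (1000, "alice", "Winter2003!")]
    print(replay(policy, log))    # ['BAD', 'BAD', 'LOCKED', 'LOCKED', 'OK']
```

The fourth attempt shows the denial-of-service side of lockout: the correct password is refused while the account is locked, and with a duration of 0 it would stay refused until an administrator intervened.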
Windows Server 2003 also has a "Password Reset Disk" capability that
can be used to regain access to a local account on a stand-alone or
member server if its password has been forgotten. The disk is created
ahead of time, while the password is still known, using the Forgotten
Password Wizard; it is tied to the local account that created it and
does not work for domain accounts, so it only helps after an
administrator has left if that administrator's disk already existed.
Because anyone holding the disk can reset that account's password, it
must be stored as carefully as the password itself.
IAS (Internet Authentication Service) can be used to
enforce (through policies) issues such as: RADIUS clients
allowed, incoming phone numbers to accept, the type of media
used to establish the connection, user membership in security
groups, and the time of allowed access (day, hour, etc.). IAS
is used for centralized administration and to enforce access
policies. It works with PAP, CHAP, MS-CHAP, and EAP. IAS is
useful for centralized auditing, scaling systems for growing
demand, monitoring usage remotely, and working with a
graphical interface through an MMC snap-in.
Remote Access Authentication Protocols:
CHAP (Challenge Handshake Authentication Protocol) - the server sends a
random challenge and the client replies with an MD5 hash of the
challenge and the password, so the password itself never crosses the
link. The server must store the password in reversibly encrypted form
to verify the response, the server is not authenticated to the client,
and a captured challenge/response pair can be attacked offline with a
dictionary, so "secure" here means only that the password is not sent
in the clear.
EAP (Extensible Authentication Protocol) - client and server negotiate
the authentication method, which can include MD5 challenge/response
(EAP-MD5), smart cards and certificates (EAP-TLS), token cards, retina
or fingerprint scanners, and other third-party authentication
technologies.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) -
Microsoft's CHAP variant; the response is computed from a one-way hash
of the password, so the server does not need to store a reversibly
encrypted password. This is enabled by default on a Windows Server 2003
running RAS. It differs from CHAP in that both ends must be Microsoft
implementations. Version 1 has known weaknesses and should not be
enabled where MS-CHAP v2 is available.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol
v2) - a stronger challenge/response. Windows clients use this by
default for dial-up networking (also known as DUN), and Windows 2000,
NT4 and Win98 clients use it by default for VPN. Version 2 differs from
version 1 primarily in that two-way (mutual) authentication is
implemented: the server also proves knowledge of the password to the
client. The exchange has since been shown to be breakable offline, so
it is best run inside a protected tunnel such as PEAP.
PAP (Password Authentication Protocol) - uses clear text passwords.
Provides little security.
SPAP (Shiva Password Authentication Protocol) - more secure than PAP
(the password is reversibly encrypted rather than sent in clear text);
it is used to connect to a Shiva LANRover. Medium security.
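The CHAP exchange described above with both sides implemented, as an added example (not part of the original notes and not Microsoft's RAS/IAS code). It follows RFC 1994 (Response = MD5(Identifier || secret || Challenge)) and then shows the property the notes gloss over: a passive capture of one exchange is enough for an offline dictionary attack, during which the account lockout policy never fires. The account name, secret and word list are constructed.

```python
# CHAP (RFC 1994) challenge/response with both sides of the exchange.
# Added example; not Microsoft's RAS/IAS code. It shows why CHAP is
# only "secure" against replay of a captured password: the server must
# hold the cleartext secret, and a captured challenge/response pair can
# be attacked offline. The name, secret and word list are constructed.
from __future__ import annotations
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The authenticator (RAS/IAS side). It must keep secrets in a
    reversible form: a CHAP response cannot be checked against a
    one-way hash of the password."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        self._next_id = (self._next_id + 1) & 0xFF   # ties a response to its challenge
        return self._next_id, os.urandom(16)          # fresh, unpredictable challenge

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_exchange(server: ChapServer, name: str, client_secret: bytes):
    """Three messages: Challenge -> Response -> Success/Failure.
    Returns the verdict plus everything a sniffer on the link would see."""
    identifier, challenge = server.challenge()                       # 1. Challenge
    response = chap_response(identifier, client_secret, challenge)   # 2. Response
    success = server.verify(name, identifier, challenge, response)   # 3. Success/Failure
    captured = (name, identifier, challenge, response)               # nothing here is encrypted
    return success, captured


def offline_dictionary_attack(captured, wordlist: list[str]) -> str | None:
    """The CHAP weakness: once one exchange is captured, no further
    contact with the server is needed, so lockout never triggers."""
    name, identifier, challenge, response = captured
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None


if __name__ == "__main__":
    server = ChapServer({"alice": b"winter2003"})        # constructed account
    ok, capture = run_exchange(server, "alice", b"winter2003")
    print("authenticated:", ok)
    print("recovered from capture:",
          offline_dictionary_attack(capture, ["password", "letmein", "winter2003"]))
```

Note what the client never gets: proof that the far end knows the secret. Only the server verifies anything, which is the one-way property that MS-CHAP v2's mutual authentication was added to fix, and the reason the Success message is not worth trusting on its own.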
Sharing Data:
One of the main reasons networks were created is the sharing of data
and printers. Windows Server 2003 also allows for fax sharing, Remote
Desktop, and WebDAV (Web-based Distributed Authoring and Versioning).
When a folder is shared, permissions are given to users
that need to access the folder. The two types of permissions
are Share level and NTFS permissions, when NTFS is the file
system in use.
Share Level Permissions:
By default, the Everyone group is given Read permission when a folder
is shared. This differs from earlier operating systems, in which
Everyone was assigned Full Control on all new shares. Share permissions
apply only when a user is accessing the file or folder across the
network. If a user logs on locally, share level permissions have no
effect; only NTFS permissions - if applicable - are in effect.
Available share permissions are:
- Full Control - change permissions, take ownership of NTFS files, and
perform all tasks permitted by Change.
- Change - create folders and add files, manipulate data in files,
change file attributes, delete folders and files, and perform all tasks
permitted by Read.
- Read - display names of folders and files, display data and
attributes of files, run program files, and traverse subfolders.
Each of these permissions can be either allowed or denied.
Share level permissions can be applied on a user or on a
group level. When a user attempts to access a shared folder,
all of the permissions for that user are combined. If a user
is in one group with Full Control, one group with Change and
the user himself has read, the combined permissions will be
the least restrictive or Full Control. Any time the user is
explicitly denied access whether it is a user or group
permission, this overrides all other permissions. A user can
be in one group with Full Control, one group which is denied
access and the user himself can have Change permissions, the
effective permissions will be no access as this overrides all
of the other permissions. Always assign the most restrictive
permissions you can to a user. You don't want them to be able
to do anything more than they need to.
The easiest and most efficient way to assign permissions is
to do it on a group basis. If everyone in your finance
department needs certain permissions to several folders,
assign the permissions to a group called finance, then when a
new employee joins the team, all you have to do is place this
employee’s user account in the finance group and all of their
permissions will be there.
Windows 2003 shares some folders by default for administrative
purposes (for example C$ for the root of each drive and ADMIN$ for the
system root). These shares show up with a $ as the last character of
the name. The dollar sign signifies that the share is hidden from the
browse list; it is not an access control. The default administrative
shares are only accessible by users with administrative rights. If you
want to hide any of the shares that you create, you can use a $ as the
last character of the name, but anyone who knows or guesses the name
can still connect to it, so the share and NTFS permissions must still
be set correctly.
"Shadow copies" can be created to allow users to view the contents of
shared folders as they existed at an earlier point in time. A shadow
copy is a point-in-time snapshot of a volume's shared folders, stored
in the hidden System Volume Information folder of the volume chosen to
hold the copies; users reach earlier versions through the Previous
Versions tab.
A folder can be shared under any number of additional names after it
has been shared the first time. You can also share a folder from the
command line using the NET SHARE command locally or the RMTSHARE
command (from the Resource Kit) remotely.
Windows Server 2003 addresses the issue of having many share points on
many different servers by implementing DFS - Distributed File System.
DFS allows a user to connect to one share point (the DFS root), which
may contain links to shares in many different locations. DFS
replication (through the File Replication Service) is journal-based and
disabled by default. Automatic DFS replication is possible only with
the NTFS file system in use. An improvement over Windows 2000 is that a
server (Enterprise or Datacenter Edition) can now host multiple
domain-based DFS roots.
NTFS Permissions:
When a volume is formatted with the NTFS file system, NTFS
permissions can be used to secure resources. NTFS permissions
allow you to assign permissions at the folder and file level
while Share permissions are limited to the folder level. NTFS
permissions are also a lot more granular than Share level
permissions allowing you to permission such things as traverse
folders, write attributes and much more.
Applying NTFS Permissions:
Users can be assigned permissions directly or can be put
into groups that have permissions assigned. All individual
permissions and group permissions are combined to find out the
users effective permissions. It is highly recommended to put
users into groups and give permissions to the groups.
File permissions take precedence over folder permissions.
Combining Share and NTFS permissions.
When figuring permissions, look at share and NTFS
separately. Take the least restrictive share permission and
the least restrictive NTFS permission. Now take the most
restrictive of the two and that is your effective
permission.
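The two permission-combining rules above (least restrictive within the share layer or the NTFS layer, Deny overriding any Allow, then the most restrictive of the two layers across the network, and share permissions ignored for a local logon) coded as one function. This is an added example for the notes, not Microsoft code; the rights model is simplified to five atomic rights, and the users, groups and ACLs in the demo are constructed.

```python
# Effective permissions from share and NTFS ACLs, following the rules in
# the two sections above. Added example, not Microsoft code; the rights
# model is simplified to five atomic rights, and the principals, groups
# and ACLs used in the demo are constructed.
from __future__ import annotations

ATOMIC = frozenset({"read", "write", "delete", "change_permissions", "take_ownership"})

# Share permission levels; each is a superset of the one below it.
SHARE_LEVELS = {
    "Read": frozenset({"read"}),
    "Change": frozenset({"read", "write", "delete"}),
    "Full Control": ATOMIC,
}
# NTFS standard permissions, simplified (List / Read & Execute folded into Read).
NTFS_LEVELS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "Modify": frozenset({"read", "write", "delete"}),
    "Full Control": ATOMIC,
}

ACE = tuple[str, str, str]   # (principal, "Allow" | "Deny", level)


def layer_effective(acl: list[ACE], principals: set[str], levels: dict) -> frozenset[str]:
    """One layer (share or NTFS): union every Allow that applies to the
    user or one of their groups (least restrictive wins), then subtract
    every applicable Deny (a Deny overrides any Allow)."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue
        rights = levels[level]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return frozenset(allowed - denied)


def effective_permissions(user: str, groups: set[str], share_acl: list[ACE],
                          ntfs_acl: list[ACE], over_network: bool = True) -> frozenset[str]:
    """Share and NTFS are evaluated separately, then the most restrictive
    of the two applies. A local (console) logon bypasses share
    permissions entirely, so only NTFS counts there."""
    principals = {user, *groups, "Everyone"}   # every logged-on user is in Everyone
    ntfs = layer_effective(ntfs_acl, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs
    share = layer_effective(share_acl, principals, SHARE_LEVELS)
    return share & ntfs


if __name__ == "__main__":
    # the worked cases from the notes, constructed:
    share = [("Finance", "Allow", "Full Control"), ("Staff", "Allow", "Change"),
             ("bob", "Allow", "Read")]
    ntfs = [("Everyone", "Allow", "Full Control")]
    print(sorted(effective_permissions("bob", {"Finance", "Staff"}, share, ntfs)))
    share_deny = share + [("Contractors", "Deny", "Full Control")]
    print(effective_permissions("bob", {"Finance", "Contractors"}, share_deny, ntfs))
```

Real NTFS evaluation is more involved (explicit entries beat inherited ones, and an explicit Allow beats an inherited Deny), which is why the Effective Permissions tab in the file's security properties is the authoritative check; this model covers the exam-level rules stated in the notes.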
Permissions and Moving/Copying files on NTFS volumes:
When copying folders or files either from one partition to
another or on the same partition, the permissions will be
inherited from the target folder.
When moving files to another partition, the permissions
will be inherited from the target folder.
When moving files or folders on the same partition, the
permissions will remain intact. This is the only time
permissions are retained and not inherited.
Windows Server 2003 differs from earlier Microsoft operating systems in
that it formats the boot partition as NTFS directly during setup;
Windows 2000 first formatted it as FAT and converted it at the end of
setup. The OFORMAT utility is used to format FAT partitions on cluster
boundaries that allow them to be converted cleanly to NTFS later (using
the CONVERT utility).
Anytime after the installation, the CONVERT.EXE utility allows you to
convert a FAT or FAT32 file system to NTFS without data loss. The
syntax for this command is as follows:
CONVERT volume /FS:NTFS
The conversion is one-way (there is no supported way back to FAT), and
a converted volume does not necessarily carry the same default
permissions as a freshly formatted one, so review the ACLs on the
volume after converting it.
Event Viewer - the primary tool used for viewing log
files. In addition to the three log files that have always
existed (Application, System - which contains information
about services and drivers that fail to start - and
Security), there are now log files for: Directory Services,
File Replication Service, and DNS, if those services are in
use.
System Monitor - an ActiveX control that can graphically display
various real-time performance statistics. Within it, the system is
divided into a number of different objects, and each object is divided
into one or more counters. System Monitor appears in the Performance
tool (Start - Programs - Administrative Tools - Performance) and is the
primary performance tool for the system. Performance Logs and Alerts
enables you to record data to create a baseline and compare against it
later (to get a long-term look at how the system is operating), or to
send administrative alerts when thresholds are reached.
Optimal performance from a system is what you are always
striving for. Optimal performance is attained when a system is
running (processing, responding, and so on) as fast as it
possibly can, given the resources available to it.
Task Manager - can be used to see the status of programs that are
running (and to end programs that have stopped responding). It can be
used to assess process activity (using up to 15 separate columns), and
has a graphical element that allows you to analyze resource usage. Its
Applications tab shows the status of the programs currently running on
the system, while the Performance tab shows graphical representations
of CPU and memory usage. Task Manager is the only built-in graphical
tool that can change the priority of a process that is already running
(Processes tab, Set Priority). The way to start a process at a
different priority level than its default is the START command (for
example START /LOW, /NORMAL or /HIGH).
Licensing is available on a "Per Device or Per User" basis or a "Per
Server" basis. In the first model, every device or user needs its own
Client Access License (CAL); that CAL allows the device or user to
access any server in the Windows Server 2003 family. Under the
per-server mode, a server is allowed a certain number of concurrent
connections. Per-server mode is often used by small companies with only
one server, while companies with several servers will benefit from the
other licensing mode.
Printing can be done to a variety of locations:
- To a local print device
- To a networked print device
- To a Windows server
- To a Unix server
- To a third-party server
- To a device over the Internet (using IPP - Internet Printing
Protocol). To do this, the IIS service must be loaded.
- To, or from, a mainframe host
Windows Server 2003 features built-in disk quota management.
Users can be limited to a certain amount of disk space on the
file server on a volume by volume basis. You can customize
how much space and can configure warnings when a certain
amount is used. You can also not allow the user to save any
additional data when their limit is reached. Disk quotas must
be assigned manually for existing users of a volume if you
enable disk quotas after the volume is already active, but new
users (after enabling this feature) are automatically set for
the fixed quotas. When a user meets their quota, they will
still be able to open files, but not save changes or add new
files.
Common areas of bottlenecks include: memory, processor, disk,
network, and applications/processes.
TCP/IP utilities to know for network performance:
ARP - Address Resolution Protocol - displays a cache of
locally resolved IP addresses to Media Access Control (MAC)
addresses.
Finger - Retrieves system info from a remote computer
that supports the TCP/IP finger service.
FTP - File Transfer Protocol - provides file transfers
between TCP/IP hosts with one running FTP software.
Hostname - returns the local computers host name.
IPCONFIG - displays the TCP/IP configuration. With the /all switch, it
also shows the DHCP, DNS and WINS server addresses. WINIPCFG is the
utility used in place of IPCONFIG on Windows 9.x workstations. The
/DISPLAYDNS, /FLUSHDNS, and /REGISTERDNS options interact directly
with the DNS resolver cache and dynamic DNS registration.
LPD - Line Printer Daemon - Services LPR requests and
submits print jobs to a printer device.
LPQ - Line Printer Queue - Obtain status of a print
queue on a host running the LPD Service.
LPR - Line Printer Remote - Prints a file to a host
running the LPD Service.
NBTstat - Checks the state of current NetBIOS over
TCP/IP connections, updates LMHOSTS cache, determines
registered name.
Netdiag - Tests the network functions and provides a
report of the results.
Netsh - Network Shell. This utility can be used to
interact with most services from the command-line.
Netstat - Displays Protocol statistics and the
current state of TCP/IP connections. The -a option is used to
see all information.
NSlookup - examines entries in the DNS database
pertaining to a particular host or domain.
Pathping - acts as a combination of ping and tracert. It discovers the
route, then sends echo requests to each hop for a period and reports
the packet loss seen at every router along the way.
PING - Packet Internet Groper - verifies that TCP/IP is configured
correctly and that another host is reachable.
REXEC - Remote Execution - runs a process on a remote computer.
Route - views or modifies the local routing table.
RSH - Remote Shell - runs commands on a UNIX host.
Telnet - provides terminal emulation to a TCP/IP host running Telnet
server software.
Tracert - shows the route used from the local host to the remote host.
This is superior to PING in that it also shows the route taken to reach
the remote host.
Note that Finger, FTP, REXEC, RSH and Telnet all send their traffic in
clear text (including the password, for FTP, REXEC and Telnet), so they
should only be used on trusted networks.
The RunAs utility can now be told to use the current environment
variables (with the /env switch), save credentials (/savecred), use
smart cards (/smartcard), or use the supplied credentials for network
access only (/netonly). RunAs depends on the Secondary Logon service
(seclogon), which allows a user to log on as a normal user and then
start higher-privileged programs only when needed. Be aware that
/savecred stores the password in Stored User Names and Passwords,
where any process running as that user can reuse it.
File compression can be done from the command-line using
the COMPACT utility. You cannot compress a file that
is encrypted, or encrypt a file that is compressed - these
operations are mutually exclusive.
EFS file encryption now remains on files in offline
storage. EFS files can now also be shared across the network
and warnings are given when a user attempts to copy a file to
a device that will not protect the file. The CIPHER utility is
used to interact with encrypted files from the command-line.
Several utilities can be used to assist with system maintenance. These
include:
AUTOCHK - the version of CHKDSK that runs automatically during startup
Automated System Recovery (ASR) - an easier method of restoring after a
failure; it saves a catalog and configuration information on a floppy
and the system state to backup media
CHKDSK - looks for file system problems, such as corruption, and
corrects them
CHKNTFS - displays or changes whether a volume will be checked by
AUTOCHK at the next startup (for example, CHKNTFS /X excludes a volume)
Disk Cleanup - rids a system of temporary files, Recycle Bin contents,
and other old data
The four tabs of the Windows Server 2003 Backup Utility
are:
- Welcome
- Backup
- Restore and Manage Media
- Schedule Jobs
An incremental backup includes all files that have the archive bit on,
and then turns that bit off. A normal/full backup gets all files,
regardless of the status of the archive bit, and then turns the bit off
(if it was on). A differential backup gets all files with the archive
bit on, and leaves it on. A daily backup gets the files modified on the
day of the backup (as the name implies) and leaves the archive bit
unchanged. A copy backup gets all selected files regardless of the
archive bit and leaves it unchanged, so it can be taken without
disturbing an incremental or differential schedule.
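The five backup types above, modelled through the archive bit each one selects on and whether it clears it, then run over a constructed week so that the restore sets of an incremental and a differential schedule can be compared. This is an added example, not part of the original notes and not Microsoft's Backup Utility code; the three file names and the day-by-day changes are made up.

```python
# The five backup types of the Windows Server 2003 Backup Utility,
# modeled through the archive bit they select on and whether they clear
# it. Added example, not Microsoft code. The three files and the week's
# activity are constructed so that the restore sets can be compared.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class FileState:
    archive: bool = True          # set whenever the file is created or modified
    modified_today: bool = False  # what a Daily backup keys on


# kind -> (select only files with the archive bit?, clear the bit afterwards?)
BACKUP_TYPES = {
    "normal": (False, True),        # everything, then clear
    "copy": (False, False),         # everything, bit untouched
    "incremental": (True, True),    # changed since the last normal/incremental, then clear
    "differential": (True, False),  # changed since the last normal, bit untouched
}


def run_backup(volume: dict[str, FileState], kind: str) -> frozenset[str]:
    """Return the set of files written to the backup set and update bits."""
    if kind == "daily":
        return frozenset(n for n, f in volume.items() if f.modified_today)  # bit untouched
    only_flagged, clear = BACKUP_TYPES[kind]
    selected = {n for n, f in volume.items() if f.archive or not only_flagged}
    if clear:
        for n in selected:
            volume[n].archive = False
    return frozenset(selected)


def touch(volume: dict[str, FileState], name: str) -> None:
    """A user saves a file: the archive bit comes back on."""
    volume[name].archive = True
    volume[name].modified_today = True


def new_day(volume: dict[str, FileState]) -> None:
    for f in volume.values():
        f.modified_today = False


Job = tuple[str, str, frozenset[str]]   # (day, kind, files in the set)


def simulate_week(strategy: str) -> list[Job]:
    """Monday normal backup, then `strategy` backups Tue-Thu with one
    constructed file change each day."""
    volume = {"budget.xls": FileState(), "memo.doc": FileState(), "plan.txt": FileState()}
    jobs: list[Job] = [("Mon", "normal", run_backup(volume, "normal"))]
    for day, changed in (("Tue", "memo.doc"), ("Wed", "budget.xls"), ("Thu", "memo.doc")):
        new_day(volume)
        touch(volume, changed)
        jobs.append((day, strategy, run_backup(volume, strategy)))
    return jobs


def restore_set(jobs: list[Job]) -> list[str]:
    """Days whose backup sets must be restored, in order, to return to
    the state after the last job."""
    last_full = max(i for i, j in enumerate(jobs) if j[1] == "normal")
    later = jobs[last_full + 1:]
    if later and later[-1][1] == "differential":
        return [jobs[last_full][0], later[-1][0]]        # normal + latest differential
    return [jobs[last_full][0]] + [j[0] for j in later if j[1] == "incremental"]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        jobs = simulate_week(strategy)
        print(strategy, [(d, sorted(f)) for d, _, f in jobs], "restore:", restore_set(jobs))
```

The trade-off the run makes visible: incremental sets are smallest but every one since the last normal backup is needed (and the loss of any one of them breaks the chain), while differential sets grow through the week but a restore needs only the normal backup plus the latest differential.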
A backup log can be configured from the options of the
Backup Utility. You can choose either "Detailed" or "Summary"
log files. A detailed file includes the name of every file
backed up, while a summary only offers a file count and
indicates any files that were skipped.
To start Windows Server 2003 in Safe mode, press F8 when
the Please Select The Operating System To Start message
appears. Safe mode enables you to start the system with a
minimal set of device drivers and services. Choices appearing
on the option menu are:
- Safe mode
- Safe mode with networking
- Safe mode with command prompt
- Enable boot logging (which sends the output to
ntbtlog.txt)
- Enable VGA mode
- Last Known Good configuration
- Debugging mode
- Directory Service Restore mode (on domain controllers
only)
Recovery Console - Windows Server 2003 has a Recovery Console to help
when you have trouble booting. The Recovery Console is not installed
by default. Install the Recovery Console by booting from the Windows
Server 2003 CD and choosing Repair, or by running winnt32.exe /cmdcons
from the I386 directory of the CD. This copies the files locally and
you will then see an option to enter the Recovery Console at boot up.
The Recovery Console is limited to administrators, and you must give
the local Administrator password when choosing it (on a domain
controller, the Directory Services Restore Mode password). This
utility will allow you to do such things as:
- Use, copy, rename or replace operating system files and folders.
- Enable or disable services or devices from starting when you next
start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.