Installing Windows 2000 Professional:
Requirements:
Component           Recommended minimum                            Suggested configuration
CPU                 Pentium-based, 133 MHz or higher               Pentium II or higher
Memory              64 MB                                          64 MB or higher
Hard disk space     2 GB with a minimum of 650 MB of free space    2 GB or higher
Networking          NIC                                            NIC
Display             VGA                                            SVGA
CD-ROM              Needed when not installing over the network    Needed when not installing over the network
Keyboard and mouse  Required                                       Required
Sound card          Not required                                   Required for visually impaired users needing
                                                                   a narrative voice to guide installation
All hardware should appear on the Windows 2000 Hardware Compatibility List (HCL).
Windows 2000 Professional supports Symmetric Multiprocessing (SMP) with a maximum of two processors, and up to 4 GB of RAM.
Setup has four stages:
1. Setup Program (text mode) - preps the hard drive for the following stages of the install and copies the files needed to run the Setup Wizard. Requires a reboot.
2. Setup Wizard (graphical mode) - prompts for additional information such as the product key, names, passwords, regional settings, etc.
3. Install Windows Networking - detects adapter cards, installs networking components (Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks), and installs the TCP/IP protocol by default (other protocols can be installed later). Choose to join a workgroup or a domain at this point (you must be connected to the network and provide credentials to join a domain). After all choices are made, the components are configured, additional files are copied, and the system is rebooted.
4. Setup Completion - installs Start Menu items, registers components, saves the configuration, removes temporary files and reboots the system one final time.
Installing from CD-ROM:
· Setup disks are not required if your CD-ROM drive is bootable or you are upgrading a previous version of Windows.
· To make boot floppies, run makeboot a: from the \bootdisk directory of your W2K CD. This creates a set of four 1.44 MB boot floppies.
· If installing using an MS-DOS or Win95/98 boot floppy, run winnt.exe from the \i386 directory to begin Windows 2000 setup.
· Setup will not prompt the user to specify the name of an installation folder unless you are performing an unattended installation or using winnt32 to perform a clean installation.
Installing over a Network:
· Create a distribution server with a file share containing the contents of the \i386 directory from the Windows 2000 CD-ROM.
· Requires 685 MB minimum plus 100-200 MB of free hard drive space to hold temporary files during installation.
· Install a network client on the target computer or use a boot floppy that includes a network client. Run winnt.exe from the file share on the distribution server if installing a new operating system, or winnt32.exe if upgrading a previous version of Windows.
· A clean installation over the network is now possible with Windows 2000. NT 4 required a pre-existing FAT partition.
Command line switches for winnt.exe:
Switch              Function
/a                  Enables accessibility options
/e[:command]        Specifies a command that will be run at the end of Stage 4 of setup
/r[:folder]         Specifies an optional folder to be installed. The folder is not removed with the temporary files after installation
/rx[:folder]        Specifies an optional folder to be copied. The folder is deleted after installation
/s[:sourcepath]     Specifies the source location of the Windows 2000 files. Can be either a full path or a network share
/t[:tempdrive]      Specifies the drive to hold temporary setup files
/u[:answer file]    Specifies an unattended setup using an answer file (requires /s)
/udf:id[,UDF_file]  Establishes the ID that Setup uses to specify how a UDF (uniqueness database) file modifies an answer file
Modifying Setup using winnt32.exe:
Switch                           Function
/checkupgradeonly                Checks the system for compatibility with Windows 2000. Creates a report for upgrade installations.
/copydir:folder_name             Creates an additional folder inside the %systemroot% folder. Retained after setup.
/copysource:folder_name          Same as above except the folder and its contents are deleted after installation completes.
/cmd:command_line                Runs a command before the final phase of Setup.
/cmdcons                         Adds a Recovery Console option to the operating system selection screen.
/debug[level][:file_name]        Creates a debug log. 0 = severe errors only, 1 = regular errors, 2 = warnings, 3 = all messages.
/m:folder_name                   Forces Setup to look in the specified folder for setup files first. If the files are not present, Setup uses the files from the default location.
/makelocalsource                 Forces Setup to copy all installation files to the local hard drive so that they are available during later phases of setup if access to the CD drive or network fails.
/nodownload                      Used when upgrading from Win95/98. Forces copying of winnt32.exe and related files to the local system to avoid installation problems caused by network congestion.
/noreboot                        Tells the system not to reboot after the first stage of installation.
/s:source_path                   Specifies the source path of the installation files. Can be given more than once to copy files from multiple paths simultaneously (the first path specified must be valid or setup will fail).
/syspart:drive_letter            Copies all Setup startup files to a hard disk and marks the drive as active. You can physically move the drive to another computer and have that computer proceed to Stage 2 of Setup automatically when it is started. Requires the /tempdrive switch.
/tempdrive:drive_letter          Setup uses the specified drive to hold temporary setup files. Used when there are drive space concerns.
/unattend[number]:[answer_file]  Specifies the answer file for an unattended installation. The optional number is the number of seconds to wait after files are copied before the computer restarts.
/udf:id[,udf_file]               Establishes the ID that Setup uses to specify how a UDF file modifies an answer file.
Unattended installations:
· Unattended installations rely on an answer file to provide the information during the setup process that is usually provided through manual user input.
· Answer files can be created manually using a text editor or by using the Setup Manager Wizard (SMW), found in the Windows 2000 Resource Kit Deployment Tools.
· SMW allows for creation of a shared Distribution Folder and OEM branding.
· If you had a CD in drive D: and an unattended installation answer file named salesans.txt in C:\, you could start your install with this command: D:\i386\winnt32 /s:d:\i386 /unattend:c:\salesans.txt
· When doing a CD-based install of W2K Pro and booting from the CD, name your answer file WINNT.SIF and make sure it is on a floppy disk in your floppy drive. The serial number for the CD should be entered into the .SIF file to avoid the need for manual user input during the install.
· There are five levels of user interaction during unattended installs:
1. Provide Defaults - the Administrator supplies default answers and the user only has to accept the defaults or make changes where necessary.
2. Fully Automated - mainly used for Windows 2000 Professional desktop installs. The user just has to sit on their hands and watch.
3. Hide Pages - users can only interact with setup where the Administrator did not provide default information. Display of all other dialogs is suppressed.
4. Read Only - similar to above, but displays information to the user without allowing interaction on pages where the Administrator has provided default information.
5. GUI Attended - the user has some interaction with the setup program. Text mode is automated; the user must respond to screens in the Setup Wizard.
Deploy Windows 2000 by using Remote Installation Services (RIS):
Overview:
Remote Installation Services (RIS) is used to lower the Total Cost of Ownership (TCO) of Windows by simplifying the process of installing new client workstations. Currently only Windows 2000 Professional clients can be installed using RIS.
RIS Server requirements:
· DHCP Server service
· Active Directory
· DNS Server service
· At least 2 GB of disk space. The hard disk must have at least two partitions, one for the operating system and one for the images. The image partition must be formatted with NTFS. RIS packages cannot be installed on either the system or the boot partition. They also cannot be on an EFS volume or a DFS shared folder.
Steps for setting up a RIS Server:
· Install Remote Installation Services using Control Panel > Add/Remove Programs > Windows Components.
· Start the RIS Setup Wizard by running risetup. Specify the Remote Installation Folder location. For Initial Settings, choose "Do not respond to any client requests" (the default setting - the RIS Server must be authorized first). Specify the location of the W2K Professional source files for building the initial CD-based image. Designate a folder inside the RIS folder where the CD image will be stored. Provide a friendly text name for the CD-based image.
· The Setup Wizard creates the folder structure, copies the needed source files to the server, creates the initial CD-based W2K Professional image in its designated folder along with the default answer file (ristndrd.sif), and starts the RIS services on the server.
· The server must now be authorized. Open Administrative Tools > DHCP. Right-click DHCP in the console tree and choose Manage authorized servers. When the dialog appears, click Authorize and enter the name or IP address of the RIS server (the user must be a member of the Enterprise Admins group to do this).
· You may now configure your RIS Server to respond to client requests.
· Assign the users/groups that will be performing RIS installations the permission to Create Computer Objects in Active Directory.
· The Client Computer Naming Format is defined through Active Directory Users & Computers. Right-click the RIS Server and click Properties > Remote Install > Advanced Settings > New Clients. Choose a pre-defined format or create a custom one. Variables are: %Username (user logon name), %First (user first name), %Last (user last name), %# (incremental number), %MAC (NIC hardware address).
· Associate an answer file (.SIF) with your image.
Creating a RIPrep Image:
· Procure a source computer and install Windows 2000 Professional. Configure all components and settings for your desired client configuration, keeping everything on a single partition (the RIPrep Wizard can only image a single partition).
· Install your applications and configure them. Do not install unnecessary applications - remember that RIS requires Active Directory, which can be used to publish or assign software as needed using Group Policy.
· As you created and configured the system using the Administrator profile, you will need to copy your configuration to the Default User profile so that your custom settings are not lost.
· To launch the RIPrep Wizard, click Start > Run and type the following into the Open box: \\RISServerName\reminst\admin\i386\riprep.exe. Provide the name of the RIS Server where the image will be stored, the folder that will hold the image and a friendly text description.
RIS Client requirements:
· The client machine must meet the minimum hardware requirements for Windows 2000 Professional and, when a RIPrep image is used, must use the same Hardware Abstraction Layer (HAL) as the source computer (see the comparison below).
· Must have a network adapter that meets the Pre-boot Execution Environment (PXE) standard version .99c or higher (there is a confirmed problem with v.99j), or a 3 1/2" floppy drive and a PCI network adapter on the RIS Startup Disk utility's list of supported adapters.
Comparing RIPrep images with CD-based images:
RIPrep image                                                    CD-based image
Can only be deployed to a computer with the same HAL as the     Can be deployed to ANY computer with a HAL supported by W2K.
source computer.
Contains the OS and applications.                               Contains the operating system only; applications are deployed
                                                                separately using Group Policy.
Created manually.                                               Created automatically upon installation of the RIS Server.
Based on a preconfigured client computer. Cannot be changed     Based on the default settings of the operating system. An
without recreating the image. A separate image is required      answer (.SIF) file is used to customize the image. Multiple
for each installation type.                                     answer files can be used to customize the same image.
Only the necessary files and registry keys are copied to the    All files are copied to the client hard drive before the
client system. Fastest method.                                  Setup program is started. Slower and places an additional
                                                                burden on the network.
Troubleshooting Remote Installations:
· If the computer displays a BootP message but doesn't display the DHCP message, check to see if it can obtain an IP address. If it cannot, make sure a DHCP server is online, is authorized, has a valid IP address scope and that the DHCP packets are being routed (you may need to install a DHCP relay agent if your DHCP server is located on a different network segment than the RIS client).
· The computer displays the DHCP message but does not display the Boot Information Negotiation Layer (BINL) message. Make sure the RIS server is online and authorized and that DHCP packets are being routed.
· The BINL message is displayed but the system is unable to connect to the RIS server. Try restarting the Boot Information Negotiation Layer service (BINLSVC) on the RIS Server.
· If the client cannot connect to the RIS Server using the startup disk, check to make sure you used the right network adapter driver in rbfg.exe.
· If the installation options you expected are not available, there may be Group Policy conflicts. Check to make sure another Group Policy Object did not take precedence over your own.
Other considerations:
· You cannot create RIPrep images on a server unless it already has an existing CD-based image.
· The Remote Boot Floppy Generator utility (rbfg.exe) only works on Windows 2000 systems. To create boot floppies, click Start > Run, type \\RISServerName\reminst\admin\i386\rbfg.exe and click OK.
· The answer file (.SIF) supports the new [RemoteInstall] section. Setting the Repartition parameter to Yes causes the install to delete all partitions on the client computer and reformat the drive with one NTFS partition.
· Pre-staging computer accounts using the GUID of PXE-based workstations prevents unauthorized users from installing Windows 2000 onto their own systems through RIS; the server can then be set to answer only known (pre-staged) clients.
· For clients without a PXE GUID (e.g., those booting from the RIS startup disk), the MAC address of the network adapter can be entered into the GUID field, padded with leading zeros.
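The two pieces of RIS bookkeeping described above (pre-staging a client by GUID, and expanding the Client Computer Naming Format) as an added example that is not part of the original notes. It builds the padded GUID from an inventory of MAC addresses and expands the %Username, %First, %Last, %# and %MAC variables; the "%nUsername" prefix meaning "first n characters" is Setup Manager's syntax and an assumption beyond the notes, and the inventory rows are constructed.

```python
# Added example (not from the original notes): build RIS pre-staging GUIDs from a
# hardware inventory and expand the Client Computer Naming Format for each client.
# Assumptions: GUID = 20 zeros + 12 hex digits of the MAC (the "padded with zeros"
# convention above); "%<n>Name" truncates a variable to n characters; inventory is constructed.
import re

_HEX_ONLY = re.compile(r"[^0-9A-Fa-f]")
_VARIABLE = re.compile(r"%(\d*)(Username|First|Last|MAC|#)")
_NETBIOS_BAD = re.compile(r'[\\/:*?"<>|+=,;\[\] ]')


def mac_to_prestage_guid(mac):
    """'00-C0-4F-3A-2E-1C' -> '{00000000-0000-0000-0000-00C04F3A2E1C}'."""
    digits = _HEX_ONLY.sub("", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = "0" * 20 + digits
    return "{%s-%s-%s-%s-%s}" % (raw[:8], raw[8:12], raw[12:16], raw[16:20], raw[20:])


def expand_naming_format(fmt, username, first, last, mac, counter):
    """Expand a naming format such as '%Username%#' or '%1First%5Last' for one client."""
    values = {"Username": username, "First": first, "Last": last,
              "MAC": _HEX_ONLY.sub("", mac).upper(), "#": str(counter)}

    def substitute(match):
        width, name = match.group(1), match.group(2)
        value = values[name]
        return value[:int(width)] if width else value

    return _VARIABLE.sub(substitute, fmt)


def valid_netbios_name(name):
    """Computer names must be 1-15 characters with no NetBIOS-illegal characters."""
    return 0 < len(name) <= 15 and not _NETBIOS_BAD.search(name)


def prestage_plan(inventory, fmt):
    """For each (username, first, last, mac) row return (computer name, GUID, name_ok).

    A duplicate MAC is rejected: two pre-staged accounts with the same GUID would
    let the wrong machine pick up another user's installation."""
    plan, seen = [], set()
    for counter, (username, first, last, mac) in enumerate(inventory, start=1):
        name = expand_naming_format(fmt, username, first, last, mac, counter)
        guid = mac_to_prestage_guid(mac)
        if guid in seen:
            raise ValueError(f"duplicate MAC in inventory: {mac}")
        seen.add(guid)
        plan.append((name, guid, valid_netbios_name(name)))
    return plan


# Constructed inventory: logon name, first name, last name, NIC MAC address.
INVENTORY = [
    ("jsmith", "John", "Smith", "00-C0-4F-3A-2E-1C"),
    ("mgarcia", "Maria", "Garcia", "00:c0:4f:11:22:33"),
    ("averylongusername", "Avery", "Longname", "00C04FAABBCC"),
]

if __name__ == "__main__":
    for name, guid, ok in prestage_plan(INVENTORY, "%Username%#"):
        print(f"{name:20} {guid} {'ok' if ok else 'INVALID NAME (over 15 chars)'}")
```

The third row shows why the name check matters: a naming format that concatenates a long logon name with a counter exceeds the 15-character NetBIOS limit, so pick a truncating format (for example %8Username%#) before pre-staging a large batch.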
Working with SYSDIFF:
· Used for installing applications, usually in conjunction with an unattended installation. SYSDIFF allows you to take a snapshot of your machine's original state, install applications, and then package all of the changes into a single file which can be applied to other machines.
· Install your baseline system first. Then take a snapshot of it before installing any applications. Syntax: sysdiff /snap snap_file
· Next install the desired applications on the reference system. Use the SYSDIFF tool to create a difference file. Syntax: sysdiff /diff snap_file diff_file
· You can now apply your difference file to the target system(s). Syntax: sysdiff /apply \\setupserver\w2k\diff_file
System preparation tool (SYSPREP.EXE):
· Removes the unique elements of a fully installed computer system so that it can be duplicated using imaging software such as Ghost or Drive Image Pro. Avoids the NT4 problem of duplicated SIDs, computer names, etc. Installers can use sysprep to provide an answer file for "imaged" installations.
· Must be extracted from DEPLOY.CAB in the \support\tools folder on the Windows 2000 Professional CD-ROM.
· Adds a mini-setup wizard to the image which is run the first time the computer it is applied to is started. It guides the user through re-entering user-specific data. This process can be automated by providing a script file.
· Use the Setup Manager Wizard (SMW) to create a SYSPREP.INF file. SMW creates a SYSPREP folder in the root of the drive image and places sysprep.inf in this folder. The mini-setup wizard checks for this file when it runs.
· Specifying a CMDLINES.TXT file in your SYSPREP.INF file allows an administrator to run commands or programs during the mini-Setup portion of SYSPREP.
· Available switches for sysprep.exe are: /quiet (runs without user interaction), /pnp (forces Setup to detect PnP devices), /reboot (restarts the computer), and /nosidgen (does not regenerate the SID on the target computer). Use /nosidgen only when the image will not be duplicated, since it reintroduces the duplicate-SID problem sysprep exists to avoid.
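The answer files used by the unattended installations above (WINNT.SIF, unattend.txt) and by sysprep (SYSPREP.INF) share one INI layout, and Setup Manager on Windows 2000 writes the Administrator and domain-join passwords into them in clear text; Setup also leaves a copy of the answer file behind as %systemroot%\system32\$winnt$.inf. The following is an added example, not part of the original notes, of a review check over such a file: a small parser plus a linter that reports clear-text or blank Administrator passwords, automatic logon, domain-join credentials and product keys. The sample answer file and its contents are constructed; EncryptedAdminPassword is a key from later Setup versions, honoured here as an assumption.

```python
# Added example (not from the original notes): parse a Windows 2000 answer file
# (WINNT.SIF / unattend.txt / SYSPREP.INF) and flag secrets that should not be left
# on a distribution share or on the installed machine. SAMPLE_SIF is constructed.
SAMPLE_SIF = """\
; constructed sample answer file (not a real deployment)
[Unattended]
UnattendMode = FullUnattended
OemSkipEula = Yes
TargetPath = \\WINNT

[GuiUnattended]
AdminPassword = "S3cretPass!"
AutoLogon = Yes
AutoLogonCount = 1
TimeZone = 035

[UserData]
FullName = "Sales Desktop"
OrgName = "Example Corp"
ComputerName = SALES01
ProductID = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

[Identification]
JoinDomain = EXAMPLE
DomainAdmin = EXAMPLE\\risinstall
DomainAdminPassword = "AnotherSecret"
"""


def parse_answer_file(text):
    """Return {section_lower: {key_lower: value}}; ';' comments and value quotes are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section or a bare flag: ignore
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def lint_answer_file(sections):
    """Return (severity, Section.Key, message) tuples for settings worth reviewing."""
    findings = []
    gui = sections.get("guiunattended", {})
    if "adminpassword" in gui:
        password = gui["adminpassword"]
        if password in ("", "*"):  # '*' (or empty) sets a blank Administrator password
            findings.append(("HIGH", "GuiUnattended.AdminPassword",
                             "local Administrator password is blank"))
        elif gui.get("encryptedadminpassword", "no").lower() != "yes":
            findings.append(("HIGH", "GuiUnattended.AdminPassword",
                             "local Administrator password stored in clear text"))
    if gui.get("autologon", "").lower() == "yes":
        findings.append(("MEDIUM", "GuiUnattended.AutoLogon",
                         "automatic Administrator logon after setup "
                         f"(AutoLogonCount={gui.get('autologoncount', 'not set')})"))
    ident = sections.get("identification", {})
    if ident.get("domainadminpassword"):
        findings.append(("HIGH", "Identification.DomainAdminPassword",
                         f"domain-join credential for {ident.get('domainadmin', '?')} "
                         "stored in clear text"))
    userdata = sections.get("userdata", {})
    for key in ("productid", "productkey"):
        if userdata.get(key):
            findings.append(("LOW", f"UserData.{key}",
                             "product key stored in the answer file"))
    return findings


if __name__ == "__main__":
    for severity, where, message in lint_answer_file(parse_answer_file(SAMPLE_SIF)):
        print(f"{severity:6} {where:38} {message}")
```

The practical consequence for a deployment: the domain-join account named in [Identification] should be a dedicated account with only the Create Computer Objects permission mentioned above, never a Domain Admin, and the answer file should be removed from the distribution share and from the installed clients once deployment is finished.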
Upgrading from a previous version:
· Run winnt32.exe to upgrade from a previous version of Windows.
· Windows 2000 will upgrade and preserve settings from the following operating systems: Windows 95 and 98 (all versions), Windows NT Workstation 3.51 and 4.0, and Windows NT 3.1 or 3.5 (which must be upgraded to NT 3.51 or 4.0 first, then to Professional).
· Upgrade installations from a network file share are not supported in Windows 2000 (this *can* be done, but only by using SMS). You must either do a CD-based upgrade or perform a clean installation of Windows 2000 and re-install the needed applications.
· Because of registry and program differences between Win95/98 and 2000, upgrade packs (or migration DLLs) might be needed. Setup checks for these in the \i386\Win9xmig folder on the Windows 2000 CD-ROM or in a user-specified location.
· Run winnt32 /checkupgradeonly to check for compatible hardware and software. It generates a report indicating which system components are Windows 2000 compatible. This is the same as running the chkupgrd.exe utility from Microsoft's site.
· All operating system files associated with Windows 95/98 are deleted after an upgrade.
Troubleshooting failed installations:
Common errors:
Problem                               Possible fix
Cannot contact domain controller      Verify that the network cable is properly connected. Verify that the servers running DNS and a domain controller are both on-line. Make sure your network settings are correct (IP address, gateway, etc.). Verify that your credentials and domain name are entered correctly.
Error loading operating system        Caused when a drive is formatted with NTFS during setup but the disk geometry is reported incorrectly. Try a smaller partition (less than 4 GB) or a FAT32 partition instead.
Failure of dependency service         Make sure you installed the correct protocol and network adapter in the Network Settings dialog box in the Windows 2000 Setup Wizard. Also check to make sure your network settings are correct.
to start
Insufficient disk space               Create a new partition using existing free space on the hard disk, delete or create partitions as needed, or reformat an existing partition to free up space.
Media errors                          The CD-ROM you are installing from may be dirty or damaged. Try using a different CD or try the affected CD in a different machine.
Nonsupported CD drive                 Swap out the drive for a supported drive or try a network install instead.
Log files created during Setup:
Log file name    Description
setupact.log     Action Log - records setup actions in chronological order. Includes copied files and registry entries as well as entries made to the error log.
setuperr.log     Error Log - records all errors that occur during setup and includes the severity of each error. The log viewer shows the error log at the end of setup if errors occurred.
comsetup.log     Used for the Optional Component Manager and COM+ components.
setupapi.log     Logs an entry each time a line from an .INF file is implemented. Indicates failures in .INF file implementations.
netsetup.log     Records activity for joining a domain or workgroup.
mmdet.log        Records detection of multimedia devices, their port ranges, etc.
Implementing and Conducting Administration of Resources:
Choosing a file system:
· NTFS provides optimum security and reliability through its ability to lock down individual files and folders on a user-by-user basis. Advanced features such as disk compression, disk quotas and encryption make it the file system recommended by 9 out of 10 MCSEs.
· FAT and FAT32 are only used for dual-booting between Windows 2000 and another operating system (like DOS 6.22, Win 3.1 or Win 95/98). Neither supports file-level permissions, so anyone who can log on locally can read any file on a FAT volume.
· An existing NT 4.0 NTFS system partition will be upgraded to Windows 2000 NTFS automatically. If you wish to dual-boot between NT 4.0 and 2000 you must first install Service Pack 4 on the NT 4.0 machine. This allows it to read the upgraded NTFS partition, but advanced features such as EFS and disk quotas will be disabled.
· Use convert.exe to convert a FAT or FAT32 file system to NTFS. NTFS partitions cannot be converted to FAT or FAT32 - the partition must be deleted and recreated as FAT or FAT32.
· You cannot convert a FAT partition to FAT32 using convert.exe.
NTFS file and folder permissions:
File permissions when copying/moving within a partition or between partitions:
Copying within a partition     Creates a new file resembling the old file. Inherits the target folder's permissions.
Copying across partitions      Creates a new file resembling the old file. Inherits the target folder's permissions.
Moving within a partition      Does not create a new file. Simply updates directory pointers. The file keeps its original permissions.
Moving across partitions       Creates a new file resembling the old file, and deletes the old file. Inherits the target folder's permissions.
Miscellaneous:
· NTFS in Windows 2000 (version 5) features enhancements not found in Windows NT 4.0 (version 4): Reparse Points, Encrypting File System (EFS), Disk Quotas, Volume Mount Points, SID Searching, Bulk ACL Checking, and Sparse File Support.
· Volume Mount Points allow new volumes to be added to the file system without needing to assign a drive letter. Instead of mounting a CD-ROM as drive E:, it can be mounted and accessed under an existing drive (e.g., C:\CD-ROM). As Volume Mount Points are based on Reparse Points, the mount point must be an empty folder on an NTFS 5 volume.
· NTFS 4 stored an ACL on each file. With bulk ACL checking, NTFS 5 stores a unique ACL only once even if ten objects share it. NTFS can also perform a volume-wide scan for files using the owner's SID (SID Searching). Both functions require installation of the Indexing Service.
· Sparse File Support prevents files containing large consecutive areas of zero bits from being allocated corresponding physical space on the drive and improves system performance.
· NTFS partitions can be defragmented in Windows 2000 (as can FAT and FAT32 partitions). Use Start > Programs > Accessories > System Tools > Disk Defragmenter.
· Local (NTFS) security permissions can only be set on an NTFS volume; on a FAT volume, share permissions are the only access control available.
· Files moved from an NTFS partition to a FAT partition do not retain their attributes or security descriptors, but will retain their long filenames.
· Permissions are cumulative (a user receives the union of the permissions granted to the user and to all groups the user belongs to), except for Deny, which overrides any Allow at the same level: an explicit Deny on a file beats an explicit Allow on the same file.
· Permissions set explicitly on a file override the permissions inherited from its parent folder.
· Any time a new file is created, it inherits permissions from the folder it is created in.
· The cacls.exe utility is used to view and modify NTFS permissions from the command line. (KB# Q237701)
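A model of the permission rules in the two passages above (cumulative Allow, Deny winning at the same level, explicit file ACEs overriding inherited ones, and what copy/move does to a file's ACL) as an added example that is not part of the original notes. It goes one step beyond the notes by evaluating ACEs in the canonical order Windows 2000 uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which is what makes "explicit file permissions override the parent" and "Deny overrides Allow" both true at once. The rights set, users, groups and ACLs below are constructed.

```python
# Added example (not from the original notes): evaluate effective NTFS rights for a
# user and compute the ACL a file ends up with after copy/move. Users, groups, rights
# and ACLs are constructed for the example.
from dataclasses import dataclass
from enum import Flag, auto


class Rights(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()
    MODIFY = READ | WRITE | EXECUTE | DELETE
    FULL = MODIFY | CHANGE_PERMISSIONS | TAKE_OWNERSHIP


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name
    rights: Rights
    allow: bool = True       # False -> Deny ACE
    inherited: bool = False  # True -> came from the parent folder


def effective_rights(acl, user, groups):
    """Rights `user` (a member of `groups`) actually has on an object carrying `acl`.

    Each right bit is decided by the first ACE that mentions it in canonical order
    and later ACEs cannot overturn it. Deny is ordered before Allow at the same
    level, so an explicit Deny beats an explicit Allow; explicit ACEs are ordered
    before inherited ones, so an explicit Allow on a file beats a Deny inherited
    from its folder."""
    trustees = {user, *groups}
    ordered = sorted((ace for ace in acl if ace.trustee in trustees),
                     key=lambda ace: (ace.inherited, ace.allow))
    allowed = denied = Rights.NONE
    for ace in ordered:
        undecided = ace.rights & ~(allowed | denied)
        if ace.allow:
            allowed |= undecided
        else:
            denied |= undecided
    return allowed


def acl_after_transfer(operation, same_partition, file_acl, target_folder_acl):
    """ACL a file carries after a 'copy' or 'move' (the copy/move table above)."""
    if operation not in ("copy", "move"):
        raise ValueError(f"unknown operation {operation!r}")
    if operation == "move" and same_partition:
        # Only the directory entry is rewritten; the file keeps its own ACEs.
        return list(file_acl)
    # Copy (anywhere) or move across partitions: a new file is created and it
    # inherits the target folder's permissions.
    return [Ace(ace.trustee, ace.rights, ace.allow, inherited=True)
            for ace in target_folder_acl]


# Constructed sample: a Sales folder and one file that carries an explicit Deny.
SALES_FOLDER_ACL = [
    Ace("Administrators", Rights.FULL),
    Ace("Sales", Rights.MODIFY),
    Ace("Users", Rights.READ | Rights.EXECUTE),
]
BUDGET_ACL = ([Ace("contractor", Rights.WRITE | Rights.DELETE, allow=False)]
              + acl_after_transfer("copy", True, [], SALES_FOLDER_ACL))
GROUPS = {
    "alice": {"Sales", "Users"},
    "contractor": {"Sales", "Users"},
    "bob": {"Administrators", "Users"},
}


def demo():
    """Effective rights of each sample user on budget.xls (BUDGET_ACL)."""
    return {user: effective_rights(BUDGET_ACL, user, GROUPS[user]) for user in GROUPS}


if __name__ == "__main__":
    for user, rights in demo().items():
        print(f"{user:11} {rights}")
```

Note what the model says about moves: moving budget.xls to another folder on the same partition keeps the contractor's Deny, while copying it (or moving it across partitions) silently drops that Deny and gives the contractor whatever the target folder grants. That is the case to check when a "move" of sensitive files is really a copy-and-delete.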
Windows File Protection (WFP): (KB# Q222193)
· New to Windows 2000 - prevents the replacement of certain monitored system files (important DLLs and EXEs in the %systemroot%\system32 directory).
· Uses file signatures and code signing to verify whether protected system files are the Microsoft versions.
· WFP does not generate signatures of any type; it only verifies them.
· Critical DLLs are restored from the %systemroot%\system32\dllcache directory. The default maximum size of the cache for Professional is 50 MB. This can be increased by editing the Registry. (KB# Q229656)
Local and network print devices:
· Windows 2000 Professional supports the following printer ports: Line Printer (LPT), COM, USB, IEEE 1394, and network-attached devices.
· Print services can only be provided for Windows and UNIX clients on Windows 2000 Professional (KB# Q124734) - Windows 2000 Server is required to support Apple and Novell clients.
· Windows 2000 Professional automatically downloads printer drivers to clients running Windows 2000, Windows NT 4, Windows NT 3.51 and Windows 95/98. (KB# Q142667)
· Internet Printing is a new feature in Windows 2000. You have the option of entering the URL where your printer is located. The print server must be a Windows 2000 Server running Internet Information Server or a Windows 2000 Professional system running Personal Web Server - all shared printers can be viewed at: http://servername/printers
· Print Pooling allows two or more identical printers to be installed as one logical printer.
· Print Priority is set by creating multiple logical printers for one physical printer and assigning different priorities to each. Priority ranges from 1, the lowest (default), to 99, the highest.
· Enabling the "Availability" option allows the Administrator to specify the hours the printer is available.
· Use Separator Pages to separate print jobs at a shared printer. A template for the separator page can be created and saved in the %systemroot%\system32 directory with a .SEP file extension.
· You can select Restart in the printer's menu to reprint a document. This is useful when a document is printing and the printer jams. Resume can be selected to start printing where you left off.
· You can change the directory containing the print spooler in the advanced server properties for the printer.
· To remedy a stalled spooler, stop and restart the Print Spooler service in the Services applet in Administrative Tools in the Control Panel.
· Use the fixprnsv.exe command-line utility to resolve printer incompatibility issues. (KB#
Managing file systems:
Windows 2000 supports both Basic and Dynamic storage. In basic storage you divide a hard disk into partitions. Windows 2000 recognizes primary and extended partitions. A disk initialized for basic storage is called a Basic disk. It can contain primary partitions, extended partitions and logical drives. Basic volumes cannot be created on dynamic disks. Basic volumes should be used when dual-booting between Windows 2000 and DOS, Windows 3.x, Windows 95/98 and all versions of Windows NT.
Dynamic storage (Windows 2000 only) allows you to create a single partition that includes the entire hard disk. A disk initialized for dynamic storage is called a Dynamic disk. Dynamic disks are divided into volumes which can include portions of one, or many, disks. These can be resized without needing to restart the operating system.
There are three volume types:
· Simple volume - contains space from a single disk.
· Spanned volume - contains space from multiple disks (maximum of 32). Fills the space on one disk before going to the next. If a disk in a spanned volume fails, all data in the spanned volume is lost. There is no performance benefit, as the disks in a spanned volume are read sequentially.
· Striped volume - contains free space from multiple disks (maximum of 32) in one logical drive. Increases performance by reading/writing data from all disks at the same rate. If a disk in a striped volume fails, all data is lost.
Dynamic Volume States:
State               Description
Failed              Volume cannot be automatically restarted and needs to be repaired.
Healthy             Accessible and has no known problems.
Healthy (at risk)   Accessible, but I/O errors have been detected on the disk. The underlying disk is displayed as Online (Errors).
Initializing        Volume is being initialized and will be displayed as Healthy when the process is complete.
Dynamic Volume Limitations:
· Cannot be directly accessed by DOS, Win95/98 or any version of Windows NT if you are dual-booting, as dynamic disks do not use the traditional disk organization scheme of partitions and logical drives. The MBR on a dynamic disk contains a pointer to the disk configuration data stored in the last 1 MB of space at the end of the disk.
· Dynamic volumes which were upgraded from basic disk partitions cannot be extended; this includes the system volume (which holds the hardware-specific files required to start Windows 2000) and the boot volume. Volumes created after the disk was upgraded to dynamic can be extended.
· When installing Windows 2000, if a dynamic volume is created from unallocated space on a dynamic disk, Windows 2000 cannot be installed on that volume.
· Not supported on portable computers or removable media.
· A boot disk that has been converted from basic to dynamic cannot be converted back to basic (reverting a dynamic disk requires deleting every volume on it, which is not possible for the disk Windows boots from).
Translation of terms between Basic and Dynamic Disks:
Basic disks                   Dynamic disks
Active partition              Active volume
Extended partition            Volume and unallocated space
Logical drive                 Simple volume
Mirror set                    Mirrored volume (Server only)
Primary partition             Simple volume
Stripe set                    Striped volume
Stripe set with parity        RAID-5 volume (Server only)
System and boot partitions    System and boot volumes
Volume set                    Spanned volume
There is NO fault tolerance with Windows 2000 Professional. Fault tolerance (RAID levels 1 and 5) is only available in the Windows 2000 Server family.
To manage disks on a remote computer you must create a custom console focused on another computer. Choose Start > Run, type mmc and press Enter. On the Console menu click Add/Remove Snap-in. Click Add. Click Disk Management, then click Add. When the Choose Computer dialog box appears, choose the remote system.
Windows 2000 now supports disk-based quotas. Quotas can be set on NTFS volumes, but not on FAT or FAT32 volumes. Quotas cannot be set on individual folders within an NTFS partition.
Disk information is now stored on the physical disk itself, facilitating moving hard drives between systems. As managing disk numbering can become quite complex, the dmdiag.exe utility has been provided.
When using the Disk Management snap-in:
· Whenever you add a new disk to a computer it is added as Basic storage.
· Every time you remove or add a disk to your computer you must choose Rescan Disks.
· Disks that have been removed from another computer will appear labeled as Foreign. Choose "Import Foreign Disk" and a wizard appears to provide instructions.
· Multiple disks removed from another computer will appear as a group. Right-click on any of the disks and choose "Add Disk".
· Disks can be upgraded from Basic to Dynamic storage at any time but must contain at least 1 MB of unallocated space for the upgrade to work.
Implementing, Managing, and Troubleshooting Hardware Devices and Drivers: (KB#
Miscellaneous:
· Windows 2000 now fully supports Plug and Play.
· Use the "System Information" snap-in to view configuration information about your computer (or create a custom console focused on another computer - a powerful tool).
· "Hardware Resources" under System Information allows you to view Conflicts/Sharing, DMAs, IRQs, Forced Hardware, I/O and Memory.
· Hardware is added and removed using the "Add/Remove Hardware" applet in the Control Panel (can also be accessed from Control Panel > System > Hardware > Hardware Wizard).
· All currently installed hardware is managed through the "Device Manager" snap-in.
· To troubleshoot a device using Device Manager, click the "Troubleshoot" button on the General tab of the device's properties.
Disk devices:
· Managed through "Computer Management" under Control Panel > Administrative Tools, or by creating a custom console and adding the "Disk Management" snap-in. Choosing the "Computer Management" snap-in for your custom console gives you the following tools: Disk Management, Disk Defragmenter, Logical Drives and Removable Storage. There is a separate snap-in for each of these tools except Logical Drives.
· Using Disk Management, you can create, delete, and format partitions as FAT, FAT32 and NTFS. It can also be used to change volume labels, reassign drive letters, check drives for errors and back up drives.
· Defragment drives by using "Disk Defragmenter" under "Computer Management" or add the "Disk Defragmenter" snap-in to your own custom console.
· Removable media are managed through the "Removable Storage" snap-in.
Display devices:
· Desktop display properties (software settings) are managed through the Display applet in Control Panel.
· Display adapters are installed, removed and have their drivers updated through "Display adapters" under Device Manager.
· Monitors are installed, removed, and have their drivers updated through "Monitors" under Device Manager.
· Windows 2000 Professional supports multiple monitors running concurrently.
Mobile computer hardware:
· PCMCIA (PC Card) adapters, USB ports, IEEE 1394 (FireWire), and Infrared devices are now supported. These are managed through Device Manager.
· Hot (computer is fully powered) and warm (computer is in suspend mode) docking and undocking are now fully supported for computers with a PnP BIOS.
· Support is provided for Advanced Power Management (APM) and Advanced Configuration and Power Interface (ACPI).
· Hibernation (complete power down while maintaining the state of open programs and connected hardware) and Suspend (deep sleep with some power) modes are now supported, extending battery life.
· When a PC Card, USB or Infrared device is installed, Windows 2000 will automatically recognize and configure it (if it meets PnP specifications). If Windows does not have an entry in its driver database for the new hardware, you will be prompted to supply one.
· Equipping mobile computers with smart cards and the Encrypting File System decreases the likelihood of confidential corporate data being compromised if the computer is stolen or lost. EFS only protects data at rest from someone who cannot log on as the user or as a recovery agent, and on Windows 2000 the paging file and hibernation file are not encrypted by EFS, so sensitive data can still leak through them.
· Use hardware profiles for mobile computers. Accessed through Control Panel > System applet > Hardware tab > Hardware Profiles. Multiple profiles can be created and designated as a docked or undocked portable computer.
Input and output (I/O) devices:
· Keyboards are installed
under "Keyboards"
in Device Manager.
· Mice, graphics
tablets and other pointing
devices are installed under
"Mice and other pointing
devices" in Device
Manager.
· Troubleshoot I/O
resource conflicts using
the "System Information"
snap-in. Look under Hardware
Resources > I/O for a
list of memory ranges in
use.
Updating drivers:
· Drivers are updated
using Device Manager. Highlight
the device, right-click
and choose Properties. A
properties dialog appears.
Choose the Drivers tab and
then the Update Driver...
button.
· Microsoft recommends
using Microsoft digitally
signed drivers whenever
possible. The Driver.cab
cabinet file on the Windows
2000 CD contains all of
the drivers the OS ships
with. Whenever a driver
is updated, W2K looks here
first. The location of this
file is stored in a registry
key and can be changed:
HKLM\Software\Windows\CurrentVersion\Setup\DriverCachePath
· The Driver Verifier
is used to troubleshoot
and isolate driver problems.
It must be enabled through
changing a Registry setting.
The Driver Verifier Manager,
verifier.exe, provides a
command-line interface for
working with Driver Verifier.
Managing/configuring multiple
CPUs:
· Adding a processor
to your system to improve
performance is called scaling.
Typically done for CPU intensive
applications such as CAD
and graphics rendering.
· Windows 2000 Professional supports a maximum of two CPUs. If you need more, consider using Windows 2000 Server (up to 4 CPUs), Advanced Server (up to 8 CPUs) or Datacenter Server (maximum of 32 CPUs).
· Windows 2000 supports Symmetric Multiprocessing (SMP). Processor affinity is also supported. Asymmetric Multiprocessing (ASMP) is not supported.
· Upgrading to multiple
CPUs might increase the
load on other system resources.
· Update the driver for the Computer device to convert your system from a single CPU to multiple CPUs. This is done through Device Manager > Computer > Update Driver.
Install and manage network
adapters:
· Adapters are installed using the Add/Remove Hardware applet in Control Panel.
· Change the binding order of protocols and the Provider order using Advanced Settings under the Advanced menu of the Network and Dial-up Connections window (accessed by right-clicking the My Network Places icon).
· Each network adapter has an icon in Network and Dial-up Connections. Right-click the icon to set its properties, install protocols, change addresses, etc.
Troubleshooting the boot
process:
Files used in the Windows 2000 boot process: (KB# Q114841)
File            Location
Ntldr           System partition root
Boot.ini        System partition root (KB# Q99743)
Bootsect.dos    System partition root
Ntdetect.com    System partition root
Ntbootdd.sys*   System partition root
Ntoskrnl.exe    %systemroot%\System32
Hal.dll         %systemroot%\System32
System          %systemroot%\System32\Config
* Optional - only needed if the system partition is on a SCSI disk with the BIOS disabled
ARC paths in BOOT.INI: (KB# Q113977 & Q119467)
The Advanced RISC Computing (ARC) path is located in BOOT.INI and is used by NTLDR to determine which disk contains the operating system. (KB# Q102873)
Element         Meaning
multi(x)        Specifies a SCSI controller with the BIOS enabled, or a non-SCSI controller. x = ordinal number of the controller.
scsi(x)         Defines a SCSI controller with the BIOS disabled. x = ordinal number of the controller.
disk(x)         Defines the SCSI disk on which the OS resides. When multi is used, x = 0. When scsi is used, x = the SCSI ID number of the disk holding the OS.
rdisk(x)        Defines the disk on which the OS resides. Used when the OS does not reside on a SCSI disk. x = 0-1 if on the primary controller; x = 2-3 if on a multi-channel EIDE controller.
partition(x)    Specifies the partition number on which the OS resides. x = cardinal number of the partition, and the lowest possible value is 1.
multi(0)disk(0)rdisk(0)partition(1) is the lowest set of numbers an ARC path can have.
BOOT.INI switches: (KB#
Q239780)
· /basevideo - boots
using standard VGA driver
· /fastdetect=[comx,y,z] - disables serial mouse detection on the listed COM ports, or on all COM ports if none is specified. Included by default
· /maxmem:n - specifies
amount of RAM used - use
when a memory chip may be
bad
· /noguiboot - boots
Windows without displaying
graphical startup screen
· /sos - displays
device driver names as they
load
· /bootlog - enable
boot logging
· /safeboot:minimal
- boot in safe mode
· /safeboot:minimal(alternateshell)
- safe mode with command
prompt
· /safeboot:network
- safe mode with networking
support (KB# Q236346)
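To tie the ARC path rules and the switch list together, here is an added parser for BOOT.INI (example code written for this sheet, not Microsoft's). The sample BOOT.INI it reads is constructed, and the set of recognised switches is taken from the list above.

```python
"""Parse a Windows 2000 BOOT.INI and validate its ARC paths.

Added example for this study sheet, not Microsoft's code.  SAMPLE_BOOT_INI is
constructed: W2K Pro on the first IDE disk, a safe-mode entry for the same
install, NT4 on a BIOS-disabled SCSI disk, and a Windows 98 entry that NTLDR
hands off to Bootsect.dos.
"""
import re
from typing import Dict, List, Optional

SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="W2K Pro (safe mode, boot log)" /fastdetect /safeboot:minimal /sos /bootlog
scsi(0)disk(3)rdisk(0)partition(2)\WINNT="Windows NT 4 (SCSI, BIOS disabled)" /basevideo
C:\="Microsoft Windows 98"
"""

# adapter(x)disk(x)rdisk(x)partition(x)\systemroot, in the order NTLDR expects
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<controller>\d+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)"
    r"partition\((?P<partition>\d+)\)(?P<systemroot>\\.*)?$",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(r'^(?P<target>[^=]+)="(?P<description>[^"]*)"(?P<rest>.*)$')
# Switch names from the sheet (KB Q239780); anything else is reported by validate()
KNOWN_SWITCHES = {"/basevideo", "/fastdetect", "/maxmem", "/noguiboot",
                  "/sos", "/bootlog", "/safeboot"}


def parse_arc_path(path: str) -> Dict[str, object]:
    """Split an ARC path into its elements, enforcing the rules on the sheet."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    adapter = m.group("adapter").lower()
    nums = {k: int(m.group(k)) for k in ("controller", "disk", "rdisk", "partition")}
    if nums["partition"] < 1:
        raise ValueError("partition() is cardinal: the lowest valid value is 1")
    if adapter == "multi" and nums["disk"] != 0:
        raise ValueError("disk() must be 0 when multi() is used; rdisk() selects the drive")
    return {"adapter": adapter, **nums, "systemroot": m.group("systemroot") or ""}


def is_valid_arc_path(path: str) -> bool:
    try:
        parse_arc_path(path)
        return True
    except ValueError:
        return False


def _switch_name(switch: str) -> str:
    # "/safeboot:minimal(alternateshell)" -> "/safeboot", "/maxmem:n" -> "/maxmem"
    return re.split(r"[:=]", switch, maxsplit=1)[0].lower()


def parse_entry(line: str) -> Dict[str, object]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed [operating systems] line: {line!r}")
    target = m.group("target").strip()
    switches = m.group("rest").split()
    # Targets starting with multi( or scsi( must be valid ARC paths; anything
    # else (e.g. C:\) is a legacy entry that NTLDR chain-loads via Bootsect.dos.
    arc: Optional[Dict[str, object]] = None
    if target.lower().startswith(("multi(", "scsi(")):
        arc = parse_arc_path(target)
    return {
        "target": target,
        "description": m.group("description"),
        "arc": arc,
        "switches": switches,
        "unknown_switches": [s for s in switches if _switch_name(s) not in KNOWN_SWITCHES],
    }


def parse_boot_ini(text: str) -> Dict[str, object]:
    config: Dict[str, object] = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "timeout":
                config["timeout"] = int(value.strip())   # -1 means wait indefinitely
            elif key.strip().lower() == "default":
                config["default"] = value.strip()
        elif section == "operating systems":
            config["entries"].append(parse_entry(line))
    return config


def validate(config: Dict[str, object]) -> List[str]:
    """Return human-readable problems; an empty list means the file is consistent."""
    problems: List[str] = []
    entries = config["entries"]
    targets = {e["target"].lower() for e in entries}
    if not entries:
        problems.append("no [operating systems] entries")
    if config["default"] is None:
        problems.append("no default= line in [boot loader]")
    elif config["default"].lower() not in targets:
        problems.append(f"default {config['default']!r} matches no entry")
    for e in entries:
        for s in e["unknown_switches"]:
            problems.append(f"{e['description']!r}: unrecognised switch {s}")
    return problems
```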
Booting in Safe Mode: (KB#
Q202485)
· Enter safe mode
by pressing F8 during operating
system selection phase
· Safe mode loads
basic files/drivers, VGA
monitor, keyboard, mouse,
mass storage and default
system services. Networking
is not started in safe mode.
(KB# Q199175)
· Enable Boot Logging
- logs loading of drivers
and services to ntbtlog.txt
in the windir folder
· Enable VGA Mode
- boots Windows with VGA
driver
· Last Known Good
Configuration - uses registry
info from previous boot.
Used to recover from botched
driver installs and registry
changes.
· Recovery Console
- only appears if it was
installed using winnt32
/cmdcons or specified in
the unattended setup file.
· Directory Services
Restore Mode - only in Server
for restoring Active Directory
information to domain controllers,
not applicable to Win2000
Professional.
· Debugging Mode
- again, only in Server
· Boot Normally -
lets you boot, uh, normally.
;-)
Windows 2000 Control Sets:
(KB# Q142033)
· Found under HKEY_LOCAL_MACHINE\System\Select
- has four entries
· Current - CurrentControlSet. Any changes made to the registry modify information in CurrentControlSet
· Default - control
set to be used next time
Windows 2000 starts. Default
and current contain the
same control set number
· Failed - control
set marked as failed when
the computer was last started
using the LastKnownGood
control set
· LastKnownGood -
after a successful logon,
the Clone control set is
copied here
Running the Recovery Console:
(KB# Q229716)
· Insert Windows
2000 CD into drive, change
to i386 folder and run winnt32
/cmdcons (KB# Q216417)
· After it is installed,
it can be selected from
the "Please Select
Operating System to Start"
menu
· When starting Recovery
Console, you must log on
as Administrator. (KB# Q239803)
· Can also be run
from Windows 2000 Setup,
repair option.
· Allows you to boot
to a "DOS Prompt"
when your file system is
formatted with NTFS.
· Looks like DOS,
but is very limited. By
default, you can copy from
removable media to hard
disk, but not vice versa
- console can't be used
to copy files to other media
(KB# Q240831). As well,
by default, the wildcards
in the copy command don't
work (KB# Q235364). You
can't read or list files
on any partition except
for system partition.
· Can be used to
disable services that prevent
Windows from booting properly
(KB# Q244905)
Command           Description
attrib            changes attributes of the selected file or folder
cd or chdir       displays the current directory or changes directories
chkdsk            runs CheckDisk
cls               clears the screen
copy              copies from removable media to system folders on the hard disk. No wildcards
del or delete     deletes a file or folder
dir               lists the contents of the selected directory, on the system partition only
disable           disables a service or driver
diskpart          replaces FDISK - creates/deletes partitions
enable            enables a service or driver
extract           extracts components from .CAB files
fixboot           writes a new partition boot sector on the system partition
fixmbr            writes a new Master Boot Record for the partition boot sector
format            formats the selected disk
listsvc           lists all services on the W2K workstation
logon             lets you choose which W2K installation to log on to if you have more than one
map               displays current drive letter mappings
md or mkdir       creates a directory
more or type      displays the contents of a text file
rd or rmdir       removes a directory
ren or rename     renames a single file
systemroot        makes the current directory the system root of the drive you're logged into
Startup and Recovery Settings:
· Accessed through
Control Panel > System
applet > Advanced tab
> Startup and Recovery
· Memory dumps are
always saved with the filename
memory.dmp (KB# Q192463)
· Small memory dump
needs 64K of space. Found
in %systemroot%\minidump
· For the Write debugging information option to work, a paging file must be on the system partition and the pagefile itself must be at least 1 MB larger than the amount of RAM installed
· Use dumpchk.exe
to examine contents of memory.dmp
(KB# Q156280)
Windows Report Tool: (KB#
Q188104)
· Used to gather
information from your computer
to assist support providers
in troubleshooting issues.
Reports are composed in
Windows 98 and Windows 2000
and then uploaded to a server
provided by the support
provider using HTTP protocol.
· Reports are stored
in a compressed .CAB format
and include a Microsoft
System Information (.NFO)
file.
· The report generated
by Windows Report Tool (winrep.exe)
includes a snapshot of complete
system software and hardware
settings. Useful for diagnosing
software and hardware resource
conflicts.
Emergency Repair Disk:
· Windows NT 4 users
- the RDISK utility is gone,
ERDs are now made exclusively
with the backup utility.
Before accessing this disk
to run repair tools on the
CD, you first need to boot
to the CD (if your hardware
supports this) or to the
installation floppies and
then choose repair. (Ask
the Windows 2000 Dev Team;
KB# Q216337)
· To make an ERD,
run ntbackup, choose Emergency
Repair Disk and insert a
blank formatted floppy into
the A: drive. You will also
have the option to copy
registry files to the repair
directory - it's a good
idea to do so (%systemroot%\repair\regback).
Also use backup to copy
these registry files to
a tape or Zip disk. (KB#
Q231777)
· ERD contains the
following files: autoexec.nt,
config.nt and setup.log
Monitoring and Optimizing System Performance and Reliability:
Driver signing: (KB# Q224404)
Configuring Driver Signing:
(KB# Q236029)
· Open System applet
in Control Panel and click
Hardware tab. Then in the
Device Manager box, click
Driver Signing to display
options:
· Ignore - Install
all files, regardless of
file signature
· Warn - Display a message before installing an unsigned file
· Block - Prevent installation of unsigned files
· The Apply Setting
As System Default checkbox
is only accessible to Administrators
Using System File Checker
(sfc.exe): (KB# Q222471)
· /scannow - scans
all protected system files
immediately
· /scanonce - scans
all protected system files
at next startup
· /scanboot - scans all protected system files at every restart
· /cancel - cancels all pending scans
· /quiet - replaces
incorrect files without
prompting
· /enable - sets
Windows File Protection
back to defaults
· /purgecache - purges
file cache and forces immediate
rescan
· /cachesize=x - sets file cache size
Windows Signature Verification
(sigverif.exe):
· running sigverif
launches File Signature
Verification
· checks system files
by default, but non-system
files can also be checked
· saves search results
to Sigverif.txt
Task scheduler: (KB# Q235536
& Q226262)
· used to automate
events such as batch files,
scripts and system backups
· tasks are stored
in the Scheduled Tasks folder
in Control Panel
· running task with
a user name and password
allows an account with the
required rights to perform
the task instead of an administrative
account
· set security for
a task by group or user
Using offline files:
Offline files replaces My
Briefcase and works a lot
like Offline Browsing in
IE5. By default, offline
files are stored in the
%systemroot%\CSC (Client
Side Caching) directory.
Share a folder and set its
caching to make it available
offline - three types of
caching:
· manual caching
for documents - default
setting. Users must specify
which docs they want available
when working offline
· automatic caching
for documents - all files
opened by a user are cached
on his local hard disk for
offline use - older versions
on users machine automatically
replaced by newer versions
from the file share when
they exist
· automatic caching for programs - same as above, but for programs
When synchronizing, if you
have edited an offline file
and another user has also
edited the same file you
will be prompted to keep
and rename your copy, overwrite
your copy with the network
version, or to overwrite
the network version and
lose the other user's changes
(a wise SysAdmin will give
only a few key people write
access to this folder or
everyone's work will get
messed up).
Using Synchronization Manager,
you can specify which items
are synchronized, using
which network connection
and when synchronization
occurs (at logon, logoff,
and when computer is idle).
Encrypted files (EFS) are
NOT encrypted in the offline
cache. You must be a member
of the Administrators group
to view the offline cache
(on an NTFS volume). File
and folder permissions still
apply in the offline cache,
even when it is located
on a FAT or FAT32 volume.
Performance Console: (KB#
Q146005)
· Important objects
are cache (file system cache
used to buffer physical
device data), memory (physical
and virtual/paged memory
on system), physicaldisk
(monitors hard disk as a
whole), logicaldisk (logical
drives, stripe sets and
spanned volumes), and processor
(monitors CPU load)
· Processor - % Processor
Time counter measures time
CPU spends executing a non-idle
thread. If it is continually
at or above 80%, CPU upgrade
is recommended
· Processor - Processor
Queue Length - more than
2 threads in queue indicates
CPU is a bottleneck for
system performance
· Processor - % CPU
DPC Time (deferred procedure
call) measures software
interrupts.
· Processor - % CPU
Interrupts/Sec measures
hardware interrupts. If
processor time exceeds 90%
and interrupts/time exceeds
15%, check for a poorly
written driver (bad drivers
can generate excessive interrupts)
or upgrade CPU.
· Logical disk -
Disk Queue Length - If averaging
more than 2, drive access
is a bottleneck. Upgrade
disk, hard drive controller,
or implement stripe set
· Physical disk -
Disk Queue Length - same
as above
· Physical disk -
% Disk Time- If above 90%,
move data/pagefile to another
drive or upgrade drive
· Memory - Pages/sec
- more than 20 pages per
second is a lot of paging
- add more RAM
· Memory - Committed Bytes - should be less than the amount of RAM in the computer
· diskperf command
for activating disk counters
has been modified in Windows
2000. Physical disk counters
are now enabled by default,
but you will have to type
diskperf -yv at a command
prompt to enable logical
disk counters for logical
drives or storage volumes.
(KB# Q253251)
Performance Alerts and Logs:
(KB# Q244640)
· Alert logs are
like trace logs, but they
only log an event, send
a message or run a program
when a user-defined threshold
has been exceeded
· Counter logs record
data from local/remote systems
on hardware usage and system
service activity
· Trace logs are
event driven and record
monitored data such as disk
I/O or page faults
· By default, log
files are stored in the
\Perflogs folder in the
system's boot partition
· Save logs in CSV
(comma separated value)
or TSV (tab separated value)
format for import into programs
like Excel
· CSV and TSV must be written all at once; they do not support logs that stop and start. Use Binary (.BLG) for logging that is written intermittently
· Logging is used
to create a baseline for
future reference
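The thresholds listed under Performance Console can be applied mechanically to a counter log saved in CSV format. The checker below is an added example written for this sheet (not a Microsoft tool); its sample log is constructed in the column layout a CSV counter log uses, and it assumes Processor Queue Length is read from the System object (where the counter actually lives) and the "interrupts" rule from Processor\% Interrupt Time.

```python
"""Check a Performance Logs CSV export against the thresholds on this sheet.

Added example for this study sheet, not a Microsoft tool.  SAMPLE_CSV is
constructed (timestamp column, then one column per counter path); every value
is made up.  Assumptions: Processor Queue Length is under the System object,
and the "interrupts" rule is read as Processor\% Interrupt Time.
"""
import csv
import io
from statistics import mean
from typing import Dict, List, Tuple

SAMPLE_CSV = r""""(PDH-CSV 4.0)","\\W2KPRO\Processor(_Total)\% Processor Time","\\W2KPRO\System\Processor Queue Length","\\W2KPRO\Processor(_Total)\% Interrupt Time","\\W2KPRO\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\W2KPRO\PhysicalDisk(_Total)\% Disk Time","\\W2KPRO\Memory\Pages/sec","\\W2KPRO\Memory\Committed Bytes"
"03/15/2000 09:00:00.000","85.2","4","3.1","1.2","45.0","12.5","58000000"
"03/15/2000 09:00:15.000","91.0","3","2.0","0.8","50.0","30.0","61000000"
"03/15/2000 09:00:30.000","88.4","5","4.2","1.5","40.0","25.0","66000000"
"03/15/2000 09:00:45.000","96.3","2","3.3","1.1","55.0","28.0","70000000"
"03/15/2000 09:01:00.000","82.7","3","2.5","0.9","48.0","22.5","72000000"
"""

# (object, counter, mode, threshold, advice) taken from the sheet.
# mode "all": every sample at/above the threshold ("continually");
# mode "avg": the average over the log exceeds the threshold.
RULES = [
    ("Processor", "% Processor Time", "all", 80.0,
     "CPU continually at or above 80%: CPU upgrade recommended"),
    ("System", "Processor Queue Length", "avg", 2.0,
     "more than 2 threads queued: CPU is the bottleneck"),
    ("PhysicalDisk", "Avg. Disk Queue Length", "avg", 2.0,
     "queue averaging above 2: upgrade disk/controller or implement a stripe set"),
    ("LogicalDisk", "Avg. Disk Queue Length", "avg", 2.0,
     "queue averaging above 2: upgrade disk/controller or implement a stripe set"),
    ("PhysicalDisk", "% Disk Time", "avg", 90.0,
     "disk busy above 90%: move data/pagefile to another drive or upgrade the drive"),
    ("Memory", "Pages/sec", "avg", 20.0,
     "more than 20 pages/sec: add more RAM"),
]

Series = Dict[Tuple[str, str, str], List[float]]   # (object, instance, counter) -> samples


def parse_counter_log(text: str) -> Series:
    """Turn the CSV into one list of samples per counter path."""
    rows = list(csv.reader(io.StringIO(text)))
    header, samples = rows[0], rows[1:]
    series: Series = {}
    for col, path in enumerate(header[1:], start=1):
        parts = path.lstrip("\\").split("\\")        # machine, object(instance), counter
        if len(parts) != 3:
            continue
        obj, _, inst = parts[1].partition("(")
        # Blank cells occur when a counter had no value for that interval; skip them
        values = [float(r[col]) for r in samples if len(r) > col and r[col].strip()]
        series[(obj, inst.rstrip(")"), parts[2])] = values
    return series


def analyze(series: Series, ram_bytes: int) -> List[str]:
    """Return one finding per threshold the log crosses, with the sheet's advice."""
    findings: List[str] = []
    for (obj, inst, counter), values in series.items():
        if not values:
            continue
        label = f"{obj}({inst})\\{counter}" if inst else f"{obj}\\{counter}"
        for r_obj, r_counter, mode, threshold, advice in RULES:
            if (obj, counter) != (r_obj, r_counter):
                continue
            hit = all(v >= threshold for v in values) if mode == "all" else mean(values) > threshold
            if hit:
                findings.append(f"{label}: {advice}")
        # Committed Bytes has no fixed threshold: it is compared with installed RAM
        if (obj, counter) == ("Memory", "Committed Bytes") and max(values) > ram_bytes:
            findings.append(f"{label}: peak {max(values):.0f} exceeds installed RAM ({ram_bytes}); add RAM")
    # Combined rule: high CPU together with high interrupt time points at a driver, not the CPU
    cpu = series.get(("Processor", "_Total", "% Processor Time"), [])
    intr = series.get(("Processor", "_Total", "% Interrupt Time"), [])
    if cpu and intr and mean(cpu) > 90 and mean(intr) > 15:
        findings.append("Processor time above 90% with interrupt time above 15%: "
                        "check for a poorly written driver before upgrading the CPU")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_counter_log(SAMPLE_CSV), ram_bytes=64 * 1024 * 1024):
        print(finding)
```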
Virtual memory/Paging file:
· Recommended minimum
paging file size is 1.5
times the amount of RAM
installed. A system with
64 MB should have a 96 MB
page file. Maximum page
file size should not exceed
2.5 times the amount of
RAM installed
· Set through Control
Panel > System applet
> Advanced tab > Performance
Options > Change
· The most efficient
paging file is spread across
several drives, but is not
on the system or boot partitions.
(KB# Q123747)
· Maximum registry
size can also be changed
through the Virtual Memory
dialog box
Hardware profiles:
· Created to store
different sets of configuration
settings to meet a user's
different needs (usually
used with portables) such
as whether a computer is
docked or undocked.
· User selects the
desired profile at Windows
2000 startup
· Profiles are created
through Control Panel >
System applet > Hardware
tab > Hardware Profiles
· Devices are enabled
and disabled in particular
profiles through their properties
in the Device Manager snap-in
Data recovery:
· Windows 2000 Backup
is launched through Control
Panel > System applet
> Backup or by running
ntbackup from the Start
menu (KB# Q241007)
· Users can back
up their own files and files
they have read, execute,
modify, or full control
permission for
· Users can restore
files they have write, modify
or full control permission
for
· Administrators
and Backup Operators can
backup and restore all files
regardless of permissions
Backup type     Description
Normal          All selected files and folders are backed up. The archive attribute is cleared if set (fast for restoring)
Copy            All selected files and folders are backed up. The archive attribute is not cleared (fast for restoring)
Incremental     Only selected files and folders that have their archive attribute set are backed up, and the archive attribute is then cleared
Differential    Only selected files and folders that have their archive attribute set are backed up, but the archive attribute is not cleared
Daily           All selected files and folders that have changed during the day are backed up. Archive attributes are ignored during the backup and are not cleared afterwards
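The archive-attribute behaviour of the five backup types decides what each set contains and how many sets a restore needs. The simulation below is an added example written for this sheet (not ntbackup's code); its file table and change schedule are constructed, and days are numbered from 0.

```python
"""Simulate how each Windows 2000 Backup type treats the archive attribute.

Added example for this study sheet, not ntbackup's code.  Files are tracked as
(archive bit set?, day last modified); the file set and the schedule of
changes are constructed.
"""
from typing import Dict, List, Tuple

FileTable = Dict[str, Tuple[bool, int]]
History = List[Tuple[int, str, List[str]]]      # (day, backup type, files in the set)

BACKUP_TYPES = ("normal", "copy", "incremental", "differential", "daily")


def run_backup(files: FileTable, backup_type: str, today: int) -> Tuple[List[str], FileTable]:
    """Return (names backed up, file table after the backup)."""
    kind = backup_type.lower()
    if kind not in BACKUP_TYPES:
        raise ValueError(f"unknown backup type {backup_type!r}")
    backed_up: List[str] = []
    after: FileTable = {}
    for name, (archive, modified) in sorted(files.items()):
        if kind in ("normal", "copy"):
            selected = True                   # everything selected, archive bit ignored
        elif kind in ("incremental", "differential"):
            selected = archive                # only files whose archive bit is set
        else:                                 # daily: changed today, archive bit ignored
            selected = modified == today
        # Only Normal and Incremental clear the bit; Copy, Differential and Daily leave it
        clear = selected and kind in ("normal", "incremental")
        if selected:
            backed_up.append(name)
        after[name] = (False if clear else archive, modified)
    return backed_up, after


def touch(files: FileTable, names: List[str], day: int) -> FileTable:
    """Modifying a file sets its archive bit and stamps the day."""
    return {n: ((True, day) if n in names else v) for n, v in files.items()}


def simulate_rotation(strategy: str, initial_files: List[str],
                      changes_by_day: List[List[str]]) -> History:
    """Day 0 takes a Normal backup; each later day modifies some files, then runs `strategy`."""
    files: FileTable = {n: (True, 0) for n in initial_files}
    backed, files = run_backup(files, "normal", 0)
    history: History = [(0, "normal", backed)]
    for day, changed in enumerate(changes_by_day, start=1):
        files = touch(files, changed, day)
        backed, files = run_backup(files, strategy, day)
        history.append((day, strategy, backed))
    return history


def restore_sets(history: History) -> History:
    """Which sets, oldest first, must be restored to recover the latest state."""
    base = max(i for i, (_, kind, _) in enumerate(history) if kind == "normal")
    later = history[base + 1:]
    kinds = {kind for _, kind, _ in later}
    if not later:
        return [history[base]]
    if kinds <= {"incremental", "daily"}:      # each set only holds that day's changes
        return [history[base]] + later
    if kinds == {"differential"}:             # the last set holds everything since the Normal
        return [history[base], later[-1]]
    raise ValueError(f"mixed rotation not supported: {sorted(kinds)}")


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        hist = simulate_rotation(strategy, ["a", "b", "c"], [["a"], ["b"], ["a"]])
        print(strategy, [s for _, _, s in hist], "restore needs", len(restore_sets(hist)), "sets")
```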
The Windows 2000 Registry:
Database that stores Windows
2000 configuration information
for all installed software,
hardware and users in a
hierarchical structure.
Consists of five main subtrees:
· HKEY_CLASSES_ROOT
- holds software configuration
data, file associations
and object linking and embedding
(OLE) data
· HKEY_CURRENT_CONFIG
- holds data on active hardware
profile extracted from SOFTWARE
and SYSTEM hives
· HKEY_CURRENT_USER
- contains data about current
user extracted from HKEY_USERS
and additional info pulled
down from Windows authentication
· HKEY_LOCAL_MACHINE
- contains all local computer
hardware, software, device
driver and startup information.
Remains constant regardless
of the user
· HKEY_USERS - holds
data for user identities
and environments, custom
settings, etc
The Registry Editor (Regedt32.exe)
has a read-only mode, a
security menu, and supports
the REG_EXPAND_SZ and REG_MULTI_SZ
data types. Regedit.exe
(another registry editing
tool installed by Windows
2000) does not. Registry
Editor automatically saves
changes as they are made.
Secondary Logon Service
(Run As): (KB# Q225035)
· Similar to the
SU (Super User) command
in UNIX
· Used to test settings
using a particular user
account while logged in
with a different account
· Select the application
icon using a single left-click,
hold down the Shift key
and right-click the icon.
When the pop-up menu appears,
click Run As. This brings
up a dialog box titled "Run
program as other user"
- enter your credentials
and click OK
Configuring and Troubleshooting
the Desktop Environment:
User profiles:
· A user profile is a collection of data and folders that store the user's desktop environment and application settings along with personal data.
· When a user logs
onto a client computer running
W2K Pro, he/she always receives
his/her individualized desktop
settings and all of his/her
network connections regardless
of how many users share
the same computer.
· A user can change
their user profile by changing
their desktop settings -
when they log off, Windows
2000 incorporates the changes
into their user profile.
· Setting a profile
as mandatory forces Windows
to discard any changes made
during the session so the
next time the user logs
on, the session remains
unchanged from their last
login.
· User profiles are
stored in the %systemroot%\Documents
and Settings\%username%
folder in a fresh install
of W2K. When upgraded from
NT4, they are stored in
%systemroot%\Profiles\%username%
· Roaming profiles
are used in Windows 2000
domains for users who move
from one computer to another
but require a consistent
desktop environment.
Multiple languages and locations:
Changed through the Regional
Options applet in Control
Panel. Open Region Options
and click Input Locale tab
to add more locales. Check
each locale or language
you want your system to
support. (KB# Q177561)
On the Regional Options
applet General tab, scroll
through the items in the
box labelled "Your
System is Configured to
Read and Write Documents
in Multiple Languages"
to see the available languages
as well as the current default.
Manage and troubleshoot
software by using Group
Policy:
Deploy software by using
Group Policy:
· Windows Installer replaces setup.exe. Windows Installer packages are recognized by their .MSI file extension.
· Integrates software installation into Windows 2000 so that it is now centrally controlled, distributed, and managed from a central point.
· The software life
cycle consists of four phases,
Preparation, Deployment,
Maintenance, and Removal.
Maintain software by using
Group Policy:
· Software package
is installed on a Windows
2000 Server in a shared
directory. A Group Policy
Object (GPO) is created.
Behavior filters are set
in the GPO to determine
who gets the software. Then
the package is added to
the GPO under User Configuration
> Software Settings >
Software Installation (this
is done on the server).
You are prompted for a publishing
method - choose it and say
OK.
· Set up Application
Categories in Group Policy
> computer or user config
> Software Settings >
Software Installation (right-click)
> Properties > Categories
> Add. Creating logical
categories helps users locate
the software they need under
Add/Remove Programs on their
client computer. Windows
does not ship with any categories
by default.
· When upgrading
deployed software, AD can
either uninstall the old
application first or upgrade
over top of it.
· When publishing upgrades, they can be optional or mandatory for users but are mandatory when assigned to computers.
· When applications
are no longer supported,
they can be removed from
Software Installation without
having to be removed from
the systems of users who
are using them. They can
continue using the software
until they remove it themselves,
but no one else will be
able to install the software
through the Start menu,
Add/Remove Programs, or
by invocation.
· Applications that
are no longer used can have
their removal forced by
an administrator. Software
assigned to the user is
automatically removed the
next time that user logs
on. When software is assigned
to a computer, it is automatically
removed at start up. Users
cannot re-install the software.
· Selecting the "Uninstall
this application when it
falls out of the scope of
management" option
forces removal of software
when a GPO no longer applies.
Configure deployment options:
· You can assign
or publish software packages.
· Software that is
assigned to a user has a
shortcut appear on a user's
Start > Programs menu,
but is not installed until
the first time they use
it. Software assigned to
a computer is installed
the next time the user logs
on regardless of whether
or not they run it.
· When software is
assigned to a user, the
new program is advertised
when a user logs on, but
is not installed until the
user starts the application
from an icon or double-clicks
a file-type associated with
the icon. Software assigned
to a computer is not advertised
- the software is installed
automatically. When software
is assigned to a computer
it can only be removed by
a local administrator -
users can repair software
assigned to computers, but
not remove it.
· The software settings of a Group Policy are not refreshed like the rest of the settings. The user may need to log off and log on, or the system may need to be restarted, for the new settings to take effect (depending on the type of software installation).
· Published applications
are not advertised. They
are only installed through
Add/Remove Programs in the
Control Panel or through
invocation. Published applications
lack resiliency (do not
self-repair or re-install
if deleted by the user).
Finally, applications can
only be published to users,
not computers.
· With invocation,
when a user double-clicks
on an unknown file type,
the client computer queries
Active Directory to see
what is associated with
the file extension. If an
application is registered,
AD checks to see if it has
been published to the user.
If it has, it checks for
the auto-install permission.
If all conditions are met,
the application is invoked
(installed).
· Non-MSI programs are published as .ZAP files. They cannot take advantage of MSI features such as elevated installation privileges, rolling back an unsuccessful installation, installing on first use of software or feature, etc. (KB# Q231747) .ZAP files can only be published, not assigned.
· Non-MSI programs
can be repackaged using
a 3rd party tool on the
W2K Server CD called WinINSTALL
LE. It works like SYSDIFF
as it lets you take a snapshot
of a system, install your
application, take another
snapshot and create a difference
file that becomes your MSI
install package. If you
wish to assign a non-MSI
program to a user or computer,
you must first repackage
it as an MSI file. (KB#
Q236573)
· When software requires a CD key during installation, it can be pushed down with the installer package by typing msiexec /a <path to .msi file> PIDKEY="[CD-Key]" (KB# Q223393)
· Modifications are
created using tools provided
by the software manufacturer
and produce .MST files which
tell the Windows Installer
what is being modified during
the installation. .MST files
must be assigned to .MSI
packages at the time of
deployment. (KB# Q236943)
· Patches are deployed
as .MSP files. (KB# Q226936)
Configure and troubleshoot
desktop settings:
Desktop settings can be
configured using the Display
applet in Control Panel
or by right-clicking on
a blank area of the desktop
and selecting properties.
User can change the appearance
of the desktop, desktop
wallpaper, screen saver
settings and more.
Fax support:
· If a fax device
(modem) is installed, the
Fax applet appears in Control
Panel. Does not appear when
no fax device installed
· If the Advanced
Options tab is not available
in the Fax applet log off
then log back on as Administrator
· Use the Fax applet
to setup rules for how device
receives faxes, number or
retries when sending, where
to store retrieved and sent
faxes, user security permissions,
etc.
· The Fax printer
in your printer folder cannot
be shared
Accessibility services:
(KB# Q210894)
· Accessibility Wizard
is used for deploying accessibility
features to users who require
them. Using the wizard,
define the settings you
want to deploy and, on the
Save Settings to File page,
save them to a file that
has the .acw extension.
Place the file on a network
share and modify each user's
login script so that it
imports the settings. The
command to import the file
is this: %SystemRoot%\System32\Accwiz.exe
filename. (KB# Q256956)
· Utility Manager
enables users to check an
Accessibility program's
status, and start or stop
an Accessibility program.
Users with administrator-level
access can designate to
have the program start when
Windows 2000 starts. The
built-in programs accessible
from the Utility Manager
are Magnifier, Narrator,
and On-Screen Keyboard.
· By default, automatic reset for accessibility options is disabled. When enabled, accessibility options will be turned off if they have not been used for a pre-defined period of time. MS recommends enabling automatic reset on systems that are shared by more than one user.
· StickyKeys allows
you to press multiple key
combinations (CTRL-ALT-DEL)
one key at a time
· FilterKeys tells
the keyboard to ignore brief
or repeated keystrokes
· SoundSentry displays
visual warnings when your
computer makes a sound (for
aurally impaired)
· ShowSounds forces
programs to display captions
for the speech and sounds
they make
· MouseKeys lets
you control the mouse pointer
with the numeric keypad
· Magnifier magnifies
a portion of the desktop
(for visually impaired)
- available during GUI phases
of OS installation (KB#
Q231843)
· Narrator reads
menu options aloud using
speech synthesis (for visually
impaired) - available during
GUI phases of OS installation.
Implementing, Managing,
and Troubleshooting Network
Protocols and Services:
TCP/IP protocol:
Miscellaneous:
· Is an industry-standard
suite of protocols
· It is routable
and works over most network
topologies
· It is the protocol
that forms the foundation
of the Internet
· Installed by default
in Windows 2000
· Can be used to
connect dissimilar systems
· Uses Microsoft
Windows Sockets interface
(Winsock)
· IP addresses can
be entered manually or provided
automatically by a DHCP
server
· DNS is used to
resolve computer hostnames
to IP addresses
· WINS is used to
resolve a NetBIOS name to
an IP address
· Subnet mask - A
value that is used to distinguish
the network ID portion of
the IP address from the
host ID.
· Default gateway - the TCP/IP address of the host (typically a router) to which you send packets for routing elsewhere on the network.
Automatic Private IP Addressing:
Windows 98 and Windows 2000
support this new feature.
When "Obtain An IP
Address Automatically"
is enabled, but the client
cannot obtain an IP address,
Automatic Private IP addressing
takes over:
· IP address is generated
in the form of 169.254.x.y
(where x.y is the computer's
identifier) and a 16-bit
subnet mask (255.255.0.0)
· The computer broadcasts
this address to its local
subnet
· If no other computer
responds to the address,
the first system assigns
this address to itself
· A computer using an Automatic Private IP address can only communicate with other computers on the same subnet that also use the 169.254.x.y range with a 16-bit mask.
· The 169.254.0.0
- 169.254.255.255 range
has been set aside for this
purpose by the Internet
Assigned Numbers Authority
TCP/IP Server Utilities:
· Telnet server -
Windows 2000 includes a
telnet server service (net
start tlntsvr) which is
limited to a command line
text interface and two concurrent
users. Set security on your
telnet server by running
the admin tool, tlntadmn.
(KB# Q225233)
· Web Server - stripped
version of IIS5 Web server.
Limited to 10 connections.
Must be installed and service
started before sharing your
printers using Web printing
or Internet printing. Can
be managed using IIS snap-in
or Personal Web Manager,
a "dumbed-down"
GUI for novice users.
· FTP Server - stripped version of the Internet Information Server 5 (IIS5) FTP server. Limited to 10 connections but is administered just like the server version using the IIS snap-in or the Personal Web Manager.
· FrontPage 2000
Server Extensions - extends
the functionality of the
Web server and included
in W2K Pro for developing
and testing Web sites before
deploying them to a production
server.
· SMTP Server - does
not appear to have limitations
on connections but this
is most likely due to its
integration with LDAP and
Active Directory replication.
Also works with the form
handlers in FrontPage Server
Extensions.
TCP/IP Client Utilities:
· Telnet client -
Can be used to open a text
based console on UNIX, Linux
and Windows 2000 systems
(run telnet servername)
· FTP client - Command
line based - simple and
powerful (run ftp servername)
· Internet Explorer
5 - Microsoft's powerful
and thoroughly integrated
Web browser (see IE5 Cramsession
for details)
· Outlook Express 5 - SMTP, POP3, IMAP4, NNTP, HTTP, and LDAP compliant E-mail package.
Services for UNIX 2.0:
Miscellaneous:
· TCP/IP protocol is required for communicating with UNIX hosts
· Windows 2000 uses
CIFS (Common Internet File
System) which is an enhanced
version of the SMB (Server
Message Block) protocol
· UNIX uses NFS (Network
File System)
· FTP support has
been added to Windows Explorer
and to Internet Explorer
5.0 allowing users to browse
FTP directories as if they
were a local resource.
· Install SNMP for
Network Management (HP OpenView,
Tivoli and SMS).
· Print Services
for UNIX allows connectivity
to UNIX controlled Printers
(LPR)
· Simple TCP/IP Services provides Echo, Quote of Day, Discard, Daytime and Character Generator.
Client for NFS:
· Installs a full
Network File System (NFS)
client that integrates with
Windows Explorer. Available
for both W2K Professional
and Server.
· Places a second,
more powerful Telnet client
on your system in the %windir%\system32\%sfudir%
directory. This new client
has been optimized for Windows
NT Telnet server and can
use NTLM authentication
instead of clear text. (KB#
Q250879)
· Users can browse
and map drives to NFS volumes
and access NFS resources
through My Network Places.
Microsoft recommends this
over installing Samba (SMB
file services for Windows
clients) on your UNIX server.
· NFS shares can
be accessed using standard
NFS syntax (servername:/pathname)
or standard UNC syntax (\\servername\pathname)
· If users' UNIX
username/password differ
from Windows username/password,
click "Connect Using
A Different User Name"
option and provide new credentials.
· The following popular
UNIX utilities are installed
along with the Client for
NFS (not a complete list):
Utility - Description
grep - Searches files for patterns and displays results containing that pattern
ps - Lists processes and their status
sed - Copies files named to a standard output; edits according to a script of commands
sh - Invokes the Korn shell
tar - Used to create tape archives or add/extract files from archives
vi - Invokes vi text editor
· The nfsadmin command-line utility is used for configuration and administration of the Client for NFS. Its options are:
Option - Description
fileaccess - UNIX file permissions for reading, writing, and executing
mapsvr - Computer name of the mapping server
mtype - Mount type, HARD or SOFT
perf - Method for determining performance parameters (MANUAL or DEFAULT)
preferTCP - Indicates whether to use TCP (YES or NO)
retry - Number of retries for a soft mount - default value is 5
rsize - Size of read buffer in KB
timeout - Timeout in seconds for an RPC call
wsize - Size of write buffer in KB
Server for NFS:
· Allows NFS clients
(think UNIX/Linux here)
to access files on a Windows
2000 Professional or Server
computer.
· Integrates with
Server for PCNFS or Server
for NIS to provide user
authentication
· Managed using the
UNIX Admin Snap-in (sfumgmt.msc)
Gateway for NFS:
· Allows non-NFS Windows clients to access NFS resources by connecting through an NFS-enabled Windows Server to NFS resources.
· Acts as a gateway/translator
between the NFS protocol
used by UNIX/Linux and the
CIFS protocol used by Windows
2000.
· Not available on
W2K Professional - Server
only.
Server for PCNFS:
· Can be installed
on either W2K Professional
or Server
· Provides authentication
services for NFS clients
(UNIX) needing to access
NFS files. Works with the
mapping server.
Server for NIS:
· Must be installed
on a Windows 2000 Server
that is configured as a
Domain Controller.
· Allows server to
act as the NIS master for
a particular UNIX domain.
· Can authenticate
requests for NFS shares.
Troubleshooting: (KB# Q102908)
· Ipconfig and Ipconfig
/all - displays current
TCP/IP configuration
· Nbtstat - displays
statistics for connections
using NetBIOS over TCP/IP
· Netstat - displays
statistics and connections
for TCP/IP protocol
· Ping - tests connections
and verifies configurations
· Tracert - check
a route to a remote system
· Common TCP/IP problems
are caused by incorrect
subnet masks and gateways
· If an IP address works but a hostname won't, check DNS settings
NWLink (IPX/SPX) and NetWare
Interoperability:
· NWLink (MS's version
of the IPX/SPX protocol)
is the protocol used by
NT to allow Netware systems
to access its resources.
(KB# Q203051)
· NWLink is all that
you need to run in order
to allow an NT system to
run client/server applications
from a NetWare server.
· To allow file and
print sharing between NT
and a NetWare server, CSNW
(Client Services for NetWare)
must be installed on the
NT system. In a Netware
5 environment, the Microsoft
client does not support
connection to a Netware
Server over TCP/IP. You
will have to use IPX/SPX
or install the Novell NetWare
client. (KB# Q235225)
· W2K Setup upgrades
all Intel x86 based computers
running version 4.7 or earlier
of a Novell client to version
4.51.
· Gateway Services
for NetWare can be implemented
on your NT Server to provide
a MS client system to access
your NetWare server by using
the NT Server as a gateway.
(KB# Q121394)
· Frame types for the NWLink protocol must match the computer that the NT system is trying to connect with. Mismatched frame types will cause connectivity problems between the two systems.
· When NWLink is
set to autodetect the frame
type, it will only detect
one type and will go in
this order: 802.2, 802.3,
ETHERNET_II and 802.5 (Token
Ring).
· NetWare 3 servers use Bindery Emulation (Preferred Server in CSNW). NetWare 4.x and higher servers use NDS (Default Tree and Context).
· There are two ways
to change a password on
a Netware server - SETPASS.EXE
and the Change Password
option (from the CTRL-ALT-DEL
dialog box). The Change
Password option is only
available to Netware 4.x
and higher servers using
NDS.
Other protocols:
· DLC is a special-purpose,
non-routable protocol used
by Windows 2000 to talk
with IBM mainframes, AS400s
and Hewlett Packard printers.
· Appletalk must
be installed to allow Windows
2000 Professional to communicate
with Apple printers. Do
not confuse this with File
and Print Services for Macintosh
which allow Apple Clients
to use resources on a Microsoft
Network (only available
on Server).
· NetBEUI is used solely by Microsoft operating systems and is non-routable (it is broadcast-based)
Remote Access Services (RAS):
Authentication protocols:
· EAP - Extensible Authentication Protocol. A set of APIs in Windows for developing new security protocols as needed to accommodate new technologies. MD5-CHAP and EAP-TLS are two examples of EAP
· EAP-TLS - Transport
Level Security. Primarily
used for digital certificates
and smart cards
· MD5-CHAP - Message
Digest 5 Challenge Handshake
Authentication Protocol.
Encrypts usernames and passwords
with an MD5 algorithm
· RADIUS - Remote Authentication Dial-in User Service. Specification for vendor-independent remote user authentication. Windows 2000 Professional can act as a RADIUS client only.
· MS-CHAP (v1 and
2) - Microsoft Challenge
Handshake Authentication
Protocol. Encrypts entire
session, not just username
and password. v2 is supported
in Windows 2000 and NT4
and Win 95/98 (with DUN
1.3 upgrade) for VPN connections.
MS-CHAP cannot be used with
non-Microsoft clients
· SPAP - Shiva Password
Authentication Protocol.
Used by Shiva LAN Rover
clients. Encrypts password,
but not data
· CHAP - Challenge
Handshake Authentication
Protocol - encrypts user
names and passwords, but
not session data. Works
with non-Microsoft clients
· PAP - Password
Authentication Protocol.
Sends username and password
in clear text
Virtual Private Networks
(VPNs):
· PPTP - Point to
Point Tunneling Protocol.
Creates an encrypted tunnel
through an untrusted network.
· L2TP - Layer Two
Tunneling Protocol. Works
like PPTP as it creates
a tunnel, but it does not
provide data encryption.
Security is provided by
using an encryption technology
like IPSec
Feature                                         PPTP  L2TP
Header compression                              No    Yes
Tunnel authentication                           No    Yes
Built-in encryption                             Yes   No
Transmits over IP-based internetwork            Yes   Yes
Transmits over UDP, Frame Relay, X.25 or ATM    No    Yes
Multilink Support: (KB#
Q235610)
· Multilinking allows
you to combine two or more
modems or ISDN adapters
into one logical link with
increased bandwidth. (KB#
Q233171)
· BAP (Bandwidth
Allocation Protocol) and
BACP (Bandwidth Allocation
Control Protocol) enhance
multilinking by dynamically
adding or dropping links
on demand. Settings are
configured through RAS policies.
(KB# Q244071)
· Enabled from the
PPP tab of a RAS server's
Properties dialog box. (KB#
Q233151)
Setting Callback Security:
· Using callback
allows you to have the bill
charged to your phone number
instead of the number of
the user calling in. Also
used to increase security
· For roving users
like a sales force, choose
"Allow Caller to Set
The Callback Number"
(less secure)
Dial-up networking:
· Microsoft technical
documentation generally
refers to dial-up networking
when describing outbound
connections. Inbound connections
are usually associated with
Remote Access Services (RAS).
· All new connections
are added using the "Make
New Connection" wizard.
· To create a VPN
connection, choose Dial-Up
To A Private Network Through
The Internet, specify whether
you need to establish a
connection with an ISP first,
enter the host name or IP
address of the computer/network
you are connecting to, and
select whether connection
is for yourself or all users.
· Dial-up networking
entries can be created for
modem connections, LAN connections,
direct cable connections
and Infrared connections.
· PPP is generally preferred because it supports multiple protocols, encryption, and dynamic assignment of IP addresses (KB# Q124036). SLIP is an older protocol that only supports TCP/IP and is used for dialing into legacy UNIX systems.
· All network connections,
inbound and outbound, are
represented by separate
icons under Dial-up networking
and properties, protocols,
addresses and services can
be individually configured
for each.
Using shared resources on
a Microsoft Network:
The Administrators and Power Users groups can create shared folders on a Windows 2000 Professional workstation.
Windows 2000 creates administrative shared folders for administrative reasons. These shares are appended with a dollar sign ($) which hides the share from users browsing the computer. The system folder (Admin$), the location of the printer drivers (Print$) and the root of each volume (C$, D$, etc.) are all hidden shared folders.
Shared folder permissions
apply only when the folder
is accessed via the network.
By default, the Everyone
group is assigned Full Control
for all new shared folders.
Share level permissions
can be applied to FAT, FAT32
and NTFS file systems.
Security levels for network access to shared folders:
Full Control:
· Is assigned to the Everyone group by default.
· Allows user to take ownership of files and folders.
· Users can change file access rights.
· Grants user all permissions assigned by the Change and Read levels.
Change:
· User can add and create files.
· Grants ability to modify files.
· User can change the attributes of the file.
· User can delete files.
· Grants user all permissions assigned by the Read level.
Read:
· User can display and open files.
· User can display the attributes of the file.
· User can execute program files.
The "No Access"
permission has not been
carried over from Windows
NT. You can, however, choose
to allow or deny shared
folder permissions. If you
want to deny complete access
to a shared folder for a
particular user you would
grant the user the deny
Full Control permission.
Microsoft recommends using
the Deny functionality sparingly.
When a resource has both File-Level (NTFS) and Share-Level securities enabled, you first determine the highest (cumulative) permission at each of the two levels (assuming that there is no Deny) and then use the most restrictive of the two.
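As an added example (not part of the original study guide), the combination rule above as a small Python model: share permissions count only for network access, a matching Deny overrides every Allow, and the effective level is the lower of the cumulative share level and the cumulative NTFS level. The ACLs, group names and user names are constructed for illustration.

```python
"""Effective-access model for a Windows 2000 shared folder (illustrative helper,
not Microsoft code). Sample ACLs and account names below are constructed."""
from enum import IntEnum


class Level(IntEnum):
    """The three share-level security levels, least to most permissive."""
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3


# Access control entry: (principal, level, allow). allow=False is a Deny entry.
ACE = tuple[str, Level, bool]


def cumulative(acl: list[ACE], principals: set[str]) -> Level:
    """Highest Allow level granted to any of the user's principals (the user
    name plus group names). A matching Deny entry wins and yields NONE, which
    is how the guide describes denying a user complete access to a share."""
    if any(p in principals and not allow for p, _lvl, allow in acl):
        return Level.NONE
    granted = [lvl for p, lvl, allow in acl if p in principals and allow]
    return max(granted, default=Level.NONE)


def effective(share_acl: list[ACE], ntfs_acl: list[ACE],
              principals: set[str], via_network: bool = True) -> Level:
    """Most restrictive of the cumulative share and NTFS levels."""
    ntfs = cumulative(ntfs_acl, principals)
    if not via_network:
        return ntfs  # share permissions never apply to local (console) access
    return min(cumulative(share_acl, principals), ntfs)


# Constructed sample: a new share keeps the default Everyone / Full Control,
# while NTFS on the folder gives Users read and the Sales group change.
SHARE_ACL: list[ACE] = [("Everyone", Level.FULL, True)]
NTFS_ACL: list[ACE] = [("Users", Level.READ, True), ("Sales", Level.CHANGE, True)]
# Same share after an administrator adds Deny Full Control for the Temps group.
SHARE_ACL_WITH_DENY: list[ACE] = SHARE_ACL + [("Temps", Level.FULL, False)]

SALES_USER = {"jdoe", "Everyone", "Users", "Sales"}
TEMP_USER = {"tsmith", "Everyone", "Users", "Temps"}


def sales_user_over_network() -> Level:
    return effective(SHARE_ACL, NTFS_ACL, SALES_USER)          # CHANGE


def temp_user_over_network() -> Level:
    return effective(SHARE_ACL_WITH_DENY, NTFS_ACL, TEMP_USER)  # NONE (Deny wins)


def temp_user_at_console() -> Level:
    # Logged on locally the share ACL is ignored, so only the NTFS level applies.
    return effective(SHARE_ACL_WITH_DENY, NTFS_ACL, TEMP_USER, via_network=False)  # READ


if __name__ == "__main__":
    print("Sales user via network:", sales_user_over_network().name)
    print("Temp user via network :", temp_user_over_network().name)
    print("Temp user at console  :", temp_user_at_console().name)
```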
Windows 2000 Professional
is limited to 10 concurrent
connections for file and
print services.
Implementing, Monitoring,
and Troubleshooting Security:
Active Directory Overview:
Active Directory (AD) services provide a single point of network management, allowing you to add, remove, and relocate resources easily. It offers significant enhancements over the limitations of the older Windows NT domain based security model. Its features are:
· Simplified Administration
- AD provides a single point
of logon for *all* network
resources - an administrator
can logon to one computer
and administer objects on
any computer in the network.
· Scalability - NT
4 domains had a practical
limitation of about 40,000
objects. AD scales to millions
of objects, if needed.
· Open standards support - uses DNS as its domain naming and location service so Windows 2000 domain names are also DNS domain names. Support for LDAP v2 and v3 makes AD interoperable with other directory services that support the same, such as Novell's NDS. HTTP support means that AD can be searched using a Web browser. Kerberos 5 support provides interoperability with other products that use the same authentication mechanism.
Active Directory Structure:
· Object - distinct
named set of attributes
that represents a network
resource such as a computer
or a user account.
· Classes - logical
groupings of objects such
as user accounts, computers,
domains or organizational
units.
· Organizational
Unit (OU) - container used
to organize objects inside
a domain into logical administrative
groups such as computers,
printers, user accounts,
file shares, applications
and even other OUs.
· Domain - all network objects exist within a domain with each domain storing information only about the objects it contains. A domain is a security boundary - access to objects is controlled by Access Control Lists (ACLs). ACLs contain the permissions associated with objects that control which users or types of users can access them. In Windows 2000, all security policies and settings (like Administrative rights) do not cross from one domain to another. The domain admin only has the right to set policies within his/her domain.
· Tree - a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace (e.g. cramsession.brainbuzz.com, sales.brainbuzz.com, and jobs.brainbuzz.com). All domains inside a single tree share a common schema (formal definition of all object types that can be stored in an AD deployment) and share a common Global Catalog.
· Forest - a grouping
or hierarchical arrangement
of one or more domain trees
that form a disjointed namespace
(e.g. cramsession.com and
brainbuzz.com). All trees
in the forest share a common
schema and Global Catalog,
but have different naming
structures. Domains in a
forest operate independently
of each other, but the forest
enables communication across
the domains.
· Sites - combination
of one or more IP subnets
connected by high-speed
links. Not part of the AD
namespace, and contains
only computer objects and
connection objects used
to configure replication
between sites.
Site Replication:
· Active Directory
information is replicated
between Domain Controllers
(DCs) and ensures that changes
to a domain controller are
reflected in all DCs within
a domain. A DC is a computer
running Windows 2000 server
which contains a replica
of the domain directory
(member servers do not).
· DCs store a copy
of all AD information for
their domain, manage changes
to it and copy those changes
to other DCs in the same
domain. DCs in a domain
automatically copy all objects
in the domain to each other.
When you change information
in AD, you are making the
change on one of the DCs.
· Administrators
can specify how often replication
occurs, at what times, and
how much data can be sent.
· DCs immediately
replicate important changes
to AD like a user account
being disabled.
· AD uses multimaster
replication meaning that
no one DC is the master
domain controller - all
DCs within a domain are
peers (however there are
still some roles called
Operations Master roles
that can only be held by
one DC at a time).
· Having more than one DC in a domain provides fault-tolerance. If a DC goes down, another is able to continue authenticating logins and providing required services using its copy of AD.
· Replication automatically generates a ring topology for replication in the same domain and site. The ring ensures that if one DC goes down, it still has an available path to replicate its information to other DCs.
Active Directory Concepts:
Schema - contains a formal definition of contents and structure of AD such as attributes, classes and class properties. For an object class, the schema defines what attributes an instance of a class must have, additional attributes that are allowed and which object class can be its parent. Installing AD on the first computer in a network creates the domain and default schema which contains commonly used objects. Extensions can be made to the schema whenever needed. By default, write access to the schema is limited to members of the Administrators group. (KB# Q229691)
Global Catalog - central repository of info about objects in a tree or forest. AD automatically creates a global catalog from the domains that make up AD through the replication process. Attributes stored in the global catalog are usually those most often used in Search operations (like user names, logon names, etc.) and are used to locate a full replica of the object. Because of this, the global catalog can be used to find objects anywhere in the network without replication of all information between DCs.
Active Directory Naming
Conventions:
· Distinguished Name
(DN) - every object in AD
has one. Uniquely identifies
object and contains sufficient
info for an AD client to
retrieve it from the Directory.
Includes the name of the
domain that holds the object
and also the complete path
through the container hierarchy
to it. DNs must be unique
- AD will not allow duplicates.
· Relative Distinguished Name (RDN) - if the DN is unknown, you can still query an object by its attributes. The RDN is a part of the name that is an attribute of the object itself (e.g. a user's first name and location).
· Globally Unique
Identifier (GUID) - unique
128-bit number assigned
to objects when they are
created. The GUID never
changes so even if the object
is renamed or moved, the
GUID can be used to locate
it.
· User Principal
Name (UPN) - "friendly
name" given to a user
account (e.g. johndoe@brainbuzz.com).
Local user accounts: (KB#
Q217050)
· Resides only on the computer where the account was created in its local security database. If the computer is part of a peer-to-peer workgroup, accounts for that user will have to be created on each additional machine that they wish to log onto locally. Local accounts cannot access Windows 2000 domain resources and should not be created on computers that are part of a domain.
· Domain user accounts reside in AD on domain controllers and can access all resources on a network that they have been accorded privileges for.
· Built in user accounts
are Administrator (used
for managing the local system)
and Guest (for occasional
users - disabled by default)
· Usernames cannot be longer than 20 characters and cannot contain the following illegal characters: " / \ [ ] : ; | = , + * ? < >
· User logon names
are not case sensitive.
You can use alphanumeric
combinations to increase
security, if desired.
· Passwords can be
up to 128 characters in
Active Directory (we're
not kidding!!) but only
14 characters for a local
user account. In either
case, Microsoft recommends
limiting the length to about
eight characters. Read Microsoft's
advice on creating strong
passwords.
· User accounts are
added and configured through
the Computer Management
snap-in.
· MS recommends that
users be encouraged to store
their data in their My Documents
folder which is automatically
created within their profile
folder and is the default
location that Microsoft
applications use for storing
data. This folder should
not be used with roaming
profiles unless it has been
redirected to a network
file share.
· Creating and duplicating
accounts requires only two
pieces of information: username
and password. Disabling
an account is typically
used when someone else will
take the user's place or
when the user might return.
· Delete an account
only when absolutely necessary
for space or organization
purposes.
· When copying a
user account, the new user
will stay in the same groups
that the old user was a
member of. The user will
keep all group rights that
were granted through groups,
but lose all individual
rights that were granted
specifically for that user.
Local user authentication:
Built-in local groups:
Local Group - Description
Administrators - Can perform all administrative tasks on the local system. The built-in Administrator account is made a member of this group by default.
Backup Operators - Can use Windows Backup to back up and restore data on the computer
Guests - Used for gaining temporary access to resources for which the Administrator has assigned permissions. Members can't make permanent changes to their desktop environment. When a computer or member server running Client for MS Networks joins a domain, Windows 2000 adds Domain Guests to the local Guests group.
Power Users - Can create and modify local user accounts on the compute