Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2004 by William Stanek
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to nsideout@microsoft.com.
Microsoft, Microsoft Press, Active Directory, ActiveX, DirectX, Hotmail, JScript, MS-DOS, MSN, Outlook, PowerPoint, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Martin DelRe
Preparing for the Installation and Getting Started 71
Part 4
Managing Windows Server 2003 Systems
Chapter 10 Configuring Windows Server 2003 285
Chapter 11 Windows Server 2003 MMC Administration 305
Chapter 12 Managing Windows Server 2003 341
Chapter 13 Managing and Troubleshooting Hardware 377
Chapter 14 Managing the Registry 409
Chapter 15 Performance Monitoring and Tuning 449
Chapter 16 Comprehensive Performance Analysis and Logging 485
Part 5
Managing Windows Server 2003 Storage and File Systems
Chapter 17 Planning for High Availability 523
Part 7
Managing Active Directory and Security
Chapter 32 Active Directory Architecture 1085
Chapter 33 Designing and Managing the Domain Environment 1105
Chapter 34 Organizing Active Directory 1149
Chapter 35 Configuring Active Directory Sites and Replication 1167
Chapter 36 Implementing Active Directory 1197
Chapter 37 Managing Users, Groups, and Computers 1227
Chapter 38 Managing Group Policy 1281
Chapter 39 Active Directory Site Administration 1327
Part 8
Windows Server 2003 Disaster Planning and Recovery
Chapter 40 Disaster Planning 1349
Chapter 41 Backup and Recovery 1365
Table of Contents
Acknowledgments xxxi
We’d Like to Hear from You xxxiii
About the CD xxxv
Conventions and Features Used in This Book xxxvii
Part 1
Windows Server 2003 Overview and Planning
Chapter 1 Introducing Windows Server 2003 3
What’s New in Windows Server 2003 4
Windows Server 2003, Standard Edition 6
Windows Server 2003, Enterprise Edition 6
Windows Server 2003, Datacenter Edition 7
Windows Server 2003, Web Edition 7
64-Bit Computing 8
.NET Technologies 9
.NET Framework Technologies 10
.NET Framework Layers 10
Windows XP and Windows Server 2003 11
Windows XP Editions 11
Windows XP and Active Directory 11
Installing Windows Server 2003 Administration Tools on Windows XP 12
Increased Support for Standards 12
IPv6 Support 12
IETF Security Standards Support 13
XML Web Services Support 13
Interface and Tool Improvements 13
Simple and Classic Start Menus 13
Improvements for Active Directory Tools 14
Other Tool Improvements 15
Active Directory Improvements 15
Domains Can Be Renamed 16
Active Directory Can Replicate Selectively 16
Active Directory–Integrated DNS Zones Can Forward Conditionally 17
Active Directory Schema Objects Can Be Deleted 18
Active Directory and Global Catalog Are Optimized 18
Active Directory Can Compress and Route Selectively 19
Forest-to-Forest Trusts 20
Active Directory Migration Made Easier 21
Group Policy Improvements 21
Group Policy Management Console 21
Software Restriction Policies in Group Policy 22
Policy Changes for User Profiles 22
Management and Administration Extras 22
Remote Administration Gets a Face-Lift 23
Enhanced File Management by Using DFS 23
Improved Storage and File System Options 24
Changes for Terminal Services 25
Printer Queue Redundancy 26
Remote Installation Services 26
Headless Servers and Out-of-Band Management 26
Security Advances 27
Windows Server 2003 Feature Lock Down 27
IPSec and Wireless Security 28
Microsoft .NET Passport Support 29
Reliability and Maintenance Enhancements 29
Automatic System Recovery 29
Automatic Updates 29
Improved Verification and System Protection 30
Chapter 2 Planning for Windows Server 2003 31
Overview of Planning 31
The Microsoft Solutions Framework Process Model 32
Your Plan: The Big Picture 32
Identifying Your Organizational Teams 34
Microsoft Solutions Framework Team Model 34
Your Project Team 35
Assessing Project Goals 36
The Business Perspective 37
Identifying IT Goals 37
Examining IT–Business Interaction 38
Predicting Network Change 39
Analyzing the Existing Network 39
Evaluating the Network Infrastructure 40
Assessing Systems 41
Identify Network Services and Applications 42
Identifying Security Infrastructure 43
Reviewing Network Administration 44
Defining Objectives and Scope 46
Specifying Organizational Objectives 47
Setting the Schedule 48
Allowing for Contingencies 49
Finalizing Project Scope 50
Defining the New Network Environment 51
Defining Domain and Security Architecture 51
Changing the Administrative Approach 53
Thinking about Active Directory 55
Planning for Server Usage 59
Determining Which Windows Edition to Use 62
Selecting a Software Licensing Program 64
Retail Product Licenses 65
Volume-Licensing Programs 65
Final Considerations for Planning and Deployment 67
Part 2
Windows Server 2003 Installation
Chapter 3 Preparing for the Installation and Getting Started 71
Getting a Quick Start 72
New Features and Enhancements 72
Setup Methods 73
Setup Programs 74
Tools for Automating Setup 81
Product Licensing 82
Preparing for Windows Server 2003 Installation 83
System Hardware Requirements 83
How a Clean Installation and an Upgrade Differ 84
Supported Upgrade Paths 85
Using Dynamic Update 86
Selecting a Distribution Method 88
Getting Ready for Automated Installations 89
Preinstallation Tasks 90
Chapter 4 Managing Interactive Installations 93
Windows Installation Considerations 93
Installation on x86-Based Systems 93
Installation on 64-Bit Systems 94
Checking System Compatibility 96
Planning Partitions 96
Naming Computers 97
Network and Domain Membership Options 98
Performing an Interactive Installation 100
Installation Sequence 101
Activation Sequence 104
Troubleshooting Installation 106
Start with the Potential Points of Failure 106
Continue Past Lockups and Freezes 108
Configuring Server Roles 112
Installing Additional Components Manually 113
Postinstallation 114
Chapter 5 Managing Unattended Installations 117
Automating Setup 118
Determining the Method of Automation 118
Establishing the Distribution Folders 120
Types of Answer Files 122
Managing Unattended Installations 137
Customizing the Distribution Folder 137
Using CD Media for Automated Installations 146
Using an Answer File 147
Starting the Unattended Installation 148
Chapter 6 Using Remote Installation Services 153
Introduction to RIS 153
Services and Protocols Used by RIS 154
Limitations of RIS 155
Operating Systems Installable by Using RIS 156
Designing the RIS Environment 156
Building a RIS Server: What’s Involved 158
Installing RIS 158
RIS Server Requirements 158
Performing the Install 159
Configuring the RIS Server 160
Controlling Access to RIS Servers 170
Configuring RIS Clients 175
Customizing Installation Options 176
Creating a RIBF Disk 177
Prestaging Clients in Active Directory 178
Preparing RIS-Based Installations 181
Using RIS Images 181
Restricting Access to RIS Images 182
OS Images Created by Using RISetup 182
Installed (File-System-Based) Image by RIPrep 184
Adding “Flat” or “CD-ROM” Images to RIS 190
RIS Answer Files 194
Using RIS for Automated Installations 199
Installing Windows Using RIS 199
More RIS Customization Tips 202
Working with Sysprep 204
Understanding Sysprep 204
Using Sysprep to Clone a Computer 205
Copying the Administrator Profile 206
Running Sysprep 209
Part 3
Windows Server 2003 Upgrades and Migrations
Chapter 7 Preparing for Upgrades and Migration 213
Deciding Between Upgrading and Migrating 215
Verifying Hardware and Software Compatibility 216
Additional Research 217
Preparing for an Upgrade from Windows 2000 to Windows Server 2003 217
Upgrading Windows 2000 Forests and Domains 217
Upgrading Domain Controllers 218
Applications on Upgraded Servers 219
Selecting Upgrade or Migration Path 219
Upgrading vs. Migrating 220
Review System Requirements and Compatibility 221
Check Drive Partitioning 221
Choosing Domain and Forest Functional Levels 222
Identify DNS Namespace and Storage 223
Identify Server Roles 224
Preparing for an Upgrade from Windows NT 4 to Windows Server 2003 225
Namespace in Windows NT vs. Active Directory 225
Moving from Windows NT Domains to Active Directory 225
Restructuring Domains 226
Upgrading Windows NT 4 Servers 227
Chapter 8 Upgrading to Windows Server 2003 229
General Considerations for Upgrades 229
Upgrade Issues 230
Verify an Upgrade Recovery Plan 231
Upgrading from Windows 2000 232
General Upgrade Preparation Tools 233
Active Directory Preparation Tool 235
Updating the Active Directory Forest and Domains 236
Upgrading the Windows 2000 Domain Controllers 241
Upgrading Windows 2000 Users and Groups 244
Windows 2000 Member Server Upgrades 244
Upgrading from Windows NT 4 245
Determine Server Hardware Compatibility 245
Upgrading Different Versions of Windows NT 4 246
Managing Disk Partitions 247
Upgrading Domain Controllers 247
Converting Windows NT 4 Groups to Windows Server 2003 Groups 249
Performing the Upgrade from Windows NT 4 249
Chapter 9 Migrating to Windows Server 2003 251
Selecting the Migration Tools 251
ADMT 252
Other Microsoft Migration Tools 252
Third-Party Migration Tools 254
General Considerations for Migrations 254
Determining the Approach to Migration 255
Preparing for Migration 256
Migrating Security Principals 257
Performing the Migration: An Overview 258
Migrating Group Accounts 259
Migrating Local Groups 259
Migrating Global Groups 260
Migrating User Accounts 268
Running the User Account Migration Wizard 268
Migrating Passwords 271
Migrating the Computers 273
Running the Computer Migration Wizard 273
Merging Groups during Migration 275
Migrating Domain Trusts 277
Migrating a Trust 278
Migrating Service Accounts 279
Security Translation 280
Generating Migration Reports 282
Part 4
Managing Windows Server 2003 Systems
Chapter 10
Customizing the Desktop and the Taskbar 293
Configuring Desktop Items 294
Configuring the Taskbar 296
Optimizing Toolbars 301
Customizing the Quick Launch Toolbar 301
Displaying Other Custom Toolbars 302
Creating Personal Toolbars 303
Chapter 11 Windows Server 2003 MMC Administration 305
Introducing the MMC 305
Using the MMC 306
MMC Snap-Ins 306
MMC Modes 308
MMC Windows and Startup 310
MMC Tool Availability 313
MMC and Remote Computers 314
Building Custom MMCs 316
Step 1: Creating the Console 317
Step 2: Adding Snap-Ins to the Console 318
Step 3: Saving the Finished Console 323
Designing Custom Taskpads for the MMC 327
Getting Started with Taskpads 327
Understanding Taskpad View Styles 328
Creating and Managing Taskpads 330
Creating and Managing Tasks 333
Publishing and Distributing Your Custom Tools 339
Chapter 12 Managing Windows Server 2003 341
Using the Administration Tools 341
Understanding the Administration Tools 341
Using Configure Your Server 344
Using Manage Your Server 346
Using Computer Management 347
Using the Control Panel Utilities 350
Using the Add Hardware Utility 351
Using the Add or Remove Programs Utility 352
Using the Date and Time Utility 352
Using the Display Utility 353
Using the Folder Options Utility 355
Using the Licensing Utility 355
Using the Network Connections Utility 356
Using the Regional and Language Options Utility 357
Using the Scheduled Tasks Utility 357
Using the System Utility 364
Using Support Tools 366
Using Resource Kit Tools 368
Using the Secondary Logon 369
Running Programs Using the Secondary Logon 370
Using the Secondary Logon at the Command Prompt 371
Running a Temporary Administrator’s Desktop 372
Creating Run As Shortcuts for Secondary Logons 373
Chapter 13 Managing and Troubleshooting Hardware 377
Working with Device Drivers 377
Using Windows Device Drivers 378
Using Signed Device Drivers 379
Understanding and Changing Driver Installation Settings 379
Setting Up New Hardware Devices 381
Managing Plug and Play Detection and Installation 381
Installing Non–Plug and Play Devices 385
Obtaining Hardware Device Information 388
Viewing Device and Driver Details 388
Viewing Advanced, Resources, and Other Settings 392
Managing Installed Drivers 394
Updating a Device Driver 395
Rolling Back a Driver 396
Uninstalling and Reinstalling a Device Driver 397
Managing Devices through Hardware Profiles 398
Troubleshooting Hardware Devices and Drivers 400
Resolving Common Device Errors 401
Resolving Resource Conflicts 404
Chapter 14 Managing the Registry 409
Introducing the Registry 410
Understanding the Registry Structure 411
Registry Root Keys 414
HKEY_LOCAL_MACHINE 416
HKEY_USERS 421
HKEY_CLASSES_ROOT 422
HKEY_CURRENT_CONFIG 422
HKEY_CURRENT_USER 422
Registry Data: How It Is Stored and Used 423
Where Registry Data Comes From 423
Managing the Registry 425
Searching the Registry 426
Modifying the Registry 427
Modifying the Registry of a Remote Machine 429
Importing and Exporting Registry Data 430
Loading and Unloading Hive Files 432
Working with the Registry from the Command Line 433
Backing Up and Restoring the Registry 434
Choosing a Backup Method for the Registry 434
Creating Registry Backups 435
Recovering a System Using the ASR Backup 437
Maintaining the Registry 437
Using the Windows Installer CleanUp Utility 438
Using the Windows Installer Zapper 439
Securing the Registry 441
Preventing Access to the Registry Utilities 441
Applying Permissions to Registry Keys 443
Controlling Remote Registry Access 445
Auditing Registry Access 447
Chapter 15 Performance Monitoring and Tuning 449
Tuning Performance, Memory Usage, and Data Throughput 449
Tuning Windows Operating System Performance 449
Tuning Processor Scheduling and Memory Usage 450
Tuning Data Throughput 452
Tuning Virtual Memory 454
Tracking a System’s General Health 456
Task Manager and Process Resource Monitor Essentials 456
Getting Processor and Memory Usage for Troubleshooting 458
Getting Information on Running Applications 461
Monitoring and Troubleshooting Processes 462
Getting Network Usage Information 466
Getting Information on User and Remote User Sessions 468
Tracking Events and Troubleshooting by Using Event Viewer 470
Understanding the Event Logs 470
Accessing the Event Logs and Viewing Events 472
Viewing Event Logs on Remote Systems 475
Sorting, Finding, and Filtering Events 475
Archiving Event Logs 478
Tracking Events on Multiple Computers 479
Quick Look: Using Eventquery 479
Quick Look: Using EventComb 481
Chapter 16
Establishing Performance Baselines 486
Comprehensive System Monitoring 486
Using System Monitor 487
Selecting Performance Objects and Counters to Monitor 489
Choosing Views and Controlling the Display 490
Monitoring Performance Remotely 494
Resolving Performance Bottlenecks 495
Resolving Memory Bottlenecks 495
Resolving Processor Bottlenecks 498
Resolving Disk I/O Bottlenecks 500
Resolving Network Bottlenecks 501
Performance Logging 503
Creating Performance Logs 503
Using Counter Logs 504
Monitoring Performance from the Command Line 508
Using Trace Logs 510
Analyzing Performance Logs 514
Analyzing Counter Logs 515
Analyzing Trace Logs 516
Creating Performance Alerts 517
Part 5
Managing Windows Server 2003 Storage and File Systems
Chapter 17 Planning for High Availability 523
Planning for Software Needs 523
Planning for Hardware Needs 525
Planning for Support Structures and Facilities 527
Planning for Day-to-Day Operations 529
Planning for Deploying Highly Available Servers 534
Chapter 18 Preparing and Deploying Server Clusters 537
Introducing Server Clustering 538
Benefits and Limitations of Clustering 538
Cluster Organization 539
Cluster Operating Modes 541
Multisite Options for Clusters 543
Using Network Load Balancing 545
Using Network Load Balancing Clusters 546
Network Load Balancing Configuration 547
Network Load Balancing Client Affinity and Port Configurations 549
Planning Network Load Balancing Clusters 550
Managing Network Load Balancing Clusters 551
Creating a New Network Load Balancing Cluster 551
Adding Nodes to a Network Load Balancing Cluster 555
Removing Nodes from a Network Load Balancing Cluster 557
Configuring Event Logging for Network Load Balancing Clusters 557
Controlling Cluster and Host Traffic 557
Component Load Balancing Architecture 558
Using Component Load Balancing Clusters 558
Understanding Application Center 559
Planning Component Load Balancing Clusters 560
Using Server Cluster 561
Server Cluster Configurations 561
Server Cluster Resource Groups 564
Optimizing Hardware for Server Clusters 565
Optimizing Networking for Server Clusters 567
Running Server Clusters 568
The Cluster Service and Cluster Objects 568
The Cluster Heartbeat 569
The Cluster Database 570
The Cluster Quorum Resource 570
The Cluster Interface and Network States 571
Creating Server Clusters 572
Creating a Server Cluster 574
Add a Node to a Cluster 576
Managing Server Clusters and Their Resources 577
Creating Clustered Resources 577
Cluster Resource Types 577
Planning Resource Groups 579
Controlling the Cluster Service 580
Controlling Failover and Failback 582
Creating and Managing Resource Groups 582
Creating and Managing Resources 583
Scenario: Creating a Clustered Print Service 584
Scenario: Creating a Clustered File Share 585
Chapter 19
Essential Storage Technologies 587
Using Internal and External Storage Devices 588
Improving Storage Management 589
Booting from SANs and Using SANs with Clusters 591
Meeting Performance, Capacity, and Availability Requirements 592
Configuring Storage 593
Using the Disk Management Tools 594
Adding New Disks 598
Using the MBR and GPT Partition Styles 599
Using the Basic and Dynamic Storage Types 602
Converting FAT or FAT32 to NTFS 606
Managing MBR Disk Partitions on Basic Disks 608
Creating a Primary or Extended Partition 608
Creating a Logical Drive in an Extended Partition 613
Formatting a Partition, Logical Drive, or Volume 614
Configuring Drive Letters 616
Configuring Mount Points 617
Extending Partitions on Basic Disks 619
Deleting a Partition, Logical Drive, or Volume 620
Managing GPT Disk Partitions on Basic Disks 621
ESP 621
MSR Partitions 622
Primary Partitions 623
LDM Metadata and LDM Data Partitions 624
OEM or Unknown Partitions 624
Managing Volumes on Dynamic Disks 624
Creating a Simple or Spanned Volume 625
Extending a Simple or Spanned Volume 627
Recovering a Failed Simple or Spanned Disk 629
Moving Dynamic Disks 630
Configuring RAID 1: Disk Mirroring 631
Mirroring Boot and System Volumes 633
Configuring RAID 5: Disk Striping with Parity 638
Breaking or Removing a Mirrored Set 639
Resolving Problems with Mirrored Sets 640
Repairing a Mirrored System Volume to Enable Boot 641
Resolving Problems with RAID-5 Sets 642
Chapter 20
Understanding Disk and File System Structure 643
Using FAT 645
File Allocation Table Structure 645
FAT Features 646
Using NTFS 648
NTFS Structures 648
NTFS Features 652
Analyzing NTFS Structure 654
Advanced NTFS Features 656
Hard Links 657
Data Streams 658
Change Journals 659
Object Identifiers 661
Reparse Points 663
Remote Storage 664
Sparse Files 665
Using File-Based Compression 666
NTFS Compression 666
Compressed (Zipped) Folders 669
Managing Disk Quotas 670
How Quota Management Works 670
Configuring Disk Quotas 672
Customizing Quota Entries for Individual Users 674
Managing Disk Quotas After Configuration 677
Exporting and Importing Quota Entries 679
Maintaining File System Integrity 680
How File System Errors Occur 680
Fixing File System Errors by Using Check Disk 680
Analyzing FAT Volumes by Using ChkDsk 683
Analyzing NTFS Volumes by Using ChkDsk 684
Repairing Volumes and Marking Bad Sectors by Using ChkDsk 685
Defragmenting Disks 685
Fixing Fragmentation by Using Disk Defragmenter 686
Understanding the Fragmentation Analysis 688
Chapter 21 File Sharing and Security 691
File Sharing Essentials 691
Using and Finding Shares 691
Hiding and Controlling Share Access 694
Special and Administrative Shares 694
Accessing Shares for Administration 696
Creating and Publishing Shared Folders 697
Creating Shares by Using Windows Explorer 697
Creating Shares by Using Computer Management 699
Publishing Shares in Active Directory 703
Managing Share Permissions 703
Understanding Share Permissions 704
Configuring Share Permissions 705
Managing File and Folder Permissions 707
File and Folder Ownership 707
Permission Inheritance for Files and Folders 709
Configuring File and Folder Permissions 711
Determining Effective Permissions 717
Managing File Shares After Configuration 719
Tracking and Logging File Share Permissions by Using SrvCheck 719
Copying File Share Permissions 720
Sharing Files on the Web 721
Auditing File and Folder Access 723
Enabling Auditing for Files and Folders 724
Specifying Files and Folders to Audit 725
Monitoring the Security Logs 726
Chapter 22 Using Volume Shadow Copy 727
Shadow Copy Essentials 727
Using Shadow Copies of Shared Folders 728
How Shadow Copies Works 728
Implementing Shadow Copies for Shared Folders 730
Managing Shadow Copies in Computer Management 732
Configuring Shadow Copies in Computer Management 733
Maintaining Shadow Copies After Configuration 736
Configuring Shadow Copies at the Command Line 737
Enabling Shadow Copying from the Command Line 737
Create Manual Snapshots from the Command Line 738
Viewing Shadow Copy Information 738
Deleting Snapshot Images from the Command Line 740
Disabling Shadow Copies from the Command Line 741
Using Shadow Copies on Clients 741
Obtaining and Installing the Client 741
Accessing Shadow Copies on Clients 743
Restoring Shadow Copies from the Command Line 745
Searching for a File and Listing Available Versions 745
Locating and Restoring Previous Versions from the Command Line 747
Chapter 23
Introducing Removable Media 749
Understanding Media Libraries 750
Understanding Media Pools 750
Working with the Removable Storage Snap-In 751
Understanding Media State and Identification 752
Understanding Access Permissions for Removable Storage 754
Managing Media Libraries and Media 755
Inserting Media into a Library 755
Ejecting Media from a Library 757
Mounting and Dismounting Media in Libraries 758
Enabling and Disabling Media 758
Enabling and Disabling Drives 759
Cleaning Drives 759
Working with Library Doors and Ports 759
Configuring Library Inventory 760
Starting Library Inventory 760
Changing Library Media Types 761
Enabling and Disabling Libraries 761
Managing Media Pools 761
Preparing Media for Use in the Free Media Pool 761
Moving Media to a Different Media Pool 762
Creating Application Media Pools 762
Changing the Media Type in a Media Pool 762
Setting Allocation and Deallocation Policies 763
Deleting Application Media Pools 764
Managing Work Queues, Requests, and Security 764
Using the Work Queue 764
Troubleshooting Waiting Operations 765
Changing Mount Operations 766
Controlling When Operations Are Deleted 766
Using the Operator Requests Queue 767
Notifying Operators of Requests 768
Completing or Refusing Requests 769
Controlling When Requests Are Deleted 769
Setting Access Permissions for Removable Storage 769
Part 6
Managing Windows Server 2003 Networking and Print Services
Chapter 24
Understanding IP Addressing 773
Unicast IP Addresses 774
Multicast IP Addresses 776
Broadcast IP Addresses 777
Special IP Addressing Rules 778
Using Subnets and Subnet Masks 780
Subnet Masks 780
Network Prefix Notation 781
Subnetting 782
Getting and Using IP Addresses 788
Understanding Name Resolution 790
Domain Name System 790
Windows Internet Naming Service (WINS) 792
Configuring TCP/IP Networking 793
Preparing for Installation of TCP/IP Networking 793
Installing TCP/IP Networking 794
Configuring Static IP Addressing 795
Configuring Dynamic IP Addressing 797
Configuring Automatic Private IP Addressing 798
Configuring Advanced TCP/IP Settings 800
Chapter 25 Managing DHCP 807
DHCP Essentials 807
DHCP Security Considerations 809
Planning DHCP Implementations 810
DHCP Messages and Relay Agents 810
DHCP Availability and Fault Tolerance 812
Setting Up DHCP Servers 814
Installing the DHCP Server Service 816
Authorizing DHCP Servers in Active Directory 818
Creating and Configuring Scopes 819
Using Exclusions 826
Using Reservations 827
Activating Scopes 830
Configuring TCP/IP Options 831
Using User- and Vendor-Specific TCP/IP Options 833
Settings Options for All Clients 835
Settings Options for Routing and Remote Access Clients Only 836
Setting Add-On Options for Directly Connected Clients 837
Defining Classes to Get Different Option Sets 838
Advanced DHCP Configuration and Maintenance 840
Configuring DHCP Audit Logging 840
Binding the DHCP Server Service to a Network Interface 843
Integrating DHCP and DNS 843
Enabling Conflict Detection on DHCP Servers 844
Saving and Restoring the DHCP Configuration 845
Managing and Maintaining the DHCP Database 845
Setting Up DHCP Relay Agents 848
Configuring and Enabling Routing and Remote Access 848
Adding and Configuring the DHCP Relay Agent 849
Chapter 26 Architecting DNS Infrastructure 851
DNS Essentials 851
Planning DNS Implementations 852
Public and Private Namespaces 852
Name Resolution Using DNS 854
DNS Resource Records 856
DNS Zones and Zone Transfers 858
Secondary Zones, Stub Zones, and Conditional Forwarding 862
Security Considerations 864
DNS Queries and Security 864
DNS Dynamic Updates and Security 865
External DNS Name Resolution and Security 867
Architecting a DNS Design 869
Split-Brain Design: Same Internal and External Names 869
Separate-Name Design: Different Internal and External Names 870
Chapter 27 Implementing and Managing DNS 873
Installing the DNS Server Service 873
Using DNS with Active Directory 873
Using DNS Without Active Directory 877
DNS Setup 878
Configuring DNS Using the Wizard 881
Configuring a Small Network Using the Configure A DNS Server Wizard 881
Configuring a Large Network Using the Configure A DNS Server Wizard 885
Configuring DNS Zones, Subdomains, Forwarders, and Zone Transfers 890
Creating Forward Lookup Zones 890
Creating Reverse Lookup Zones 892
Configuring Forwarders and Conditional Forwarding 893
Configuring Subdomains and Delegating Authority 894
Configuring Zone Transfers 897
Configuring Secondary Notification 899
Adding Resource Records 900
Host Address (A) and Pointer (PTR) Records 901
Canonical Name (CNAME) Records 903
Mail Exchanger (MX) Records 904
Name Server (NS) Records 905
Start Of Authority (SOA) Records 906
Service Location (SRV) Records 907
Maintaining and Monitoring DNS 908
Configuring Default Application Directory Partitions and Replication Scope 909
Setting Aging and Scavenging 911
Configuring Logging and Checking DNS Server Logs 913
Troubleshooting DNS Client Service 913
Try Reregistering the Client 914
Check the Client’s TCP/IP Configuration 914
Check the Client’s Resolver Cache 915
Perform Lookups for Troubleshooting 916
Troubleshooting DNS Server Service 916
Check the Server’s TCP/IP Configuration 917
Check the Server’s Cache 917
Check Replication to Other Name Servers 917
Examine the Configuration of the DNS Server 918
Examine Zones and Zone Records 924
Chapter 28
WINS Essentials 927
NetBIOS Namespace and Scope 928
NetBIOS Node Types 928
WINS Name Registration and Cache 929
WINS Implementation Details and New Features 929
Setting Up WINS Servers 930
Installing WINS 930
WINS Postinstallation Tasks 931
Configuring Replication Partners 933
Configuring and Maintaining WINS 937
Configuring Burst Handling 937
Checking Server Status and Configuration 938
Checking Active Registrations and Scavenging Records 940
Maintaining the WINS Database 941
Enabling WINS Lookups Through DNS 944
Chapter 29
Understanding Windows Server 2003 Print Services 945
Print Services Changes for Windows Server 2003 949
Upgrading Windows NT 4 Print Servers to Windows Server 2003 951
Migrating Print Servers from One System to Another 952
Manually Migrating Print Servers 953
Automating Print Server Migration 953
Planning for Printer Deployments and Consolidation 957
Sizing Print Server Hardware and Optimizing Configuration 957
Sizing Printer Hardware and Optimizing Configuration 959
Setting Up Printers 961
Adding Local Printers 962
Adding Network-Attached Printers 967
Changing Standard TCP/IP Port Monitor Settings 974
Connecting Users to Shared Printers 975
Managing Printer Permissions 979
Understanding Printer Permissions 979
Configuring Printer Permissions 981
Assigning Printer Ownership 982
Auditing Printer Access 983
Managing Print Server Properties 984
Viewing and Creating Printer Forms 985
Viewing and Configuring Printer Ports 986
Viewing and Configuring Print Drivers 987
Configuring Print Spool, Logging, and Notification Settings 988
Managing Printer Properties 990
Setting General Properties, Printing Preferences and Document Defaults 990
Setting Overlays and Watermarks for Documents 992
Installing and Updating Print Drivers on Clients 993
Configuring Printer Sharing and Publishing 994
Optimizing Printing Through Queues and Pooling 995
Configuring Print Spooling 999
Viewing the Print Processor and Default Data Type 1000
Configuring Separator Pages 1001
Configuring Color Profiles 1005
Managing Print Jobs 1006
Pausing, Starting, and Canceling All Printing 1006
Viewing Print Jobs 1006
Managing Print Jobs 1007
Printer Maintenance and Troubleshooting 1008
Monitoring Print Server Performance 1008
Preparing for Print Server Failure 1011
Solving Printing Problems 1011
Chapter 30
Remote Desktop for Administration Essentials 1019
Configuring Remote Desktop for Administration 1021
Enabling Remote Desktop for Administration on Servers 1021
Permitting and Restricting Remote Logon 1022
Configuring Remote Desktop for Administration Through Group Policy 1023
Supporting Remote Desktop Connection Clients 1024
New Features for the Remote Desktop Connection Client 1024
Installing Remote Desktop Connection Clients 1025
Running the Remote Desktop Connection Client 1026
Running Remote Desktops 1030
Tracking Who’s Logged On 1033
Chapter 31
Using Terminal Services 1035
Terminal Services Clients 1036
Terminal Services Servers 1036
Terminal Services Licensing 1037
Designing the Terminal Services Infrastructure 1040
Capacity Planning for Terminal Services 1040
Planning Organizational Structure for Terminal Services 1044
Deploying Single-Server Environments 1044
Deploying Multi-Server Environments 1046
Setting Up Terminal Services 1048
Installing Terminal Services 1048
Installing Applications for Clients to Use 1050
Enabling and Joining the Session Directory Service 1055
Setting Up a Terminal Services License Server 1059
Using the Terminal Services Configuration Tool 1065
Configuring Global Connection Settings 1066
Configuring Server Settings 1067
Using the Terminal Services Manager 1073
Connecting to Terminal Servers 1074
Getting Terminal Services Information 1075
Managing User Sessions in Terminal Services Manager 1075
Managing Terminal Services from the Command Line 1076
Gathering Terminal Services Information 1076
Managing User Sessions from the Command Line 1078
Other Useful Terminal Services Commands 1079
Configuring Terminal Services Per-User Settings 1079
Getting Remote Control of a User’s Session 1079
Setting Up the Terminal Services Profile for Users 1080
Part 7
Managing Active Directory and Security
Chapter 32
Active Directory Physical Architecture
Active Directory Physical Architecture: A Top-Level View
Active Directory Within the Local Security Authority
Directory Service Architecture
Data Store Architecture
Active Directory Logical Architecture
Active Directory Objects
Active Directory Domains, Trees, and Forests
Active Directory Trusts
Active Directory Namespaces and Partitions
Active Directory Data Distribution

Chapter 33
Design Considerations for Active Directory Replication
Design Considerations for Active Directory Search and Global Catalogs
Searching the Tree
Accessing the Global Catalog
Designating Global Catalog Servers
Designating Replication Attributes
Design Considerations for Compatibility
Understanding Domain Functional Level
Understanding Forest Functional Level
Raising the Domain or Forest Functional Level
Design Considerations for Active Directory Authentication and Trusts
Universal Groups and Authentication
NTLM and Kerberos Authentication
Authentication and Trusts Across Domain Boundaries
Authentication and Trusts Across Forest Boundaries
Examining Domain and Forest Trusts
Establishing External, Shortcut, Realm, and Cross-Forest Trusts
Verifying and Troubleshooting Trusts
Delegating Authentication
Delegated Authentication Essentials
Configuring Delegated Authentication
Design Considerations for Active Directory Operations Masters
Operations Master Roles
Using, Locating, and Transferring the Schema Master Role
Using, Locating, and Transferring the Domain Naming Master Role
Using, Locating, and Transferring the Relative ID Master Role
Using, Locating, and Transferring the PDC Emulator Role
Using, Locating, and Transferring the Infrastructure Master Role

Chapter 34
Creating an Active Directory Implementation or Update Plan
Developing a Forest Plan
Forest Namespace
Single vs Multiple Forests
Forest Administration
Developing a Domain Plan
Domain Design Considerations
Single vs Multiple Domains
Forest Root Domain Design Configurations
Changing Domain Design
Developing an Organizational Unit Plan
Using Organizational Units (OUs)
Using OUs for Delegation
Using OUs for Group Policy
Creating an OU Design

Chapter 35
Configuring Active Directory Sites and Replication
Working with Active Directory Sites
Single Site vs Multiple Sites
Replication Within and Between Sites
Understanding Active Directory Replication
Replication Enhancements for Windows Server 2003
Replication Architecture: An Overview
Intrasite Replication Essentials
Intersite Replication Essentials
Replication Rings and Directory Partitions
Developing or Revising a Site Design
Mapping Network Infrastructure
Creating a Site Design

Chapter 36
Preinstallation Considerations for Active Directory
Hardware and Configuration Considerations for Domain Controllers
Configuring Active Directory for Fast Recovery with Storage Area Networks
Connecting Clients to Active Directory
Installing Active Directory
Active Directory Installation Options and Issues
Using the Configure Your Server Wizard
Using the Active Directory Installation Wizard
Using the Active Directory Installation Wizard with Backup Media
Uninstalling Active Directory
Creating and Managing Organizational Units (OUs)
Creating an OU
Setting OU Properties
Creating or Moving Accounts and Resources for Use with an OU
Delegating Administration of Domains and OUs
Understanding Delegation of Administration
Delegating Administration

Chapter 37
Managing Domain User Accounts
Types of Users
Configuring User Account Policies
Understanding User Account Capabilities, Privileges, and Rights
Assigning User Rights
Creating and Configuring Domain User Accounts
Configuring Account Options
Configuring Profile Options
Managing User Profiles
Profile Essentials
Profile Changes and New Features
Group Policy Changes for User Profiles
Implementing and Creating Preconfigured Profiles
Configuring Local User Profiles
Configuring Roaming User Profiles
Implementing Mandatory User Profiles
Switching Between a Local and a Roaming User Profile
Managing User Data
Using Folder Redirection
Using Offline Files
Managing File Synchronization
Maintaining User Accounts
Deleting User Accounts
Disabling and Enabling User Accounts
Moving User Accounts
Renaming User Accounts
Resetting a User’s Domain Password
Unlocking User Accounts
Creating a Local User Account Password Backup
Managing Groups
Understanding Groups
Creating a Group
Adding Members to Groups
Deleting a Group
Modifying Groups
Managing Computer Accounts
Creating a Computer Account in Active Directory
Joining Computers to a Domain
Moving a Computer Account
Disabling a Computer Account
Deleting a Computer Account
Managing a Computer Account
Resetting a Computer Account
Configuring Properties of Computer Accounts

Chapter 38
Understanding Group Policy
Local and Active Directory Group Policy
Group Policy Settings
Group Policy Architecture
Sysvol Replication Using the File Replication Service
Implementing Group Policy
Working with Local Group Policy
Managing Group Policy Inheritance and Processing
Group Policy Inheritance
Modifying Inheritance
Filtering Group Policy Application
Group Policy Processing
Modifying Group Policy Processing
Modifying User Policy Preference Using Loopback Processing
Using Scripts in Group Policy
Configuring Computer Startup and Shutdown Scripts
Configuring User Logon and Logoff Scripts
Applying Group Policy Through Security Templates
Working with Security Templates
Applying Security Templates
Maintaining and Troubleshooting Group Policy
Group Policy Refresh
Modifying Group Policy Refresh
Viewing Applicable GPOs and Last Refresh
Modeling GPOs for Planning
Refreshing Group Policy Manually
Backing Up GPOs
Restoring GPOs
Fixing Default Group Policy

Chapter 39
Managing Sites and Subnets
Creating an Active Directory Site
Creating a Subnet and Associating It with a Site
Associating Domain Controllers with a Site
Managing Site Links and Intersite Replication
Understanding IP and SMTP Replication Transports
Creating a Site Link
Configuring Site Link Bridges
Determining the ISTG
Configuring Site Bridgehead Servers
Configuring Site Link Replication Options
Monitoring and Troubleshooting Replication
Using the Replication Administrator
Using the Replication Monitor
Developing Backup Strategies
Creating Your Backup Strategy
Backup Strategy Considerations
Selecting the Optimal Backup Techniques
Understanding Backup Types
Using Media Rotation and Maintaining Additional Media Sets
Backing Up and Recovering Your Data
Using the Backup Utility
Setting Default Options for Backup
Backing Up Your Data
Recovering Your Data
Recovering Configuration Data
Backing Up and Restoring Active Directory
Backup and Recovery Strategies for Active Directory
Performing a Nonauthoritative Restore of Active Directory
Performing an Authoritative Restore of Active Directory
Performing a Primary Restore of Sysvol Data
Restoring a Failed Domain Controller by Installing a New Domain Controller
Troubleshooting Startup and Shutdown
Resolving Startup Issues
Repairing Missing or Corrupted System Files
Resolving Restart or Shutdown Issues
No single project has ever been as challenging or as fun for me as writing Microsoft Windows Server 2003 Inside Out. Why? When I set out to write this book, I had no idea it would take me more than 1,500 pages to detail every quirk, every insider secret, and every sticky detail that I’ve learned about Windows Server 2003 since I started working with it in late 1999—back when Windows Server 2003 was known as Windows Whistler. Yet there it is all the same, and it is my sincere hope that the book you hold in your hands is the best of its class when it comes to managing a Windows Server 2003 implementation and handling everyday administration. I also hope the result of all the hard work is that Microsoft Windows Server 2003 Inside Out is something unique. It takes into account all the experiences I’ve had while consulting, conducting training courses, and writing books about Windows Server 2003. As this is my 21st Windows-related book and I’ve helped millions of people learn Windows over my 20+-year career, I hope that counts for an awful lot. But no man is an island and this book couldn’t have been written without help from some very special people.
Without the support of my wife and children, this book would not have been possible. As I literally was writing every day since I signed on to this project—holidays included—my wife had to manage everything else and the little ones had a lot more responsibilities around the house. Thank you for your support and your extraordinary ability to put up with the clackety-clackety of my keyboard.
As I’ve stated in Microsoft Windows Server 2003 Administrator’s Pocket Consultant and in Microsoft Windows Command-Line Administrator’s Pocket Consultant, the team at Microsoft Press is top-notch. Kristine Haugseth was instrumental throughout the writing process. She helped me stay on track and coordinated the materials after I submitted chapters. Martin DelRe was the acquisitions editor for the project. He believed in the book and my unique approach and was really great to work with. Completing and publishing the book wouldn't have been possible without their help! Susan McClung headed up the editorial process for nSight, Inc. As the project manager for this and many other books I’ve written, she wears many hats and always helps out in many ways. Thank you! I’d also like to add that Kristine, Martin, and Susan were very understanding—writing a book of this length is very fun but also very exhausting.
Unfortunately for the writer (but fortunately for readers), writing is only one part of the publishing process. Next came editing and author review. I must say, Microsoft Press has the most thorough editorial and technical review process I’ve seen anywhere—and I’ve written a lot of books for many different publishers. Mitch Tulloch was the technical editor for the book. I believe this was the first time we worked together and it turned out to be a wonderful experience. He was very thorough and helped out every step of the way to ensure things worked as expected.
As ever I would also like to thank Michael Bolinger, Anne Hamilton, and Juliana Aldous Atkinson. They’ve helped out at many points of my writing career and been there when I needed them the most. Thank you also for shepherding my many projects through the publishing process!
Thanks also to Studio B literary agency and my agents, David Rogelberg and Neil Salkind. David and Neil are great to work with. Finally, I want to thank David Stanley. David, I hope we get to work together in the future!
Hopefully, I haven’t forgotten anyone but if I have, it was an oversight. Honest ;-)
We’d Like to Hear from You!
Our goal at Microsoft Press is to create books that help you find the information you need to get the most out of your software.
The INSIDE OUT series was created with you in mind. As part of our ongoing effort to ensure that we’re creating the books that meet your learning needs, we’d like to hear from you. Let us know what you think. Tell us what you like about this book and what we can do to make it better. When you write, please include the title and author of this book in your e-mail, as well as your name and contact information. We look forward to hearing from you!
How to Reach Us
E-mail: nsideout@microsoft.com
Mail: Inside Out Series Editor
Microsoft Press
One Microsoft Way
Redmond, WA 98052
Note: Unfortunately, we can’t provide support for any software problems you might experience. Please go to http://support.microsoft.com for help with any software issues.
About the CD
The companion CD that ships with this book contains many tools and resources to help you get the most out of your Inside Out book.
What’s on the CD
Your Inside Out CD includes the following:
● eBook In this section you’ll find the electronic version of Microsoft Windows Server 2003 Inside Out.
● Resource Kit Tools This section contains resource kit tools for Windows Server 2003.
● Miscellaneous Tools This section contains several tools used to manage Windows Server 2003, including Application Compatibility Analyzer, Microsoft Baseline Security Analyzer, and Windows System Resource Manager.
● IIS Tools A variety of tools and other resources for migrating and enhancing Microsoft Internet Information Services (IIS) 6 form this section.
● FRS Tools The tools in this section are used to manage File Replication Service. They include continuous monitoring tools and snapshot troubleshooting tools.
● MOM Tools This section contains a variety of tools relating to Microsoft Operations Manager.
● MSA v2.0 Doc Set The documentation in this section comprises enterprise-class architectural blueprints and implementation guidance associated with Microsoft Systems Architecture version 2.
● Windows Server Documentation This section contains technical documents and white papers about implementing and administering Windows Server 2003.
The companion CD provides detailed information about the files on the CD and links to Microsoft and third-party sites on the Internet.
Microsoft is therefore not responsible for their content, nor should their inclusion on this CD be construed as an endorsement of the product or the site.
Software provided on this CD is only in the English language and may be incompatible with non-English-language operating systems and software.
Using the CD
To use this companion CD, insert it into your CD-ROM drive. Accept the license agreement that is presented to access the Start menu. If AutoRun is not enabled on your system, run StartCD.exe in the root of the CD or refer to the Readme.txt file. The menu provides you with links to all the resources available on the CD and also to the Microsoft Learning Support Web site.
Caution The electronic version of the book and some of the other documentation included on this CD is provided in Portable Document Format (PDF). To view these files, you will need Adobe Acrobat or Acrobat Reader. For more information about these products or to download the Acrobat Reader, visit the Adobe Web site at http://www.adobe.com.
Support Information
Every effort has been made to ensure the accuracy of the book and the contents of this companion CD. For feedback on the book content or this companion CD, please contact us by using any of the addresses listed in the “We’d Like to Hear from You” section.
Microsoft Press provides corrections for books through the World Wide Web at http://www.microsoft.com/learning/support/. To connect directly to the Microsoft Press Knowledge Base and enter a query regarding a question or issue that you may have, go to http://www.microsoft.com/learning/support/search.asp.
For support information regarding Windows Server 2003, you can connect to Microsoft Technical Support on the Web at http://support.microsoft.com/.
Conventions and Features Used in this Book
This book uses special text and design conventions to make it easier for you to find the information you need.
Text Conventions
Design Conventions
This icon identifies a new or significantly updated feature in this version of the software.
Inside Out
This statement illustrates an example of an “Inside Out” problem statement.
These are the book’s signature tips. In these tips, you’ll get the straight scoop on what’s going on with the software—inside information about why a feature works the way it does. You’ll also find handy workarounds to deal with software problems.
commands. For example, “Click Tools, Track Changes, Highlight Changes” means that you should click the Tools menu, point to Track Changes, and click the Highlight Changes command.
type
dialog box elements, and commands are capitalized.
Example: the Save As dialog box.
separating two key names. For example, Ctrl+Alt+Delete means that you press the Ctrl, Alt, and Delete keys at the same time.
Tip Tips provide helpful hints, timesaving tricks, or alternative procedures related to the task being discussed.
Troubleshooting
This statement illustrates an example of a “Troubleshooting” problem statement.
Look for these sidebars to find solutions to common problems you might encounter. Troubleshooting sidebars appear next to related information in the chapters. You can also use the Troubleshooting Topics index at the back of the book to look up problems by topic.
Cross-references point you to other locations in the book that offer additional information about the topic being discussed.
This icon indicates information or text found on the companion CD.
Caution Cautions identify potential problems that you should look out for when you’re completing a task or problems that you must address before you can complete a task.
Sidebars
The sidebars sprinkled throughout these chapters provide ancillary information on the topic being discussed. Go to sidebars to learn more about the technology or a feature.
Part 1
Windows Server 2003
Overview and Planning