Windows Server™ 2003 Bible
R2 and SP1 Edition
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
Windows Server™ 2003 Bible, R2 and SP1 Edition
Copyright © 2006 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
About the Authors
Jeffrey R. Shapiro (Boca Raton, Florida) has worked in Information Technology for nearly 15 years. He has published more than 12 books on IT, network administration, and software development, and has written for numerous publications over the years. He also regularly speaks at events, and frequently participates in training courses on Microsoft systems.
In 2003, he was selected to lead Broward County’s NetWare to Windows Server 2003 migration project. His mission was to consolidate hundreds of NetWare servers to 50 high-performance Windows Server 2003 servers. Jeffrey continues to architect and design systems, specializing in the data tier. He also writes the Windows Server 2003 column for serverpipeline at www.serverpipeline.com.
Jim Boyce (Rothsay, Minnesota) is a freelance author and former contributing editor and monthly columnist for WINDOWS magazine. Jim has authored and co-authored more than 45 books about computer software and hardware, and is a frequent contributor to techrepublic.com and other technical publications. He has been involved with computers since the late 1970s as a programmer and systems manager in a variety of capacities. He has a wide range of experience in the DOS, Windows, Windows NT, Windows Server 2003, and Unix environments.
Credits
Executive Editor
Quality Control Technician
Laura Albert
Proofreading and Indexing
TECHBOOKS Production Services
Acknowledgments
God knows how hard writing a book is, and then to get it published. We are thankful for the team that has helped us bring this baby into the world.
We would first like to thank our agent, David Fugate, for his effort over the past seven years in bringing us together with the team at Wiley Publishing. If an Olympic team for computer writers existed, David would surely be the head coach. Special honors also go to the Wiley Publishing editorial team. In particular, we would like to “flag” our development editor, Kevin Shafer, who did an outstanding job of bringing together the pieces of the puzzle.
The technical editor “Oscar” goes to Todd Meister and Chris Thibodeaux, not only for reading our lines, but for reading in between them as well. In addition, we would no doubt have gotten no farther than this acknowledgments page without the expert cyber-pencil of our copy editor, Luann Rouff.
For every hour spent writing these words, at least ten were spent testing and toying with Windows Server 2003. How do a bunch of authors get this far? Simple—you gather around you a team of dedicated professionals who help you build a killer lab and then help you test everything from the logon screen to the shutdown command.
Much of this book was written throughout 2002 on the foundation laid down by the Windows 2000 Server Bible, published in 2000; it was revised in 2003 and then revised again in 2005, during the release of SP1 and the much anticipated R2. It would not have been survivable for us without two special souls that we worked with. Omar Martinez takes the gold for always being available for advice on just about any subject that involves a PC or a server, hardware or software. He is the best Microsoft engineer we have worked with and redefines the meaning of “operating system.”
The “home” team always gets the last mention, but without their support, input, and love, the soul in this work would not have taken flight. Special thanks to Kim and Kevin Shapiro and the ever-expanding Boyce clan.
Contents at a Glance
Acknowledgments vii
Introduction xxxv
Part I: Windows Server 2003 Architecture 1
Chapter 1: Introducing Windows Server 2003 3
Chapter 2: Windows Server 2003 and Active Directory 21
Chapter 3: Windows Server 2003 Security 57
Chapter 4: .NET Framework Services 95
Part II: Planning, Installation, and Configuration 109
Chapter 5: Planning for Windows Server 2003 111
Chapter 6: Installing Windows Server 2003 149
Chapter 7: Configuring Windows Server 2003 185
Part III: Active Directory Services 241
Chapter 8: Planning for Active Directory 243
Chapter 9: Organizing a Logical Domain Structure 263
Chapter 10: Active Directory Physical Architecture 301
Chapter 11: Active Directory Installation and Deployment 345
Chapter 12: Active Directory Management 375
Chapter 13: Managing Users and Groups 403
Chapter 14: Change Control, Group Policy, and Workspace Management 449
Part IV: Networking and Communication Services 499
Chapter 15: Windows Server 2003 Networking 501
Chapter 16: DHCP 547
Chapter 17: DNS and WINS 571
Chapter 18: Routing and Remote Access 617
Part V: Availability Management 677
Chapter 19: Storage Management 679
Chapter 20: Backup and Restore 713
Chapter 21: Disaster Recovery 751
Chapter 22: The Registry 763
Chapter 23: Auditing Windows Server 2003 777
Chapter 24: Service Level 785
Chapter 25: Windows Server 2003 High Availability Services 807
Part VI: File, Print, Web, and Application Services 879
Chapter 26: Windows Server 2003 File Systems 881
Chapter 27: Sharing and Securing Files and Folders 949
Chapter 28: Print Services 1001
Chapter 29: Web, FTP, and Intranet Services 1037
Chapter 30: Terminal Services 1085
Index 1121
Contents
Acknowledgments vii
Introduction xxxv
Part I: Windows Server 2003 Architecture 1
Chapter 1: Introducing Windows Server 2003 3
Welcome to Windows Server 2003 3
Understanding the Windows Server 2003 Architecture 4
Operating system modes 4
User mode 5
Kernel mode 7
Windows 2003 processing architecture 9
Windows 2003 memory management 9
Paging in depth 10
The Zero Administration Windows Initiative 11
Active Directory 12
Microsoft Management Console 12
Server and client in unison: IntelliMirror 12
Group Policy 13
Availability services 13
Distributed security 15
Interoperation and integration services 16
Hardware support and plug and play 16
Storage and File System Services 16
Internet Services 18
Communications Services 18
Terminal Services 19
Summary 19
Chapter 2: Windows Server 2003 and Active Directory 21
The Omniscient Active Directory: Dawn of a New Era 22
Why do we need directories? 23
What is Active Directory? 26
The grandfather of the modern directory: The X.500 specification 26
The father of the modern directory: LDAP 28
After X.500 30
The open Active Directory 31
How the registry fits in 31
The Elements of Active Directory 33
Namespaces and naming schemes 33
Active Directory and the Internet 34
Active Directory everywhere 34
Inside Active Directory 35
If it walks like a duck 35
The Active Directory database structure 37
Active Directory objects 38
Active Directory schema 40
Object attributes 41
Walking the Active Directory 41
Naming conventions 42
Domain objects 43
Organizational units 45
Trees 46
Forests 46
Trusts 47
The global catalog 48
My active directory 49
Bridging the Divide: Legacy NT and Windows Server 2003 50
Single point of access and administration 52
Domains and more domains 52
Intra-domain trust relationships 53
Access control lists and access tokens 54
Reality Check 54
Summary 55
Chapter 3: Windows Server 2003 Security 57
An Overview of Windows 2003 Security 57
The Need for Security 58
Data input 58
Data transport 59
Why the threat exists 59
Rising to the Security Challenge 61
Understanding Encryption Basics 62
Getting to Know Cryptography 63
Keys 63
Private keys 64
Public keys 64
Session keys 64
Key certificates 65
Digital signatures 65
Understanding Kerberos 65
Kerberos and the Single Sign-On initiative 67
Psst this is how Kerberos works 67
Time authentication 68
Key distribution 68
Session tickets 69
Kerberos and trusts 70
Locating KDCs 70
Getting to Know IPSec 71
SSL/TLS 73
Understanding Microsoft Certificate Services 73
Public Key Infrastructure 73
Digital certificates 73
Creating the PKI with Microsoft Certificate Services 74
Support for Legacy NTLM 74
Smart Cards 75
Domains 75
Logon and Authentication 76
Windows 2003 logon 76
Bi-factorial and mono-factorial authentication 76
Trusts 77
Access Control 79
Auditing 80
Security Planning 80
Firewalls 80
Active Directory Security Policy 81
Secure Sockets 82
Firewalls, Proxies, and Bastions 82
Introduction to the Public Key Infrastructure 83
Setting up and Configuring a Windows PKI 83
Understanding Certificate Services 84
Setting up and Configuring a Certificate Authority 84
Deploying a PKI 85
Trust model 86
Summary 93
Chapter 4: .NET Framework Services 95
Introduction to the .NET Framework 95
64-bit platform support 95
Access Control List 96
ADO.NET 96
Asynchronous processing 96
Understanding the .NET Initiative 96
The Common Language Runtime 97
Common Type System 98
.NET security 99
Application domains 100
Garbage collection 102
.NET vs. the JVM 102
Configuring the Global Assembly Cache 103
Administering Web Services 104
Summary 108
Part II: Planning, Installation, and Configuration 109
Chapter 5: Planning for Windows Server 2003 111
Steps to Implementation 111
Formulating a plan 112
Implementing in phases 112
Step 1: Establishing timelines 114
Step 2: Understanding the technology 114
Step 3: Understanding how your enterprise is positioned to exploit Windows Server 2003 115
Step 4: Establishing a budget 116
Step 5: Creating a lab 116
Step 6: Designing the logical and physical structures 117
Step 7: Securing the lab 117
Step 8: Testing 117
Step 9: Positioning the enterprise on Windows Server 2003 117
Step 10: Evaluating the project 118
Step 11: Creating pilot projects 118
Step 12: Beginning conversions 118
Analysis and Ramp-up 118
Understanding the technology 119
Focusing on capabilities and not features 120
Needs analyses-needs syntheses 121
Don’t overlook your present needs 121
Assessing your future needs 122
Assessing your strengths and weaknesses 122
Assessing the risks 126
Tinkering in the labs 132
Creating the network infrastructure plan 132
Setting up the lab 133
Lab-management pointers 138
Establishing Sanity Checks 141
Running Pilot Projects 142
Pilot scope 143
Pilot objectives 143
Pilot users 144
Disaster recovery 144
Communication 145
Operating System Conversion 145
Coming to Grips with Windows Server 2003 145
Clean up your old NT domains 146
Standardize on TCP/IP 147
Deploy DHCP 148
Deploy WINS NET 148
Deploy DNS 148
Summary 148
Chapter 6: Installing Windows Server 2003 149
Installation and Configuration Strategy 149
Getting psyched up about installing 150
Server recipes 150
An Overview of Hardware 154
The Hardware Compatibility List (HCL) 154
Motherboards 155
Central processing units (CPUs) 157
Memory 157
Hard-disk drives 157
HDD controllers 159
Network interface cards 159
Plug and play (PnP) 159
Getting Ready to Install 159
Standalone servers 159
Member servers 160
Role servers 160
Domain controller 161
Installing Windows Server 2003 162
Partitioning hard-disk drives 162
Performing a basic install 164
Installing from the network 168
Streamlining setup from the command line by using winnt and winnt32 169
Troubleshooting the Installation 172
Post-Installation 173
Introducing the Boot File 173
Windows Server 2003 as a Communications Server and Microsoft Exchange 174
Internet Information Services integration 174
Active Directory integration 174
Distributed services 175
Security 175
Single-seat and policy-based administration 175
SMTP message routing 175
Internet mail content 176
System Monitoring Using Windows Management Instrumentation 176
Windows Server 2003 for Database Services with SQL Server 177
Windows Server 2003 for IIS and ASP.NET 178
Windows Server 2003 for Application Services 178
Windows Server 2003 Catalogs and Indexes 180
Windows Server 2003 Domain Controllers 180
Windows Server 2003 Active Directory 181
Windows Server 2003 for Resolution Services 182
DNS 182
DHCP 183
WINS 183
Summary 184
Chapter 7: Configuring Windows Server 2003 185
Using the Microsoft Management Console 185
Understanding the function of the MMC 185
Opening the MMC 188
Using snap-ins 189
Getting to know taskpads 190
Other add-in tools 192
Customizing MMC to suit your needs 193
Control Panel versus MMC 194
Windows Firewall Changes for MMC Tools 195
Getting to Know the MMC Tools 196
Certification Authority 196
Cluster Administrator 196
Component Services 197
Computer Management 198
Event Viewer 210
Monitoring performance 214
Server extensions 214
Configure Your Server Wizard 214
Using the Security Configuration Wizard 215
Manage Your Server Console 219
Working with Data Sources (ODBC) 220
Defining DSNs 221
Viewing Driver Information 225
Tracing 225
Connection Pooling 225
Understanding Control Panel Applets 225
Accessibility options 225
Add or Remove Hardware applet 226
Add or Remove Programs applet 226
Administrative Tools applet 227
Automatic Updates 227
Date and Time applet 228
Display object 229
Folder Options applet 229
Internet Options applet 229
Licensing object 230
Network Connections applet 230
Power Options applet 231
Printers Control Panel applet 231
Scheduled Tasks folder 231
System applet 231
Summary 239
Part III: Active Directory Services 241
Chapter 8: Planning for Active Directory 243
Active Directory Overview 243
Basic Design Principles 243
Active Directory Structure 244
A domain plan 244
Site topology 246
A forest plan 247
A trust plan 248
An organizational unit plan 249
Planning for the Active Directory Enterprise 249
Naming strategy plan 249
Domain and organizational units plan 251
Branch office plan 252
Administration Planning 255
Delegating administration 255
Delegating forests, trees, and organizational units 256
Implementing object security 256
Administrative roles 257
Migration Planning 258
Upgrade plan 258
Restructuring plan 259
Migration tools 259
Test-lab plan 260
Backup and recovery plan 261
Deploying the Plan 262
Summary 262
Chapter 9: Organizing a Logical Domain Structure 263
Keepers of the New Order 263
Active Directory Infrastructure Planning 264
Planning for the Logical Domain Structure 264
Preparing yourself mentally 265
Assembling the team 266
The domain planning committee 266
Domain management 267
Change control management 267
Domain security 267
Intradomain communication 268
Education and information 268
Surveying the enterprise 268
Enterprise analysis 269
Enterprise environments 270
Working with organizational charts 272
Identifying the Key Management Entities 273
Strategic drivers 275
Identifying the logical units 275
Identifying the physical units 276
Documentation 276
Administrative modeling 277
Logical Domain Structure: The Blueprint 280
The top-level domain 280
DNS naming practices 287
Second-level domains 288
Partitioning the Domain 293
Organizational units 294
Working with groups 296
Securing the partitions 297
Summary 299
Chapter 10: Active Directory Physical Architecture 301
Past, Present, and Future 301
Forests and Trusts 303
Forest choice design implications 306
Domain Controllers and Global Catalogs 307
Domain controllers 307
Global catalogs 310
The DC and GC locator services 312
Design decisions 313
Sites 314
Replication within sites 315
Site links 316
Site link bridges 317
Connection objects between sites 318
Active Directory Replication 318
How replication works 319
Directory Synchronization 321
Active Directory Site Design and Configuration 322
Topology 322
Creating DC sites 324
Deploying domain controllers 324
Securing domain controllers 325
Deploying GC servers 327
Deploying DNS servers 327
A DDNS architecture 329
Deploying WINS servers 329
Deploying DHCP servers 331
A Site Architecture 334
Architecture 335
Site link cost 337
Time 341
Time service architecture 341
Summary 343
Chapter 11: Active Directory Installation and Deployment 345
Getting Ready to Deploy 345
Millennium City Active Directory Deployment Plan 346
Executive Summary 346
MCITY Network 346
The GENESIS domain 347
The CITYHALL domain 349
The DITT domain 349
The MCPD domain 350
Installing and Testing the Active Directory Domain Controllers 350
Installing the DC machine 351
Promoting to domain controller 352
Establishing in DNS/WINS 360
Creating sites 362
Creating organizational units (OUs) 364
Delegating OU administration 365
Securing the DC and following disaster recovery protocol 366
Implementation 366
Install 367
IP address reservations 368
Installation of the root domain, MCITY.US 368
Quality assurance 372
Summary 373
Chapter 12: Active Directory Management 375
Installing New Directory Services into an Existing Infrastructure 375
Replication Management 376
Installing New Domain Controllers 376
Installing New Catalog Servers 377
Protecting Active Directory from Corruption 378
Online and offline database defragmentation 378
Ensuring database integrity 380
Moving Active Directory from Server to Server 381
Integrating Active Directory with Other Services 381
Active Directory and SQL Server 382
Active Directory and Microsoft Exchange 382
Trust and Replication Monitoring 382
Logon without the Global Catalog 383
Active Directory and DNS 384
Active Directory Administration Architecture 385
Architecture 389
Windows Server 2003 group membership 390
Network services administration 392
Administration of Enterprise Service Servers 393
Remote workstation administration architecture 394
Terminal Services policy 394
Secure administration 395
Summary 402
Chapter 13: Managing Users and Groups 403
The Windows Server 2003 Account: A User’s Resource 404
What is a user? 404
What are contacts? 404
Local users and “local users” 404
What is a group? 405
Exploring the Users and Computers management tools 408
Windows Server 2003 user accounts 410
Account policy 414
Security principals and the logon authentication process 414
Security identifiers 415
SAM and LSA authentication 415
User Accounts in Action 416
Getting familiar with RunAs 416
Naming user accounts 417
Passwords 418
Understanding logon 419
Granting remote access 419
Creating a user account 420
Renaming user accounts 427
Deleting and disabling user accounts 427
Copying accounts 427
Computer Accounts 427
Group Accounts 428
The scope of groups 429
The elements of groups 431
Installing predefined groups 432
Groups on member servers 434
Nesting groups 434
Group creation 435
Managing groups 438
Rights and permissions 438
Mixed mode versus native mode 441
The Zen of Managing Users and Groups 442
Delegating responsibility 443
User and Group Management Strategies 444
Keep your eye on TCO 445
Determine the access and privileges needed 446
Determine the security level 446
Protect resources and lessen the load by using Local groups 446
Delegate with care 447
Keep changes to a minimum 447
Summary 447
Chapter 14: Change Control, Group Policy, and Workspace Management 449
What Is Change Control? 449
Understanding Change Management 450
The user 455
The computer 455
Taking Control 456
Applications 457
Security 458
Operating system environment 458
Workstation lockdown 459
Getting ready for change-control policy 459
Understanding Group Policy 460
Types of Group Policy 463
The elements of Group Policy 464
Where GPOs live 467
How Group Policy Works 468
Local or nonlocal Group Policy Objects 469
Group Policy application 469
Filtering policy 472
Delegating control of GP 472
Security at the local Group Policy Objects 473
How Group Policy is processed 473
Putting Group Policy to Work 477
The software policies 477
Security policies 478
Group Policy and Change Management: Putting It All Together 478
Don’t accept the default policy 479
Establishing a GP attack plan 480
Dealing with computer accounts 480
Getting Started 481
Customizing logon/logoff 481
Locking down the desktop 481
Controlling the Start menu 482
Folder redirection 482
Older versions of Windows 483
Change Control Management for Group Policy 483
From development to production with Group Policy 484
Change control for Group Policy 485
Planning and troubleshooting GP by using RSoP 485
Architecting Group Policy 486
Password policy 489
Account lockout policy 490
Audit policy 491
Event log 494
Locking down Domain Admins 495
Summary 497
Part IV: Networking and Communication Services 499
Chapter 15: Windows Server 2003 Networking 501
TCP/IP on Windows Server 2003 501
TCP/IP Basics (IPv4) 502
IP addressing 503
Subnetting 504
Classless Interdomain Routing notation 506
Obtaining IP addresses 507
Gateways and routing 508
Dynamic Host Configuration Protocol (DHCP) 509
Domains and name resolution 510
Preparing for installation 511
Setting up TCP/IP 511
Configuring TCP/IP 512
Understanding and Using IPv6 517
IPv6 terms and concepts 518
Using IPv6 in Windows Server 2003 521
Troubleshooting TCP/IP 523
Common troubleshooting concepts 523
ping 525
ipconfig 527
netstat 528
hostname 529
tracert 530
arp 531
route 532
nbtstat 532
Legacy Protocols 533
NetBEUI 533
IPX/SPX 534
DLC 534
SNMP 535
Understanding how SNMP works 535
Installing and configuring SNMP 536
Windows Firewall Configuration and Management 539
Overview of Windows Firewall changes 539
Configuring Windows Firewall 541
Managing Windows Firewall with Group Policy 544
Managing Windows Firewall from a console 545
Network Access Quarantine Control 545
Summary 545
Chapter 16: DHCP 547
Overview of DHCP 547
The Windows Server DHCP Service 548
Support for dynamic DNS 548
Vendor and user classes 549
Multicast address allocation 549
Unauthorized DHCP server detection 550
Automatic client configuration 550
Improved monitoring and reporting 550
Installing and Configuring the DHCP Server 551
Installing DHCP 551
Using the DHCP console 551
Creating scopes 552
Setting general scope options 553
Configuring global DHCP options 556
Creating reservations 556
Setting global scope properties 557
Activating and deactivating a scope 558
Authorizing the server 558
Defining and Implementing User and Vendor Classes 558
Vendor classes 558
User classes 560
Configuring a client to use class IDs 561
Creating and Using Superscopes 561
Creating a superscope 563
Activating and deactivating a superscope 563
Removing scopes from a superscope 563
Deleting superscopes 564
Creating Multicast Scopes 564
Configuring Global DHCP Server Properties 565
Managing the DHCP Database 567
Backing up and restoring the DHCP database 567
Moving the DHCP database to another server 568
Configuring Windows DHCP Clients 568
Configuring DNS options for DHCP 569
Summary 570
Chapter 17: DNS and WINS 571
Overview of the Domain Name Service 571
Understanding domain names 572
Today’s DNS system 573
Resolvers, name servers, and forward lookup 574
Domain records and zone files 577
Reverse lookup 579
Delegation 581
Caching, forwarders, and slaves 582
Recursion, iteration, and referrals 583
Microsoft Domain Name Services 585
Installing DNS 585
Overview of the DNS console 585
Creating forward-lookup zones 586
Creating reverse-lookup zones 587
Creating resource records 587
Configuring zone properties 590
Managing DNS Server Options and Behavior 592
Configuring multiple addresses on a DNS server 592
Using a forwarder 592
Configuring advanced settings 593
Setting root hints 594
Configuring logging 595
Monitoring and testing 596
Applying security 597
Managing the server and cache 598
Configuring Subdomains and Delegation 598
Setting up subdomains 599
Delegating a subdomain 599
DNS and Active Directory 600
Dynamic DNS 600
Configuring DDNS 601
Configuring scavenging 602
Windows Internet Name Service (WINS) 603
How WINS Works 605
WINS registration 605
Mapping renewal 606
The New WINS 606
Persistent connections 607
Manual tombstoning 607
WINS Installation and Configuration 608
Installing WINS 608
Configuring WINS 608
Configuring Windows Clients for DNS and WINS 610
Using Hosts and LMHOSTS Files for Name Resolution 613
Using a Hosts file for name resolution 613
Using the LMHOSTS file for name resolution 614
Summary 615
Chapter 18: Routing and Remote Access 617
Windows Server 2003 RAS and Telephony Services 617
Overview of Windows Server 2003 RRAS 617
New features of Windows Server 2003 RRAS 619
The Routing and Remote Access Management Console 621
RAS Connection Types and Protocols 622
Serial Line Internet Protocol 622
Point-to-Point Protocol 622
Point-to-Point Multilink Protocol and BAP 623
Point-to-Point Tunneling Protocol 623
Layer Two Tunneling Protocol 624
Transport protocols 624
Enabling and Configuring RRAS 625
IP Routing 626
IP routing overview 626
Routing with RRAS 629
Configuring a basic router 629
Dynamic routing 634
Adding and configuring RIP 634
Adding and configuring OSPF 637
DHCP relay agent 640
IGMP — multicast forwarding 641
Network Address Translation 643
Configuring NAT 644
Configuring Services and ICMP Messages 645
Configuring a Basic Firewall 648
Configuring RAS for Inbound Connections 648
Enabling RRAS 649
Configuring modems and ports 650
Configuring protocols 651
Configuring authentication 654
Disabling routing (Remote Access Server only) 659
RRAS logging and accounting 659
Configuring a VPN Server 661
Configuring VPN ports 662
Enabling L2TP for VPN 662
Using Multilink and BAP 664
Remote Access Policy 665
Creating a new policy 666
Prioritizing policies 668
Using RADIUS 669
Installing and managing IAS 669
Configuring IAS to accept connections 669
Configuring IAS global options 670
Configuring logging 670
Configuring Outgoing Dial-Up Networking Connections 671
Creating a connection 671
Configuring connection properties 671
Configuring dial-up networking to connect to the Internet 675
Summary 676
Part V: Availability Management 677
Chapter 19: Storage Management 679
Overview of Windows Server 2003 Storage 679
Storage Management 680
Performance and capacity 680
High availability 682
Recoverability 683
Issues with legacy systems 683
Disk Management Service 684
Partition Styles 685
MBR disks 685
GPT disks 685
Removable Storage 686
Remote Storage and HSM 686
The Disk Management Snap-in 687
Basic Storage 688
Primary partitions 688
Extended partitions 688
Basic volumes 688
Dynamic Volumes and Fault Tolerance 689
Dynamic disks 689
RAID-1: Disk mirroring 691
RAID-5: Fault-tolerant striping with parity 692
Hardware RAID 693
Dynamic Storage Management 694
Converting basic disks to dynamic 694
Creating simple volumes 696
Extending simple volumes and spanned volumes 697
Creating and managing RAID-0 volumes (striping) 699
Creating and managing RAID-1 volumes 699
Creating and managing RAID-5 volumes 700
Importing disks 701
Managing Storage with Disk Quotas 702
Why you need disk quotas 702
Ownership 703
Setting disk quotas 705
Common-sense disk quota management 706
Troubleshooting 708
Disk and volume states 708
Fixing RAID redundancy failures 709
Storage Manager for SANs 710
Summary 711
Chapter 20: Backup and Restore 713
Why Back Up Data? 713
What to Back Up 714
Understanding Backup 714
Understanding archive bits 714
What is a backup? 715
What is a restore? 716
Understanding how a backup works 716
Introducing Removable Storage and Media Pools 716
The Removable Storage Service 717
The Removable Storage database 718
Physical locations 718
Media pools 720
Work Queue and Operator Requests 721
Labeling media 723
Practicing scratch and save 723
Establishing Quality of Support Baselines for Data Backup/Restore 723
Establishing Quality of Capture 727
Best backup time of the day 727
Length of backup 728
Backup of servers and workstations 729
The open files dilemma 730
Backup Procedure 732
Performing a Backup 733
Creating a media pool 734
Understanding rights and permissions 734
Understanding source and destination 735
Setting up schedules 736
Backup batch files and Backup scripts 736
Another NTBackup backup script 737
Rotation Schemes 739
Restoring Data 741
Tape Location 742
Backup Bandwidth 743
Hardware and Media Formats 743
4mm Digital Audiotape 744
8mm Digital Audiotape 744
Digital Linear Tape 744
Advanced Intelligent Tape 745
Quarter-Inch Cartridge (QIC) 745
Linear Tape-Open (LTO) 745
Working with Shadow Copies 746
Summary 749
Chapter 21: Disaster Recovery 751
Disaster Recovery Planning 751
Policy and protocol 751
Documentation 751
Disaster recovery training and action planning 753
Identifying Resources 753
Developing Response Plans 754
Testing Response Plans 754
Mock Disaster Programs 755
Understanding Fault Tolerance 756
Identifying Weak Links 757
Recovery from Backup 757
Recovery of base operating systems 758
Recovery of configuration 759
Mirrored Services, Data, and Hardware 760
Recovery of Key Services 760
Active Directory 760
DNS 760
Registry 761
Crash Analysis 761
Summary 761
Chapter 22: The Registry 763
The Purpose of the Registry 763
The Registry Structure 765
Registry hive files 767
Keys and values 769
The Registry Editor 769
Regedit.exe 770
Modifying the registry 770
Importing and exporting keys 771
Editing a remote registry 772
Loading and unloading hives 773
Securing the Registry 773
Preventing access to the registry 773
Applying permissions to registry keys 773
Auditing registry access 774
Securing remote registry access 775
Summary 776
Chapter 23: Auditing Windows Server 2003 777
Auditing Overview 777
Configuring Auditing 778
Enabling audit policies 778
Auditing object access 780
Examining the Audit Reports 781
Using the Event Viewer 782
Using other tools 782
Strategies for Auditing 783
Leaving auditing off 783
Turning all auditing on 783
Auditing problem users 784
Auditing administrators 784
Auditing critical files and folders 784
Summary 784
Chapter 24: Service Level 785
Understanding Service Level 785
Service level: Example 1 786
Service level: Example 2 786
The service level agreement 786
Service Level Management 787
Problem detection 787
Performance management 787
Availability 788
SLM by design 788
SLM and Windows Server 2003 789
Windows Server 2003 System Monitoring Architecture 790
Understanding rate and throughput 791
Understanding queue 791
Understanding response time 791
How performance objects work 792
System monitoring tools 793
Task Manager 793
Performance Console 794
System Monitor 795
Performance Logs and Alerts 798
Using Logs and Alerts 799
Getting to Know Your Servers 800
Monitoring for bottlenecks 801
Understanding server workload 803
Performance Monitoring Overhead 804
Service Level with Microsoft Operations Manager 804
Summary 805
Chapter 25: Windows Server 2003 High Availability Services 807
  Analyzing Scalability and Availability Issues 807
  Scaling out vs scaling up 807
  Load balancing vs failover 808
  Fault tolerance vs high availability 808
  Concept of a cluster 809
  Server Clusters 809
  Server cluster concepts 810
  Server cluster requirements 816
  Server cluster design and capacity planning 820
  Step-by-step server cluster installation and configuration 826
  Server cluster management 834
  Troubleshooting server cluster 837
  Network Load Balancing Clusters 839
  NLB cluster concepts 839
  NLB cluster requirements 845
  NLB cluster design and capacity planning 847
  Step-by-step NLB cluster installation and configuration 851
  NLB cluster management 857
  Troubleshooting an NLB cluster 860
  Component Load Balancing Clusters and Application Center 2000 860
  CLB cluster concepts 860
  CLB cluster requirements 865
  CLB cluster design and capacity planning 865
  CLB cluster installation and configuration 866
  Hybrid Clustering Solutions 866
  Clustering Network Services (WINS, DHCP) 867
  Clustering File Services and DFS 868
  Clustering Print Services 868
  Clustering Applications 869
  Generic applications clusters 869
  Generic script clusters 870
  Clustering Distributed Transaction Coordinator 870
  Clustering Message Queuing 871
  Maintaining terminal sessions across clusters 871
  MS SQL Server clusters 873
  Web server clusters 876
  Summary 878
Part VI: File, Print, Web, and Application Services 879
Chapter 26: Windows Server 2003 File Systems 881
  An Overview of Disk Structure 881
  FAT16 and FAT32 883
  NTFS 885
  NTFS structure 886
  Disk quotas 889
  Reparse points 890
  Encrypting File System 891
  Hierarchical Storage Management 891
  Directory junctions 891
  Mounted volumes 892
  Choosing a File System 892
  Optimizing Storage Capacity 894
  Optimizing cluster size 894
  Defragmenting volumes 895
  Using disk compression in NTFS 896
  Managing the Distributed File System 897
  Changes in DFS for R2 898
  DFS structure and terminology 898
  Domain-based DFS roots vs standalone DFS roots 900
  Client support 901
  Replication with FRS 901
  Replication with DFS-R 902
  Client-side caching 902
  Working with the Distributed File System console 903
  Creating and deleting DFS roots 904
  Creating DFS links 904
  Working with targets 905
  Creating root targets 906
  Configuring replication with FRS 907
  Creating a custom replication topology 909
  Excluding files and folders from replication 911
  Managing DFS with the DFS Management console 911
  Working with Mounted Volumes 916
  Mounting a volume 918
  Unmounting a volume 918
  Hierarchical Storage Management 918
  How HSM works 920
  Installing and configuring Remote Storage 920
  Managed volumes 920
  Limitations of Remote Storage 923
  File Services for Macintosh 924
  FSM security 925
  FSM file permissions 925
  FSM filename considerations 926
  Installing File Services for Macintosh 927
  Adding a Macintosh volume 927
  Removing a Macintosh volume 928
  Backup and recovery considerations 928
  Services for Unix 929
  Installing services for Unix 930
  Configuring User Name Mapping 931
  Configuring NFS 934
  Setting up an NFS gateway server 939
  Integrating NFS Shares in DFS 941
  Microsoft Services for Network File System 941
  NetWare Integration 943
  Migration/integration tools 944
  Getting ready to integrate 945
  Summary 947
Chapter 27: Sharing and Securing Files and Folders 949
  Sharing and Securing Your Data 950
  Ownership 951
  Configuring the File Server Role 952
  File Server Management console for R2 953
  Publishing Shares in Active Directory 958
  Creating a Share 958
  Sharing a local folder 958
  Establishing shares by using the File Server Management console 960
  Share Attributes 962
  Deny 964
  Accumulation of share permissions 964
  Moving or copying folders 964
  Intradomain shares 964
  Who can share folders 965
  Hidden shares 965
  Connecting to Shares 965
  Connecting users to published shares 966
  Mapping out the DFS namespace for users 968
  Administrative Shares 971
  Commonsense Strategies for Sharing Folders 972
  Restricting shares 972
  Setting up application sharepoints 972
  Setting up data sharepoints 973
  Offline Access (Caching) 973
  Offline attributes 975
  Synchronizing cached resources 975
  Securing Files and Folders by Using Permissions 975
  Permission Types 977
  Permissions Attributes 979
  Inheritance 980
  Taking Ownership 980
  Copying and Moving 981
  Strategies for Managing Permissions 982
  Securing Files by Using the Encrypting File System 983
  How EFS works 984
  Recoverability and the encryption recovery policy 986
  Using EFS 987
  Copying, moving, or renaming encrypted files 990
  Accessing encrypted data remotely 990
  Sharing encrypted data 991
  Encrypting files for multiple users 994
  Backing up and recovering encrypted data 996
  Configuring and using a recovery policy 996
  Summary 1000
Chapter 28: Print Services 1001
  Understanding Windows Server Printer Services 1002
  Printer services: The logical environment 1002
  Printer services: The physical environment 1009
  Print Services Strategy 1012
  Printer taxonomy 1012
  Creating print groups 1013
  Creating a print network 1013
  Keeping drivers current 1014
  Installing and Setting Up Printers 1014
  Installing the local printer 1015
  Publishing Printers 1018
  Locating printers 1018
  Hiding printers 1020
  Printer pools 1020
  Loading printer ports 1021
  Printer Administration 1023
  Printer management 1023
  Job management 1026
  Advanced spool options 1026
  Access control 1028
  Troubleshooting 1030
  Server-side print problems 1031
  Client-side print problems 1033
  Enabling bi-directional printing 1033
  Auditing Printer Usage and Management 1034
  Print Services 1034
  Summary 1035
Chapter 29: Web, FTP, and Intranet Services 1037
  What’s New in IIS 6.0 1037
  New server role 1037
  Processing changes 1037
  Security changes 1038
  Passport and other security changes 1039
  Management and administration changes 1039
  Overview of Web and FTP Server Administration 1039
  Web-related services 1040
  Web services checklist 1041
  Installing IIS 6.0 1043
  Configuring and Managing HTTP Services 1044
  Default sites created by Setup 1044
  Configuring Web sites 1045
  Backing up and restoring configuration data 1058
  Managing the Web server 1058
  Disabling Web server extensions 1060
  Managing Application Pool Settings 1060
  Configuring and Managing FTP Services 1062
  Creating and configuring FTP sites 1063
  Managing the FTP server 1066
  FTP client access 1066
  Configuring and Managing SMTP Services 1066
  Overview of the SMTP service 1067
  Installing SMTP 1069
  Configuring SMTP 1069
  Configuring and Managing NNTP Services 1076
  Installing NNTP 1077
  Configuring NNTP 1077
  Summary 1083
Chapter 30: Terminal Services 1085
  Thin-Client/Server Computing 1085
  Refresher: Client/server computing model 1086
  Total recall: The mainframe computing model 1086
  Enter Citrix Systems 1087
  The thin-client/server computing model 1088
  The Thin-Client/Server Revolution 1088
  Good candidates: Data I/O applications 1089
  Poor candidates: Processor- and graphics-intensive applications 1089
  More poor candidates: Bad software 1089
  The benefits of thin-client/server computing 1090
  The cons of thin-clients 1091
  Terminal Services Architecture 1092
  Remote Desktop for Administration 1093
  Full Terminal Server 1093
  Enabling Terminal Services 1094
  Administering Terminal Services 1096
  The Terminal Services Manager 1096
  Terminal Services Configuration 1098
  Terminal Services Group Policies 1100
  Active Directory Users and Computers and Terminal Server extensions to Local Users and Groups 1101
  Command-line utilities 1102
  Terminal Services WMI Provider 1103
  Terminal Services Licensing 1103
  Remote Desktop for Administration features 1107
  Full Terminal Server Features 1109
  Desktop deployment 1109
  Application-publishing deployment 1110
  Installing applications 1110
  Printer management 1111
  Starting a program on connection to a Terminal Server 1113
  Remote Assistance Features 1113
  Terminal Services Clients 1114
  Deploying Terminal Services to clients 1114
  Connecting to the server 1115
  Optimizing remote desktop connections 1116
  Session encryption levels 1117
  SSL Encryption for Terminal Services Connections 1118
  Remote administration and Telnet 1119
  Summary 1120
Index 1121
Windows Server 2003, R2, is an intermediate release between Windows Server 2003 and the next major version of the flagship operating system from Microsoft, due in the latter part of this decade. This release builds on the solid foundation of an already released and widely used operating system to provide critical security, authentication, and networking enhancements. It also provides features that make the extension of the enterprise network to branch offices and remote locations far easier and more secure. R2 takes you closer to the goal of server and network consolidation, no matter how diverse or remote the various parts of your network.
If you are still supporting Windows 2000 (or, Heaven forbid, Windows NT), Windows Server 2003 offers many new and improved features that present you with both exciting and daunting challenges. This book is the culmination of thousands of hours spent testing, evaluating, and experimenting with just about everything that Windows Server 2003 can throw at you. Gone are the days when the Windows server operating systems could be covered in a single book or a week’s crash course at a training center. If we told you that this is the only book that you need about Windows Server 2003, we would be lying. Many of the features that we cover warrant advanced treatment under separate cover. We have attempted to build as complete a hands-on reference as possible, while still providing a broad scope of coverage of the most important aspects and implications of the Windows Server 2003 platform for all editions.

There is no excuse to be still using Windows 2000 (which was released to manufacturing in the sunset of 1999) or Windows NT (which was released before the dawn of the Internet as we know it today)—those giddy years for technology in the mid-1990s. Windows Server 2003 presents some compelling reasons to convert sooner rather than later. Windows 2003 offers expanded hardware support and support for plug-and-play. Windows Server 2003 incorporates numerous new technologies and improves on several existing ones, particularly for Windows Server 2003 Enterprise Edition, the focus of this book.
One of the most pervasive changes in Windows 2000 was the Active Directory, and Windows Server 2003 expands on and improves implementation of the Active Directory. In R2, Active Directory comes with the so-called Active Directory Federation Services (ADFS), built-in technology that makes it easier than ever, and with much more reliability, to extend AD to remote locations and branch offices.
AD affects most aspects of Windows Server 2003, including the areas of security and user and group administration, network and domain topology, replication, DHCP and DNS, and more. Other important changes include changes to the Distributed File System (DFS), which enables you to build a homogenous file-system structure from shares located on various servers across the network. The concept of presenting shared folders to users as a grouping called a namespace has been further extended and enhanced. In R2, the enhanced DFS Namespaces (DFS-N) provides for easier management of file system roots within a DFS network infrastructure. DFS-N gives you far greater flexibility in deploying DFS; you now have a much more sophisticated tool to create multiple DFS roots and manage them.

In a similar fashion, volume mountpoints, a feature of NTFS 5.0 (introduced in Windows 2000), enable you to mount a volume into an empty NTFS folder, making the volume appear as part of the structure of the volume in which the NTFS folder resides. Mounted volumes do much the same for a local file structure that DFS provides for a network file structure. Changes in DNS and DHCP enable DHCP clients to dynamically request updates of their host records hosted by Windows Server 2003 DNS servers, enabling you to maintain up-to-date host records for all systems in the enterprise, even when they are assigned an IP address dynamically, or their host or domain names change.
If you have been creating and managing Windows 2000 networks, you should find many features in Windows Server 2003 welcome improvements. A good example is Group Policy. You know from Windows 2000 that you cannot implement a Windows 2000 network without Group Policy, but Group Policy is difficult to master without supporting tools. Windows Server 2003 greatly improves Group Policy technology with increased functionality, such as resultant set of policy (RSoP) and the capability to more easily report on Group Policy application. These changes are just a few of the many new features and modifications offered by the Windows Server 2003 operating platform.
Who Should Read This Book
Windows Server 2003 Bible, R2 and SP1 Edition, is for anyone involved in network administration, server management, MIS, and so on. This book is for you if the questions you have are along the lines of “How do we handle this?”
Granted, Windows NT and 2000 administrators have a leg up on their Unix and NetWare comrades, but Windows Server 2003 makes waves in all IS infrastructures. The audience covers a wide spectrum as broad as the number of services that the product offers. Not only do we cater to network or server administrators, but many chapters are aimed at people tasked with certain responsibilities, such as security, user-account administration, service level, customer-relationship management, e-commerce, and so on.
Although we assume that you are familiar with the Windows environment (from Windows 9x through Windows XP), much of what we offer here is of value to administrators working in heterogeneous environments—even midrange and mainframe facilities. We have also focused on issues of concern to managers and information offices. This is very much an integration book, so you find conversion tips aplenty, culled from an eagle eye cast on every process that may create problems for business systems and processes that are still in place.
Whether you’re just trying to get a handle on what’s new in Windows Server 2003 and the effect that it’s sure to have, looking at installing new Windows Server 2003 systems, considering an upgrade from Windows 2000 Server, or are tasked with converting from Windows NT Server to Windows Server 2003, you will find a wealth of information between the covers of this book that can help you meet your goals.
Everything that we discuss in these pages has been tested and deployed in several early adoptions, in one form or another, so step into our shoes and get a heads-up on the road ahead. You will no doubt go on to learn a lot more about Windows Server 2003, as will we. If you would like to comment on anything or add to what we’ve written, we value your contributions. You can write to us at jeffrey.shapiro@codetimes.com or boyce_jim@compuserve.com.

How This Book Is Organized
The Windows Server 2003 Bible, R2 and SP1 Edition, is divided into several logical parts, each focusing on a specific feature area or technology in Windows Server 2003. The following list summarizes the topics covered and how they are structured.
Part I: Windows Server 2003 Architecture
Part I provides extensive coverage of the Windows Server 2003 architecture in three key areas: system design, the Active Directory (AD), and security. Chapter 1 covers the system architecture to give you an understanding of how Windows Server 2003’s components function and interact with one another. Chapter 1 also covers several higher-level components, such as Internet services, power management, plug-and-play, and so on. Chapter 2 focuses on Active Directory, giving you an overview of the AD’s purpose and design. Chapter 3 takes a broad look at security in Windows Server 2003, including Kerberos, certificates, encryption, and many other security-related topics. A section on Certificate Authorities has been added to facilitate the establishment of smart card systems, IPSec, encryption services, secure sockets, and so on. Chapter 4 rounds out this part with a look at the latest .NET Framework Services, including architecture and installation issues.

Part II: Planning, Installation, and Configuration
Turn to Part II if you’re ready to start planning your Windows Server 2003 deployment, whether on a single system or a wider-scale deployment. Chapter 5 helps you decide whether you need to upgrade your hardware, plan deployment across the enterprise, and deal with several other pre-installation issues. Chapter 6 covers the actual installation of Windows Server 2003 and discusses machine or platform configuration, hardware selection, choosing services, and so on. Chapter 7 takes you to the next step after installation and explains how to configure services, the user interface, and other Windows Server 2003 options and properties.
Part III: Active Directory Services
Active Directory represents one of the most significant additions in Windows Server 2003 over Windows NT. Part III provides a complete look at AD, starting in Chapter 8 with a look at AD’s logical structure and what it really represents. Chapter 9 examines the issues involved in developing a logical domain structure. Chapter 10 explores the physical structure of AD to explain it in the context of domains, sites, servers, and security. Chapter 11 covers AD planning, installation, and deployment. Chapter 12 explores AD management. Managing users and groups is covered in detail in Chapter 13, and Chapter 14 finishes the section with coverage of change management and how Group Policy facilitates change control over users, computers, security, and the workspace.

Part IV: Networking and Communication Services
Part IV explores in detail several key networking and communications services in Windows Server 2003. Chapter 15 lays the groundwork by covering the ubiquitous TCP/IP protocol, along with routing, troubleshooting, Network Address Translation (NAT), SNMP, and legacy protocols. You find detailed coverage in Chapter 16 for help with configuring and deploying DHCP for automatic IP-address assignment and administration. DNS and WINS server configuration and client management are covered in Chapter 17, and the Routing and Remote Access Service is covered in detail in Chapter 18.
Part V: Availability Management
Windows Server 2003 builds on Windows NT and 2000 for fault tolerance, storage management, recovery, and other availability issues. Storage management is covered in detail in Chapter 19, including removable storage, fault tolerance, RAID, general file-system management, and related topics. Chapter 20 helps you develop and implement a backup and recovery strategy and