WINDOWS 2000 SERVER
SYSTEM ADMINISTRATION HANDBOOK
FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge
Paul Shields, MCSE
Ralph Crump, MCSE, CCNA, Master CNE
Martin Weiss, MCSE, MCP+I, CNA
Technical Edit By:
Sean Wallbridge, MCSE, MCSD, MCT, MCDBA, MCP+I
“An insightful and detailed overview of the tools and tasks that the Windows 2000 administrator faces. Great as an introduction and as a resource for any IT library.”
—Lloyd Fray, Information Technology Manager, Mutual Risk Management
With over 1,000,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:
■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.
Once you've purchased this book, browse to
www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
solutions@syngress.com
Syngress Media, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™” is a trademark of Syngress Media, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Windows 2000 Server System Administration Handbook
Copyright © 2000 by Syngress Media, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
ISBN: 1-928994-09-1
Copy edit by: Adaya Henis
Proofreading by: Adrienne Rebello
Technical edit by: Sean Wallbridge
Page Layout and Art by: Emily Eagar and
Project Editor: Eva Banaszek
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Shelly Everett, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.
Ralph Troupe and the team at Rt 1 Solutions for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Michael Ruggiero, Kevin Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.
Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow, Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson, Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt International for making certain that our vision remains worldwide in scope.
Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.
And finally, to Thomas Edward O’Brien, for waiting.
At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience.
We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.
Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.
Contributors
Sean Wallbridge (MCSE+i, MCSD, MCT, MCDBA, MSS, MCP+i, MCP+sb, Compaq ASE, Novell CNA and Vinca VCE) is a Senior Consultant/Trainer for NexGen Technologies based in Hamilton, Bermuda. As a consultant, Sean provides turnkey networking solutions and takes great pride in creating satisfied customers. Sean has co-authored seven other books and technical publications. When not on the beach or in front of a computer, Sean spends his time with his wife Wendy, Murphy-the-Bassett-Hound, and their two cats.
Martin Weiss (MCSE, MCP+I, CNA, CIBS, A+, Network+) is a Senior Information Management Specialist with ACS Government Solutions Group, a provider of broad-based information technology solutions for client organizations. Marty lives in New England with his wife Gin and son Kobe. You can contact Martin via e-mail at castadream@hotmail.com.
Ralph Crump (MCSE, CCNA, and a CNE 3.x, 4.x, and 5.x, with a Master CNE in Integrating Windows NT) manages a team responsible for a large scale Windows NT and Novell NetWare infrastructure for a major telecommunications company in Atlanta, Georgia. He specializes in Windows NT and BackOffice applications as well as Novell Netware solutions. He is currently working in cooperation with Microsoft on Windows 2000 Rapid Deployment projects.
Cameron Brandon (MCSE, CNE, CNA, MCSE+Internet, A+, Network+) is a Network Engineer/Administrator in Portland, Oregon. He specializes in Windows NT with BackOffice Integration and helped work on Intel Corporation's large-scale migration at its Oregon facility to Windows NT. He completed his MCSE, CNE, CNA, MCPS:Internet Systems, and A+ certifications in five months’ time, proving once again that you can achieve those things to which you set your mind.
Adam Quiggle (Master CNE, MCSE, CCNA) is a senior level network engineer for Metamor Worldwide. In his most recent role, he served as remote access project leader for one of North Carolina's largest state government agencies, utilizing Windows NT Terminal Server, Metaframe and Cisco Access Servers. He is president of the Research Triangle Park chapter of the Cisco Professional Association Worldwide.
Holly Simard (MCSE, MCP+I) is a networking specialist in Victoria, BC. Along with providing turnkey solutions for her clients, Holly also delivers online instruction in her spare time. Holly lives with her husband Hervey, who works as a multimedia developer, their springer spaniel Hubert, and their cat Daisy.
Paul Shields (Certified MCSE) currently works as a network engineer for a major telecommunications company. He has been working with, supporting, and writing about Windows NT for the last five years. His current projects revolve around the design and implementation of enterprise-class servers in a mixed platform environment. He is also working on the roll-out of Windows 2000 to the corporate desktop. Paul can be contacted at pshields@airmail.net.
Erik Sojka is a system administrator and trainer currently working for a major software company. He is an MCSE and has a BS in Information Science and Technology from Drexel University.
Eriq Oliver Neale is a technology strategist with Nortel Networks, researching new technology solutions for inclusion in the designer workplace. He has worked in the computer support industry for eleven years and in that time has contributed to several computing technology publications. When not writing, he and his wife try to keep up with seven cats, two dogs, and a plethora of tropical fish.
Jay Tomlin works as a server-based computing software specialist for Citrix Systems, Inc. in Fort Lauderdale. His primary duty is training the Citrix Technical Support organization worldwide. Prior to joining Citrix, Jay studied Mathematics and Music Theory in college and graduate school. He can be reached at jtomlin@adelphia.net.
Contents
CHAPTER 1 The Windows 2000 System Administration Migration Path
Brief Overview of Windows 2000 Server
Windows 2000 System Administration Overview
Increased Reliability, Availability, and Scalability
Core Operating System Services
Migrating to Windows 2000 Server
Streamlining
Planning
Architecture
Costs
Timeline
Testing
Deployment
Summary
FAQs
CHAPTER 2 Overview of Windows 2000 Administration
Domains
Namespace
Groups
Name
Features and Benefits of Active Directory
Summary
FAQs
CHAPTER 3 Setting Up User Accounts
Template: Acceptable Use/Security Policy
Purpose
Interpretation
Definitions
Responsibility
Loading Security Snap-ins into the MMC
Changing Account (Password) Policies
General
Address
Account
Profile
Telephones/Notes
Organization
Dial-in
Other Active Directory Users and
CHAPTER 4 Using Groups to Organize User Accounts
Information Needed to Create a Group
Adding Users through the Group Setting
Adding User through the User Settings
General
Members
Object
CHAPTER 5 Administering File Resources
Introduction
Using Microsoft Windows NT File System (NTFS) Permissions
How Windows 2000 Applies NTFS Permissions
File Permissions Override Folder Permissions
Deny Overrides All Other Permissions
Setting the Special Access Permissions
Taking Ownership of Files and Folders
Assigning Permissions to a Shared Folder
Typical Permission-Related Access Problems
Solving Permission-Related Access Problems
Avoiding Permission-Related Access Problems
Guidelines for Managing Shared Folder Permissions
Summary
FAQs
CHAPTER 6 Administering User Accounts
Creating Individualized Roaming User Profiles
Assigning Customized Roaming Profiles
Filtering Policy Based on Security Group Membership
Allowing for Different Hardware Configurations
Combining the Power of Profiles and Policies
Tightening Security on Home Directories
Summary
FAQs
CHAPTER 7 Administering Printer Resources
Introduction to Administering Printers
Terminology
Dedicated vs. Non-dedicated Print Servers
Local, Remote, and Network Printers
Installing a Printer from Another Server
General
Sharing
Ports
Advanced
Security
Setting Priority, Notification, Printing Time
Administering Printers by Using
CHAPTER 8 Managing Storage Data
Copying and Moving Compressed
Storing Encrypted Files on Remote Servers
Defragmenting NTFS File System Partitions
FAQs
CHAPTER 9 Monitoring Event Logs
Summary
FAQs
CHAPTER 10 Backing Up and Restoring Data
Introduction to Backing Up and Recovering Data
Summary
FAQs
CHAPTER 11 Advanced Administration of Windows 2000
Performance
Configuring Adapters and Protocols
Connection Manager Administration Kit
Customizing Windows 2000 Tools
CHAPTER 12 Administering Active Directory
Introduction to Administering
Directory
Namespace
Using Active Directory Management Utilities
DCPromo
Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Sites and Services
Publishing Objects in Active Directory
Delegating Administrative
Overview of Active Directory Service Interface (ADSI)
Summary
FAQs
CHAPTER 13 Implementing Group Policy
GPT.INI
How Group Policy Is Applied in Active Directory
Using the Group Policy Management Snap-in
Group Policy Configuration Example
Delegating Administrative Control of a Group Policy Object
Managing a Group Policy Object Link to a Site,
Guidelines for Implementing Group Policy
Summary
FAQs
CHAPTER 14 Managing User Environments Using Group Policy
Introduction to Managing User Environments
Types of Group Policy for Managing
Group Policy Snap-In for the Microsoft
Creating Custom Administrative Templates
Assigning Script Policies to Users and Computers
FAQs
CHAPTER 15 Managing Software by Using Group Policy
Introduction
Introduction to Managing Software Deployment
Creating a Non-Windows Installer Package File
CHAPTER 16 Administering User Accounts and Groups
Introduction to Administration of User Accounts
Migrating Users from an NT 4.0 Domain
Creating New Active Directory Users in Bulk
Importing Users from Novell Directory
Configuring Account Policies Using Group Policy
Redirecting User Data to a Network Share
Multilink and Bandwidth Allocation
Windows NT 3.x and 4.x Groups Types
Summary
FAQs
CHAPTER 17 Implementing Security in a Windows 2000 Network
Introduction to Securing a Windows 2000 Network
The Security Settings Extension to Group Policy
Creating, Modifying, and Analyzing Security Configurations
Security Configuration and Analysis Snap-in
SECEDIT.EXE
Certificates
Enabling and Administering File Encryption
Summary
FAQs
CHAPTER 18 Sharing File Resources by Using DFS