MCSA/MCSE: Windows® Server 2003 Upgrade Study Guide
Lisa Donald et al
SYBEX®
MCSA/MCSE: Windows Server 2003 Upgrade Study Guide
MCSA/MCSE: Windows® Server 2003 Upgrade Study Guide
Lisa Donald, Anil Desai, Suzan Sage London, James Chellis, Matthew Sheltz
San Francisco • London
Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Jeff Kellum Production Editor: Lori Newman Technical Editor: Warren Wyrostek Compositor: Craig Woods, Happenstance Type-O-Rama CD Coordinator: Dan Mummert CD Technician: Kevin Ly Proofreaders: Emily Hsuan, Nancy Riddiough Indexer: Ted Laux Book Designer: Bill Gibson Cover Designer: Archer Design Cover Photographer: Colin Paterson, PhotoDisc Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 2003110716 ISBN: 0-7821-4267-2 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997-1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows XP Professional, Windows Server 2003, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1
To Our Valued Readers: Thank you for looking to Sybex for your Microsoft Windows 2003 certification exam prep needs. We at Sybex are proud of the reputation we’ve established for providing certification candidates with the practical knowledge and skills needed to succeed in the highly competitive IT marketplace. Sybex is proud to have helped thousands of Microsoft certification candidates prepare for their exams over the years, and we are excited about the opportunity to continue to provide computer and networking professionals with the skills they’ll need to succeed in the highly competitive IT industry. With its release of Windows Server 2003, and the revised MCSA and MCSE tracks, Microsoft has raised the bar for IT certifications yet again. The new programs better reflect the skill set demanded of IT administrators in today’s marketplace and offers candidates a clearer structure for acquiring the skills necessary to advance their careers. The authors and editors have worked hard to ensure that the Study Guide you hold in your hand is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will exceed the demanding standards of the certification marketplace and help you, the Microsoft certification candidate, succeed in your endeavors. As always, your feedback is important to us. Please send comments, questions, or suggestions to
[email protected]. At Sybex we're continually striving to meet the needs of individuals preparing for IT certification exams. Good luck in pursuit of your Microsoft certification!
Neil Edde Associate Publisher—Certification Sybex, Inc
Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the "Owner(s)"). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time. Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s). Warranty SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the
media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to: SYBEX Inc. Product Support Department 1151 Marina Village Parkway Alameda, CA 94501 Web: http://www.sybex.com After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX. Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions. Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files. Copy Protection The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
Acknowledgements This book is the work of a great team. The production editor Lori Newman was always a pleasure to work with and kept the book moving along and on schedule. Thanks also to technical editor Warren Wyrostek for his thorough edit and for keeping us honest. We would like to thank Neil Edde, associate publisher and James Chellis who both helped develop and nurtured the MCSE series of books since the beginning. Jeff Kellum, acquisitions and developmental editor for all of his hard work on the initial development of the book and its format and keeping the project on track. We’d also like to thank the proofreaders Emily Hsuan and Nancy Riddiough, and the indexer Ted Laux. Finally, we want to thank our family for all of their support.
Contents at a Glance Introduction
xxiii
Assessment Test
xl
Part I
MCSA Upgrade Exam
1
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
3
Chapter 2
Managing Users, Groups, and Computers
Chapter 3
System Recovery and Web Services
141
Chapter 4
Managing Windows Server 2003 Remotely
195
Chapter 5
Installing and Managing Domain Name Service (DNS)
249
Chapter 6
Administering Security Policy
307
Part II
MCSE Upgrade Exam
Chapter 7
Planning and Implementing Server Roles
359
Chapter 8
Planning the Domain Name Service (DNS)
383
Chapter 9
Planning, Implementing, and Maintaining Server Availability
417
Chapter 10
Planning Network Security
461
Chapter 11
Planning, Implementing, and Maintaining Certificate Services 529
Chapter 12
Planning and Implementing Domains, Trees, and Forests
599
Chapter 13
Managing and Maintaining the Active Directory
667
Chapter 14
Planning, Implementing, and Managing Group Policy
711
77
357
Glossary
783
Index
809
Table of Contents Introduction
xxiii
Assessment Test
Part I Chapter
1
xl
MCSA Upgrade Exam
1
Installing, Licensing, and Updating Windows Server 2003
3
Features of Windows Server 2003 Active Directory File and Print Services Security Networking and Communications Application Services Management Services Storage Management Services Internet Information Server (IIS) 6.0 Terminal Services Windows Media Services Universal Description, Discovery, and Integration (UDDI) Services Windows Server 2003 Family Features Preparing to Install Windows Server 2003 Hardware Requirements The Hardware Compatibility List (HCL) Checking System Compatibility Clean Install or Upgrade Installation Options Installing Windows Server 2003 Steps for Windows Server 2003 Installation Upgrading a Server to a Domain Controller Setting Up Your Computers for Hands-on Exercises Installing Windows Server 2003 as a Domain Controller Installing Windows XP Professional within the Windows 2003 Domain Post-installation Product Activation Managing Licensing Understanding and Selecting a Licensing Mode Administering the License Logging Service
4 5 6 7 8 8 9 9 10 10 11 11 11 13 14 15 16 16 17 17 17 20 24 24 27 31 33 33 35
x
Table of Contents
Chapter
2
Administering Licensing Locally Administering Licensing in an Enterprise Managing Software Installation and Maintenance Using Windows Update Using Windows Automatic Updates Using Software Update Services Using the Microsoft Baseline Security Analyzer Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
36 38 45 46 48 49 62 66 67 67 68 75
Managing Users, Groups, and Computers
77
Working with Active Directory User Accounts Built-In Users Created in Active Directory Username and Password Rules and Conventions Usernames and Security Identifiers Creating Active Directory Users Disabling or Deleting User Accounts Renaming Users Changing a User’s Password Managing Active Directory User Properties Using the Run As Option Troubleshooting User Authentication Working with Active Directory Group Accounts Understanding Group Scope and Group Type Default Groups Created in Windows 2003 Domain Creating New Groups Managing Group Properties Identifying Group Membership Working with Computer Accounts Creating Computer Accounts Managing Computer Properties Resetting Computer Accounts Troubleshooting Computer Accounts Advanced User, Group, and Computer Management Locating Objects within the Active Directory Moving Objects within the Active Directory Creating Users, Groups, and Computers through Automation Importing Users
78 79 80 82 82 86 87 88 89 104 105 106 106 107 113 114 116 117 117 121 124 125 126 126 128 130 131
Table of Contents
Summary Exam Essentials Key Terms Review Questions Answers to Review Questions Chapter
3
System Recovery and Web Services Safeguarding Your Computer and Recovering from Disaster Using the Backup Utility Using the Backup Wizard Managing System State Data Configuring Backup Options Using Automated System Recovery Using Shadow Copies Benefits of Using IIS Key IIS Services IIS Security Installing IIS Configuring and Administering IIS IIS Backup Troubleshooting IIS Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
Chapter
4
Managing Windows Server 2003 Remotely Understanding Terminal Services Terminal Services Modes Benefits of Terminal Services Terminal Services Improvements and Enhancements for Windows Server 2003 Terminal Services Components Planning the Terminal Services Configuration Determining Client Applications Determining Hardware Requirements Installing Terminal Services Server Using the Terminal Services Configuration Utility Configuring and Managing Terminal Services Connections Managing Server Settings Managing Terminal Services Users Using the Terminal Services Manager Utility
xi
132 132 133 134 139 141 142 143 144 148 151 155 157 163 163 164 165 167 183 184 185 186 186 187 193 195 196 197 198 200 201 201 202 202 203 206 206 215 216 219
xii
Table of Contents
Using Terminal Services Licensing Running Applications on the Terminal Services Server Installing Applications Configuring Application Sharing Troubleshooting Terminal Services Using Remote Desktop and Remote Assistance for Administration Using Remote Desktop Using Remote Assistance Summary Exam Essentials Key Terms Review Questions Answers to Review Questions Chapter
5
Installing and Managing Domain Name Service (DNS) DNS Fundamentals What DNS Does Servers, Clients, and Resolvers DNS and Windows Server 2003 How DNS Works Installing and Configuring a DNS Server Installing a DNS Server Configuring a DNS Server Creating New Zones Setting Zone Properties Configuring Zones for Dynamic Updates Delegating Zones for DNS Manually Creating DNS Records Monitoring and Troubleshooting DNS Monitoring DNS with the DNS Snap-in Monitoring DNS Servers with System Monitor Monitoring DNS Events in the Event Viewer Monitoring DNS in Replication Monitor Troubleshooting DNS Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
220 225 225 225 226 228 228 235 241 241 242 243 247
249 250 251 253 254 255 267 267 268 269 273 278 279 280 283 283 285 286 287 289 294 295 296 297 303
Table of Contents
Chapter
6
Administering Security Policy An Overview of User and Group Accounts User Accounts Group Accounts Security Policy Types and Tools Group Policies within Active Directory Administering Local Computer Policy Configuring Security Settings Administering the Local Computer’s System Policies User Profiles Policies Script Policies Disk Quota Policies Group Policy Policies Windows File Protection Policies Analyzing Security Configurations with the Security Configuration and Analysis Tool Specifying a Security Database Importing a Security Template Performing a Security Analysis Reviewing the Security Analysis and Resolving Discrepancies Managing Windows Server 2003 Services Configuring General Service Properties Configuring Service Log On Properties Configuring Service Recovery Properties Checking Service Dependencies Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
Part II Chapter
MCSE Upgrade Exam 7
Planning and Implementing Server Roles Defining Server Roles Using the Configure Your Server Wizard Using the Manage Your Server Tool Planning a Security Update Infrastructure Using Microsoft Software Update Services Using Microsoft Baseline Security Analyzer Summary
xiii
307 308 308 310 310 311 318 319 331 332 333 333 334 335
336 337 337 340 340 343 343 344 345 345 347 347 348 349 355
357 359 360 365 368 370 371 373 375
xiv
Table of Contents
Exam Essentials Key Terms Review Questions Answers to Review Questions Chapter
8
Planning the Domain Name Service (DNS) Planning a DNS Namespace DNS Namespace Options Planning DNS Zones Selecting the Appropriate Zone Type Selecting the Zone Data Location Securing Zones Integrating DNS and WINS Planning DNS Zone Replication and Delegation Creating Secondary Zones Zone Transfers and Replication Securing Zone Transfers Delegating Zones Planning DNS Caching and Forwarding Planning Caching-Only Servers Planning Stub Zones Planning Conditional Forwarders Planning Forward-Only Servers Planning DNS Server Resources Planning General DNS Server Requirements Planning for Server Capacity Securing DNS Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
Chapter
9
Planning, Implementing, and Maintaining Server Availability Evaluating Availability and Scalability Solutions Identifying Threats to High Availability Evaluating Scalability Methods Evaluating Clustering Technologies Planning Server Clusters Understanding the Terminology Analyzing Business and Application Requirements
376 376 377 381 383 384 385 387 387 388 389 392 394 395 395 397 397 399 399 400 400 402 402 403 403 404 406 407 407 408 414
417 418 420 421 421 422 423 424
Table of Contents
Evaluating Application Deployment Considerations Determining the Cluster Model Planning Multisite Clusters Networking the Cluster Planning Network Load Balancing Monitoring NLB Administering NLB Remotely Recovering from Cluster Node Failure Backing Up Cluster Data Recovering from Cluster Failure Summary Exam Essentials Key Terms Review Questions Answers to Review Questions Chapter
10
Planning Network Security Evaluating IP Security IPSec Fundamentals IPSec in Practice Planning an IPSec Deployment Implementing IPSec Using the IP Security Policy Management Console Managing Policies Configuring IPSec Policies Configuring IPSec for Tunnel Mode Planning Secure Remote Administration Methods Planning to Remotely Administer Computers with Remote Desktop for Administration Planning to Offer Remote Assistance to Client Computers Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
Chapter
11
Planning, Implementing, and Maintaining Certificate Services Understanding the Public Key Infrastructure Key PKI Concepts Elements of a PKI PKI Terminology
xv
425 433 436 438 440 442 446 446 446 447 450 450 451 452 459 461 462 464 477 477 479 480 483 489 501 509 509 512 517 518 519 520 526
529 531 532 535 541
xvi
Table of Contents
Planning and Managing the Certificate Server Installing Microsoft Certificate Server Controlling the CA Service Configuring the CA Configuring Revocation and Trust Managing Certificates Introducing the Certificates Snap-In Viewing and Changing Certificate Properties Requesting New Certificates Rekeying an Existing Certificate Renewing a Certificate Importing, Exporting, and Locating Certificates Summary Exam Essentials Key Terms Review Questions Answers to Review Questions Chapter
12
Planning and Implementing Domains, Trees, and Forests Preparing for Active Directory Installation Planning and Installing DNS Verifying the File System Verifying Network Connectivity Determining the Domain Functional Level Planning the Domain Structure Installing the Active Directory Verifying the Active Directory Installation Using Event Viewer Using the Active Directory Administrative Tools Testing from Clients Creating and Configuring Application Data Partitions Creating Application Data Partitions Managing Replicas Removing Replicas Using ntdsutil to Manage Application Data Partitions Reasons for Creating Multiple Domains Reasons for Using Multiple Domains Drawbacks of Multiple Domains Creating Domain Trees and Forests Planning Trees and Forests The Promotion Process Creating a Domain Tree
546 546 552 556 565 573 573 574 578 582 582 583 587 588 590 591 596
599 601 601 604 605 607 609 610 615 615 618 618 621 621 623 624 624 626 626 628 629 629 633 633
Table of Contents
Joining a New Domain Tree to a Forest Adding Additional Domain Controllers Demoting a Domain Controller Managing Multiple Domains Managing Trusts Managing UPN Suffixes Managing Global Catalog Servers Summary Exam Essentials Key Terms Review Questions Answers to Review Questions Chapter
Chapter
13
14
xvii
640 644 646 648 648 654 654 656 657 659 660 664
Managing and Maintaining the Active Directory
667
Active Directory Security Overview Understanding Security Principals Managing Security and Permissions Using ACLs and ACEs Using Group Policy for Security Understanding Smart Card Authentication Preparing a Smart Card Certificate Enrollment Station Backup and Recovery of the Active Directory Overview of the Windows Server 2003 Backup Utility Backing Up the Active Directory Restoring the Active Directory Summary Exam Essentials Key Terms Review Questions Answers to Review Questions
668 669 673 675 676 680 681 683 685 689 692 701 702 703 704 709
Planning, Implementing, and Managing Group Policy Planning a Group Policy Strategy Implementing Group Policy Creating GPOs Linking GPOs to the Active Directory Using Administrative Templates Managing Group Policy Managing GPOs Filtering Group Policy Delegating Administrative Control of GPOs Controlling Inheritance and Filtering Group Policy
711 713 713 714 719 720 722 722 723 726 727
xviii
Table of Contents
Assigning Script Policies Managing Network Configuration Automatically Enrolling User and Computer Certificates in Group Policy Redirecting Folders Using Group Policy Troubleshooting Group Policy RSoP in Logging Mode RSoP in Planning Mode Using the gpresult.exe Command Overview of Software Deployment The Software Management Life Cycle The Windows Installer Deploying Applications Implementing Software Deployment Preparing for Software Deployment Publishing and Assigning Applications Applying Software Updates Verifying Software Installation Configuring Automatic Updates in Group Policy Configuring Software Deployment Settings The Software Installation Properties Dialog Box Removing Programs Windows Installer Settings Optimizing and Troubleshooting Software Deployment Summary Exam Essentials Key Terms Review Questions Answers to Review Questions Glossary Index
729 731 732 734 736 737 744 744 746 746 747 751 752 752 754 757 759 759 763 763 766 767 768 772 772 774 775 781 783 809
Table of Exercises Exercise
1.1
Installing Windows Server 2003 as a Domain Controller. . . . . . . . 25
Exercise
1.2
Installing Windows XP Professional as a part of a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . 29
Exercise
1.3
Joining an Existing Windows XP Professional Computer to a Windows 2003 Domain . . . . . . . . . . . . . . . . . . . . . 30
Exercise
1.4
Activating Windows Server 2003 . . . . . . . . . . . . . . . . . 33
Exercise
1.5
Configuring the License Logging Service . . . . . . . . . . . . . . 36
Exercise
1.6
Managing Per Server Licensing in a Single Server Environment . . . . 38
Exercise
1.7
Using Windows Update . . . . . . . . . . . . . . . . . . . . . 47
Exercise
1.8
Configuring Automatic Updates. . . . . . . . . . . . . . . . . . 49
Exercise
2.1
Setting Password Security Settings and User Rights Assignments . . . 81
Exercise
2.2
Creating Active Directory Users . . . . . . . . . . . . . . . . . . 85
Exercise
2.3
Disabling a User . . . . . . . . . . . . . . . . . . . . . . . . 87
Exercise
2.4
Deleting a User
Exercise
2.5
Renaming a User . . . . . . . . . . . . . . . . . . . . . . . . 88
Exercise
2.6
Changing a User’s Password . . . . . . . . . . . . . . . . . . . 88
Exercise
2.7
Using Local User Profiles . . . . . . . . . . . . . . . . . . . . 95
Exercise
2.8
Using Roaming Profiles . . . . . . . . . . . . . . . . . . . . . 97
Exercise
2.9
Assigning a Home Folder to a User . . . . . . . . . . . . . . . .100
Exercise
2.10
Using User Account Templates . . . . . . . . . . . . . . . . . .104
Exercise
2.11
Creating and Managing an Active Directory Group . . . . . . . . . .116
Exercise
2.12
Moving Objects within the Active Directory . . . . . . . . . . . . .129
Exercise
3.1
Using the Backup Wizard
Exercise
3.2
Backing Up System State Data . . . . . . . . . . . . . . . . . .150
Exercise
3.3
Using the Automated System Recovery Wizard . . . . . . . . . . .156
Exercise
3.4
Using Shadow Copies . . . . . . . . . . . . . . . . . . . . . .160
Exercise
3.5
Enabling Web Service Extensions . . . . . . . . . . . . . . . . .167
Exercise
3.6
Creating a New Web Site
Exercise
3.7
Managing Websites . . . . . . . . . . . . . . . . . . . . . . .181
Exercise
4.1
Installing a Terminal Services Server
Exercise
4.2
Configuring a Terminal Services Server . . . . . . . . . . . . . .216
Exercise
4.3
Using Remote Desktop Connection . . . . . . . . . . . . . . . .235
Exercise
5.1
Installing and Configuring the DNS Service . . . . . . . . . . . . .272
. . . . . . . . . . . . . . . . . . . . . . . . 87
. . . . . . . . . . . . . . . . . . . .148
. . . . . . . . . . . . . . . . . . . .169
. . . . . . . . . . . . . . .203
xx
Table of Exercises
Exercise
5.2
Configuring Zones and Configuring Zones for Dynamic Updates
. . . 278
Exercise
5.3
Creating a Delegated DNS Zone . . . . . . . . . . . . . . . . . 279
Exercise
5.4
Manually Creating DNS RRs . . . . . . . . . . . . . . . . . . . 280
Exercise
5.5
Simple DNS Testing . . . . . . . . . . . . . . . . . . . . . . 285
Exercise
5.6
Installing and Running Replication Monitor . . . . . . . . . . . . 287
Exercise
5.7
Working with Replication Monitor . . . . . . . . . . . . . . . . 288
Exercise
5.8
Using the nslookup Command . . . . . . . . . . . . . . . . . . 292
Exercise
6.1
Creating a Management Console for Security Settings . . . . . . . . 319
Exercise
6.2
Setting Password Policies. . . . . . . . . . . . . . . . . . . . 321
Exercise
6.3
Setting Account Lockout Policies . . . . . . . . . . . . . . . . . 322
Exercise
6.4
Setting Audit Policies
Exercise
6.5
Setting Local User Rights . . . . . . . . . . . . . . . . . . . . 329
Exercise
6.6
Defining Security Options. . . . . . . . . . . . . . . . . . . . 331
Exercise
6.7
Using the Security Configuration and Analysis Tool . . . . . . . . . 341
Exercise
7.1
Using the Configure Your Server Wizard
Exercise
7.2
Using the Manage Your Server Tool . . . . . . . . . . . . . . . 369
Exercise
10.1
Network Protocol Security and Enabling IPSec on the Local Computer . 480
Exercise
10.2
Enabling IPSec for an Entire Domain . . . . . . . . . . . . . . . 485
Exercise
10.3
Customizing and Configuring the Local Computer IPSec Policy and Rules for Transport Mode . . . . . . . . . . . . . . . . . . 500
Exercise
10.4
Configuring a Policy for IPSec Tunnel Mode . . . . . . . . . . . . 504
Exercise
11.1
Assigning Permissions to Templates . . . . . . . . . . . . . . . 561
Exercise
11.2
Enabling Automatic Enrollment . . . . . . . . . . . . . . . . . 563
Exercise
11.3
Creating a New CTL . . . . . . . . . . . . . . . . . . . . . . 567
Exercise
11.4
Revoking a Certificate . . . . . . . . . . . . . . . . . . . . . 569
Exercise
11.5
Requesting a Certificate
Exercise
11.6
Issuing Certificates
Exercise
11.7
Using the Certificate Export Wizard . . . . . . . . . . . . . . . . 583
Exercise
11.8
Using the Certificate Import Wizard. . . . . . . . . . . . . . . . 585
Exercise
12.1
Promoting a Domain Controller . . . . . . . . . . . . . . . . . 610
Exercise
12.2
Viewing the Active Directory Event Log . . . . . . . . . . . . . . 616
Exercise
12.3
Joining a Computer to an Active Directory Domain . . . . . . . . . 620
Exercise
12.4
Creating a New Subdomain . . . . . . . . . . . . . . . . . . . 634
Exercise
12.5
Creating a New Domain Tree in the Forest . . . . . . . . . . . . . 641
Exercise
12.6
Managing Trust Relationships . . . . . . . . . . . . . . . . . . 649
. . . . . . . . . . . . . . . . . . . . . 325
. . . . . . . . . . . . . 365
. . . . . . . . . . . . . . . . . . . . 578
. . . . . . . . . . . . . . . . . . . . . . 581
Table of Exercises
xxi
Exercise
12.7
Adding a UPN Suffix . . . . . . . . . . . . . . . . . . . . . .655
Exercise
12.8
Managing Global Catalog Servers . . . . . . . . . . . . . . . . .655
Exercise
13.1
Applying Security Policies by Using Group Policy . . . . . . . . . .678
Exercise
13.2
Preparing a Smart Card Certificate Enrollment Station . . . . . . . .681
Exercise
13.3
Setting Up a Smart Card for User Logon . . . . . . . . . . . . . .682
Exercise
13.4
Configuring Group Policy to Require Smart Card Logon. . . . . . . .683
Exercise
13.5
Backing Up the Active Directory. . . . . . . . . . . . . . . . . .690
Exercise
13.6
Restoring the System State and the Active Directory . . . . . . . . .695
Exercise
14.1
Creating a Group Policy Object Using MMC . . . . . . . . . . . . .715
Exercise
14.2
Linking GPOs to the Active Directory. . . . . . . . . . . . . . . .719
Exercise
14.3
Filtering Group Policy Using Security Groups . . . . . . . . . . . .724
Exercise
14.4
Delegating Administrative Control of Group Policy . . . . . . . . . .726
Exercise
14.5
Managing Inheritance and Filtering of GPOs
Exercise
14.6
Configuring Automatic Certificate Enrollment in Group Policy . . . . .733
Exercise
14.7
Configuring Folder Redirection in Group Policy . . . . . . . . . . .735
Exercise
14.8
Running RSoP in Logging Mode
Exercise
14.9
Running RSoP in Planning Mode . . . . . . . . . . . . . . . . .741
Exercise
14.10
Creating a Software Deployment Share
Exercise
14.11
Publishing and Assigning Applications Using Group Policy . . . . . .754
Exercise
14.12
Applying Software Updates . . . . . . . . . . . . . . . . . . .757
Exercise
14.13
Configuring Software Update Services in Group Policy . . . . . . . .760
. . . . . . . . . . . .729
. . . . . . . . . . . . . . . . .741
. . . . . . . . . . . . . .753
Introduction Microsoft’s Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) tracks for Windows Server 2003 are the premier certifications for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, this program provides powerful credentials for career advancement. This book has been developed to give you the critical skills and knowledge you need to prepare for both of the Upgrade requirements for the MCSA and MCSE certifications in the new Windows Server 2003 track:
Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 (exam 70-292)
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 (exam 70-296)
You must be an MCSA or an MCSE in Windows 2000 in order to take Exam 70-292. In addition, you must be an MCSE in Windows 2000 in order to take Exam 70-296.
The Microsoft Certified Professional Program Since the inception of its certification program, Microsoft has certified almost 1.5 million people. As the computer network industry increases in both size and complexity, this number is sure to grow—and the need for proven ability will also increase. Companies rely on certifications to verify the skills of prospective employees and contractors. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. Obtaining your MCP certification requires that you pass any one Microsoft certification exam. Several levels of certification are available based on specific suites of exams. Depending on your areas of interest or experience, you can obtain any of the following MCP credentials: Microsoft Certified System Administrator (MCSA) on Windows Server 2003 The MCSA certification is the latest certification track from Microsoft. This certification targets system and network administrators with roughly 6 to 12 months of desktop and network administration experience. The MCSA can be considered the entry-level certification. You must take and pass a total of four exams to obtain your MCSA. Or, if you are an MCSA on Windows 2000, you can take one Upgrade exam--70-292--to obtain your MCSA on Windows Server 2003. Microsoft Certified System Engineer (MCSE) on Windows Server 2003 This certification track is designed for network and systems administrators, network and systems analysts, and technical consultants who work with Microsoft Windows XP and Server 2003 software. You must take and pass seven exams to obtain your MCSE. Or, if you are an MCSE on Windows 2000, you can take two Upgrade exams—70-292 and 70-296—to obtain your MCSE on Windows Server 2003.
xxiv
Introduction
MCSE versus MCSA In an effort to provide those just starting off in the IT world a chance to prove their skills, Microsoft introduced its Microsoft Certified System Administrator (MCSA) program. Targeted at those with less than a year’s experience, the MCSA program focuses primarily on the administration portion of an IT professional’s duties. Therefore, there are certain Windows exams that satisfy both MCSA and MCSE requirements, namely exams 70-270, 70-290, and 70-291. Of course, it should be any MCSA’s goal to eventually obtain his or her MCSE. However, don’t assume that, because the MCSA has to take two exams that also satisfy an MCSE requirement, the two programs are similar. An MCSE must also know how to design a network. Beyond these two exams, the remaining MCSE required exams require the candidate to have much more hands-on experience.
If you purchased this book only to prepare for exam 70-292, Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000, you should be aware that Microsoft expects MCSAs to have a higher-level knowledge of some topics. In areas where we felt a more thorough understanding of a topic was necessary, we added notes referencing the MCSE-level topics covered later in the book. However, you should read the entire book before attempting the 70-292 exam.
Microsoft Certified Application Developer (MCAD) This track is designed for application developers and technical consultants who primarily use Microsoft development tools. Currently, you can take exams on Visual Basic .NET or Visual C# .ΝΕΤ. You must take and pass three exams to obtain your MCSD. Microsoft Certified Solution Developer (MCSD) This track is designed for software engineers and developers and technical consultants who primarily use Microsoft development tools. As of this printing, you can get your MCSD in either Visual Studio 6 or Visual Studio .NET. In Visual Studio 6, you need to take and pass three exams. In Visual Studio .NET, five exams to obtain your MCSD. Microsoft Certified Database Administrator (MCDBA) This track is designed for database administrators, developers, and analysts who work with Microsoft SQL Server. As of this printing, you can take exams on either SQL Server 7 or SQL Server 2000. You must take and pass four exams to achieve MCDBA status. Microsoft Certified Trainer (MCT) The MCT track is designed for any IT professional who develops and teaches Microsoft-approved courses. To become an MCT, you must first obtain your MCSE, MCSD, or MCDBA, then you must take a class at one of the Certified Technical Training Centers. You will also be required to prove your instructional ability. You can do this
Introduction
xxv
in various ways: by taking a skills-building or train-the-trainer class, by achieving certification as a trainer from any of several vendors, or by becoming a Certified Technical Trainer through CompTIA. Last of all, you will need to complete an MCT application.
How Do You Become Certified on Windows Server 2003? Attaining an MCSA or MCSE certification has always been a challenge. In the past, students have been able to acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, this is simply not the case. Microsoft has taken strong steps to protect the security and integrity of its certification tracks. Now prospective candidates must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with Windows XP, Server 2003, and related software products. The Windows Server 2003 certification programs are heavily weighted toward hands-on skills and experience. Microsoft has stated that “nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate the time and effort to learn Windows XP and Server 2003, you can prepare yourself well for the exams by using the proper tools. By working through this book, you can successfully meet the exam requirements to pass the Windows Server 2003 management and maintenance exam. This book is part of a complete series of MCSA and MCSE Study Guides, published by Sybex Inc., that together cover the core MCSA and MCSE operating system requirements, as well as the Design requirements needed to complete your MCSE track. Please visit the Sybex web site at www.sybex.com for complete program and product details.
MCSA Exam Requirements MCSA on Windows 2003 candidates who do not have their MCSA on Windows 2000 certification must pass four exams.
For a more detailed description of the Microsoft certification programs, including a list of all the exams, visit Microsoft’s Training and Certification Web site at www.microsoft.com/traincert.
You must take one of the following client operating system exams:
Installing, Configuring, and Administering Microsoft Windows 2000 Professional (70-210)
Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270)
plus the following networking operating system exams:
Managing and Maintaining a Microsoft Windows Server 2003 Environment (70-290)
Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (70-291)
xxvi
Introduction
plus one of a number of electives, including:
Implementing and Supporting Microsoft Systems Management Server 2.0 (70-086)
Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition (70-227)
Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition (70-228)
CompTIA’s A+ and Network+ exams
CompTIA’s A+ and Server+ exams
If you are an MCSA on Windows 2000--which is probably the majority of you--you can take one Upgrade exam: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 (70-292).
MCSE Exam Requirements MCSE on Windows 2003 candidates who do not have their MCSE in Windows 2000 or Windows NT must pass seven exams, including one client operating system exam, three networking operating system exams, one design exam, and two electives.
For a more detailed description of the Microsoft certification programs, visit Microsoft’s Training and Certification Web site at www.microsoft.com/ traincert.
You must take one of the following client operating system exams:
Installing, Configuring, and Administering Microsoft Windows 2000 Professional (70-210)
Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270)
plus the following networking operating system exams:
Managing and Maintaining a Microsoft Windows Server 2003 Environment (70-290)
Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (70-291)
Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (70-293)
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (70-294)
plus one of the following Design exams:
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure (70-297)
Designing Security for a Microsoft Windows Server 2003 Network 2000 Server Technologies (70-298)
Introduction
xxvii
plus one of a number of electives, including:
Implementing and Supporting Microsoft Systems Management Server 2.0 (70-086)
Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition (70-227)
Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition (70-228)
Designing and Implementing Databases with Microsoft SQL Server 2000 Enterprise Edition (70-229)
The Design exam not taken as a requirement If you are an MCSE on Windows 2000, you can take two Upgrade exams:
Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 (70-292) and Planning, Implementing
Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 (70-296)
In addition, if you are an MCSE in Windows NT, you do not have to take the client requirement, but you do have to take the networking operating system, design, and an elective.
This book is divided into two parts, corresponding with the two different exams required to upgrade your MCSE on Windows 2000 certification to a MCSE on Windows Server 2003 certification.
Windows 2000 and Windows 2003 Certification Microsoft recently announced that they will distinguish between Windows 2000 and Windows Server 2003 certifications. Those who have their MCSA or MCSE certification in Windows 2000 will be referred to as “certified on Windows 2000.” Those who obtained their MCSA or MCSE in the Windows Server 2003 will be referred to as “certified on Windows Server 2003.” If you are certified in Windows 2000, you can take either one Upgrade exam (for MCSA) or two Upgrade exams (for MCSE) to obtain your certification on Windows 2003. Microsoft also introduced a more clear distinction between the MCSA and MCSE certifications, by more sharply focusing each certification. In the new Windows 2003 track, the objectives covered by the MCSA exams relate primarily to administrative tasks. The exams that relate specifically to the MCSE, however, deal mostly with design-level concepts. So, MCSA job tasks are considered to be more hands-on, while the MCSE job tasks involve more strategic concerns of design and planning.
xxviii
Introduction
The Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 Exam The Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 exam covers concepts and skills related to manage, and maintain a Windows Server 2003 environment. It emphasizes the following elements of server management:
Managing users, computers, and groups
Managing and maintaining access to resources
Managing and maintaining a server environment
Managing and implementing disaster recovery
Implementing, Managing, and Maintaining Name Resolution
Implementing, Managing, and Maintaining Network Security
Microsoft includes questions on the 70-292 exam that are MCSE-level topics. In areas where we felt a more thorough understanding of a topic was necessary, we added notes referencing the MCSE-level topics covered later in the book. However, you should read the entire book before attempting the 70-292 exam.
The Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Exam The Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 exam covers concepts and skills related to plan, implement, and maintain a Windows Server 2003 environment. It emphasizes the following elements of server management:
Planning and Implementing Server Roles and Server Security
Planning, Implementing, and Maintaining a Network Infrastructure
Planning, Implementing, and Maintaining Server Availability
Planning and Maintaining Network Security
Planning, Implementing, and Maintaining Security Infrastructure
Planning and Implementing an Active Directory Infrastructure
Managing and Maintaining an Active Directory Infrastructure
Planning and Implementing User, Computer, and Group Strategies
Planning and Implementing Group Policy
Managing and Maintaining Group Policy
These exams are quite specific regarding the Windows Server 2003 environment configuration and operational settings, and they can be particular about how administrative tasks are performed
Introduction
xxix
within the operating system. They also focus on fundamental concepts of Windows Server 2003’s operation. Careful study of this book, along with hands-on experience, will help you prepare for these exams.
Microsoft provides exam objectives to give you a general overview of possible areas of coverage on the Microsoft exams. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s Training and Certification Web site (www.microsoft.com/traincert) for the most current listing of exam objectives.
Types of Exam Questions In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has focused its Windows XP and Server 2003 exams on real experience and handson proficiency. There is a greater emphasis on your past working environments and responsibilities, and less emphasis on how well you can memorize. In fact, Microsoft says a certification candidate should have at least six months of hands-on experience.
Microsoft will accomplish its goal of protecting the exams’ integrity by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, and adding new exam elements.
Exam questions may be in a variety of formats: Depending on which exam you take, you’ll see multiple-choice questions, as well as select-and-place and prioritize-a-list questions. Simulations and case study–based formats are included as well. Let’s take a look at the types of exam questions and examine the adaptive testing technique, so you’ll be prepared for all of the possibilities.
For more information on the various exam question types, go to www.microsoft.com/traincert/mcpexams/policies/innovations.asp.
Multiple-Choice Questions Multiple-choice questions come in two main forms. One is a straightforward question followed by several possible answers, of which one or more is correct. The other type of multiple-choice question is more complex and based on a specific scenario. The scenario may focus on several areas or objectives.
Select-and-Place Questions Select-and-place exam questions involve graphical elements that you must manipulate to successfully answer the question. For example, you might see a diagram of a computer network.
xxx
Introduction
A typical diagram will show computers and other components next to boxes that contain the text “Place here.” The labels for the boxes represent various computer roles on a network, such as a print server and a file server. Based on information given for each computer, you are asked to select each label and place it in the correct box. You need to place all of the labels correctly. No credit is given for the question if you correctly label only some of the boxes. In another select-and-place problem you might be asked to put a series of steps in order, by dragging items from boxes on the left to boxes on the right, and placing them in the correct order. One other type requires that you drag an item from the left and place it under an item in a column on the right.
Simulations Simulations are the kinds of questions that most closely represent actual situations and test the skills you use while working with Microsoft software interfaces. These exam questions include a mock interface on which you are asked to perform certain actions according to a given scenario. The simulated interfaces look nearly identical to what you see in the actual product. Because of the number of possible errors that can be made on simulations, be sure to consider the following recommendations from Microsoft:
Do not change any simulation settings that don’t pertain to the solution directly.
When related information has not been provided, assume that the default settings are used.
Make sure that your entries are spelled correctly.
Close all the simulation application windows after completing the set of tasks in the simulation.
The best way to prepare for simulation questions is to spend time working with the graphical interface of the product on which you will be tested.
We recommend that you study with the WinSim 2003 product, which is included on the CD that accompanies this Study Guide. By completing the exercises in this Study Guide and working with the WinSim 2003 software, you will greatly improve your level of preparation for simulation questions.
Case Study–Based Questions Case study–based questions first appeared in the MCSD program. These questions present a scenario with a range of requirements. Based on the information provided, you answer a series of multiple-choice and select-and-place questions. The interface for case study–based questions has a number of tabs, each of which contains information about the scenario.
Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to merely memorize exam questions that were passed along by previous test-takers.
Introduction
xxxi
Exam Question Development Microsoft follows an exam-development process consisting of eight mandatory phases. The process takes an average of seven months and involves more than 150 specific steps. The MCP exam development consists of the following phases: Phase 1: Job Analysis Phase 1 is an analysis of all the tasks that make up a specific job function, based on tasks performed by people who are currently performing that job function. This phase also identifies the knowledge, skills, and abilities that relate specifically to the performance area being certified. Phase 2: Objective Domain Definition The results of the job analysis phase provide the framework used to develop objectives. Development of objectives involves translating the jobfunction tasks into a comprehensive package of specific and measurable knowledge, skills, and abilities. The resulting list of objectives—the objective domain—is the basis for the development of both the certification exams and the training materials. Phase 3: Blueprint Survey The final objective domain is transformed into a blueprint survey in which contributors are asked to rate each objective. These contributors may be MCP candidates, appropriately skilled exam-development volunteers, or Microsoft employees. Based on the contributors’ input, the objectives are prioritized and weighted. The actual exam items are written according to the prioritized objectives. Contributors are queried about how they spend their time on the job. If a contributor doesn’t spend an adequate amount of time actually performing the specified job function, his or her data are eliminated from the analysis. The blueprint survey phase helps determine which objectives to measure, as well as the appropriate number and types of items to include on the exam. Phase 4: Item Development A pool of items is developed to measure the blueprinted objective domain. The number and types of items to be written are based on the results of the blueprint survey. Phase 5: Alpha Review and Item Revision During this phase, a panel of technical and jobfunction experts reviews each item for technical accuracy. The panel then answers each item and reaches a consensus on all technical issues. Once the items have been verified as being technically accurate, they are edited to ensure that they are expressed in the clearest language possible. Phase 6: Beta Exam The reviewed and edited items are collected into beta exams. Based on the responses of all beta participants, Microsoft performs a statistical analysis to verify the validity of the exam items and to determine which items will be used in the certification exam. Once the analysis has been completed, the items are distributed into multiple parallel forms, or versions, of the final certification exam.
xxxii
Introduction
Phase 7: Item Selection and Cut-Score Setting The results of the beta exams are analyzed to determine which items will be included in the certification exam. This determination is based on many factors, including item difficulty and relevance. During this phase, a panel of jobfunction experts determines the cut score (minimum passing score) for the exams. The cut score differs from exam to exam because it is based on an item-by-item determination of the percentage of candidates who answered the item correctly and who would be expected to answer the item correctly. Phase 8: Live Exam In the final phase, the exams are given to candidates. MCP exams are administered by Prometric and Virtual University Enterprises (VUE).
Tips for Taking the Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 Exam, and Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Exam Here are some general tips for achieving success on your certification exams:
Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information.
Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.
For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.
Exam Registration You may take the Microsoft exams at any of more than 1000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Prometric at 800-755-EXAM (755-3926), or call VUE at 888-837-8616. Outside the United States and Canada, contact your local Prometric or VUE registration center. Find out the number of the exam you want to take, and then register with the Prometric or VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $125 each and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.
Introduction
xxxii
You may also register for your exams online at www.prometric.com or www.vue.com.
When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric or VUE. Microsoft requires certification candidates to accept the terms of a Non-Disclosure Agreement before taking certification exams.
Is This Book for You? If you want to acquire a solid foundation in managing and maintaining a Window Server 2003 environment, and your goal is to prepare for the exam by learning how to use and manage the new operating system, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp, and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field. If you want to become certified as an MCSE or MCSA, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows Server 2003 management and maintenance, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows Server 2003 management and maintenance exam.
What’s in the Book? What makes a Sybex Study Guide the book of choice for over 100,000 MCPs? We took into account not only what you need to know to pass the exam, but what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following: Objective-by-objective coverage of the topics you need to know Each chapter lists the objectives covered in that chapter.
The topics covered in this Study Guide map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.
Assessment Test Directly following this introduction is an Assessment Test that you should take. It is designed to help you determine how much you already know about Windows Server 2003 management and maintenance. Each question is tied to a topic discussed in the book. Using the results of the Assessment Test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book. Exam Essentials To highlight what you learn, you’ll find a list of Exam Essentials at the end of each chapter. The Exam Essentials section briefly highlights the topics that need your particular attention as you prepare for the exam.
xxxiv
Introduction
Key Terms and Glossary Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and a list of the Key Terms appears just after the Exam Essentials. At the end of the book, a detailed Glossary gives definitions for these terms, as well as other general terms you should know. Review questions, complete with detailed explanations Each chapter is followed by a set of Review Questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel as what you’ll see on the exam. Question types are just like the exam, including multiple choice, exhibits, and select-and-place. Hands-on exercises In each chapter, you’ll find exercises designed to give you the important hands-on experience that is critical for your exam preparation. The exercises support the topics of the chapter, and they walk you through the steps necessary to perform a particular function. Real World Scenarios Because reading a book isn’t enough for you to learn how to apply these topics in your everyday duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense, in a working environment you’d actually encounter. Interactive CD Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with an interactive device, a Windows simulation program, and the book in electronic format. Details are in the following section.
Why We Chose to Cover Both Exam in One Book You’ll notice that some of the official Microsoft exam objectives overlap or are very similar between the two different Upgrade exams: 70-292 and 70-296. This book is divided into two parts corresponding to the two different exams. The first part of the book covers material related to exam 70-292, based on the exam objectives published by Microsoft. The second part of this book covers topics on the 70-296 exam, but builds upon the material from the first part of the book. As you read this book you’ll notice that in some cases, a chapter in the Part 2 covers similar topics to a chapter in Part 1. In these cases, we only included the new information we felt you needed to pass the 70-296 exam, rather than duplicate the same material in two different chapters. This means that you should read Part 1 before reading Part, since the Part 2 builds upon the information presented in Part 1. Notes are scattered throughout the book explaining where the overlap occurs and directing you to the appropriate pages within the book where you can find more information on the given topics.
Introduction
xxxv
What’s on the CD? With this new member of our best-selling MCSA and MCSE Study Guide series, we are including quite an array of training resources. The CD offers numerous simulations, bonus exams, and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here: The Sybex E-book for MCSA/MCSE: Windows 2003 Upgrade Study Guide Many people like the convenience of being able to carry their whole Study Guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily. For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities. WinSim 2003 We developed the WinSim 2003 product to allow you to experience the multimedia and interactive operation of working with Windows Server 2003. WinSim 2003 provides both audio/video files and hands-on experience with key features of Windows Server 2003. Built around the Study Guide’s exercises, WinSim 2003 will help you attain the knowledge and hands-on skills you must have in order to understand Windows Server 2003 (and pass the exam). Here is a sample screen from WinSim 2003:
The Sybex Test Engine This is a collection of multiple-choice questions that will help you prepare for your exam. There are four sets of questions:
Four bonus exams designed to simulate the actual live exam.
All the questions from the Study Guide, presented in a test engine for your review. You can review questions by chapter or by objective, or you can take a random test.
The Assessment Test.
xxxvi
Introduction
Here is a sample screen from the Sybex Test Engine:
Sybex MCSE Flashcards for PCs and Handheld Devices The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex Flashcards set consists of more than 100 questions presented in a special engine developed specifically for this Study Guide series. Here’s what the Sybex Flashcards interface looks like:
Introduction
xxxvii
Because of the high demand for a product that will run on handheld devices, we have also developed a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).
How Do You Use This Book? This book provides a solid foundation for the serious effort of preparing for the exam. To best benefit from this book, you may wish to use the following study method: 1.
Take the Assessment Test to identify your weak areas.
2.
Study each chapter carefully. Do your best to fully understand the information.
3.
Complete all the hands-on exercises in the chapter, referring back to the text as necessary so that you understand each step you take. If you don’t have access to a lab environment in which you can complete the exercises, install and work with the exercises available in the WinSim 2003 software included with this Study Guide.
To do the exercises in this book, your hardware should meet the minimum hardware requirements for Windows Server 2003. See below for a list of recommended hardware and software we think you should have in your home lab.
4.
Read over the Real World Scenarios to improve your understanding of how to use what you learn in the book.
5.
Study the Exam Essentials and Key Terms to make sure you are familiar with the areas you need to focus on.
6.
Answer the review questions at the end of each chapter. If you prefer to answer the questions in a timed and graded format, install the Sybex Test Engine from the book’s CD and answer the chapter questions there instead of in the book.
7.
Take note of the questions you did not understand, and study the corresponding sections of the book again.
8.
Go back over the Exam Essentials and Key Terms.
9.
Go through the Study Guide’s other training resources, which are included on the book’s CD. These include WinSim 2003, electronic flashcards, the electronic version of the chapter review questions (try taking them by objective), and the two bonus exams.
To learn all the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study, and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!
xxxviii
Introduction
Hardware and Software Requirements You should verify that your computer meets the minimum requirements for installing Windows Server 2003. We suggest that your computer meets or exceeds the recommended requirements for a more enjoyable experience. The exercises in this book assume that you have two computers, a Windows Server 2003 domain controller and a Windows XP Professional computer that is part of the domain.
Contacts and Resources To find out more about Microsoft Education and Certification materials and programs, to register with Prometric or VUE, or to obtain other useful certification information and additional study resources, check the following resources: Microsoft Training and Certification Home Page www.microsoft.com/traincert This Web site provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification. Microsoft TechNet Technical Information Network www.microsoft.com/technet 800-344-2121 Use this Web site or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information. Prometric www.prometric.com 800-755-3936 Contact Prometric to register to take an MCP exam at any of more than 800 Prometric Testing Centers around the world. Virtual University Enterprises (VUE) www.vue.com 888-837-8616 Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers. MCP Magazine Online www.mcpmag.com Microsoft Certified Professional Magazine is a well-respected publication that focuses on Windows certification. This site hosts chats and discussion forums, and tracks news related to the MCSE program. Some of the services cost a fee, but they are well worth it. Windows & .NET Magazine www.windows2000mag.com
Introduction
xxxix
You can subscribe to this magazine or read free articles at the Web site. The study resource provides general information on Windows Server 2003, Windows XP, Windows 2000 Server. Cramsession on Brainbuzz.com cramsession.brainbuzz.com Cramsession is an online community focusing on all IT certification programs. In addition to discussion boards and job locators, you can download one of several free cram sessions, which are nice supplements to any study approach you take.
xl
Assessment Test
Assessment Test 1.
You are the network administrator of a large network. One of your Windows Server 2003 domain controllers recently failed. You reinstalled Windows Server 2003 and now need to restore the System State data and the Active Directory. Which of the following steps should you take? (Choose all that apply.) A. Restart the server in Directory Services Restore Mode. B. Perform an authoritative restore using the Ntdsutil.exe command. C. Perform a non-authoritative restore using the Ntdsutil.exe command. D. Perform an authoritative restore using the Ntdsrestore.exe command.
2.
You are the network administrator for a large network. All of the marketing users use Windows XP Professional computers with a Windows 2003 domain. Each user within the group should use a standardized profile. You decide to implement a mandatory profile that will be shared by all users. After you copy the profile to a shared network location, which of the following steps should you take? A. Rename the Ntuser.dat file to Ntuser.man. B. Rename the Ntuser.dat file to Ntuser.sav. C. Change the file attributes in the Ntuser.dat file to Read-Only. D. Change the file attributes in the Ntuser.dat file to Mandatory.
3.
You are the network administrator of a large network. You use a SUS server to manage all of the updates to the Windows computers within the network. As part of your general maintenance, you manually approve which updates will be applied to the network after you have tested the update. Which of the following actions would you use to view the SUS server’s synchronization log? A. Administrative Tools SUSAdmin B. http://yourservername/SUSAdmin C. Administrative Tools SUS Administrator D. http://yourservername/SUS
4.
You are the network administrator for a Windows 2003 network. You have decided to implement shadow copies on the Sales server on the D: volume, which is configured to use the NTFS file system. After you configure the volume to use shadow copies, you want to configure several client computers to be able to access the shadow copies. Which of the following steps must be taken before the clients can access the shadow copies? A. The users who will access the shadow copies must be given Full Control access to the
shadow copy volume. B. The users who will access the shadow copies must be added to the Shadow Users group. C. The users who will access the shadow copies must be added to the Server Operators group. D. The users who will access the shadow copies must install the Shadow Copies Of Shared
Folders software from the \\windir\system32\clients\twclient folder (located on a Windows Server 2003 share).
Assessment Test
5.
xli
The time to live (TTL) attached to a DNS record __________. A. Cannot be used by a resolver, only by servers making recursive queries B. Is used only by resolvers C. Is used to determine how long to cache retrieved results D. Is refreshed each time the record is modified
6.
You are the network administrator of a large network. You are designing a network backup strategy for all of the servers within the domain. Every Friday, you will perform a complete backup. On Saturday through Thursday you want to create backups at 1 A.M. and 1 P.M. that use the minimum amount of space. Which of the following backup options should you use? A. Copy B. Differential C. Incremental D. Daily
7.
You are the network administrator for your company. Your company recently acquired a smaller company that has 100 employees. You need to add the 100 new users to the Users domain on your Windows 2003 network. Which of the following command-line utilities will allow you to automate this process through a batch script? A. Dsget B. Dsadd C. Dsuser D. Dscreate
8.
You are the network administrator of a Windows 2003 network. One of the Help Desk managers uses Windows 2000 Professional as their desktop operating system and wants to use Remote Desktop Connection (RDC) to make a Remote Desktop For Administration connection to Windows Server 2003 computers. What software needs to be installed on his client computer? A. \Windir\System32\Clients\RDC\Win32 from a share on a Windows Server
2003 computer. B. \Windir\System32\Clients\Tsclient\Win32 from a share on a Windows
Server 2003 computer. C. Install the RDC software through Add Or Remove Programs in Control Panel. D. Install the Tsclient software through Add Or Remove Programs in Control Panel. 9.
Which of the following statements about Windows Server 2003 Dynamic DNS is true? A. DDNS requires a Microsoft DHCP server to work. B. The Windows Server 2003 DDNS server can interoperate with recent versions of BIND. C. DDNS clients may not register their own addresses. D. DDNS only works with Microsoft clients and servers.
xlii
Assessment Test
10. You recently decided to implement Terminal Services to support a wide variety of legacy hardware still used within your corporation. When you tested the new configuration, some of the Terminal Service clients could connect to the Terminal Services server and some of the clients could not connect. You suspect that the problem is related to security settings. Which of the following settings should you use to promote a balance between connectivity and security for the Terminal Service clients? A. No Security B. Low C. Client Compatible D. FIPS Compatible 11. Which of the following statements is true regarding cacheing-only servers? A. They are authoritative for a domain B. They perform queries C. They contain zone files D. They participate in zone transfers 12. Which option is used as a tool to compare your desired security settings with your current security settings? A. Security template B. Security database C. Security profile D. Security analyst 13. What is the name of the file that stores information for a DNS zone? A. domain_name.dns B. LMHOSTS C. ZONES D. SERVERS 14. Which policy types are applied to the computer as opposed to users and groups? (Choose all that apply) A. Password policies B. Account lockout policies C. User rights assignment policies D. Security options
Assessment Test
xliii
15. Which of the following options describes the behavior of a stub zone? A. A DNS server hosting a stub zone in one network will reply to queries for names in the
other network with only a list of all the authoritative DNS servers for that zone. B. A DNS server hosting a stub zone in one network will respond with the specific DNS
servers that are designed to handle the name resolution traffic for that zone. C. A DNS server hosting a stub zone in one network will forward DNS queries for external
DNS names to DNS servers outside of its own network. D. A DNS server hosting a stub zone in one network will send recursive queries to root
hints servers on the Internet. E. A DNS server hosting a stub zone in one network will neither build up a cache, nor per-
form recursion if the query fails. 16. You want to configure IPSec for additional security on your Windows Server 2003 network using the least amount of administrative effort. All clients are Windows XP. How should you apply the IPSec policies? A. Apply the Server (Request Security) policy to all servers on the network. Apply the
Client (Require Security) policy to all clients on the network. B. Apply the Server (Require Security) policy to all servers on the network. Apply the
Client (Request Security) policy to all clients on the network. C. Apply the Server (Require Security) policy to all servers on the network. Apply the
Client (Respond Only) policy to all clients on the network. D. Apply the Server (Request Security) policy to all servers on the network. Apply the
Client (Allow Security) policy to all clients on the network. E. Apply a custom policy requiring IPSec for client-server traffic to all servers on the net-
work. Apply the Client (Respond Only) policy to all clients on the network. 17. You need to plan a strategy for high availability. Which of the following options describes the standby server configuration? A. Standby servers are good for larger applications that require a lot of resources such as
processing power, memory, and input/output (I/O) bandwidth. B. In the event of a failure on one node, the processing load for all applications in the clus-
ter will be equally distributed across the remaining nodes. C. In the event of a failure on one node, the processing load for the failed application in
the cluster will be equally distributed across the remaining nodes. D. Standby servers eliminate the possibility of a single point of failure. 18. You are planning a high availability strategy for a multisite Windows Server 2003 network. Which of the following cluster models should you choose? A. Local quorum B. Single quorum device C. Multiple quorum device D. Majority node set
xliv
Assessment Test
19. You are configuring security policies to establish server-level security. Which of the following describes the behavior of Group Policy options? A. Use the Block Inheritance option when you want only the GPO you had set for your
container to be applied. B. Use the Block Inheritance option when you want to set corporate-wide policies without
allowing administrators of lower-level containers to override your settings C. Use the Disabled option when you want to block the application of a GPO to a container D. Use the No Override option to prevent higher-level GPOs from overriding a lower-level
GPO on any containers for which the lower-level GPO is applied 20. You want to implement the strongest possible security for your root CA. What should you do? A. Configure the root CA as a standalone CA. B. Configure the root CA as an enterprise CA. C. Disconnect the root CA from the network. D. Configure the root CA to only publish CRLs manually. 21. When running in Windows Server 2003 domain functional level, which of the following Group scope changes cannot be performed? A. Universal Global B. Domain Local Universal C. Global Universal D. None of the above 22. What happens when you renew a certificate? A. The key pair always changes. B. You may elect to keep the existing key pair or request a new key pair. C. The certificate attributes will not change. D. This action will reestablish security in the event that the private key has been
compromised. 23. Which of the following options describes the affinity behavior of clustered applications in Windows Server 2003? A. With strong affinity, groups will always be located together on the same node. B. With strong anti-affinity, groups will always be kept apart. C. With group affinity, applications are always targeted to specific nodes as configured by
the administrator. D. With group affinity, dependencies are established between groups that determine the
relative location of groups within a cluster. E. Exchange virtual servers are an example of groups that use weak affinity.
Assessment Test
xlv
24. Which of the following pieces of information should you have before you begin the Active Directory Installation Wizard? (Choose all that apply.) A. Active Directory domain name B. Administrator password for the local computer C. NetBIOS name for the server D. DNS configuration information 25. Which of the following types of servers contain a copy of the Active Directory? A. Member server B. Stand-alone server C. Domain controller D. Certificate server 26. Which of the following commands can you use to publish certificates and CRLs? A. certpublish -dsutil B. dsutil -certpublish C. dspublish -certutil D. certutil -dspublish 27. A systems administrator wants to allow a group of users to add Computer accounts to only a specific organizational unit (OU). What is the easiest way to grant only the required permissions? A. Delegate control of a User account. B. Delegate control at the domain level. C. Delegate control of an OU. D. Delegate control of a Computer account. E. Create a Group Policy at the OU level. 28. Which of the following tools can be used to create Group Policy object (GPO) links to the Active Directory? (Choose all that apply.) A. Active Directory Users And Computers B. Active Directory Domains And Trusts C. Active Directory Sites And Services D. Group Policy Editor 29. Trust relationships can be configured as which of the following? (Choose all that apply.) A. One-way and transitive B. Two-way and transitive C. One-way and nontransitive D. Two-way and nontransitive
xlvi
Assessment Test
30. A GPO at the domain level sets a certain option to Disabled, whereas a GPO at the OU level sets the same option to Enabled. No other GPOs have been created. Which option can a systems administrator use to ensure that the effective policy for objects within the OU is enabled? A. Block Policy Inheritance on the OU B. Block Policy Inheritance on the site C. Set No Override on the OU D. Set No Override on the site
Answers to Assessment Test
xlvii
Answers to Assessment Test 1.
A, B. If you need to restore System State data on a domain controller, you should restart your computer with the advanced startup option Directory Services Restore Mode. This allows the Active Directory directory service database and the SYSVOL directory to be restored. If the System State data is restored on a domain controller that is a part of a domain where data is replicated to other domain controllers, you must perform an authoritative restore. For an authoritative restore, you use the Ntdsutil.exe command, then restart the computer. For more information, see Chapter 3.
2.
A. A mandatory profile is a profile that can’t be modified by the user. Only members of the Administrators group can manage mandatory profiles. You might consider creating mandatory profiles for users who should maintain consistent Desktops. By default the user profile is stored in a file called Ntuser.dat. You can create mandatory profiles for a single user or a group of users. The mandatory profile is stored in a file named Ntuser.man. A user with a mandatory profile can set different Desktop preferences while logged on, but those settings will not be saved when the user logs off. For more information, see Chapter 2.
3.
B. In order to install and manage SUS, you must use IIS. You manage the SUS server through http://yourservername/SUSAdmin that starts the Software Update Services screen. For more information, see Chapter 1.
4.
D. You can configure the Client for Shadow Copies on Windows XP and Window Server 2003 computers. In order to use shadow copies, the client must install the Shadow Copies Of Shared Folders software. Windows Server 2003 computers have this software installed in the \\windir\system32\clients\twclient folder. For more information, see Chapter 3.
5.
C. The TTL indicates how long the record may be safely cached; it may or may not be modified when the record is created. See Chapter 5 for more information on TTL.
6.
C. Incremental backups will back up only the files that have not been marked as archived and sets the archive bit for each file that is backed up. Requires the last normal backup set and all of the incremental tapes that have been created since the last normal backup for the restore process. For more information, see Chapter 3.
7.
B. Windows Server 2003 includes several command-line utilities for managing objects within the Active Directory. You can automate the process of creating users, groups, and computers through the Dsadd command-line utility. For more information, see Chapter 2.
8.
B. RDC is installed by default on Windows XP Professional and Windows Server 2003 computers. For other clients, you can install the software by creating a share on the \Windir\ System32\Clients\Tsclient\Win32 folder and then running the Setup program. For more information, see Chapter 4.
9.
B. DDNS works with BIND 8.2 and later. For more information, see Chapter 5.
10. C. The Client Compatible setting encrypts data between the server and the client at the highest security level that can be negotiated between the server and the client. This encryption level is used with environments that support a mixture of Windows 2000 and higher and older legacy clients. For more information, see Chapter 4.
xlviii
Answers to Assessment Test
11. B. DNS caching-only servers perform queries and cache the results, but they are not authoritative for any domains, do not contain zone files, or participate in zone transfers. See Chapter 5 for more information. For more information, see Chapter 5. 12. A. Using the Security Configuration and Analysis tool, you can compare the security settings defined in a security template with a specific computer’s actual security settings. For more information, see Chapter 6. 13. A. The domain_name.dns file stores name to address mappings for DNS. LMHOSTS is used for WINS, and the other two options are not valid. For more information, see Chapter 5. 14. A, B, D. Security options apply to computers as opposed to users and groups. For more information, see Chapter 6. 15. A. The purpose of a stub zone is to keep a DNS server that hosts a parent zone aware of the authoritative DNS servers for its child zone. A DNS server hosting a stub zone in one network will reply to queries for names in the other network with only a list of all the authoritative DNS servers for that zone. It will not respond with the specific DNS servers that are designed to handle the name resolution traffic for that zone. For more information, see Chapter 8. 16. C. The three default IPSec policies are: Client (Respond Only), Server (Request Security), and Server (Require Security). In this scenario, you would apply the Server (Require Security) policy to all servers on the network. Then you would apply the Client (Respond Only) policy to all clients on the network. You could apply custom policies, but that’s not necessary considering that the built-in policies should work fine. For more information, see Chapter 10. 17. A. Standby servers are a variation of the N+I configuration in which idle nodes are prepared to take on the work of one or more active nodes. They are good for larger applications that require a lot of resources such as processing power, memory, and input/output (I/O) bandwidth. In the event of a failure on one node, all applications are still hosted on separate servers. For more information, see Chapter 9. 18. D. The majority node set quorum model is intended for sophisticated, end-to-end clustering solutions. Each node maintains its own copy of the cluster configuration data. The quorum resource ensures that the cluster configuration data is kept consistent across the nodes. For this reason, majority node set quorums are typically found in geographically dispersed clusters. For more information, see Chapter 9. 19. A. The Block Inheritance option is used to allow the child container to block GPO inheritance from parent containers. You would use this option if you did not want child containers to inherit GPO settings from parent containers and only wanted the GPO you had set for your container to be applied. The No Override option is used to specify that child containers can’t override the policy settings of higher-level GPOs. Use this option when you want to set corporate-wide policies without allowing administrators of lower-level containers to override your settings. The Disabled option is used to specify that the GPO is not applied to this container. You would use the Disabled option if you wanted to define a policy on a higher-level container to be applied to all down-level containers, without actually applying the policy to the parent container itself. For more information, see Chapter 7.
Answers to Assessment Test
xlix
20. C. The strongest possible security for your root CA involves disconnecting it from the network so that no security compromise is possible via network access. You still must ensure physical security for the computer that acts as the root CA. For more information, see Chapter 11. 21. A. The scope of Universal groups cannot be changed because they apply to more than one domain. For more information, see Chapter 13. 22. B. When you renew a certificate, you may elect to keep the existing key pair or request a new key pair. Some of the certificate attributes will change. If the private key has been compromised, you must revoke the old certificate in order to reestablish security. For more information, see Chapter 11. 23. D. Group affinity is used to establish dependencies between groups that determine the relative location of groups within a cluster. With strong affinity, they will be placed together on the same node, if possible. They can also be set up to have strong or weak anti-affinity. With strong antiaffinity, groups will be kept apart if at all possible. Because running more than one instance of Exchange on the same node is not recommended, Exchange virtual servers are an example of groups that use anti-affinity. For more information, see Chapter 9. 24. A, B, C, D. Before beginning the installation of a domain controller, you should have all of the information listed. For more information, see Chapter 12. 25. C. Only Windows Server 2003 computers configured as domain controllers contain a copy of the Active Directory database. For more information, see Chapter 12. 26. D. Certificates are published to Active Directory by default. You can use the certutil dspublish command to publish certificates and CRLs. For more information, see Chapter 11. 27. E. In order to allow this permission at the OU level, the systems administrator must create a Group Policy object with the appropriate settings and link it to the OU. For more information, see Chapter 14. 28. A, C. Both the Active Directory Users And Computers tool and the Active Directory Sites And Services tool can be used to create GPO links to the Active Directory. For more information, see Chapter 14. 29. A, B, C, D. All of the trust configurations listed are possible. A one-way trust means that DomainA trusts DomainB, but not the reverse. A two-way trust means that both DomainA and DomainB trust each other automatically. Transitive trusts are implied, meaning that if DomainA trusts DomainB, and DomainB trusts DomainC, then DomainA trusts DomainC. For more information, see Chapter 12. 30. A. By blocking policy inheritance on the OU, you can be sure that other settings defined at higher levels do not change the settings at the OU level. However, this will only work if the No Override option is not set at the site level. For more information, see Chapter 14.
MCSA Upgrade Exam
PART
I
Chapter
1
Installing, Licensing, and Updating Windows Server 2003 MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Manage software update infrastructure Install and configure software update infrastructure
Install and configure software update services
Install and configure automatic client update settings
Configure software updates on earlier operating systems
Windows Server 2003 provides the highest level of features and security compared to previous versions of Windows servers. This chapter will begin by introducing you to Windows Server 2003. You will start by learning about the features of Windows Server 2003 and the key features and differences between the versions within the Windows Server 2003 family of operating systems. Before you can use Windows Server 2003, you have to install it. You need to know what the basic hardware requirements are, how to check for system compatibility, determine whether you will upgrade or use a clean installation, and understand the installation options. Once you have considered the options for installing Windows Server 2003, you are ready for the installation. To take advantage of Active Directory, you will need to upgrade your server to a domain controller after it is installed. After your computer has been installed with Windows Server 2003 and configured as a domain controller, you will need to complete post-installation activation. This ensures that you are running a valid copy of Windows Server 2003. In addition to activating Windows Server 2003, you need to ensure that the clients that connect to the server are properly licensed. You can manage licensing through a single server or through enterprise management using a site license server. You also need to manage software installation and maintenance for your network. You can keep your software up-to-date through Windows Update, Windows Automatic Updates, and Software Update Services. The Microsoft Baseline Security Analyzer is used to ensure that your computer is configured in a secure manner.
Features of Windows Server 2003 The Windows Server 2003 family was originally going to be called Windows .NET Server. Early in 2003, Microsoft announced that the product family would be called Windows Server 2003. Windows .NET is a set of Microsoft technologies and software that are designed to work together to provide a high level of services, compatibility, and XML (Extensible Markup Language) Web services. Windows Server 2003 is the server component of .NET services. Windows Server 2003 builds upon the features of Windows NT and Windows 2000. The main features of Windows Server 2003 include:
Active Directory
File and Print Services
Security
Networking and Communications
Features of Windows Server 2003
Application Services
Management Services
Storage Management Services
Internet Information Server (IIS) 6.0
Terminal Services
Windows Media Services
Universal Description, Discovery, and Integration (UDDI) Services
5
In the following sections, you will learn more about the enhancements and new features that have been added to Windows Server 2003 compared to Windows NT Server 4 and Windows 2000 Server.
Active Directory Active Directory has been enhanced so that it supports easier deployment and management, increased security, and improved performance and dependability. New features within Windows Server 2003 for Active Directory include:
Active Directory Migration Tool (ADMT) 2.0, which allows migration of users and passwords from Windows NT 4.0 domains or Windows 2000 domains to Windows 2003 domains.
New support for renaming DNS and/or NetBIOS names of existing domains within a forest. This allows greater support for companies that merge or are restructured.
New group policy management tool called Microsoft Group Policy Management Console (GPMC), which allows users to manage group policy for multiple domains and sites within a specified forest. The User Interface (UI) is simplified and allows drag-and-drop support and functionality for backup, restore, copy, import, and reporting of Group Policy Objects (GPOs).
Improvement to the MMC, which allows administrators to have better drag-and-drop capability, ability to save and reuse queries, and the ability to select and manage multiple objects concurrently.
Support for cross-forest authentication, which allows secure access for a user who is located in one forest accessing resources in another forest.
Support for inter-forest permissions, which allows administrators in one forest to add users and groups to Discretionary Access Control Lists (DACLs) from trusted forests.
Support for cross-certification, if cross-forest trusts have been configured. This allows Internet Authentication Service/ Remote Authentication Dial-In User Server (IAS/RADIUS) authentication for user accounts from the trusted forests. RADIUS (Microsoft’s IAS) is equipment-to-equipment authentication. The equipment is authenticated first and then the user is authenticated. For example, two routers verify password authentication and then the user account can be authenticated in a normal manner.
6
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Improved Credential Manager, which allows a secure store of user password and X.509 certificates.
Software restriction policies, which are lists of software that is allowed to be installed on client computers through the use of GPOs. You can specify that software that is not on the list can’t be installed.
Enhanced logon for remote sites, which increases the speed by which remote users can log on.
Better management of how group membership changes are replicated. Only the delta changes are replicated as compared to replicating all group information when changes are made.
Ability of the Active Directory database to be initially replicated from media as opposed to being populated from the network.
Better dependability through a new feature called Health Monitoring, which is used to verify replications between domain controllers. Improved scaling of forests and sites (compared to Windows 2000) with the use of an improved Inter-Site Topology Generator (ISTG). The speed and dependability of global catalog replication has also been enhanced.
File and Print Services File and print management is one of the most critical server roles. Windows Server 2003 improves file and print services through higher dependability, increased productivity, and better connectivity. New features for file and print services include:
Improved reliability with enhanced Automated System Recovery (ASR), which is used to recover the system and restore files in the event of system failure. The key improvement in ASR is one-step restore of the operating system, system state, and hardware configuration.
Ability to support remote document sharing over the Internet through Web Distributed Authoring and Versioning (WebDAV).
New command-line utilities for supporting disk management tasks and file system tuning.
New GUID Partition Table (GPT) that is used with Windows Server 2003 64-bit edition, which replaces the Master Boot Record (MBR) used with 32-bit versions of Windows. With GPT partitions there are redundant primary and backup partition tables for better data structure integrity.
Improved Windows Defragmenter Tool, which is faster and more efficient than the version that was used with Windows 2000.
Enhanced Distributed File System (DFS), which now can be used with Active Directory to publish DFS objects as Volume objects and allow delegation of administration for DFS objects. There is also a new service called DFS File Replication Service (FRS), which is used to replicate DFS within the Active Directory.
Improved Encrypting File System (EFS), which now runs as an integrated system service.
New kernel APIs, which provide new support for antivirus applications.
Faster CHKDSK, which runs 20% to 38% faster after an unplanned disk shutdown or disk failure than it did in Windows 2000.
Features of Windows Server 2003
7
New feature called shadow copies, which creates copies of network shares, and is used to roll back to a previous copy of a file in the event that a shared file is overwritten, deleted, or corrupted.
New command-line utilities for managing printing.
New 64-bit print drivers for 64-bit editions of Windows Server 2003. The new Point-nPrint 64-bit drivers can support both 32-bit and 64-bit clients.
Added support for over 3,800 print devices.
Improved support for publishing printers to Active Directory.
New support for wireless (IEEE 802.11 and 802.1X, and Bluetooth) devices.
Broader support for cross-platform printing support for AppleTalk, LPR/LPD, and IPX print protocols.
Security Windows Server 2003 provides the highest level of security of any of the Windows platforms to date. Security enhancements have been added through general improvements in security, public key infrastructure, and secure Internet accessibility. Specific enhancements to security include:
Improved Internet Connection Firewall (ICF), which is designed to act as a firewall for computers directly connected to the Internet.
Better support for authentication of users who connect to the network via wireless and Ethernet LANs. New support is also included for IEEE 802.11 protocols.
New support for IAS, which is used by RADIUS to manage remote user connections and authentication.
New software restriction policies, which are used by administrators to specify policy or execution enforcement. For example, through software restriction policies specific applications can only be run from specified directories, which is used to prevent Trojan viruses from running.
Improved web server security through IIS 6.0.
New options to support the encryption of off-line files.
Protocol support for RFC 2617 and RFC 2222, which is a digest authentication protocol and is used with IIS and the Active Directory.
Better system security performance with Secure Sockets Layer (SSL), which is 35% faster with Windows Server 2003 compared to Windows 2000 Server.
Ability of SSL session cache to be used by multiple processes, which increases performance by reducing the number of times reauthentication is required by applications.
Automatic enrollment and deployment of X.509 certificates to users. Certificates can also be automatically renewed as they expire.
Improved support for digital signatures in conjunction with Windows Installer packages.
8
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Through the Certificate Server that ships with Windows Server 2003, support for delta Certificate Revocation Lists (CRLs), which makes the publication of revoked X.509 certificates more efficient.
New support for Microsoft Passport integration with Active Directory and Windows Server 2003.
Support for cross-forest trusts.
Networking and Communications Windows Server 2003 makes significant improvements to networking and security, which are critical to network operations. Some of the key improvements are extended versatility, better reliability and security, and more simplified management. Specific improvements include:
Support for the latest generation of TCP/IP, which is IPv6. IPv6 makes improvements over IPv4 in the areas of address depletion, auto-configuration capabilities, and enhanced security. Windows Server 2003 supports IPv6 through an enhanced Internet Explorer (IE), IIS, and Internet file and print sharing utilities such as telnet and the ftp client software.
A new Point-to-Point Protocol over Ethernet (PPPoE) driver that is used to make broadband connections to Internet Service Providers (ISPs) without requiring additional software.
Better support for network bridging when using wireless adapters, Ethernet adapters, or dial-up adapters.
Ability to support IPSec-based VPNs or IPSec-protected applications across Network Address Translation (NAT). Also allows support of Layer Two Tunneling Protocol (L2T2) over IPSec.
Support for DNS client settings through Group Policy.
Enhanced Connection Manager Administration Kit (CMAK) for providing remote access to clients running Windows XP, Windows 2000, Windows NT 4, Windows Me, or Windows 98.
Enhancements to IAS, which allows you to better support wireless network deployments using RADIUS servers.
New Network Load Balancing Manager that is used to load-balance TCP/IP traffic on an IEEE 1394 serial bus.
Application Services Windows Server 2003 is designed to better support application integration and interoperability, help developers produce better applications, increase efficiency, improve scalability and reliability, provide a high level of application security, and provide efficient deployment and management of applications. To help support these goals, the following options have been added or improved in Windows Server 2003:
Native support for XML Web services, for standards including XML, Simple Object Access Protocol (SOAP), Universal Description, Discovery, and Integration (UDDI), and Web Services Description Language (WSDL).
Features of Windows Server 2003
9
Enterprise UDDI support that allows companies to use their own custom UDDI services for internal or external use.
A common .NET framework, which makes it easier for software developers to develop applications across Windows platforms.
Integrated support for applications through IIS 6.0.
Improved ASP .NET caching model, which improves performance.
Improved security for applications through integration with Active Directory, plus added support for .NET Passport.
New support for application-installed tools, such as Fusion, which makes deploying applications easier and more reliable.
Management Services The new management services in Windows Server 2003 are designed to make management more dependable, provide greater productivity, and provide greater connectivity. Specific improvements to management services include:
The Group Policy Editor has been added, which makes it easier to manage the Active Directory.
A new tool, the Resultant Set of Policy (RSoP). The RSoP snap-in is used to determine what the effective policies are when Group Policies have been applied at many layers of Active Directory to a user or computer.
New policy settings that are used to manage configurations such as Remote Assistance, AutoUpdating, and Error Reporting.
Improved help features within the Group Policy Editor that explain functions and supported environments for group policy objects.
New support for creation and management of cross-forests.
More comprehensive software restriction policies.
Updated Remote Installation Services (RIS) to support remote installations of XP Professional and 32-bit/64-bit editions of Windows Server 2003, with the exception of Windows Server 2003, Datacenter Edition.
New Windows Server 2003 tools, including remote server operation via an /s switch on the command-line utility.
Improved Windows Update to more fully support keeping all of your Windows files up-todate. Windows Update can also be configured for Automatic Updating, manually or through Group Policy. Windows Update is covered in greater detail later in this chapter in the section, “Using Windows Update.”
Storage Management Services Storage management services are used to manage volumes and disks, backup and restore operations, and access to Storage Area Networks (SANs). Windows Server 2003 adds the following features and improvements in storage management services:
10
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
A new service called Virtual Disk Service (VDS), which enables support for multi-vendor storage devices through native Windows support.
The Volume Shadow Copy service, which can be used to create shadow copies in conjunction with SANs.
Ability for offline files to be encrypted with EFS.
Support for open file backups, which allow you to back up a file without it being closed, in conjunction with shadow copies.
A new command-line utility, Diskpart.exe, that includes all of the functionality of Disk Manager, an MMC snap-in.
Enhanced DFS to allow support for multiple DFS roots on a single server.
Internet Information Server (IIS) 6.0 Internet Information Server is included with Windows Server 2003 to provide scalable, integrated Web services. By default, IIS is not loaded on Windows Server 2003 during installation, and must be manually installed through Add/Remove Programs. The enhancements to IIS 6.0 include:
Application health monitoring and automatic application recycling.
Improved security and manageability over previous versions of IIS. By default, maximum security settings are applied.
A new kernel mode driver, http.sys, used to improve scalability and performance.
URL authorization in conjunction with Authorization Manager, used to control access and manage administrator delegation.
Ability for IIS to use URLs that are encoded with Unicode, which is used to support multi-languages.
Terminal Services Terminal Server is used to provide Windows-based applications to clients, even if the client computer is not capable of running Windows. This allows you to leverage server processing power for client computers. The improvements to Terminal Server in Windows Server 2003 include:
Better scalability; more users are supported than were with Windows 2000.
Improved user interface for the client software, the Remote Desktop Connection. Additionally, users can more easily set up and save connections, and switch between windowed and full mode screens.
Enhanced Remote Desktop Protocol (RDP) giving better support for accessing resources, such as printers.
Ability to set color depth and screen resolution higher than with previous versions on Terminal Server.
Terminal Server now better able to take advantage of Windows Server 2003 features such as software restriction policies, enhancements to roaming profiles, and new application compatibility modes.
Windows Server 2003 Family Features
11
Windows Media Services Windows Media Services are used for distribution of digital media content over an intranet or the Internet. Advances to Windows Media Services include:
Fast stream technology, which bypasses buffering delays, to provide instant-on playback capabilities.
Always-on Fast Cache, which streams playback to the client computer via streaming content as fast as the player’s cache and network will allow.
Fast recovery, which is used to reduce or eliminate packet corruption through local packet correction technology.
Fast reconnect technology, which reconnects a connection to the Internet faster if a client is disconnected during a broadcast.
Support now provided for integrating with third-party AD servers, and support for advanced usage reporting.
Improved wizards that provide scenario-based help for completing common management activities for audio and video streaming needs.
Universal Description, Discovery, and Integration (UDDI) Services UDDI services are used to provide dynamic and flexible XML Web services. UDDI provides web developers with the ability to create applications more easily and make the applications easier to manage through Windows Server 2003. Some of the key improvements to UDDI services include:
Enterprise service based on the Microsoft .NET framework. UDDI services can be automatically published and discovered through web-based interfaces.
Can take advantage of Active Directory features such as authentication and authorization.
Supports programming inquiries through the UDDI API or a web interface.
Active monitoring to allow auditing of all authenticated activities including the username and the activity that was completed.
Windows Server 2003 Family Features Windows Server 2003 is available in four different versions:
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Windows Server 2003, Web Edition
12
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Windows Server 2003, Standard Edition is designed for the most common server environments. Windows Server 2003, Enterprise Edition is designed for larger enterprise environments or businesses that require higher reliability and performance. Windows Server 2003, Datacenter Edition is designed for businesses that use mission-critical applications and also need a higher level of scalability and reliability. Windows Server 2003, Web Edition is designed to be optimized for hosting web servers. By offering different editions, Microsoft ensures that consumers and businesses can select the product family that best suits their needs and budget. Table 1.1 summarizes the features found in the different Server 2003 families: TABLE 1.1
Windows Server 2003 Feature Comparison
Feature
Web Edition
Standard Edition
Enterprise Edition
Datacenter Edition
.NET Framework
Yes
Yes
Yes
Yes
Act as a Domain Controller in the Active Directory
No
Yes
Yes
Yes
Microsoft Metadirectory Services (MMS) support
No
No
Yes
Yes
Internet Information Services (IIS) 6.0
Yes
Yes
Yes
Yes
ASP .NET
Yes
Yes
Yes
Yes
Enterprise UDDI services
No
Yes
Yes
Yes
Network load balancing
Yes
Yes
Yes
Yes
Server clusters
No
No
Yes
Yes
Virtual Private Network (VPN) support
Only supports one connection per media type
Yes
Yes
Yes
Internet Authentication Services (IAS)
No
Yes
Yes
Yes
IPv6
Yes
Yes
Yes
Yes
Distributed File System (DFS)
Yes
Yes
Yes
Yes
Encrypting File System (EFS)
Yes
Yes
Yes
Yes
Preparing to Install Windows Server 2003
TABLE 1.1
13
Windows Server 2003 Feature Comparison (continued)
Feature
Web Edition
Standard Edition
Enterprise Edition
Datacenter Edition
Shadow Copy Restore
Yes
Yes
Yes
Yes
Removable and Remote Storage
No
Yes
Yes
Yes
Fax services
No
Yes
Yes
Yes
Services for Macintosh
No
Yes
Yes
Yes
Print Services for Unix
Yes
Yes
Yes
Yes
Terminal Services
No
Yes
Yes
Yes
IntelliMirror
Yes
Yes
Yes
Yes
Remote OS Installation (RIS)
Yes
Yes
Yes
Yes
64-bit support for Itanium-based computers
No
No
Yes
Yes
Datacenter Program
No
No
No
Yes
In addition to providing different product families, Windows Server 2003 also comes in 32-bit editions, which are used with Pentium-based computers (also referred to as x86-based computers), and a 64-bit edition (for Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition). The 64bit edition of Windows Server is compatible only with Itanium-based systems and can’t be installed on 32-bit x86-based systems. Previously known by the code name Merced, the Itanium processor employs a 64-bit architecture and enhanced instruction handling to greatly increase the performance of computational and multimedia operations, and supports clock speeds of up to 800MHz. The Itanium 2 processor uses a 128-bit architecture and supports speeds of 900MHz and 1GHz.
Preparing to Install Windows Server 2003 Planning and preparation are key to making your Windows Server 2003 installation proceed smoothly. Before you begin the installation, you should know what is required for a successful
14
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
installation and have all the pieces of information you’ll need to supply during the installation process. In preparing for the installation, you should make sure you have the following information:
What the hardware requirements are for Windows Server 2003
How to determine whether your hardware is supported by Windows Server 2003
Determine whether your system is compatible with Windows Server 2003
The difference between a clean installation and an upgrade
What installation options are suitable for your system, such as which disk-partitioning scheme and file system you should select for Windows Server 2003 to use
Hardware Requirements In order to install Windows Server 2003 successfully, your system must meet certain hardware requirements. Table 1.2 lists the minimum requirements as well as the more realistic recommended requirements.
The hardware requirements listed in Table 1.2 were those specified at the time this book was published. Check Microsoft’s website for the most current information.
TABLE 1.2
Hardware Requirements for Windows Server 2003 Web Edition
Standard Edition
Enterprise Edition
Datacenter Edition
128MB
128MB
128MB
512MB
Recommended RAM 256MB
256MB
256MB
1GB
Maximum RAM
2GB
4GB
32GB for x86-based computers, 64GB for Itanium-based computers
64GB for x86-based computers, 512GB for Itanium-based computers
Minimum CPU Speed
133MHz
133MHz
133MHz for x86-based computers, 733MHz for Itanium-based computers
400MHz for x86-based computers, 733MHz for Itanium-based computers
Recommended mini- 550MHz mum CPU speed
550MHz
733MHz
733MHz
Minimum RAM
Preparing to Install Windows Server 2003
TABLE 1.2
15
Hardware Requirements for Windows Server 2003 (continued) Web Edition
Standard Edition
Enterprise Edition
Datacenter Edition
Multiprocessor Support
Up to 2
Up to 4
Up to 8
Minimum of 8, maximum of 32 for 32bit version, 64 for Itanium-based computer
Free disk storage for setup
1.5GB
1.5GB
1.5GB for x86-based computers, 2GB for Itanium-based computers
1.5GB for x86-based computers, 2GB for Itanium-based computers
Cluster nodes
No
No
Up to 8
Up to 8
These requirements represent the operating system requirements. If you are running any processor- or memory-intensive tasks or applications, factor those requirements separately. When determining disk-space requirements for addon software and data, a good rule of thumb is to plan what you need for the next 12 months, then double that number.
Depending on the installation method you choose, other devices may be required:
If you are installing Windows Server 2003 from the CD, you should have at least a 12x CDROM drive.
If you choose to install Windows Server 2003 from the network, you need a network connection and a server with the distribution files.
The Hardware Compatibility List (HCL) Along with meeting the minimum requirements, your hardware should appear on the Hardware Compatibility List (HCL). The HCL is an extensive list of computers and peripheral hardware that have been tested with the Windows Server 2003 operating system. The Windows Server 2003 operating system requires control of the hardware for stability, efficiency, and security. The hardware and supported drivers on the HCL have been put through rigorous tests. If you call Microsoft for support, the first thing a Microsoft support engineer will ask about is your configuration. If you have any hardware that is not on the HCL, there is no guarantee of support.
To determine if your computer and peripherals are on the HCL, check the most up-to-date list at www.microsoft.com/hcl.
16
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Checking System Compatibility The Windows Server 2003 CD comes with a utility to check system compatibility. When you launch the CD, you’ll see several options, one being Check System Compatibility. When you check system compatibility, you can select:
Check My System Automatically
Visit The Compatibility Web Site
If your computer is not connected to the Internet, you would select Check My System Automatically. If you are connected to the Internet, selecting Visit The Compatibility Web Site will allow your computer to be checked against the most updated information. The Windows compatibility check will determine whether your system meets the minimum requirements for Windows Server 2003 and whether the hardware components that are installed are compatible. If any errors are found, a report will be created and details can be viewed.
Clean Install or Upgrade Once you’ve determined that your hardware not only meets the minimum requirements but is also on the HCL, you need to decide whether you want to do a clean install or an upgrade. A clean install installs Windows Server 2003 in a new folder and uses all of the Windows Server 2003 default settings. An upgrade preserves existing settings from an operating system that is on the upgrade list. If you already have Windows NT Server 4 or Windows 2000 Server installed on your computer, you might want to upgrade that system to Windows Server 2003. In an upgrade, you retain previous settings such as the Desktop, users and groups, and program groups and items. During an upgrade, you point to a prior operating system, and the Windows Server 2003 files are loaded into the same folder that contained the former operating system. The only operating systems that can be directly upgraded to Windows Server 2003 are Windows NT Server 4 SP5 or greater and Windows 2000 Server. Any other operating systems cannot be upgraded, but they may be able to coexist with Windows Server 2003 in a multi-boot environment. If you don’t have Windows NT Server 4 or Windows 2000 Server, you need to perform a clean install. A clean install puts the operating system into a new folder and uses its default settings the first time the operating system is loaded. You should perform a clean install if any of the following conditions are true:
There is no operating system currently installed.
You have an operating system installed that does not support an upgrade to Windows Server 2003 (such as DOS, Windows 3.x, Windows 9x, Windows XP, Windows NT 3.51 Server, or Windows 2000 Professional).
You want to start from scratch, without keeping any existing preferences.
You want to be able to dual-boot between Windows Server 2003 and your previous operating system.
Installing Windows Server 2003
17
Installation Options There are many choices that you will need to make during the Windows Server 2003 installation process. The following are some of the options that you will configure:
How your hard disk space will be partitioned
The file system your partitions will use
The licensing method the computer will use
Whether the computer will be a part of a workgroup or a domain
The language and locale for the computer’s settings
The process for a clean installation is described in the next section.
Installing Windows Server 2003 Before you install Windows Server 2003, you should check for system compatibility. Once you have ensured that your computer is compatible, you can begin the Windows Server 2003 installation process. The Windows Server 2003 installation process consists of five main stages:
Collecting information
Updating dynamically
Preparing installation
Installing Windows
Finalizing installation
We will look at these steps in detail in the next, followed by how to upgrade your server to a Domain Controller.
Steps for Windows Server 2003 Installation If you are installing Windows Server 2003 on an Itanium processor, you would insert the Windows Server 2003 Itanium CD and restart the computer. When the EFI Boot manager appears, select the CD-ROM option, and select Windows Server 2003 CD. You will then boot from the CD-ROM and follow the onscreen instructions as if you were installing a 32-bit version of Windows Server 2003. The steps in the following sections assume that the disk drive is clean and that you are starting the installation using the Windows Server 2003 CD.
18
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
The stages you see during your installation will vary based on the installation option you are using. For example, if you boot to the Window Server 2003 CD and start a new installation, you will not use Dynamic Update. If you are upgrading or starting the installation from an existing operating system, you would see the Dynamic Update stage.
The following sections give the details of the installation process to show how the process works. But you should not actually install Windows Server 2003 until you reach the “Setting Up Your Computers for Hands-on Exercises” section. In the exercises in that section, you’ll set up a domain controller and a Windows XP Professional computer, which you’ll use to complete the rest of the exercises in this book.
If you have installed previous versions of Windows, you will notice that this is the most streamlined installation to date. Installing Windows Server 2003 can be broken into three phases: 1.
Collecting information and preparing for the installation
2.
Installing Windows
3.
Finalizing the installation We will look at each of these phases in the following sections.
Collecting Information and Preparing Installation To start collecting information and preparing for the installation, follow these steps: 1.
Boot your computer using the Windows Server 2003 distribution CD.
2.
The text mode portion of Setup will start, and through the process will advise you to press F6 if you need to install any additional SCSI or RAID device drivers or F2 if you want to run the Automated System Recovery (ASR) utility. If you have a SCSI or RAID driver that is not provided through the Windows Server 2003 CD, you would press F6; otherwise ignore these prompts and setup will continue.
3.
The Welcome To Setup dialog box will appear. You can set up Windows by pressing Enter, repair an existing Windows installation by pressing R to run the Recovery Console, or quit Windows Setup by pressing F3. In this example, you would press Enter to continue.
4.
The Windows License Agreement dialog box appears. You can accept the license agreement by pressing F8, or Esc if you do not agree. If you do not agree to the license agreement, the installation process will terminate. In this case, you would press F8 to continue.
5.
The next dialog box asks you which partition you want to use to set up Windows Server 2003. You can pick a partition that already exists, or you can choose free space and create a new partition. To set up Windows Server 2003 on an existing partition, you would highlight the partition you want to use for installation and press Enter. To create a new partition, you
Installing Windows Server 2003
19
would press C. To delete an existing partition, you would press D. If you create a new partition, you can format it as NTFS or FAT32. 6.
After you select your partition and it is formatted, the installation files will be automatically copied to your computer. This requires no user intervention. Once this process is complete, the computer will reboot.
Installing Windows To actually start installing Windows, follow these steps. 1.
Once the computer has rebooted, the Windows installation will automatically continue using the Setup Wizard. The installation process will detect and install device drivers and copy any needed files. This process will take several minutes, and during this process, your screen may flicker.
2.
The Regional And Language Options dialog box will appear. From this dialog box, you choose your locale and keyboard settings. Locale settings are used to configure international options for numbers, currencies, times, and dates. Keyboard settings allow you to configure your keyboard to support different local characters or keyboard layouts. For example, you can choose Danish or United States–Dvorak through this option. Once you make your selection, click Next to continue.
3.
The Personalize Your Software dialog box appears. In this dialog box, you fill in the Name and Organization boxes. This information is used to personalize your operating system software and the applications that you install. If you install Windows Server 2003 in a workgroup, the Name entry here is used for the initial user. Type in your information and click the Next button.
4.
The Your Product Key dialog box appears. From the product key located on the yellow sticker on the back of the Windows Server 2003 CD folder, type in the 25-character product key and click the Next button.
5.
The Licensing Modes dialog box appears. You can choose from Per Server licensing or Per Seat licensing. Licensing is covered in greater detail in the “Managing Licensing” section later in this chapter. Make your selection and click the Next button. If you’re unsure which licensing mode to use, select Per Server.
6.
The Computer Name And Administrator Password dialog box appears. Here you specify a name that will uniquely identify your computer on the network. The Setup Wizard will suggest a name, but you can change it to another name. In this dialog box, you also type and confirm the Administrator password. An account called Administrator will automatically be created as a part of the installation process. Verify that the computer name is correct or specify a name and an Administrator password and click the Next button to continue. If you do not use a complex password (upper case, lower case, number, or symbol), a warning will appear.
Be sure that the computer name is a unique name within your network. If you are part of a corporate network, you should also verify that the computer name follows the naming convention specified by your Information Services (IS) department.
Chapter 1
20
Installing, Licensing, and Updating Windows Server 2003
7.
If you have a Plug and Play modem installed, you will see the Modem Dialing Information dialog box. Here, you specify your country/region, your area code (or city code), whether you dial a number to get an outside line, and whether the telephone system uses tone dialing or pulse dialing. Select the applicable options and click the Next button.
8.
The Date And Time Settings dialog box will appear. In this dialog box, you set your date and time settings and the time zone in which your computer is located. You can also configure the computer to automatically adjust for daylight savings time (recommended). Verify that the correct settings are selected and click the Next button.
9.
The Network Settings dialog box appears. This dialog box is used to specify how you want to connect to other computers, networks, and the Internet. You have two choices:
Typical Settings installs network connections for Client for Microsoft Networks, as well as File and Print Sharing for Microsoft Networks. It also installs the TCP/IP protocol with an automatically (DHCP) assigned address.
Custom Settings allows you to customize your network settings. You can choose whether or not you want to use Client for Microsoft Networks, File and Print Sharing for Microsoft Networks, and the TCP/IP protocol. You should use the custom settings if you need to specify particular network settings, such as a specific IP address and subnet mask (rather than using an automatically assigned address). Once you make your selection, click the Next button to continue.
10. The Workgroup Or Computer Domain dialog box appears. In this dialog box, you specify
whether your computer will be installed as a part of a local workgroup or as a part of a domain. Once you make your selection, click the Next button. 11. Based on your selections, the Windows installation process will automatically copy any
needed files. The computer will also perform some final tasks, including installing Start menu items, registering components, saving settings, and removing any temporary files. This will take several minutes (there is a countdown clock) and is fully automated. After this process is complete, your computer will automatically restart.
Finalizing Installation To finalize the installation, follow these steps: 1.
Windows Server 2003 will automatically start. Press Ctrl+Alt+Delete to access the Log On To Windows dialog box. By default, Administrator will be specified for the User Name. Type in your Administrator password and click the OK button.
2.
The Manage Your Server dialog box will automatically appear.
You will learn how to upgrade a member server to a domain controller using the Manage Your Server utility in the next section.
Upgrading a Server to a Domain Controller Once a server has been installed with Windows Server 2003, you can upgrade it to a domain controller through the Dcpromo utility. The following steps assume that the server will be the first server installed into the domain and DNS is not already installed.
Installing Windows Server 2003
21
To upgrade a Windows Server 2003 member server to a domain controller, take the following steps: 1.
Select Start Run. In the Run dialog box, type Dcpromo and click the OK button.
2.
You will see the Welcome To The Active Directory Installation Wizard dialog box. Click the Next button.
3.
The Operating System Compatibility dialog box will appear, notifying you that Windows Server 2003 domain security does not support Windows 95 or Windows NT 4.0 Service Pack 3 or earlier clients. Click the Next button.
4.
The Domain Controller Type dialog box will appear, as shown in Figure 1.1. Verify that Domain Controller For A New Domain is selected and click the Next button.
FIGURE 1.1
Domain Controller Type dialog box
5.
The Create New Domain dialog box will appear, as shown in Figure 1.2. Verify that Domain In A New Forest is selected and click the Next button.
6.
The New Domain Name dialog box will appear. Type in whatever domain name you wish to use. In this example, we are using Sybex.local. (The .local extension is not a legal extension and therefore cannot be connected directly to the Internet. If you are going to connect directly to the Internet, you must use a registered domain name.) Once you have specified your Active Directory domain name, click the Next button.
7.
The NetBIOS Name dialog box will appear. NetBIOS names are used for compatibility with other Windows clients that are not using Windows 2000, Windows XP, or Windows Server 2003. You would typically accept the default values in this dialog box, then click the Next button.
8.
The Database And Log Folders dialog box will appear, as shown in Figure 1.3. You can accept the default values for the location of the Database folder and the Log folder or you can manually specify the location of these folders. Once you make your selection, click the Next button.
22
9.
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
The Shared System Volume name dialog box will appear. The shared system volume is called SYSVOL and contains the domain’s public files. You can accept the default location or manually specify the location of the SYSVOL folder. The SYSVOL folder must be installed on a NTFS partition. Once you make your selection, click the Next button.
10. The DNS Registration Diagnostics dialog box will appear, as shown in Figure 1.4. This dia-
log box appears because DNS has not been installed in the network. Select Install And Configure The DNS Server On This Computer, And Set This Computer To Use This DNS Server As Its Preferred Server and click the Next button. FIGURE 1.2
Create New Domain dialog box
FIGURE 1.3
Database And Log Folders dialog box
Installing Windows Server 2003
FIGURE 1.4
23
DNS Registration Diagnostics dialog box
11. The Permissions dialog box will appear. You can select Permissions Compatible With Pre–Win-
dows 2000 Server Operating Systems or Permissions Compatible Only With Windows 2000 or Windows Server 2003 Operating Systems. Make your selection and click the Next button. 12. The Directory Services Restore Mode Administrator Password dialog box will appear, as
shown in Figure 1.5. This password is associated with restoring Directory Services if it becomes corrupt or can not be accessed. Type in and confirm the Restore Mode Password and click the Next button. 13. The Summary dialog box will appear. Verify that your selections are correct and click the
Next button. 14. The Active Directory Installation Wizard will configure the Active Directory, which will
take several minutes. During this process you will need to insert the Windows Server 2003 distribution CD. 15. If the server was installed with a dynamic IP address you will see an Optional Networking
Components dialog box notifying you that for DNS you must use a static IP address. Click the OK button. The Local Area Connection Properties dialog box will appear. If this is not a practice server, you should configure an IP address based on your corporate standards. Make your selections and click the OK button. 16. The Completing The Active Directory Installation Wizard dialog box will appear. Click the
Finish button. You will be prompted to restart your computer. Click the Restart Now button.
You should make a complete backup of your computer before doing any repartitioning or installation of new operating systems. All data will be lost during this process!
24
Chapter 1
FIGURE 1.5
Installing, Licensing, and Updating Windows Server 2003
Directory Services Restore Mode Administrator Password dialog box
Setting Up Your Computers for Hands-on Exercises The exercises in this book assume that you have two computers configured in a specified manner. In order to complete all of the exercises throughout the book, you will install Windows Server 2003 on one computer as a domain controller within Active Directory, and Windows XP Professional on a second computer, which will act as a member computer of the domain. Both computers need to be networked and your Windows Server 2003 computer will require Internet access.
Installing Windows Server 2003 as a Domain Controller For the exercises to work properly, you should make sure that the computer that will act as your server meets the list of requirements specified in Table 1.2. Your server should have a network card installed, and it should have at least a 2.5GB drive that is configured with the minimum space requirements and partitions. Other exercises in this book assume that your server is configured as follows:
2GB (about 2000MB) C: primary partition with the NTFS file system
500MB of free space
Of course, you can allocate more space to your partitions if it is available. Exercise 1.1 assumes that you are not currently running any previous versions of Windows and that you are performing a clean install and not an upgrade. Your partitions should be created and formatted, or you can create the primary partition through the installation process.
Setting Up Your Computers for Hands-on Exercises
25
In Exercise 1.1, you will install Windows Server 2003, then upgrade the server to a domain controller. Before you start, you should note what values you will use for the following options for the domain controller:
Name and organization
Computer name
Workgroup name
Administrator password (if one will be assigned)
Domain name
In this chapter the installation process assumes that you are using a 32-bit edition of Windows Server 2003. If you are using a 64-bit Itanium-based server, then refer to the Microsoft website for installation instructions.
EXERCISE 1.1
Installing Windows Server 2003 as a Domain Controller Collecting Information and Preparing Installation
1.
Boot your computer using the Windows Server 2003 distribution CD.
2.
The text mode portion of Setup will start. If you have a SCSI or RAID driver that is not provided through the Windows Server 2003 CD, you would press F6; otherwise ignore these prompts and setup will continue.
3.
The Welcome To Setup dialog box will appear. Press Enter to continue.
4.
The Windows License Agreement dialog box appears. Press F8 to continue.
5.
In the next dialog box, you can pick a partition that already exists, or you can choose free space and create a new partition. The partition you use must be formatted with NTFS since you will be upgrading this server to a domain controller.
6.
After you select your partition (and it is formatted), the installation files will be automatically copied to your computer. This requires no user intervention. Once this process is complete, the computer will reboot.
Installing Windows
1.
After the installation process detects and installs device drivers and copies any needed files, the Regional And Language Options dialog box will appear. Make your selections and click Next to continue.
2.
The Personalize Your Software dialog box appears. Fill in the Name and Organization boxes and click the Next button.
26
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
EXERCISE 1.1 (continued)
3.
The Your Product Key dialog box appears. From the product key located on the yellow sticker on the back of the Windows Server 2003 CD folder, type in the 25-character product key and click the Next button.
4.
The Licensing Modes dialog box appears. Accept the default values and click the Next button.
5.
The Computer Name And Administrator Password dialog box appears. Specify the computer name you want to use and type and confirm the Administrator password. Click the Next button to continue.
6.
If you have a Plug and Play modem installed, you will see the Modem Dialing Information dialog box. Select the applicable options and click the Next button.
7.
The Date And Time Settings dialog box will appear. Configure the appropriate date and time settings and click the Next button.
8.
The Network Settings dialog box appears. Specify Typical Settings and click the Next button to continue.
9.
The Workgroup Or Computer Domain dialog box appears. Select the No, This Computer Is Not On A Network, Or Is On A Network Without A Domain. Make this computer a member of the following workgroup: Workgroup. Click the Next button to continue.
10. Based on your selections, the Windows installation process will automatically copy any needed files, perform some final tasks, and automatically restart. Upgrading Your Server to a Domain Controller
1.
Select Start Run. In the Run dialog box, type Dcpromo and click the OK button.
2.
You will see the Welcome To The Active Directory Installation Wizard dialog box. Click the Next button.
3.
The Operating System Compatibility dialog box will appear, notifying you that Windows Server 2003 domain security does not support Windows 95 or Windows NT 4.0 Service Pack 3 or earlier clients. Click the Next button.
4.
The Domain Controller Type dialog box will appear. Verify that Domain Controller For A New Domain is selected and click the Next button.
5.
The Create New Domain dialog box will appear. Verify that Domain In A New Forest is selected and click the Next button.
6.
The New Domain Name dialog box will appear. Type in whatever domain name you wish to use. In this example, we are using Sybex.local. If you are going to connect directly to the Internet, you must use a registered domain name. Once you have specified your Active Directory domain name, click the Next button.
Setting Up Your Computers for Hands-on Exercises
27
EXERCISE 1.1 (continued)
7.
The NetBIOS Name dialog box will appear. Accept the default values in this dialog box, then click the Next button.
8.
The Database And Log Folders dialog box will appear. Accept the default values for the location of the Database folder and the Log folder and click the Next button.
9.
The Shared System Volume name dialog box will appear. Ensure that SYSVOL is pointing to an NTFS partition, and accept the default location and click the Next button.
10. The DNS Registration Diagnostics dialog box will appear. Select Install And Configure The DNS Server On This Computer, And Set This Computer To Use This DNS Server As Its Preferred Server and click the Next button.
11. The Permissions dialog box will appear. Select Permissions Compatible Only With Windows 2000 Or Windows 2003 Operating Systems and click the Next button.
12. The Directory Service Restore Mode Administration Password dialog box will appear. Leave the password as blank and click the Next button.
13. The Summary dialog box will appear. Verify that your selections are correct and click the Next button.
14. The Active Directory Installation Wizard will configure the Active Directory, which will take several minutes. During this process you will need to insert the Windows Server 2003 distribution CD.
15. Since the server was installed with a dynamic IP address you will see an Optional Networking Components dialog box notifying you that for DNS you must use a static IP address. Click the OK button. The Local Area Connection Properties dialog box will appear. Without assigning a static IP address, click the OK button. You will see a notification dialog box that you have chosen not to use a static IP address. Click the OK button.
16. The Completing The Active Directory Installation Wizard dialog box will appear. Click the Finish button. You will be prompted to restart your computer. Click the Restart Now button.
17. After the server restarts, log on as Administrator.
Installing Windows XP Professional within the Windows 2003 Domain Once Windows Server 2003 has been installed and configured as a domain controller, you will install Windows XP Professional. The computer that will be installed with Windows XP Professional must meet the minimum requirements listed in Table 1.3.
Chapter 1
28
TABLE 1.3
Installing, Licensing, and Updating Windows Server 2003
Hardware Requirements for Windows XP Professional
Component
Minimum Requirement
Recommended Requirement
Processor
Intel Pentium (or compatible) 233MHz or higher
Intel Pentium II (or compatible) 300MHz or higher
Memory
64MB
128MB
Disk space
1.5GB of free disk space
2GB or more of free disk space
Network
None
Network card and any other hardware required by your network topology if you want to connect to a network or if you will install over the network
Display
Video adapter and monitor with Video adapter and monitor with VGA resolution SVGA resolution or higher
Peripheral devices
Keyboard, mouse, or other pointing device
Keyboard, mouse, or other pointing device
Removable storage
CD-ROM or DVD-ROM drive
12x or faster CD-ROM or DVD-ROM
Windows XP Professional is covered in MCSE: Windows XP Professional Study Guide, Second Edition, by Lisa Donald with James Chellis (Sybex, 2003).
If you do not have a computer already installed with Windows XP Professional, you will use Exercise 1.2 to install Windows XP Professional on a computer within the domain you created in Exercise 1.1 as part of the Windows Server 2003 installation. If you already have Windows XP Professional installed on a computer, use Exercise 1.3 to join your existing Windows XP Professional computer to the domain you created in Exercise 1.1. Before you start, note the following information that you will need to provide as a part of the installation process:
Windows XP Professional Product Key
Name of the registered user
Organization name
Computer name
Administrator password
Setting Up Your Computers for Hands-on Exercises
29
EXERCISE 1.2
Installing Windows XP Professional as a part of a Windows 2003 Domain Information Collection
1.
Boot your computer with the Windows XP CD inserted into your CD-ROM drive.
2.
The Welcome To Setup screen appears. Press Enter to set up Windows XP Professional.
3.
The License Agreement dialog box appears. Press F8 to agree to the license terms if you wish to continue.
4.
In the next dialog box, if needed, create a partition, and then specify the C: partition as the one you want to use to set up Windows XP Professional. Then press Enter.
5.
If you create a partition, in the next dialog box choose NTFS (Quick Format) for the file system and press Enter to continue. Note that formatting the hard drive will erase all of the data on the drive. The file copying will take a few minutes to complete and your computer will reboot automatically.
Installing Windows
1.
You will see a series of informational screens as the system does some background installation tasks.
2.
The Regional And Language Options dialog box will appear. Verify that the settings are correct, and click the Next button.
3.
In the Personalize Your Software dialog box, type your name and organization. Click the Next button.
4.
In the Your Product Key dialog box, type the 25-character product key (this key can be found on a yellow sticker on the installation folder). Click the Next button.
5.
The Computer Name And Administrator Password dialog box appears. Type in the computer name. You can also specify an Administrator password (or, since this computer will be used for practice, you can leave the Password field blank if you want to). Click the Next button.
6.
If you have a Plug and Play modem installed, the Modem Dialing Information dialog box appears. Specify the settings for your environment and click the Next button.
7.
The Date And Time Settings dialog box appears. Verify that all of the settings are correct, and click the Next button.
8.
After the Networking Component files are copied (which takes a few minutes), the Network Settings dialog box appears. Confirm that the Typical Settings radio button is selected. Then click the Next button.
30
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
EXERCISE 1.2 (continued)
9.
In the Workgroup And Computer Domain dialog box, select Yes, Make This Computer A Member Of The Following Domain and specify the domain name you specified in Exercise 1.1 (for example, sybex.local), then click the Next button.
10. The Join Computer To Domain dialog box will appear. For User Name, specify Administrator and for Password, the password you specified in Exercise 1.1. Click the OK button. The Setup components will be installed, which takes several minutes, and your computer will reboot as part of this process. Finalizing Installation
1.
The Welcome To Network Identification Wizard will start. Click the Next button to continue.
2.
The User Account dialog box will appear. Click the Do Not Add A User At This Time radio button and click the Next button.
3.
The Completing The Network Identification Wizard dialog box will appear. Click the Finish button.
4.
In the Welcome To Windows dialog box, press Ctrl+Alt+Delete to start the logon process.
5.
In the Log On To Windows dialog box, confirm that the username is Administrator and type in the password you specified in Exercise 1.1. Click the Options button. In the Log On To field, click the arrow to the right of the dialog box, and from the drop-down menu select the domain you specified in Exercise 1.1. Then click the OK button.
If you already have Windows XP Professional installed on a computer, you would use Exercise 1.3 to join the existing computer to the domain you created in Exercise 1.1. EXERCISE 1.3
Joining an Existing Windows XP Professional Computer to a Windows 2003 Domain 1.
From Windows XP Professional, select Start, right-click My Computer, and select Properties.
2.
From the System Properties dialog box, select the Computer Name tab, then click the Network ID button.
3.
The Network Identification Wizard will start. Click the Next button.
4.
In the Connecting To The Network dialog box, verify that the This Computer Is Part Of A Business Network, And I Use It To Connect To Other Computers At Work option is selected and click the Next button.
Post-installation Product Activation
31
EXERCISE 1.3 (continued)
5.
The next question will ask what kind of network you use. Verify that the My Company Uses A Network With A Domain option is selected and click the Next button.
6.
The Network Information dialog box will appear. Click the Next button.
7.
The User Account And Domain Information dialog box will appear. For User Name, specify Administrator, and for Password and Domain, specify the options you configured in Exercise 1.1, then click the Next button.
8.
The User Account dialog box will appear. Click the Do Not Add A User At This Time option and click the Next button.
9.
The Completing The Network Identification Wizard dialog box will appear. Click the Finish button.
10. The Computer Name Changes dialog box will appear, notifying you that you need to restart the computer for the changes to take effect. Restart the computer and log on as Administrator to the domain you created.
Post-installation Product Activation Product activation is Microsoft’s way of reducing software piracy. Unless you have a volume corporate license for Windows Server 2003 or are using a 64-bit version of Windows Server 2003 (which does not use product activation), you will need to perform post-installation activation. This can be done online or through a telephone call. After Windows Server 2003 is installed, you will have 14 days to activate the license. After the 14-day grace period expires, you will not be able to restart Windows Server 2003 normally if you log out of the computer or if the computer is restarted. However, you can start Windows Server 2003 to Safe Mode. With Safe Mode, you will not have any networking capabilities, but you would have access to any folders or files located on the server. When you activate Windows Server 2003, product activation uses the 25-character product key you provided during the Windows Server 2003 installation to create a product ID, which is a unique 20-character ID for your computer. A non-unique hardware hash will also be created based on general information for your server’s hardware configuration, which creates a hardware identifier. Based on product ID and the hardware identifier, a unique installation ID is created. The installation ID is what activates Windows Server 2003. When the installation ID is generated, you should store it in a safe place—for example, within the Windows Server 2003 installation folder. Then, if you need to re-install Windows Server 2003 on the same computer, you can use the installation ID that was previously generated. However, if you install Windows Server 2003 on a different computer, using a product key that has already been used, a new installation ID will need to be generated, as the hardware hash will not match.
32
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Microsoft scans no personal information during product activation. This process is completely anonymous.
To activate Windows Server 2003 over the Internet, you would take the following steps: 1.
Select Start All Programs Activate Windows.
2.
The Let’s Activate Windows dialog box will appear. Select Yes, Let’s Activate Windows Over The Internet Now and click the Next button.
3.
The Register With Microsoft? dialog box will appear, which gives you the option of registering Windows Server 2003 at the same time you activate it. In this example, we will skip registering Windows by clicking the No, I Don’t Want To Register Now; Let’s Just Activate Windows and clicking the Next button.
4.
You will see a Thank You! dialog box indicating that you have successfully activated your copy of Windows.
Once Windows Server 2003 has been activated, you can see the Product ID listed through the properties of My Computer as shown in Figure 1.6.
You can verify that Windows Server 2003 has been activated through Event Viewer in the Application Event Log.
FIGURE 1.6
Product ID shown through My Computer Properties dialog box
Managing Licensing
33
You will need an Internet connection to complete Exercise 1.4. In this exercise, you will activate Windows Server 2003. EXERCISE 1.4
Activating Windows Server 2003 1.
Select Start All Programs Activate Windows.
2.
The Let’s Activate Windows dialog box will appear. Select Yes, Let’s Activate Windows Over The Internet Now and click the Next button.
3.
The Register With Microsoft? dialog box will appear. Click the No, I Don’t Want To Register Now; Let’s Just Activate Windows and click the Next button.
4.
You will see a Thank You! dialog box indicating that you have successfully activated your copy of Windows.
Managing Licensing Each Microsoft client must have a local client license. For example, if you have 100 computers running Windows 2000 Professional and 100 computers running Windows XP Professional, all 200 computers would have to have an appropriate client license. Additional licensing is required if the client computers will connect to Windows Server 2003 servers. In the following sections you will learn:
How to select a licensing mode
How to configure the License Logging service
How to administer licensing in a local environment
How to administer licensing in an enterprise environment
Understanding and Selecting a Licensing Mode Windows Server 2003 supports two types of client licensing:
Per Server licensing
Per Seat licensing (which includes Per Device or Per User licensing)
In the following sections, you will learn how to select which licensing option is right for your network and how to administer licensing.
Using Per Server Licensing The Per Server licensing mode is the traditional method for client licensing. In this mode, the server must be licensed for each concurrent connection. For example, assume that you have five
34
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
users and three servers, as shown in Figure 1.7. All five users need to access each of the three servers. Each of the three servers must be licensed per server, supporting five connections. If you added more users, they could technically access the server as long as no more than five concurrent users were accessing a single server at the same time. With Per Server licensing, clients are granted access on a first-come, first-served basis. Once the maximum number of clients for the license has been reached, any additional clients attempting to access the server will be denied access. FIGURE 1.7
Per Server Licensing
In an enterprise environment, where users need to access resources on multiple servers, Per Server licensing can be very expensive. However, in small companies where clients only need to access a single server, the per server mode of licensing is less expensive than the Per Seat licensing mode. This option is also useful if you are supporting remote clients or your server is providing Internet services, and clients are only accessing a single server.
Using Per Seat (Per Device or Per User) Licensing The Per Seat licensing mode is more practical for the enterprise environment. By purchasing a Client Access License (CAL) for each device or user, each client is licensed at the client side to access as many servers as needed. When using the Per Seat licensing mode, you record the CALs. In Figure 1.8, note that the servers are only licensed for the server software, and the right to access the server is licensed at the client. In environments where one user uses a computer, this would be referred to as Per Seat usage. However, some environments have special considerations and must require you to create license groups for Per Device and Per User licensing. You would create licensing groups in the following scenarios:
You may have more than one user using a computer—if, for example, your organization has workers in shifts and users from different shifts all share a computer.
You have many users who share many devices—for example, students working in a school computer lab.
Managing Licensing
35
You have a single user who accesses many computers—for example, someone working in a test lab. The licensing that would be required in these scenarios is as follows:
If 10 or fewer users are sharing a single computer, then you only need one CAL.
If one user is accessing multiple devices, you will need a CAL for each device.
You will learn how to create license groups in the “Administering Licensing in an Enterprise” section. FIGURE 1.8
Per Seat Licensing
Administering the License Logging Service If the License Logging service is running, Administrators can manage and track licensing through the Licensing option in Control Panel or the Licensing utility in Administrative Tools. If you were managing licenses for a single server, you would use the Licensing option in Control Panel. If you were managing licenses for an enterprise environment, you would use the Licensing Tools within Administrative Tools. If the License Logging service has not been started, then licensing is not monitored, although it is still enforced. You can view the status and manage the License Logging service from Start Administrative Tools Services. From Services, you would double-click the License Logging service to see the dialog box shown in Figure 1.9. In order to use license logging, the following settings should be applied:
Configure Startup Type as Automatic.
If the Service Status is Stopped, click the Start button to start the service.
Failure to start the License Logging service will prevent you from managing licenses through the Licensing option in Control Panel or through the Licensing utility in Administrative Tools.
36
Chapter 1
FIGURE 1.9
Installing, Licensing, and Updating Windows Server 2003
License Logging Properties dialog box
In Exercise 1.5, you will configure the License Logging service. EXERCISE 1.5
Configuring the License Logging Service 1.
Select Start Administrative Tools Services.
2.
Scroll down until you see the License Logging service, and double-click License Logging.
3.
Click the Log On tab and under Log On As, click Local System Account.
4.
Click the General tab. Under Startup Type, select Automatic.
5.
Under Service Status, click the Start button. The service will start and the Service Status will display Started. Click the OK button.
6.
Close the Service window.
Administering Licensing Locally The Licensing option in Control Panel, as shown in Figure 1.10, is used to manage a local server’s licensing. The following tasks can be managed:
Add or remove CALs for the Per Server licensing mode
Managing Licensing
37
Convert Per Server licensing to Per Device or Per User licensing (a one-time conversion from Per Server to Per Seat licensing is allowed, at no charge)
Configuration of replication frequency if the server’s licensing is managed on a centralized licensing server
FIGURE 1.10
Choose Licensing Mode dialog box
In the following sections, you will learn about managing specific tasks through the Licensing option in Control Panel.
Managing Per Server Connections If you are using Per Server licensing, you can add or remove licenses with the Add Licenses and Remove Licenses buttons. If you need to add additional licenses and you have purchased the Per Server licenses from Microsoft, you would click the Add Licenses radio button. This brings up the New Client Access License dialog box, shown in Figure 1.11. Within the Quantity field, specify how many additional licenses you are adding and click the OK button. You will need to agree that you have purchased the license and that you agree to the governing terms of the license agreement. FIGURE 1.11
New Client Access License dialog box
You would remove Per Server licenses from a server if you wanted to use them on another server. You would complete this task by clicking the Remove Licenses button. The Select Certificate To Remove Licenses dialog box will appear. Specify how many licenses you want to remove and click the Remove button.
38
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Switching from Per Server Connections to Per Device or Per User Connections Microsoft allows a one-time conversion from Per Server to Per Device or Per User Connections. If you want to switch from Per Server connections to Per Device or Per User connections, in the Choose Licensing Mode dialog box you would click the Per Device or Per User radio button. You will see a License Violation dialog box warning you that your change may violate the license agreement. If you have met all of the terms of the license agreement, click the No button (so that the request is not cancelled) to complete the conversion process.
If you configure Per Server licensing, you can always convert to Per Device or Per User licensing. However, you can’t convert from Per Device or Per User licensing to Per Server licensing.
In Exercise 1.6, you will administer Per Server licensing in a single server environment using the Licensing option in Control Panel. EXERCISE 1.6
Managing Per Server Licensing in a Single Server Environment 1.
Select Start Control Panel Licensing.
2.
From the Choose Licensing Mode dialog box, click the Add Licenses button. (If you receive an error at this point, it’s because the License Logging Service is not started.)
3.
The New Client Access License dialog box will appear. In the Quantity field, select 1 and click the OK button.
4.
The Per Server Licensing Agreement dialog box will appear. Click the I Agree That: dialog box and click the OK button.
5.
In the Choose Licensing Mode dialog box, you will see that your Per Server concurrent connections are listed as 6.
If you are using a production server, as opposed to a practice server, verify that your license meets the Microsoft requirements.
Managing Per Device and Per Users are typically associated with enterprise environments and are covered in detail in the following section.
Administering Licensing in an Enterprise If a network consists of multiple servers in an enterprise network (using Active Directory services), then licensing should be administered on an enterprise level. The following topics relate to administering licensing in an enterprise environment:
Managing Licensing
Determining and specifying which server is the site license server
Using the Licensing utility in Administrative Tools
Viewing site licensing for a Windows 2000 or Windows 2003 site
39
Each of these topics is covered in greater detail in the following subsections.
Determining and Specifying the Site License Server The site license server is responsible for managing all of the Windows licenses for the site. The default license server is the first domain controller in the site. The site license server does not have to be a domain controller but for best performance it is recommended that site license server and domain controller be in the same site. To determine what server is the site license server, you would take the following steps from a domain controller: 1.
Select Start Administrative Tools Active Directory Sites And Services.
2.
The Active Directory Sites And Services window will be displayed. Expand Sites and click on Default-First-Site. In the right-hand pane, you will see Licensing Site Settings, as shown in Figure 1.12.
FIGURE 1.12
Active Directory Sites And Services window
3.
Double-click License Site Settings, and the Licensing Site Settings Properties dialog box will appear, as shown in Figure 1.13. In the lower half of the dialog box, under Licensing Computer, you will see the server that has been designated the site license server.
4.
If you want to change the site license server, under Licensing Computer you click the Change button. The Select Computer dialog box appears and you can specify the computer name that will be the new site license server.
Once you have determined which server is the site license server, you can manage licensing for your site through the Licensing utility in Administrative Tools.
40
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Using the Licensing To access the Licensing utility, select Start Administrative Tools Licensing. This brings up the Licensing utility shown in Figure 1.14. FIGURE 1.13
Licensing Site Settings Properties dialog box
FIGURE 1.14
Licensing utility
Managing Licensing
41
If you click the Server Browser tab, then expand your domain and your server, you will see an entry called Windows Server. Double-clicking Windows Server accesses the Choose Licensing Mode dialog box, as shown in Figure 1.15. This allows you to specify whether you will manage enterprise licensing through Per Server mode or Per Device or Per User mode. FIGURE 1.15
Choose Licensing Mode dialog box
Once you have selected your licensing mode, you can manage licensing from the main dialog box of the Licensing utility, which contains four main tabs:
Purchase History
Products View
Clients
Server Browser
Each of these tabs and the processes for creating and editing licensing groups and for managing replication are covered in greater detail in the following subsections.
Purchase History The Purchase History tab of Licensing (shown in Figure 1.14) displays the historical overview of all licenses that have been added or deleted for the site. Specifically, you can see the date the license was added or deleted, the product (Windows or other Microsoft product), the quantity (added or deleted), the user who added the licenses, and a comment (if one was added). If you click the heading for Date, Product, Quantity, Administrator, or Comment, the purchase history will be sorted based on the category you selected. You would add new licenses through the following process: 1.
Select License New License.
2.
The New Client Access License dialog box will appear. For Product, select Windows Server and then specify the quantity for the licenses you have purchased. You can add a descriptive comment in the comment field. Click the OK button when you are done.
Chapter 1
42
Installing, Licensing, and Updating Windows Server 2003
3.
The Per Device or Per User Licensing dialog box will appear. You must agree that you have read and are bound to the license agreement for this product, then click the OK button.
4.
The new licenses will appear in the Purchase History tab.
Products View Through the Products View tab, shown in Figure 1.16, you can see the following information for each product that is licensed on the server:
Per Device or Per User licenses that have been purchased
Per Device or Per User licenses that have been allocated
Per Server licenses that have been purchased
The number of connections for Per Server that have been reached
FIGURE 1.16
Product View tab of the Licensing utility
If you look on the left-hand side of the Products View tab, you will see the licensing status of each product. The following symbols are used to indicate license status: Symbol
License Status License is in legal compliance.
License is not in legal compliance.
License has reached legal limit, and you should consider purchasing additional licenses.
Clients Through the Clients tab, shown in Figure 1.17, you can see the following information for each client that has accessed the server:
The username of each user who has accessed the server
The licensed usage (access) to the server
Managing Licensing
43
The unlicensed usage (access) to the server
The product (for example, Windows Server or Windows BackOffice) that was accessed by the user
FIGURE 1.17
Clients tab of the Licensing utility
If you look on the left-hand side of the Clients tab, you will see the licensing status of each product. The following symbols are used to indicate license status: Symbol
License Status User’s license is in legal compliance.
User’s license is not in legal compliance.
Server Browser The Server Browser tab, as shown in Figure 1.18, displays all of the sites, domains, and servers within the Active Directory structure. You can view and configure licensing for the servers that you have administrative rights to within the site. FIGURE 1.18
Server Browser tab of the Licensing utility
44
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Creating and Editing Licensing Groups You would create a license group if more than one person will be using a single computer. In the following example, you will create a license group called WS1 that consists of three users (who work different shifts) who share a single computer. 1.
Select Start Administrative Tools Licensing. In the main menu of the Licensing utility, select Options Advanced New License Group.
2.
The New License Group dialog box will appear, as shown in Figure 1.19.
FIGURE 1.19
New License Group dialog box
3.
Specify a group name (in this example, it’s WS1) and a description (optional).
4.
In the Licenses drop-down box, you would specify 1, as up to 10 users can share a single computer.
5.
To add users to this license group, click the Add button, which brings up the Add Users dialog box, shown in Figure 1.20. Select the users you want to add by highlighting them and then clicking the Add button. When you are done, click the OK button.
6.
In the New License Group dialog box, click the OK button.
FIGURE 1.20
Add Users dialog box
Managing Software Installation and Maintenance
45
Once a license group has been created, you can edit the licenses or group members for the license group through Options Advanced Edit License Group.
Managing Replication In an enterprise environment, you can centrally manage licensing information by collecting and storing all license information on a central server (the site license server) through the License Logging service. If your Windows Server 2003 server is not the site license server, you can configure how your server will replicate information to the site license server through the following steps: 1.
Select Start Control Panel Licensing.
2.
From the Choose Licensing Mode dialog box, click the Replication button.
3.
The Replication Configuration dialog box will appear, as shown in Figure 1.21. You can configure replication to start at a specific time (every 24 hours) or specify that licensing information should be replicated every x (number specified) hours.
FIGURE 1.21
Replication Configuration dialog box
In sites with a large number of servers, staggering replication times on different servers can balance the load of traffic that is sent to a site license server.
Managing Software Installation and Maintenance To keep your Windows operating systems up-to-date and secure, you use Windows Update, Automatic Update, Software Update Services (SUS), and the Microsoft Baseline Security Analyzer (MBSA): Windows Update This attaches to the Microsoft website through a user-initiated process and allows the Windows users to update their operating systems by downloading updated files (critical and non-critical software updates). Automatic Update This extends the functionality of Windows Update by automating the process of updating critical files. With Automatic Update, you can specify whether you want
Chapter 1
46
Installing, Licensing, and Updating Windows Server 2003
updates to be automatically downloaded and installed or whether you just want to be notified when updates are available. Software Update Services (SUS) This is used to deploy a limited version of Windows Update to a corporate server, which in turn provides the Windows updates to client computers within the corporate network. This allows clients that are limited to what they can access through a firewall to still keep their Windows operating systems up-to-date. Microsoft Baseline Security Analyzer (MBSA) This is a utility you can download from the Microsoft website to ensure that you have the most current security updates. In the following sections you will learn how to use Windows Update, Automatic Update, Microsoft Software Update Services, and the Microsoft Baseline Security Analyzer.
Using Windows Update Windows Update is available through the Microsoft website and is used to provide the most current files for the Windows operating systems. Examples of updates include security fixes, critical updates, updated help files, and updated drivers. Sometimes the updates that are installed require that the computer be restarted before the update can take effect. In this event, Windows Update uses a technology called chained installation. With chained installation, all updates that require a computer restart are applied before the computer is restarted. This eliminates the need to restart the computer more than once. If Windows Update detects any updates for your computer, you will see an update icon in the notification area of the Taskbar. The following steps are used to set up Windows Update from a Windows Server 2003 server that is connected to the Internet: 1.
Select Start Help And Support.
2.
The Help And Support Center dialog box will appear.
3.
Under Support Tasks, click the Windows Update option.
4.
The Welcome To Windows Update will appear. Click Scan For Updates.
5.
Windows Update will look for all available updates based on your computer’s configuration. A list of all updates for your computer will be listed, and you can selectively pick which updates you want to download.
The results of the Windows Update search will be displayed on the left-hand side of the Windows Update screen. You will see options for:
Welcome, which describes what Windows Update is and provides an option to Scan For Updates
Pick Updates To Install, which lists what updates are available for your computer and includes:
Critical Updates And Service Packs
Windows Server 2003 Family
Driver Updates
Managing Software Installation and Maintenance
47
Review And Install Updates, which allows you to view all updates you have selected to install and installs the updates
View Installation History, which allows you to track all of the updates you have applied to your server
Personalize Windows Update, which customizes what you see when you use Windows Update
Get Help And Support, which displays help and support information about Windows Update
About Windows Update, which displays information about what Windows Update is used for
The information that is collected by Windows Update includes operating system and version number, Internet Explorer version, the software version information for any software that can be updated through Windows Update, Plug and Play ID numbers for installed hardware, and region and language settings. Windows Update will also collect the Product ID and Product Key to confirm that you are running a licensed copy of Windows, but this information is only retained during the Windows Update session, and this information is not stored. No information that can be used to personally identify users of the Windows Update service is collected.
You will use Windows Update in Exercise 1.7. EXERCISE 1.7
Using Windows Update 1.
Select Start Help and Support.
2.
The Help And Support Center dialog box will appear.
3.
Under Support Tasks, click the Windows Update option.
4.
The Welcome To Windows Update will appear. Click Scan For Updates.
5.
Windows Update will look for all available updates based on your computer’s configuration.
6.
A list of all updates for your computer will be listed. Click each option for Critical Updates And Service Packs, Windows Server 2003 Family, and Driver Updates and check the updates you want to install.
7.
Click Review And Install Updates. In the Total Selected Updates section, click the Install Now button.
48
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Using Windows Automatic Updates Windows Automatic Updates extends the functionality of Windows Update by automating the update process. With Automatic Updates, Windows Server 2003 recognizes when you have an Internet connection and will automatically search for any updates for your computer from the Windows Update website. If any updates are identified, they will be downloaded using Background Intelligent Transfer Services (BITS). BITS is a bandwidth-throttling technology that only allows downloads to occur using idle bandwidth. This means that downloading Automatic Updates will not interfere with any other Internet traffic.
In order to configure Automatic Updates, you must have local administrative rights to the computer that Automatic Updates is being configured on. Requiring administrative rights prevents users from specifying that critical security updates not be installed. In addition, Microsoft will digitally sign any updates that are downloaded. Automatic Updates will not install files that do not contain a digital signature.
You configure Automatic Updates through the following process by selecting Start Control Panel System and click the Automatic Updates tab. You will see the dialog box shown in Figure 1.22. FIGURE 1.22
Automatic Updates tab from System Properties
Managing Software Installation and Maintenance
49
You enable Automatic Updates by checking the option Keep My Computer Up To Date. With This Setting Enabled, Windows Update Software May Be Automatically Updated Prior To Applying Any Other Updates. The settings that can be applied to Automatic Updates include:
Notify Me Before Downloading Any Updates And Notify Me Again Before Installing Them On My Computer. This option will prompt you to accept the downloading of any updates and you will be required to verify that you want the updates installed.
Download The Updates Automatically And Notify Me When They Are Ready To Be Installed. This is the default setting and will automatically download updates as a background process; however, you must verify that you want to install the updates.
Automatically Download The Updates, And Install Them On The Schedule That I Specify. This allows you to specify the days and times you want Windows to search for updates— for example, during non-business hours. You still have to verify that you want the updates installed prior to the updates being applied to your server.
The bottom of the Automatic Updates tab has a Declined Updates button. If Windows Update notifies you of an update and you decline the update—meaning you did not choose certain updates initially—you can click this button at a later time and still access the update, even if it was initially declined. You will configure Automatic Updates in Exercise 1.8. EXERCISE 1.8
Configuring Automatic Updates 1.
Select Start Control Panel System and click the Automatic Updates tab.
2.
Verify that the Keep My Computer Up To Date option is checked.
3.
Under Settings, select the Automatically Download The Updates, And Install Them On The Schedule That I Specify option. Select Every Sunday at 2:00 a.m. and click the OK button.
Using Software Update Services Software Update Services (SUS) is used to leverage the features of Windows Update within a corporate environment by downloading Windows Update to a corporate server, which in turn provides the updates to the internal corporate clients. This allows administrators to test and have full control over what updates are deployed within the corporate environment. SUS is designed to work in medium-sized corporate networks that are not using Systems Management Server (SMS). In the following sections, you will learn about:
Advantages of using SUS
SUS server requirements
50
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Installing and configuring the SUS servers
SUS client requirements
Configuration of the SUS clients
The current version of SUS, during the writing of this book, is SUS 1.0 with Service Pack 1.
Using SUS You are the network administrator for a large company. You want to ensure that your Windows servers and clients are kept up-to-date. You have a process that specifies that all updates must be tested in a lab environment before they are deployed within the network. You want to streamline the update process as much as possible with minimum cost and setup. All of your client computers are running Windows 2000 Professional or Windows XP Professional and all of the servers are running Windows 2000 Server or Windows Server 2003. They all have the current Service Packs applied. You decide to use Software Update Services. The software can be downloaded from the Microsoft website at no charge and can be configured to automatically download any updates based on the schedule you specify. You can then test all of the updates before they are configured to be deployed within the internal network.
Advantages of Using SUS There are many advantages to using SUS. The advantages include:
SUS allows an internal server within a private intranet to act as a virtual Windows Update server.
Administrators have selective control over what updates are posted and deployed from the public Windows Update site. No updates are deployed to client computers unless they are first approved by an administrator.
Administrators can control the synchronization of updates from the public Windows Update site to the SUS server either manually or automatically.
Automatic Updates can be configured on client computers to access the local SUS server as opposed to the public Windows Update site.
Each update can be checked to verify that they are digitally signed by Microsoft, and any updates that are not digitally signed are discarded.
Managing Software Installation and Maintenance
51
Updates can be deployed to clients in multiple languages.
You can configure the SUS statistics server to log update access, which allows an administrator to track which clients have installed updates. The SUS server and the SUS statistics server can coexist on the same computer.
Administrators can manage SUS servers remotely using HTTP or HTTPS if their web browser is Internet Explorer 5.5 or higher.
SUS Server Requirements In order to act as a SUS server, the server must meet the following requirements:
Be running Windows 2000 Server with Service Pack 2 or higher or Windows Server 2003.
Be using Internet Explorer 5.5 or higher.
Have all of the most current security patches applied.
Be running Internet Information Services (IIS).
Be connected to the network.
Have an NTFS partition with 100MB free disk space to install the SUS server software and 6GB of free space to store all of the update files.
If your SUS server meets the following system requirements, it can support up to 15,000 SUS clients:
Pentium III 700MHz processor
512MB of RAM
Installing and Configuring the SUS Server The SUS server should run on a server that is dedicated to running SUS, meaning that it will not run any other applications other than IIS, which is required. Microsoft recommends that you install a clean or new version of Windows 2000 Server or Windows Server 2003 and apply any service packs or security-related patches.
You should not have any virus-scanning software installed on the server. Virus scanners can mistake SUS activity for a virus.
Installing a SUS Server The following steps are used to install the SUS server: 1.
Download the SUS software from the Microsoft website. The URL for accessing the SUS home page is: http://go.Microsoft.com/fwlink/?linkid=6930. The download file is called SUS10SP1.exe. The SUS software is available in English and Japanese.
2.
Once SUS is downloaded, the Welcome To The Microsoft Software Update Services Setup Wizard screen will appear. Click the Next button.
52
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
If IIS is not installed on the server, which is a prerequisite for SUS, you will receive an error.
3.
The End-User License Agreement dialog box will appear. Accept the terms of the agreement and click the Next button.
4.
The Choose Setup Type dialog box will appear. You can select Typical (which installs Microsoft Software Update Services with default settings) or Custom (which customizes the installation and settings of Microsoft Software Update Services). Click Typical to install the SUS with default settings.
5.
The Ready To Install dialog box will appear and a download URL will be specified, as shown in Figure 1.23. The download URL is HTTP://yourservername by default. Computers running Automatic Updates must be configured to use this URL. Click the Install button.
FIGURE 1.23
Ready To Install dialog box
6.
The Completing The Microsoft Software Update Services Setup Wizard dialog box will appear. Click the Finish button.
7.
The SUS Administration website will automatically open in Internet Explorer.
Configuring a SUS Server In the following sections, you will learn how to set the SUS server options, set synchronization, approve updates, view the synchronization log, view the approval log, and monitor the SUS server.
Managing Software Installation and Maintenance
53
SETTING SUS SERVER OPTIONS
You can configure the SUS server through the following steps: 1.
If the SUS Administration website is not open, you can open it from Internet Explorer through the URL http://yourservername/SUSAdmin.
2.
The Software Update Services screen will appear. Under the Other Options section, click Set Options. Within the Set Options selection, shown in Figure 1.24, you can select the following options:
3.
Select A Proxy Server Configuration
Specify The Name Your Clients Use To Locate This Update Server
Select Which Server To Synchronize Content From (Microsoft Windows Update Servers Or Local Software Update Server)
Select How You Want To Handle New Versions Of Previously Approved Updates (Automatically Approve New Versions Of Previously Approved Updates, Do Not Automatically Approve New Versions Of Approved Updates, Default, or Recommended)
Select Where You Want To Store Updates (You Can Maintain The Updates On A Microsoft Windows Update Server Or Save The Updates To A Local Update Folder)
Synchronize Installation Packages Only For These Locales (Allows You To Specify Locales/Languages That You Are Storing Update Packages For) Click the Apply button when you are done with your configuration settings.
FIGURE 1.24
Set Options
54
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
SETTING SUS SERVER SYNCHRONIZATION
By default, SUS server synchronization is not defined. You can manually synchronize your server with the Windows Update server or you can set a synchronization schedule to automate the process. The following steps are used to configure SUS Server synchronization: 1.
From the Software Update Services screen, click Synchronize Server.
2.
The Synchronize Server screen will appear, as shown in Figure 1.25.
FIGURE 1.25
Synchronize Server
3.
You can select Synchronize Now (which forces a manual synchronization) or Synchronization Schedule. To set a synchronization schedule, click the Synchronization Schedule button.
4.
The Schedule Synchronization—Web Page Dialog dialog box will appear (see Figure 1.26). You can specify that you will not use a synchronization schedule (which means you will need to manually synchronize your server) or synchronize your server using the specified schedule. You would typically schedule updates during non-peak network hours. When you are done, click the OK button.
Managing Software Installation and Maintenance
FIGURE 1.26
55
Schedule Synchronization—Web Page Dialog dialog box
APPROVING UPDATES
Before updates can be deployed to SUS clients, the administrator must approve the updates. You approve updates through the following steps: 1.
From the Software Update Services screen, click Approve Updates.
2.
The Approve Updates screen will appear, as shown in Figure 1.27.
FIGURE 1.27
Approve Updates screen
56
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
VIEWING THE SYNCHRONIZATION LOG
The following steps are used to view the synchronization log: 1.
From the Software Update Services screen, click View Synchronization Log.
2.
The Synchronization Log screen will appear.
VIEW THE APPROVAL LOG
The approval log shows the update status for each item. Update status will be marked as New, Approved, Not Approved, Updated, or Temporarily Unavailable. The following steps are used to view the approval log: 1.
From the Software Update Services screen, click View Approval Log.
2.
The Approval Log screen will appear, as shown in Figure 1.28.
MONITORING THE SUS SERVER
The Monitor Server option allows you to see what updates have been cached into the server memory. If the memory cache does not load automatically, you can click the Refresh button. 1.
From the Software Update Services screen, click Monitor Server.
2.
The Monitor Server screen will appear, as shown in Figure 1.29.
FIGURE 1.28
Approval Log screen
Managing Software Installation and Maintenance
57
SUS Client Requirements SUS clients run a special version of Automatic Updates that are designed to support SUS. The enhancements to Automatic Updates include:
Support so that the client can receive updates from a SUS server as opposed to the public Microsoft Windows Update site
Support so that the administrator can schedule when downloading of updated files will occur
Configuration support so that clients can be configured via Group Policy or through editing the Registry
Support for allowing updates when an administrative account or non-administrative account is logged on
FIGURE 1.29
Monitor Server screen
The only client platforms that SUS currently supports are:
Windows 2000 Professional (with Service Pack 2 or higher)
Windows 2000 Server (with Service Pack 2 or higher)
Windows 2000 Advanced Server (with Service Pack 2 or higher)
Windows XP Home Edition (with Service Pack 1 or higher)
Windows XP Professional (with Service Pack 1 or higher)
Windows Server 2003 (all platforms)
58
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Configuration for the SUS Clients There are two methods for configuring SUS clients. The method you use is dependent on whether your network uses Active Directory. In a non-enterprise network (not running Active Directory), you would configure Automatic Updates through Control Panel using the same process that was defined in the “Using Automatic Updates” section of this chapter. Each client’s Registry would then be edited to reflect the location of the server that will provide the Automatic Updates. Within an enterprise network, using Active Directory, you would typically see Automatic Updates configured through Group Policy. Group policies are used to manage configuration and security settings via Active Directory. Group Policy is also used to specify what server a client will use for Automatic Updates. If Automatic Updates are configured through Group Policy, then Automatic Updates settings through Control Panel System, Automatic Updates tab are disabled.
Configuring a Client in a Non–Active Directory Network The easiest way to configure the client to use Automatic Updates is through Control Panel System, Automatic Updates tab. However, you can also configure Automatic Updates through the Registry. The Registry is a database of all of your server’s settings and can be accessed by clicking Start Run and typing Regedit in the Run dialog box. Automatic Updates settings are defined through HKEY_LOCAL_MACHINE\Software\Policies\ Microsoft\Windows\WindowsUpdate\AU. The Registry options that can be configured for Automatic Updates are specified in Table 1.4. TABLE 1.4
Registry Keys and Values for Automatic Updates
Registry Key
Options for Values
NoAutoUpdate
0 Automatic Updates are enabled (default) 1 Automatic Updates are disabled
AUOptions
2 Notify of download and installation 3 Auto download and notify of installation 4 Auto download and schedule installation
ScheduledInstallDay
0 Every day 1 Sunday 2 Monday 3 Tuesday 4 Wednesday 5 Thursday 6 Friday 7 Saturday
UseWUServer
0 Use public Microsoft Windows Update site 1 Use server specified in WUServer entry
To specify what server will be used as the Windows Update server, you edit two Registry keys, which are found at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\ Windows\WindowsUpdate.
The WUServer key sets the Windows Update server using the server’s HTTP name—for example, http://intranetSUS.
The WUStatusServer key sets the Windows Update intranet SUS statistics server by using the server’s HTTP name—for example, http://intranetSUS.
Managing Software Installation and Maintenance
59
Configuring a Client in an Active Directory Network If the SUS client is a part of an enterprise network using Active Directory, you would configure the client via group policy. To configure group policy on a Windows Server 2003 domain controller, you would take the following steps: 1.
Select Start Run. In the Run dialog box, type MMC.
2.
From the MMC console, select File Add/Remove Snap-in.
3.
In the Add/Remove Snap-in dialog box, click the Add button.
4.
In the Add Standalone Snap-in dialog box, select Group Policy Object Editor and click the Add button.
5.
For Group Policy Object, click the Browse button and select Default Domain Policy and click the OK button.
6.
In the Select Group Policy Object dialog box, click the Finish button. In the Add Standalone Snapin dialog box, click the Close button. In the Add/Remove Snap-in dialog box, click the OK button.
7.
Expand Default Domain Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update to access the Windows Update settings shown in Figure 1.30.
FIGURE 1.30
Group Policy Settings for Windows Update
Double-click the Configure Automatic Updates option. The Configure Automatic Updates Properties dialog box will appear, as shown in Figure 1.31. The Automatic Update options that can be configured through group policy are:
8.
Whether Automatic Updates are Not Configured, Enabled, or Disabled
How automatic updating is configured, either Notify For Download And Notify For Install, Auto Download And Notify For Install, or Auto Download And Schedule The Install
The schedule that will be applied for the install day and the install time
Chapter 1
60
Installing, Licensing, and Updating Windows Server 2003
To configure which server will provide automatic updates, you click the Next Setting button on the Configure Automatic Updates Properties dialog box. This brings up the Specify Intranet Microsoft Update Service Location Properties dialog box. The Specify Intranet Microsoft Update Service Location Properties that can be configured through group policy are:
9.
The status of the Intranet Microsoft Update Service location as Not Configured, Enabled, or Disabled
The HTTP name of the server that will provide intranet service updates
The HTTP name of the server that will act as the intranet SUS statistics server
FIGURE 1.31
Configure Automatic Updates Properties dialog box
10. To configure rescheduling of automatic updates, you click the Next Setting button on
the Specify Intranet Microsoft Update Service Location Properties dialog box. This brings up the Reschedule Automatic Updates Scheduled Installation Properties dialog box shown in Figure 1.32. You can enable and schedule the amount of time that Automatic Updates waits after system startup to proceed with a scheduled installation that was previously missed. 11. To configure auto-restart for scheduled Automatic Updates installations, you click the
Next Setting button on the Reschedule Automatic Updates Scheduled Installation Properties dialog box. This brings up the No Auto-Restart For Scheduled Automatic Updates Installations dialog box shown in Figure 1.33. If an update requires the computer to restart, there are two configuration options available: the computer will be updated the next time the computer is restarted, or the restart is automatically performed as a part of the update. 12. When you are done making setting changes, click the OK button.
Managing Software Installation and Maintenance
FIGURE 1.32
61
Reschedule Automatic Updates Scheduled Installation Properties dialog box
There are security templates called Wuau.adm (for Windows 2000 Server, if you are using Service Pack 2 you will need to import this template. If you are using Service Pack 3 or higher, the template is included as a part of the Service Pack Update), which is available through the Software Update Services installation. If you are using Windows Server 2003 you would use the System.adm security template that automatically applies the group policy settings that are used by SUS.
FIGURE 1.33
No Auto-Restart Of Scheduled Automatic Updates Installations dialog box
62
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Using the Microsoft Baseline Security Analyzer The Microsoft Baseline Security Analyzer (MBSA) is a security assessment utility that can be downloaded from the Microsoft website. It verifies whether your computer has the latest security updates and whether there are any common security violation configurations (configurations that could allow security breaches) that have been applied to your computer. The programs that are scanned by MBSA include:
Windows NT 4
Windows 2000
Windows XP
Windows Server 2003
IIS 4 and 5
Internet Explorer, versions 5.01 and higher
SQL Server 7 and SQL Server 2000
Microsoft Office 2000 and Microsoft Office XP
Windows Media Player, versions 6.4 and higher In order to use MBSA, the computer must meet the following requirements:
Be running Windows 2000, Windows XP, or Windows Server 2003 (MBSA is not supported by Windows 95, Windows 98, or Windows Me)
Be running Windows Explorer 5.01 or higher
Have an XML parser installed for full functionality
Have the Workstation and the Server service enabled
Have Client for Microsoft Networks installed
MSBA replaces the Microsoft Personal Security Advisor (MPSA), an application that was previously used to scan for possible security threats to your computer.
A GUI version of MBSA can be run from Start All Programs Microsoft Baseline Security Analyzer. You can also open a command prompt by changing the path to Drive: Program Files\Microsoft Baseline Security Analyzer and typing mbsa (after the Mbsasetup.msi has been downloaded and installed from the Microsoft site) or from the command line by using mbsacli.exe.
Using the GUI Version of MBSA Once you have installed MBSA, you can access it from Start All Programs Microsoft Baseline Security Analyzer or by opening the command prompt and executing mbsa.exe. This brings up the Baseline Security Analyzer utility shown in Figure 1.34. You can select from Scan A Computer, Scan More Than One Computer, or View Existing Security Reports.
Managing Software Installation and Maintenance
63
Using MBSA You are the network administrator of a large company. In the past you have had problems with security as security holes have become public knowledge and hackers have tried to gain unauthorized access to your network. You also want to ensure that your configuration settings meet the current standards for security that have been defined by Microsoft. You decided to use the Microsoft Baseline Security Analyzer. The utility is constantly being updated and will tell you if you have any configurations that could cause security problems or if there are any known security problems with your current software.
FIGURE 1.34
Baseline Security Analyzer
When you click Scan A Computer, the Pick A Computer To Scan dialog box will appear, as shown in Figure 1.35. You can specify that you want to scan a computer based on computer name or IP address. You can also specify the name of the security report that will be generated. Options for the security scan include: Check for windows vulnerabilities This option checks for various potential vulnerabilites that are specific to Windows policy settings. Specifically, it lists all of the members of the Administrators group, which could pose a security threat because they have unlimited access to the computer. This option also checks for the presence of auditing and whether auto-logon is enabled or not. It also checks for the presence of unnecessary services that hackers could use to attack the system, such as FTP, Telnet, WWW, and SMTP. The Windows Vulnerabilites option also verifies that the scanned system is a domain controller running NTFS and whether or not the Guest account is enabled. Finally, this option returns the OS version, the password expiration status, the status of the RestrictAnonymous registry key, and the status of any shared folders on the scanned computer.
64
Chapter 1
FIGURE 1.35
Installing, Licensing, and Updating Windows Server 2003
Pick A Computer To Scan dialog box
Check for weak passwords This option checks for the presence of weak passwords for any user accounts that could access the system. Examples of weak passwords include blank passwords, duplicate passwords, passwords that are the same as the machine name, and passwords that are entered literally as “password,” “admin,” or “administrator.” Check for IIS vulnerabilities IIS is a particularly vulnerable spot in a Windows domain because it is typically exposed to the public Internet. The Check For IIS Vulnerabilities option scans fpr the presence of the following IIS vulnerabilities: MSADC and Scripts Virtual Directories and whether or not IIS is running on a domain controller. In addition, it checks for the following options that can improve security for IIS servers: the presence of the IISADMPWD Virtual Directory (for managing IIS user passwords), and the presence of the IIS lockdown tool, IIS logging, IIS parent paths, and IIS sample applications. Check for SQL vulnerabilities abilities:
This option checks and reports the following SQL vulner-
The number of members of the Sysadmin role. The Cmdexec right is restricted to Sysadmin only. Simple local SQL Server account passwords. The authentication mode used on the SQL Server. The built-in Administrators group is listed as a member of the Sysadmin role.
SQL Server directories have limited access to SQL service accounts and local Administrators only.
Managing Software Installation and Maintenance
65
SQL 7.0 SP1, SP2, or SP3 sa account passwords are written in plaintext to the setup.iss and sqlstp.log\sqlspX.log files in the system and system\temp directories. The splstp.log\sqlspX.log file is also checked on SQL 2000 if domain credentials are used in starting the SQL Server services. The SQL Server Guest account has access to databases (excluding master, tempdb, and msdb). SQL Server is running on a system that is a domain controller. The Everyone group is restricted to Read permission for the following registry keys: HKLM\Software\Microsoft\Microsoft SQL Server and HKLM\Software\Microsoft\ MSSQLServer. The SQL Server service accounts are members of the local or Domain Administrators group on the scanned computer, or whenever any SQL Server service accounts are running under the LocalSystem context. Check for security updates This check ensures that the scanned machine has all of the latest service packs and security updates installed. If you use this option and are using SUS, you can specify the name of the SUS server that should be checked for the security updates. Once you are done with your selections, click Start Scan. Once the scan is complete, the security report will be automatically displayed, as shown in Figure 1.36. If you have scanned multiple computers, you can sort the security reports based on issue name, score (worst first), or score (best first). FIGURE 1.36
View Security Report dialog box
Chapter 1
66
Installing, Licensing, and Updating Windows Server 2003
Using mbsacli.exe If you use MBSA from the command-line utility mbsacli.exe, there are several options that can be specified. MBSA uses the HFNetChk tool technology to scan for missing security updates and service packs for the following products: Windows NT 4, 2000, 2003, and XP; IIS 4 and 5; SQL Server 7 and 2000; IE 5.01 and later; Exchange 5.5 and 2000; and Windows Media Player 6.4 and later. You type mbsacli.exe /hf (from the folder that contains mbsacli.exe, which is Drive: Program Files\Microsoft Baseline Security Analyzer) and can then customize the command execution with the options defined in Table 1.5. TABLE 1.5
mbsacli.exe /hf Command-line Options
Option
Description
-h hostname
Scans the specified host. You can specify that you want to scan multiple host computers by separating the hostnames with a comma.
-fh filename
Scans the NetBIOS names of each computer that is to be scanned and saves the information as text within the filename you specify.
-i xxxx.xxxx.xxxx.xxxx
Scans a computer based on the specified IP address. You can scan multiple computers by IP address by separating each IP address with a comma.
-fip filename
Scans the computer’s IP addresses within the text file that was specified, up to a maximum of 256 IP addresses.
-d domainname
Scans the specified domain.
-n
Specifies that all of the computers on the local network should be scanned.
Summary In this chapter, you learned about basic features of Windows Server 2003, how to install Windows Server 2003, licensing for Windows Server 2003, and how to keep Windows Server 2003 up-to-date. We covered the following topics:
The basic features of Windows Server 2003, which include Active Directory, file and print services, security, network and communications, application services, management services, Storage Management Services, Internet Information Services, Terminal Services, Universal Description, Discovery, and Integration services.
Key Terms
67
Preparation needed for installing Windows Server 2003, which included verifying that your computer meets the hardware requirements for Windows Server 2003, making sure your hardware is on the Hardware Compatibility List, checking system compatibility, and understanding the installation options for Windows Server 2003.
How to install Windows Server 2003 and configure the server as a domain controller.
What post-installation activation is and how to activate Windows Server 2003.
The options for managing licensing with Windows Server 2003 clients and how to administer licensing.
How to manage software installation and maintenance through Windows Update, Windows Automatic Updates, Software Update Services, and Microsoft Baseline Security Analyzer.
Exam Essentials Be able to manage Windows licensing. You should understand the options for licensing Windows clients and how licensing can be administered in a local environment or within an enterprise environment. Be able to keep Windows up-to-date and secure. Understand the use of Windows Update, Windows Automatic Updates, Software Update Services, and Microsoft Baseline Security Analyzer. Be able to install and configure SUS servers and clients and administer software updates. Know how to use the Microsoft Baseline Security Analyzer to identify possible security weaknesses from a GUI interface and from the command line.
Key Terms Before you take the exam, be certain you are familiar with the following terms: Active Directory (AD)
Microsoft Baseline Security Analyzer (MBSA)
Automatic Update
organizational units (OUs)
Client Access License (CAL)
Per Seat licensing
containers
Per Server licensing
domain controller
product activation
domains
site license server
Hardware Compatibility List (HCL)
Software Update Services (SUS)
License Logging service
Windows Update
68
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
Review Questions 1.
You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers have the most current software installed for their operating systems, including:
Critical Updates and Service Packs Windows Server 2003 Family Driver Updates You want to automate the process as much as possible, and you want the client computers to download the updates from a central server that you are managing. You decide to use Software Update Services. You have several computers that you can use as the SUS server. Which of the following computers meet(s) the requirements for being a SUS server?
Computer Hardware/ Software
Computer A
Computer B
Computer C
Computer D
Operating System Windows Server 2003
Windows 2000 Windows Server Server (SP2) 2003
Windows 2000 Server (SP3)
Partitions
FAT32 with 10GB free space
NTFS with 10GB free space
FAT32 with 8GB free disk space
Additional software
Domain Domain Member server, Member server, controller, most controller, IIS, most current IIS, most current current IE most current IE IE IE
A. Computer A B. Computer B C. Computer C D. Computer D
NTFS with 8GB free space
Review Questions
2.
69
You were recently hired to manage the network for the Wacky Widgets Corporation. One of your first tasks is to ensure that all of the operating systems and software that is being used is properly licensed. Your network consists of a Windows 2003 domain that includes 10 Windows Server 2003 servers and 250 Windows XP Professional client computers. All of the computers within the network are located in a single site. You create a licensing strategy that specifies that you will use a server called LicenseServer to manage all of the Windows licensing through Administrative Tools Licensing. You configure all of the servers with the License Logging service. The next step you need to complete is determining which server is acting as the site license server and changing the site license server to LicenseServer. Which of the following options will allow you to configure the site license server? A. Configure the site license server through the License Logging service. B. Configure the site license server using Administrative Tools Active Directory Sites
And Services. C. Configure the site license server through Administrative Tools Licensing. D. Configure the site license server through Control Panel Licensing. 3.
You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers have the most current software installed for their operating systems, including:
Critical Updates and Service Packs Windows Server 2003 Family Driver Updates You want to automate the process as much as possible, and you want the client computers to download the updates from a central server that you are managing. You decide to use Software Update Services. Which of the following client computers (with their current configuration) can be used with Software Service Update? (Choose all that apply.) A. Windows 98 (with most current Service Pack) B. Windows Me (with most current Service Pack) C. Windows 2000 Professional (Service Pack 2) D. Windows XP Home Edition (Service Pack 1) E. Windows XP Professional (no Service Pack) F. Windows Server 2003 member server (no Service Pack)
70
4.
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers have the most current software installed for their operating systems, including:
Critical Updates and Service Packs Windows Server 2003 Family Driver Updates You want to automate the process as much as possible, and you want the client computers to download the updates from a central server that you are managing. You decide to use Software Update Services. The SUS server software has been installed on a server called SUSServer. You want to test the SUS server before you set up group policy within the domain. You install Windows XP Professional with the latest Service Pack on a test client. Which of the following Registry entries needs to be made for the client in order to specify that the client should use SUSServer for Windows Update? (Choose all that apply.) A. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
WindowsUpdate\AU\UseWUServer and specify 0 for data B. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
WindowsUpdate\AU\UseWUServer and specify 1 for data C. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
WindowsUpdate\AU\WUServer and specify http://SUSServer D. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
WindowsUpdate\AU\WUServer and specify SUSServer E. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
WindowsUpdate\WUServer and specify http://SUSServer F. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
WindowsUpdate\WUServer and specify SUSServer
Review Questions
5.
71
You are the network administrator for a small company. Your company has one Windows Server 2003 computer configured as a domain controller and 25 clients running Windows XP Professional. You want to ensure that your server stays up-to-date through Windows Automatic Update. Where should you configure your server to use Windows Automatic Update? (Choose all that apply.) A. Through the Registry B. Through Group Policy C. Start All Programs Accessories System Tools Windows Update D. Start Control Panel System and click the Automatic Updates tab
6.
You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers have the most current software installed for their operating systems, including:
Critical Updates and Service Packs Windows Server 2003 Family Driver Updates You want to automate the process as much as possible, and you want the client computers to download the updates from a central server that you are managing. You decide to use Software Update Services. The SUS server software has been installed on a server called SUSServer. You want to use Group Policy to define all of the Windows Update settings for the SUS clients. Where would you configure this information within Group Policy? A. Computer Configuration\Administrative Templates\Windows Components\
Windows Update B. Computer Configuration\Windows Update C. Computer Configuration\Administrative Templates\SUS Settings\Windows
Update D. Software Settings\SUS Settings\Windows Update 7.
You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers are secure. You decide to use MBSA to scan your client computers for possible security violations. Which of the following clients are supported by MBSA? (Choose all that apply.) A. Windows 98 (with most current Service Pack) B. Windows Me (with most current Service Pack) C. Windows 2000 Professional (Service Pack 2) D. Windows XP Home Edition (Service Pack 1) E. Windows XP Professional (no Service Pack) F. Windows Server 2003 member server (no Service Pack)
72
8.
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers have the most current software installed for their operating systems, including:
Critical Updates and Service Packs Windows Server 2003 Family Driver Updates You want to automate the process as much as possible, and you want the client computers to download the updates from a central server that you are managing. You decide to use Software Update Services. The SUS server software has been installed on a Windows Server 2003 member server called SUSServer. You want to use Group Policy to define all of the Windows Update settings for the SUS clients. Which of the following template files should you use to apply the Group Policy settings? A. Wuau.adm B. Sus.adm C. System.adm D. Security.adm 9.
You are the manager of a testing lab. Your company develops applications that will run with Windows Server 2003. As a part of your job, you install and configure servers that will be used for testing purposes. You recently installed a Windows Server 2003 member server for testing of a local application, but did not register the product. After 14 days, you still have not registered the product, and now you cannot access the server. The product key is being supplied through your corporate IT department, but you will not have access to the information for two more days. In the meantime, what process can you use to access local data on the computer? A. Start the server using Automated System Recovery (ASR). B. Boot the server using Safe Mode. C. Start the server using the Recovery Console. D. There is nothing you can do until you complete Windows Activation. E. Boot the server using Safe Mode with Networking.
10. You are the network administrator for the computer lab at the University of Microsoft. Within the lab 250 students use 25 computers on a regular basis. When you manage the licensing for the lab, you receive error reports that you are out of licenses. You decide to implement license groups to manage licensing. Which of the following options can be used to create a license group? A. Administrative Tools License Manager B. Administrative Tools Licensing C. Control Panel License Manager D. Control Panel Licensing
Review Questions
73
11. You are the network administrator for a small company. Your network consists of one Windows Server 2003 server, which is configured as a domain controller, with 250 client computers. You want to make license management as easy as possible. Which of the following utilities should you use to configure licensing? A. Administrative Tools License Manager B. Administrative Tools Licensing C. Control Panel License Manager D. Control Panel Licensing 12. You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers have the most current software installed for their operating systems, including:
Critical Updates and Service Packs Windows Server 2003 Family Driver Updates You want to automate the process as much as possible, and you want the client computers to download the updates from a central server that you are managing. You decide to use Software Update Services. The SUS server software has been installed on a server called SUSServer. Which of the following options would you use to remotely manage the SUS server? A. Start Administrative Tools SUSAdmin B. Start Administrative Tools Software Update Services C. From command-line through SUSAdmin D. Internet Explorer through the URL http://yourservername/SUSadmin 13. You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers are secure. You decide to use MBSA to scan your client computers for possible security violations. You want to use the command-line version of MBSA to scan all of the computers on the local network. Which of the following commands should you use? A. mdsacli.exe /hf -n B. mbsacli.exe /hf -n C. mbsa.exe /hf -n D. mbsa.exe -n 14. You are the network administrator for a small company. Your network consists of one Windows Server 2003 server, which is configured as a domain controller, and 250 client computers. You want to make license management as easy as possible. Which of the following requirements must be met before you can manage licensing? A. You must have the License Management service running. B. You must have the License Logging service running. C. You must have the License Query service running. D. Nothing, license management is inherent in Windows Server 2003.
74
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
15. You are the network administrator for a Fortune 500 company. You are responsible for all client computers at the central campus. You want to make sure that all of the client computers are secure. You decide to use MBSA to scan your client computers for possible security violations. You want to use the command-line version of MBSA to scan your computers based on IP address. Which of the following commands should you use? A. mbsacli.exe /hf -i xxxx.xxxx.xxxx.xxxx B. mbsacli.exe /hf -ip xxxx.xxxx.xxxx.xxxx C. mbsa.exe /hf -ip xxxx.xxxx.xxxx.xxxx D. mbsa.exe /ip xxxx.xxxx.xxxx.xxxx
Answers to Review Questions
75
Answers to Review Questions 1.
C. In order to act as a SUS server, the following requirements must be met: the server must be running Windows 2000 Server with Service Pack 2 or higher or Windows Server 2003. The server must be using Internet Explorer 5.5 or higher. The server must have the most current security patches applied. The server must be running Internet Information Services (IIS). The server must be connected to the network. The server must have an NTFS partition with 100MB free disk space to install the SUS server software and 6GB of free space to store all of the update files.
2.
B. You can view and configure the site license server by selecting Start Administrative Tools Active Directory Sites And Services. The Active Directory Sites And Services dialog box will be displayed. Expand Sites and click Default-First-Site. In the right-hand pane, you will see Licensing Site Settings. Double-click License Site Settings and the Licensing Site Setting Properties dialog box will appear. In the lower half of the dialog box, under Licensing Computer, you will see the server that has been designated the site license server. By default, the licensing server is the first domain controller installed in the site. You can change the site license server through the Licensing Computer dialog box.
3.
C, D, F. The following clients can use Software Update Services: Windows 2000 Professional (with Service Pack 2 or higher), Windows 2000 Server (with Service Pack 2 or higher), Windows 2000 Advanced Server (with Service Pack 2 or higher), Windows XP Home Edition (with Service Pack 1 or higher), Windows XP Professional (with Service Pack 1 or higher), and Windows Server 2003 (all platforms). These clients use a special version of Automatic Updates that is required by Software Update Services.
4.
B, E. The Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ WindowsUpdate\AU\UseWUServer can be set to 0, which uses the public Windows Update server, or 1, which specifies that you will specify the server for Windows Update in the HKEY_ LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate key. The WUServer key sets the Windows Update server using the server’s HTTP name, for example, http://intranetSUS.
5.
D. You configure Automatic Update by selecting Start Control Panel System and clicking the Automatic Updates tab. You can configure the schedule that your computer will use to scan for updates and how updates should be applied to your computer.
6.
A. You can configure Windows Update settings that are used in conjunction with Software Update Services (SUS) through group policy. Within Group Policy, you edit Computer Configuration\Administrative Templates\Windows Components\Windows Update.
7.
C, D, E, F. MBSA will scan the following clients: Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003. Service packs are not required to use MBSA.
8.
C. There are security templates called Wuau.adm (for Windows 2000 Server), which is available through the Software Update Services installation, and System.adm (for Windows Server 2003), which automatically applies the Group Policy settings that are used by SUS.
76
9.
Chapter 1
Installing, Licensing, and Updating Windows Server 2003
B. After Windows Server 2003 is installed, you will have 14 days to activate the license. After the 14-day grace period expires, you will not be able to restart Windows Server 2003 normally if you log out of the computer or if the computer is restarted. However, you can start Windows Server 2003 in Safe Mode (not Safe Mode with Networking). With Safe Mode, you will not have any networking capabilities, but you will have access to any folders or files located on the server.
10. B. Some environments have special considerations and will require you to create license groups for Per Device and Per User licensing. You would create licensing groups if you have more than one user using a computer—for example, if your organization has workers in shifts and users from different shifts all share a computer. Another possibility might be that you have many users who share many devices—for example, students working in a school computer lab. To create a license group you would use Administrative Tools Licensing. From the main menu, you would then select Options Advanced New License Group. 11. D. If you only have one server, then you will be using Per Server licensing in a non-enterprise environment. In this case, the preferred way to manage licensing is through Control Panel Licensing. In Enterprise Licensing, licensing considerations must be accomplished through Administrative Tools Licensing. 12. D. To remotely manage a SUS server, open http://yourservername/SUSadmin from Internet Explorer. 13. B. If you use MBSA from the command-line utility mbsacli.exe, there are several options that can be specified. You type mbsacli.exe /hf (from the folder that contains mbsacli.exe) and can then customize the command execution with an option such as -n, which specifies that all of the computers on the local network should be scanned. 14. B. If the License Logging service is running, Administrators can manage and track licensing through the Licensing option in Control Panel or the Licensing utility in Administrative Tools. If you were managing licenses for a single server, you would use the Licensing option in Control Panel. If you were managing licenses for an enterprise environment, you would use the Licensing within Administrative Tools. 15. A. If you use MBSA from the command-line utility mbsacli.exe, there are several options that can be specified. You type mbsacli.exe /hf from the folder (Drive: Program Files\ Microsoft Baseline Security Analyzer) that contains mbsacli.exe and can then customize the command execution with an option such as /hf -i xxxx.xxxx.xxxx.xxxx, which specifies that computers with the specified IP address should be scanned.
Chapter
2
Managing Users, Groups, and Computers MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Create and manage groups
Identify and modify the scope of a group
Find domain groups in which a user is a member
Manage group membership
Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in
Create and modify groups by using automation
Create and manage user accounts
Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in
Create and modify user accounts by using automation
Import user accounts
Troubleshoot user authentication issues
One of the most fundamental tasks in network management is the creation of user and group accounts. Without a user account, a user could not log on to a computer, a server, or a network. Without group accounts, an administrator would have a more difficult job of granting users’ rights to network resources. Computer accounts are used to manage computers that are a part of the Active Directory. Windows 2003 domains contain a limited number of default users. You will need to create a user account for each user within the domain. When you manage user accounts, you should first create a naming conventions standard that will be used to define the users’ names that will be created. Managing users consists of common administrative tasks such as renaming user accounts and setting passwords as well as managing user properties. Windows 2003 domains have several default groups already created that have all of the permissions needed to perform different administrative tasks. You can also create groups based on common rights requirements to network resources. When you use groups within a Windows 2003 domain, you must first select group type and group scope. You can configure properties for the group and, using the Active Directory Users And Computers snap-in, list what groups a particular user belongs to. Each Windows NT, Windows 2000, Windows XP Professional, and Windows Server 2003 computer that is a part of the domain requires you to create a computer account for the computer within the Active Directory. Once the computer is created, you can manage the properties of the computer through the Active Directory Users And Computers utility. Advanced user, group, and computer management allows you to locate objects within the Active Directory, move objects within the Active Directory, automate common administrative tasks through the use of command-line utilities, and import users from a Windows NT 4.0 domain.
Working with Active Directory User Accounts Each user requires a user account to log on to the Windows 2003 domain. Once a user logs on, they can access resources based on the permissions that have been assigned to their user account and any groups that the user belongs to. In the following sections, you will learn about working with Active Directory user accounts through the Active Directory Users And Computers utility. The specific topics that will be covered include:
The default users that are created on Windows 2003 domains
Username and password rules and conventions
Working with Active Directory User Accounts
What usernames and security identifiers are
How to create an Active Directory user
How to disable or delete a user account
How to rename a user account
How to reset a user’s password
How to manage a user’s properties
What a user account template is and how to use a user account template
What the Run As option is and why it should be used
How to troubleshoot user authentication problems
79
Built-In Users Created in Active Directory On a Windows Server 2003 domain, the Active Directory Users And Computers utility has a container called Users, which contains two built-in user accounts: Administrator and Guest. Each of the built-in accounts has rights and permissions automatically assigned.
Administrator Account The Administrator account is created locally when you install a Windows Server 2003 member server or in the Active Directory when you install a Windows Server 2003 computer as the first server in the Active Directory domain. Administrator is a special account that has full control over the computer or the domain. The Administrator account within the Active Directory has the following default settings:
Administrators have full control over the domain and are able to assign user rights and access control to other users and groups.
Administrators are members of the following groups: Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins. Groups are covered later in this chapter in the “Working With Active Directory Group Accounts” section.
The Administrator account can’t be deleted or removed from the Administrators group. It can be renamed or disabled. For security purposes, it is recommended that you rename this account. If the Administrator account is disabled, it can still be used if the server is booted using Safe Mode.
By default, the name Administrator is given to the account with full control over the computer. You can increase the computer’s security by renaming the Administrator account, and then creating an account named Administrator without any permissions. This way, even if a hacker is able to log on as Administrator, they won’t be able to access any system resources.
80
Chapter 2
Managing Users, Groups, and Computers
Guest Account The Guest account allows users to access the computer even if they do not have a unique username and password. Because of the inherent security risks associated with this type of account, this account is disabled by default. When this account is enabled, it is given very limited privileges.
When a Remote Assistance session is initiated, a HelpAssistance user account is automatically created. The Remote Desktop Help Session Manager service manages the HelpAssistance user account. HelpAssistance is automatically deleted when there are no Remote Assistance requests pending.
Username and Password Rules and Conventions The only real requirement for creating a new user is that you must provide a valid username, meaning that the name must follow the Windows 2003 rules for usernames. However, it’s also a good idea to have your own rules for usernames, which form your naming convention. These are the Windows 2003 rules for usernames:
The username must be unique to the user, different from all other user and group names stored within the specified computer.
If your users will log on from pre–Windows 2000 environments, then the username must be between 1 and 20 characters. If you are using only Windows 2000 and Windows 2003, the usernames can be longer.
The username cannot contain any of these characters: ∗/\[]:;|=,+∗?“
A username cannot consist exclusively of periods or spaces or combinations of the two.
Keeping these rules in mind, you should choose a naming convention, which is a consistent naming format. For example, consider a user named Kate Donald. One naming convention might use the last name and first initial, for the username DonaldK. Another naming convention might use the first initial and last name, for the username KDonald. Other user-naming conventions are based on the naming convention defined for e-mail names, so that the logon name and e-mail name match, although some environments might consider this a security breach. You should also provide a mechanism that would accommodate duplicate names. For example, if you had a user named Kate Donald and a user named Kevin Donald, you might use a middle initial, creating the usernames KLDonald and KMDonald. The password rules are based on the security settings you define through Administrative Tools Domain Security Policy, Security Settings, Account Policies, Password Policy. You can set password policies as follows:
Enforce Password History, specifies how many passwords are remembered and is used to prevent users from re-using the same password when they configure new passwords (default—24 passwords remembered)
Working with Active Directory User Accounts
81
Maximum Password Age, defines how many days a user can keep the same password before having to create a new password (default—42 days)
Minimum Password Age, defines the minimum number of days a user must keep a password before they can change the password (default—1 day)
Minimum Password Length, specifies the minimum number of characters a password can contain (default—seven characters)
Password Must Meet Complexity Requirements, specifies that passwords must not contain the user’s account name, must be a minimum of six characters, and must contain characters from three of the following groups: English uppercase letters, English lowercase letters, numbers, and non-alphabetic numbers (default—enabled)
Store Passwords Using Reversible Encryption, determines whether the operating system will store the user password using reversible encryption (default—disabled)
Microsoft recommends that all passwords contain an uppercase character, a lowercase character, and a symbol or a number; for example, instead of using oscar, you might use Osc@r.
Naming conventions should also be applied to objects such as groups, printers, and computers.
In Exercise 2.1, you will configure the default domain security settings for a user’s password. Since this is a practice configuration, we will be easing the password restrictions to make the practice environment easier to use. You will also change the User Right Assignment so that non-Administrative users can log on to the domain controller. Normally you do not want regular users to log on to domain controllers so this action is not allowed by default. However, in this practice environment the option should be enabled. If the option is not enabled, when you create users in the following exercises and try to log on you will see the following error message: “The local policy of this system does not permit you to log on interactively.”
EXERCISE 2.1
Setting Password Security Settings and User Rights Assignments 1.
Select Start Administrative Tools Domain Security Policy.
2.
Under Security Settings select Account Policies, Password Policy.
3.
Double-click Minimum Password Length and in the Minimum Password Length Properties dialog box, set the Password Must Be At Least field to 0. Click the Apply button, then the OK button.
82
Chapter 2
Managing Users, Groups, and Computers
EXERCISE 2.1 (continued)
4.
Double-click Password Must Meet Complexity Requirements and in the Password Must Meet Complexity Requirements Properties dialog box, click the Disabled radio button. Click the Apply button, then the OK button.
5.
From the Default Domain Security Settings dialog box, select File Exit.
6.
Select Start Administrative Tools Domain Controller Security Policy.
7.
Under Security Settings, select Local Policies, User Right Assignment.
8.
Double-click Allow Log On Locally.
9.
The Allow Log On Locally Properties dialog box will appear. Click the Add User Or Group button. The Add User Or Group dialog box will appear. In the User And Group Names field, type in Everyone and click the OK button. In the Allow Log On Locally Properties dialog box, click the Apply button, then the OK button.
10. From the Default Domain Controller Security Settings dialog box, select File Exit. 11. To force the system to recognize your changes immediately select Start Command Prompt and from the Command Prompt window type Gpupdate and press Enter.
Usernames and Security Identifiers When you create a new user, a security identifier (SID) is automatically created on the computer for the user account. The username is a property of the SID. For example, a user SID might look like this: S-1-5-21-823518204-746137067-120266-629-500
It’s apparent that using SIDs would make administration a nightmare. Fortunately for your administrative tasks, you see and use the username instead of the SID. SIDs have several advantages. Because Windows 2003 uses the SID as the user object, you can easily rename a user while retaining all the properties of that user. SIDs also ensure that if you delete and re-create a user using the same username, the new user account will not have any of the properties of the old account, because it is based on a new, unique SID. Renaming and deleting user accounts are discussed later in this chapter.
Creating Active Directory Users The Active Directory Users And Computers utility, shown in Figure 2.1, is the main tool for managing the Active Directory users, groups, and computers. You access this utility through Administrative Tools on a domain controller or a Windows 2000 Professional/Windows XP Professional/ Windows Server 2003 member server with Administrative Tools (adminpak.msi) loaded.
Working with Active Directory User Accounts
FIGURE 2.1
83
The Active Directory Users And Computers window
The options that can be configured for new users include: First Name, Initials, Last Name, and Full Name Allows you to provide more detailed information about this user. The Full Name field is automatically populated with the information you provide for the First Name, Initials, and Last Name fields. The full name (rather than the user logon name) will be displayed in the Active Directory Users And Computers utility under the container where the user is created. User Logon Name Defines the username for the new account that will be used with the logon process. Choose a name that is consistent with your naming convention (for example, WSmith). This field is required. User logon names are not case-sensitive within the logon process. The user principal name (UPN) is made up of the user logon name and the principal name suffix, which are connected with the @ sign. For example, the user logon name might be Kdonald and the principal suffix name might be Sybex.local. The UPN would then be
[email protected]. User Logon Name (Pre–Windows 2000) Enables a Windows 2003 domain to accept logon requests from clients running pre–Windows 2000 computers. Password Assigns the initial password for the user. For security purposes, it is not advisable to use readily available information about the user. If your clients are not exclusively Windows 2000/Windows XP/Windows 2003, passwords can contain up to 14 characters and are case-sensitive. If you operate in an exclusive Windows XP/Windows 2000/ Windows 2003 environment, passwords can be up to 127 characters. Confirm Password Confirms that you typed the password the same way two times, thus verifying that you entered the password correctly.
84
Chapter 2
Managing Users, Groups, and Computers
User Must Change Password At Next Logon If selected, forces the user to change the password the first time they log on. This is done to increase security and moves password responsibility to the user and away from the administrator. By default, this option is selected. User Cannot Change Password If selected, prevents a user from changing the password. It is useful for accounts such as Guest and those that are shared by more than one user. By default, this option is not selected. Password Never Expires If selected, specifies that the password will never expire, even if a password policy has been specified. For example, you might select this option if this is a service account and you do not want the administrative overhead of managing and changing passwords. By default, this option is not selected. Account Is Disabled If selected, specifies that this account cannot be used for logon purposes. For example, you might select this option for template accounts or for an account that is not currently being used. It helps keep inactive accounts from posing security threats. By default, this option is not selected.
Make sure that your users know that usernames are not case-sensitive, but passwords are.
To create an Active Directory user, take the following steps: 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
The Active Directory Users And Computers window appears (refer to Figure 2.1). Rightclick Users, select New from the pop-up menu, and select User.
3.
The first New Object–User dialog box appears, as shown in Figure 2.2. Type in the user’s first name, initials, last name, and logon name. The full name and pre–Windows 2000 logon name (for clients logging in from non–Windows 2000/2003 operating systems) will be filled in automatically when you enter the other information, but you can change them if desired. Click the Next button.
FIGURE 2.2
The New Object–User dialog box for username information
Working with Active Directory User Accounts
4.
The second New Object–User dialog box appears, as shown in Figure 2.3. Type in and confirm the user’s password. The checkboxes in this dialog box allow you to specify that the user must change the password when the user logs on, that the user cannot change the password, that the password never expires, or that the account is disabled. Click the Next button.
FIGURE 2.3
5.
85
The New Object–User dialog box for password information
The final New Object–User dialog box appears. This dialog box shows the account you have configured. If all of the information is correct, click the Finish button.
In Exercise 2.2, you will create new domain user accounts. This exercise assumes you have completed Exercise 2.1. EXERCISE 2.2
Creating Active Directory Users 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, right-click Users, select New, and then select User.
3.
In the first New Object–User dialog box, enter the following information: First Name: Ginnie Initial: B. Last Name: Donald User Logon Name: Ginnie
4.
Click the Next button.
5.
In the next New Object–User dialog box, type and confirm the password girLYc@t. Check the Password Never Expires checkbox and uncheck the User Must Change Password At Next Logon checkbox. Then click the Next button.
86
Chapter 2
Managing Users, Groups, and Computers
EXERCISE 2.2 (continued)
6.
Create six more users. For each user, uncheck the User Must Change Password At Next Logon checkbox. Fill out the fields as follows: First Name: Robert; Last Name: Jones; User Logon Name: Robert; Password: b4tm4n First Name: Terry; Last Name: Belle; User Logon Name: Terry; Password: b4tg1rl First Name: Ron; Last Name: Klein; User Logon Name: Ron; Password: sup3rm4n First Name: Wendy; Last Name: Smith; User Logon Name: Wendy; Password: sup3rg1rl First Name: Emily; Last Name: Buras; User Logon Name: Emily; Password: p34ch First Name: Michael; Last Name: Phillips; User Logon Name: Michael; Password: 4ppl3
Disabling or Deleting User Accounts When a user account is no longer needed, the account should be disabled or deleted. If you choose to disable an account, you can later enable that account to restore it with all of its associated user properties and permissions. An account that is deleted can never be recovered.
User accounts that are not in use pose a security threat because an intruder could access your network though an inactive account. For example, after inheriting a network, I ran a network security diagnostic and noticed several accounts for users who no longer worked for the company. These accounts had Administrative rights, including dial-in permissions. This was not a good situation, and the accounts were deleted on the spot.
You might disable an account because a user will not be using it for a period of time, perhaps because that employee is going on vacation or taking a leave of absence. Another reason to disable an account is if you’re planning on putting another user in that same function. For example, suppose that Rick, the engineering manager, quit. If you disable his account, when your company hires a new engineering manager, you can simply rename the user account and password (from Rick to the username for the new manager) and enable that account. This ensures that the user who takes over Rick’s position will have all of the user properties and own all of the resources that the original user Rick had. Disabling accounts also provides a security mechanism for special situations. For example, if your company were laying off a group of people, a security measure would be to disable their accounts at the same time as these employees get their layoff notices. This prevents the users from inflicting any damage to the company’s files on their way out. (Yes, this does seem coldhearted, and the remaining employees are bound to fear for their jobs if they aren’t able to log on later because the servers go down, but it does serve the purpose.)
Working with Active Directory User Accounts
87
You disable a user account by right-clicking the user account in the Active Directory Users And Computers utility and selecting the Disable Account option. You will see a confirmation dialog box stating that the selected object was deleted. In Exercise 2.3, you will disable a user account. Before you follow this exercise, you should have already created the new users in Exercise 2.2. EXERCISE 2.3
Disabling a User 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, expand Users.
3.
Right-click user Robert and select Disable Account.
4.
You will see an Active Directory Users and Computers dialog box appear stating that Object Robert Has Been Disabled. Click the OK button.
5.
From your Windows XP Professional computer, attempt to log on as Robert to your domain. This will fail, since the account is now disabled.
You should delete a user account if you are sure that the account will never be needed again. In Exercise 2.4, you will delete a user account. This exercise assumes that you have completed the previous exercises in this chapter. EXERCISE 2.4
Deleting a User 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, expand Users.
3.
Right-click user Robert and select Delete.
4.
You will see an Active Directory Users and Computers dialog box appear asking you Are You Sure You Want To Delete This Object? Click the Yes button.
Renaming Users Once an account has been created, you can rename the account at any time. Renaming a user account allows the user to retain all of the associated user properties and permissions of the previous username. As noted earlier in the chapter, the name is a property of the SID. You might want to rename a user account because the user’s name has changed (for example, the user got married) or because the name was spelled incorrectly. Also, as explained in
88
Chapter 2
Managing Users, Groups, and Computers
“Disabling or Deleting User Accounts” earlier in this chapter, you can rename an existing user’s account for a new user whom you want to have the same properties, such as someone hired to take an ex-employee’s position. In Exercise 2.5, you will rename a user account. This exercise assumes that you have completed all of the previous exercises in this chapter. EXERCISE 2.5
Renaming a User 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, expand Users.
3.
Right-click user Terry and select Rename.
4.
Type in the username Taralyn and press Enter.
5.
The Rename User dialog box will appear. Notice that the First Name retained the original property of Terry. Make any needed changes and click the OK button.
Renaming a user does not change any “hard-coded” names, such as the user’s home directory. If you want to change these names as well, you need to modify them manually.
Changing a User’s Password What do you do if a user forgot his or her password and can’t log on? You can’t just open a dialog box and see the old password. However, as an administrator, you can change a user’s password, and then the user can use the new one. In Exercise 2.6, you will change a user’s password. This exercise assumes that you have completed all of the previous exercises in this chapter. EXERCISE 2.6
Changing a User’s Password 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, expand Users.
3.
Right-click user Ron and select Reset Password.
Working with Active Directory User Accounts
89
EXERCISE 2.6 (continued)
4.
The Reset Password dialog box will appear. Type in the New Password g0lf and Confirm Password g0lf. Check the box User Must Change Password At Next Logon to force Ron to change his password the next time he logs on. Click the OK button.
5.
You will see an Active Directory Users and Computers dialog box appear confirming The Password For Ron Has Been Changed. Click the OK button.
Managing Active Directory User Properties For Active Directory users, you can configure a wide variety of properties. To access the Properties dialog box for an Active Directory user, open the Active Directory Users And Computers utility (by selecting Start Administrative Tools Active Directory Users And Computers), open the Users folder, and double-click the user account. The Active Directory user Properties dialog box has tabs for the 13 main categories of properties: General
Terminal Services Profile
Address
COM+
Account
Member Of
Profile
Dial-in
Telephones
Environment
Organization
Sessions
Remote Control Four of the tabs in the Active Directory user Properties dialog box contain properties that relate to Terminal Services: Remote Control, Terminal Services Profile, Environment, and Sessions. Terminal Services is covered in Chapter 4, “Managing Windows Server 2003 Remotely.” In the following sections, we will look at the tabs commonly used for user administration.
Configuring General Active Directory User Properties The General property tab, shown in Figure 2.4, contains the information that you supplied when you set up the new user account. You can add information in the Description and Office text boxes. You can also enter contact information for the user, including Telephone Number, E-mail, and Web Page URL.
Adding Active Directory User Address Information You can provide address information for the user on the Address tab, as shown in Figure 2.5. This tab has text boxes for the user’s street address, post office box number, city, state or province, and zip code. You can also select a country or region identifier from the Country/ Region drop-down list.
90
Chapter 2
Managing Users, Groups, and Computers
FIGURE 2.4
The General tab of the Active Directory user Properties dialog box
FIGURE 2.5
The Address tab of the Active Directory user Properties dialog box
Working with Active Directory User Accounts
91
Controlling Active Directory Users’ Accounts Using the Account tab, shown in Figure 2.6, you can control the user’s account. This tab shows the logon name information that you supplied when you set up the new user account and allows you to configure these settings:
The user logon name and principal name suffix
Pre–Windows 2000 user logon name
The logon hours for the user
The computers that the user is allowed to log on to
Account lockout options
Account options that apply to the user
When the account expires
The settings for logon hours, controlling computer access, account options, and account expiration are described in the following sections.
Controlling Logon Hours When you click the Logon Hours button, you’ll see the Logon Hours dialog box, as shown in Figure 2.7. By default, users are allowed to log on 24 hours a day, 7 days a week. Logon hours are typically restricted during computer backups. You might also want to restrict logon hours for security reasons. A blue box indicates that logon is permitted. A white box indicates that logon is not permitted. You can change logon hours by selecting the hours you want to modify and clicking the Logon Permitted radio button or the Logon Denied radio button. FIGURE 2.6
The Account tab of the Active Directory user Properties dialog box
92
Chapter 2
Managing Users, Groups, and Computers
Controlling Computer Access When you click the Log On To button, you’ll see the Logon Workstations dialog box, as shown in Figure 2.8. This dialog box allows you to specify that the user can log on to all the computers in the domain (default) or limit the user to logging on to specific computers in the network. For example, if the Administrator works in a secure environment, you might limit the Administrator account to log on only to a specific computer. You configure the computers that the user can log on to based on the computer’s name. You add the computers that are allowed by typing in the computer name and clicking the Add button. FIGURE 2.7
The Logon Hours dialog box
FIGURE 2.8
The Logon Workstations dialog box
Managing Account Lockouts You can configure account lockout settings through group policy. The account lockout policies that can be set include:
Account Lockout Threshold, which specifies that the user gets a specific number of invalid login attempts before the account is locked
Working with Active Directory User Accounts
93
Account Lockout Duration, which specifies how long the account will be locked in the event that the Account Lockout Threshold is exceeded
Reset Account Lockout Counter After, which specifies in minutes how long the account lockout threshold will be tracked for
If you configure account lockout policies, you can unlock the account by unchecking the Account Is Locked Out checkbox (shown as inactive in Figure 2.6).
Setting Account Options The account options listed in the Account tab allow you to control password security for the user account. You can specify these account options:
User Must Change Password At Next Logon
User Cannot Change Password
Password Never Expires
Store Password Using Reversible Encryption
Setting Account Expiration By default, user accounts are set to Never Expire. The End Of radio button at the bottom of the Account tab lets you set account expiration for a specific date. You might want to set an expiration date if you have temporary employees and you want to disable their accounts on a specific date. This option is also useful in academic environments where students need user accounts, but their accounts should be disabled at the end of the academic period. FIGURE 2.9
The Profile tab of the user Properties dialog box
94
Chapter 2
Managing Users, Groups, and Computers
Setting Up the Active Directory User Environment The Profile tab, shown in Figure 2.9, allows you to customize the user’s environment. Here, you can specify these items for the user:
User profile path
Logon script
Home folder
The following sections describe how these properties work and when you might want to use them.
Using User Profiles User profiles contain information about the Windows 2003 environment for a specific user. For example, profile settings include the Desktop arrangement, program groups, and screen colors that users see when they log on. If the configuration option is a personal preference, it is most likely a part of the user profile. Configuration options that relate to the computer are not a part of the user profile. For example, the mouse driver is not a part of a user profile. However, the properties of the mouse configuration—such as the speed, pointer, and mouse button settings—reflect the user’s personal preferences and are a part of a user profile. In the following sections you will learn about local user profiles, roaming profiles, and mandatory profiles. LOCAL USER PROFILES
By default, when a user logs on, a profile is opened for that user. The first time users log on, they receive a default user profile. A folder that matches the user’s logon name is created for the user in the Documents And Settings folder. The user profile folder that is created holds a file called Ntuser.dat, as well as subfolders that contain directory links to the user’s Desktop items. Any changes that the user makes to the Desktop are stored in the user’s profile when the user logs off. For example, suppose that user Kevin logs on, picks his wallpaper, creates shortcuts, and customizes the Desktop to his personal preference. When he logs off, his changes are stored in his user profile. If another user logs on at the same computer, that user’s profile—not Kevin’s—is loaded. The Profile Path option in the Profile tab is used to point to another location for profile files other than the default local location. To specify a path, just type it in the Profile Path text box using Universal Naming Convention (UNC) format. This allows users to access profiles that have been stored on a shared network folder. This way, profiles are stored remotely and can be accessed from any machine in the system. Also, if a hard disk fails, the hard drive would be replaced and re-imaged, but the profile will be restored the first time the user logs on because it was stored remotely. In Exercise 2.7, you will create and manage user profiles. This exercise assumes that you have completed Exercise 2.2.
Working with Active Directory User Accounts
95
EXERCISE 2.7
Using Local User Profiles 1.
Log on to your domain as Administrator.
2.
Select Start All Programs Accessories Windows Explorer; expand My Computer, then Local Disk (C:), then Documents And Settings. The folder will have subfolders for only those users who have logged in. Verify that no user profile folders exist for the users Emily and Michael (since they haven’t logged on yet).
3.
Log off as Administrator and log on as Emily (with the password p34ch).
4.
Right-click an open area on the Desktop and select Properties. In the Display Properties dialog box, click the Desktop tab. Select the Follow Background, click the Apply button, and then click the OK button.
5.
Right-click an open area on the Desktop and select New Shortcut. In the Create Shortcut dialog box, type CALC and click Next. Enter the name Calculator as the name for the shortcut and click the Finish button.
6.
Log off as Emily and log on as Michael (with the password 4ppl3). Notice that user Michael sees the Desktop configuration stored in the default user profile.
7.
Log off as Michael and log on as Emily. Notice that Emily sees the Desktop configuration you set up in steps 4 and 5.
8.
Log off as Emily and log on as Administrator. Select Start Windows Explorer; expand My Computer, then Local Disk (C:), then Documents And Settings. Verify that user profile folders now exist for Emily and Michael.
The creation of network shares, and NTFS and share permissions is beyond the scope of this book.
ROAMING USER PROFILES
A roaming profile is stored on a network server and allows users to access their user profile, regardless of the client computer to which they’re logged on. Roaming profiles provide a consistent Desktop for users who move around, no matter which computer they access. Even if the server that stores the roaming profile is unavailable, the user can still log on using a local profile. To create a roaming user profile, you create a network share that will store the roaming user profile, create the user profile, then copy the user profile to a shared network folder. You would use the following steps to create a roaming user profile: 1.
Create a network share on the computer that will store the roaming profile. Assign NTFS permissions and share permissions to any users who will access the roaming profile. In this example, a share has been created called \\Server2003\Profiles.
96
Chapter 2
Managing Users, Groups, and Computers
2.
Create a user using the Active Directory Users And Computers utility that will be used as a template account to create the roaming user profile. In this example, we are using a user called Test.
3.
Log on as the Test user and create a local user profile with whatever settings the roaming user profile should have (for example, desktop environment, appearance settings, shortcuts, and Start menu options).
4.
Log on as an administrator to the computer that is storing the local profile.
5.
Select Start Control Panel System.
6.
Select the Advanced tab and click the User Profiles Settings button to access the User Profiles dialog box shown in Figure 2.10.
7.
Select the user’s profile that you want to copy and click the Copy To button.
FIGURE 2.10
8.
The User Profiles dialog box
The Copy To dialog box will appear, as shown in Figure 2.11. Specify the network location where the roaming user profile will be stored. In this example, the roaming user profile is stored in \\Server2003\Profiles\Test.
FIGURE 2.11
The Copy To dialog box
Working with Active Directory User Accounts
9.
97
At the bottom of the Copy To dialog box, you will see the Permitted To Use option. Click the Change button to specify which users can access this profile. The Select User Or Group dialog box will appear, as shown in Figure 2.12. In this example, user Michael is being permitted to use the profile. Click the OK button. And in the Copy To dialog box, click the OK button.
10. From the Active Directory Users And Computers utility, access the Test user’s properties and
click the Profile tab (shown in Figure 2.9), and under User Profile, Profile Path, specify the network share where the user profile was copied (in this example \\Server2003\Profiles\Test) and click the OK button. 11. You can test the roaming profile by logging in at a remote computer.
If you are using roaming profiles, the contents of the user’s roaming profile from the shared network path folder will be copied to the local computer each time the roaming profile is accessed. If you have stored large files in any subfolders of your user profile folder, you may notice a significant delay when accessing your profile remotely as opposed to locally. If this problem occurs, you can reduce the amount of time the roaming profile takes to load by moving the subfolder to another location, such as the user’s home directory, or you can use Group Policy Objects within the Active Directory to specify that specific folders should be excluded or loaded after the roaming profile is loaded. FIGURE 2.12
The Select User Or Group dialog box
In Exercise 2.8, you will create a roaming profile. This exercise assumes that you are using two computers, one with Windows Server 2003 and one with Windows XP Professional. EXERCISE 2.8
Using Roaming Profiles 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, right-click Users, select New, and then select User.
3.
In the first New Object—User dialog box, enter the following information: First Name: Test Last Name: Account User Logon Name: Test
98
Chapter 2
Managing Users, Groups, and Computers
EXERCISE 2.8 (continued)
4.
Click the Next button.
5.
In the next New Object—User dialog box, do not specify any password. Check the Password Never Expires checkbox. Then click the Next button and the Finish button.
6.
Select Start Windows Explorer. Expand My Computer and Local Disk (C:). Select File New Folder and create a folder called Profiles.
7.
Right-click the Profiles folder and select Sharing And Security. From the Sharing tab, click the Share This Folder radio button. Click the Permissions button.
8.
The Permissions For Profiles dialog box will appear. Verify that group Everyone is highlighted and click Allow Full Control checkbox. Click the OK button.
9.
Click the Security tab. Highlight the Users group and under Permissions For Users click the Allow Full Control checkbox. Click the OK button.
10. Log off as the Administrator and log on as Test. 11. Right-click an open area on the Desktop and select New Shortcut. In the Create Shortcut dialog box, type CALC and click Next. Enter the name Calculator as the name for the shortcut and click the Finish button.
12. Right-click an open area on the Desktop and select New Shortcut. In the Create Shortcut dialog box, type Explorer and click Next. Accept Explorer as the name for the shortcut and click the Finish button.
13. Log off as Test and log on as Administrator. 14. Select Start Control Panel System. 15. Select the Advanced tab and click the User Profiles Settings button to access the User Profiles dialog box.
16. Select the Test profile that you want to copy and click the Copy To button. 17. The Copy To dialog box will appear. Specify the network location where the roaming user profile will be stored as \\yourservername\Profiles\Test. At the bottom of the Copy To dialog box, you will see the Permitted To Use option. Click the Change button. The Select User Or Group dialog box will appear. In the Enter The Object Name To Select field, type in Test and click the OK button. In the Copy To dialog box, click the OK button.
18. Select Start Administrative Tools Active Directory Users And Computers. Expand Users and double-click Test.
19. Click the Profile tab and under User Profile, Profile Path, specify the network share \\yourservername\Profiles\Test and click the OK button.
20. From your Windows XP Professional computer, log on to your domain as Test. You will see the shortcuts on the desktop that were created as a part of the roaming profile.
Working with Active Directory User Accounts
99
Copying User Profiles Within your company you have a user, Sharon, who logs in with two different user accounts. One account is a regular user account, and the other is an Administrator account used for administration tasks only. When Sharon established all her Desktop preferences and installed the computer’s applications, they were installed with the Administrator account. Now when she logs in with the regular user account, she can’t access the Desktop and profile settings that were created for her as an administrative user. To solve this problem, you can copy a local user profile from one user to another (for example, from Sharon’s administrative account to her regular user account). Go to Control Panel System, Advanced tab, User Profiles Settings button, select the account and copy, then click the Copy To button. You will need to complete this task as an Administrator since you cannot copy an account that you are currently logged into. When you copy a user profile, the following items are copied: Favorites, Cookies, My Documents, Start menu items, and other unique user Registry settings.
USING MANDATORY PROFILES
A mandatory profile is a profile that can’t be modified by the user. Only members of the Administrators group can manage mandatory profiles. You might consider creating mandatory profiles for users who should maintain consistent Desktops. For example, suppose that you have a group of 20 salespeople who know enough about system configuration to make changes, but not enough to fix any problems they create. For ease of support, you could use mandatory profiles. This way, all of the salespeople will always have the same profile and will not be able to change their profiles. You can create mandatory profiles for a single user or a group of users. The mandatory profile is stored in a file named Ntuser.man. A user with a mandatory profile can set different Desktop preferences while logged on, but those settings will not be saved when the user logs off.
Only roaming profiles can be used as mandatory profiles. Mandatory profiles do not work for local user profiles.
Using Logon Scripts Logon scripts are files that run every time a user logs on to the network. They are usually batch files, but they can be any type of executable file. You might use logon scripts to set up drive mappings or to run a specific executable file each time a user logs on to the computer. For example, you could run an inventory management file that collects information about the computer’s configuration and sends that data to a central
100
Chapter 2
Managing Users, Groups, and Computers
management database. Logon scripts are also useful for compatibility with non–Windows 2000/ Windows XP/Windows 2003 clients who want to log on but still maintain consistent settings with their native operating system. To run a logon script for a user, enter the path to the logon script in the Logon Script text box in the Profile tab of the user Properties dialog box.
Logon scripts are not commonly used in Windows 2000/Windows XP/Windows 2003 networks. Windows 2000/Windows XP/Windows 2003 automates much of the user’s configuration via group policy. In older NetWare environments, for example, this isn’t the case, and administrators use logon scripts to configure the users’ environment.
Setting Up Home Folders Users normally store their personal files and information in a private folder called a home folder. In the Profile tab of the user Properties dialog box, you can specify the location of a home folder as a local folder or a network folder. To specify a local path folder, choose the Local Path option in the Profile tab and type the path in the text box next to that option. To specify a network path for a folder, choose the Connect option and specify a network path using a UNC (Universal Naming Convention) path. In this case, the network folder should already be created and shared. In Exercise 2.9, you will assign a home folder to a user. This exercise assumes that you have completed all of the previous exercises in this chapter. EXERCISE 2.9
Assigning a Home Folder to a User 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, expand the Users folder and double-click user Wendy. The user Properties dialog box appears.
3.
Select the Profile tab and click the Local Path radio button to select it.
4.
Specify the home folder path by typing C:\Users\Wendy in the text box for the Local Path option. Then click the OK button.
5.
Use Windows Explorer to verify that this folder was created.
Adding Active Directory User Telephone Information The Telephones tab, shown in Figure 2.13, allows you to configure the user’s telephone numbers for home, pager, mobile, fax, and IP phone. You can also add notes such as “Don’t call home after 10:00 P.M.” The Other buttons allow you to specify alternate telephone numbers.
Working with Active Directory User Accounts
FIGURE 2.13
101
The Telephones tab of the Active Directory user Properties dialog box
Adding Active Directory Organization Information The Organization tab, shown in Figure 2.14, allows you to provide information about the user’s role in your organization. You can enter the user’s title, department, company, and manager. You can also view or add any users and contacts who directly report to the selected user account through the Direct Reports field. FIGURE 2.14
The Organization tab of the Active Directory user Properties dialog box
102
Chapter 2
Managing Users, Groups, and Computers
Managing Active Directory User Group Membership The Member Of tab displays the groups that the user belongs to, as shown in Figure 2.15. You can add the user to an existing group by clicking the Add button. To remove the user from a group listed on this tab, highlight the group and click the Remove button. If you are using Macintosh clients or POSIX-compliant applications, you can set the user’s Primary Group at the bottom of the Member Of tab.
Configuring Dial-in Properties Using the Dial-in tab, as shown in Figure 2.16, you configure the user’s remote-access permissions for dial-in or VPN connections. The options that can be configured include:
Remote Access Permission (Dial-in Or VPN). Here, you can set Allow Access, Deny Access, or Control Access Through Remote Access Policy (this last choice is available only if the domain is in native mode).
Verify Caller ID (this option is not available if the Active Directory is configured to support a mixed-mode configuration).
Callback Options. This can be set to No Callback, Set By Caller (Routing And Remote Access Service Only), or Always Callback To.
Assign a Static IP Address.
Apply Static Routes.
FIGURE 2.15
The Member Of tab of the Active Directory user Properties dialog box
Working with Active Directory User Accounts
FIGURE 2.16
103
The Dial-in tab of the Active Directory user Properties dialog box
Remote access is covered in more detail in MCSE: Windows XP Professional Study Guide, Second Edition, by Lisa Donald with James Chellis (Sybex 2003).
Using User Account Templates You can use user account templates to simplify user administration. For example, if you were managing the Sales organizational unit, you could create a user account template called #Sales (in this example, the # sign indicates that the user account is a user account template). You could then populate the following user properties any time you create a new account by copying the user account template:
All Account properties except Logon Name
All Address properties except Street Address
Profile properties except for Profile Path and Home Folder (which are modified with the logon name of the user you are creating)
Organization properties except for Title
Member Of properties
If you use user account templates, you should disable the user account templates so that users cannot use them to log on to your network.
104
Chapter 2
Managing Users, Groups, and Computers
In Exercise 2.10, you will create a user account template and then create new users based on the template account. EXERCISE 2.10
Using User Account Templates 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers window, right-click Users, select New, and then select User.
3.
In the first New Object–User dialog box, enter the following information: First Name: #Sales Last Name: Template User Logon Name: #Sales
4.
Click the Next button.
5.
In the next New Object–User dialog box, do not specify any password. Check the Password Never Expires checkbox and the Account Is Disabled checkbox. Then click the Next button. Click the Finish button.
6.
Double-click #Sales to access the #Sales Template Properties dialog box.
7.
Click the Address tab. For City, type in Santa Cruz. For State, type in California. For Zip/Postal Code, type in 95060. For Country/Region, select United States from the pull-down list.
8.
Click the Organization tab. For Department, type in Sales. For Company, type in Wacky Widgets Corporation. Click the OK button.
9.
Right-click #Sales Template User and select Copy.
10. The Copy Object–User dialog box will appear. Enter the following information: First Name: Dietrich Last Name: Moorehead User Logon Name: Dietrich
11. Click the Next button. 12. In the next New Object–User dialog box, do not specify any password. Uncheck the Account Is Disabled option. Then click the Next button. Click the Finish button.
13. Double-click user Dietrich and click the Address tab and the Organization tab to verify that the information was populated based on the settings configured for the #Sales account template.
Using the Run As Option The Run As option allows you to use a secondary logon process to log on to a computer using administrative credentials in order to perform a specific task. For security purposes,
Working with Active Directory User Accounts
105
it is recommended that you use the Run As option when performing administrative tasks as opposed to logging into a computer or domain with an administrative account. You can use the Run As option through most Windows programs, some Control Panel items, and the Microsoft Management Console (MMC). You can also use the Run As option with command-line utilities. Assume that you were logged in as a regular user and you wanted to add a user through Active Directory Users And Computers utility using the Run As option with your administrative user account. You would take the following action: 1.
Select Start Administrative Tools and then right-click Active Directory Users And Computers. Select Run As.
2.
The Run As dialog box will appear. Select The Following User and specify the administrator username and password. Click the OK button.
Troubleshooting User Authentication If a user can’t log on, there are many possible causes. Logon failure can result from problems with the username, password, user account settings, or security settings. The following are some common causes of domain logon errors: Incorrect username You can verify that the username is correct by checking the Microsoft Active Directory Users And Computers utility to verify that the name was spelled correctly. Incorrect password As with local accounts, check that the password was entered in the proper case (and that the Caps Lock key isn’t on), the password hasn’t expired, and the account has not been locked out. If the password still doesn’t work, you can assign a new password through the Microsoft Active Directory Users And Computers utility. Prohibitive user rights Does the user have permission to log on locally at the computer? This assumes that the user is attempting to log on to the domain controller. Regular users do not have permission to log on locally at the domain controller. The assumption is that users will log on to the domain from network workstations. If the user has a legitimate reason to log on locally at the domain controller, that user should be assigned the Log On Locally user right in Domain Controller Security Policy. A disabled or deleted account You can verify whether an account has been disabled or deleted by checking the account properties through the Microsoft Active Directory Users And Computers utility. A local account logon at a domain computer Is the user trying to log on with a local user account name instead of a domain account name? Make sure that the user has selected to log on to a domain in the Logon dialog box. The computer is not part of the domain Is the user sitting at a computer that is a part of the domain to which the user is trying to log on? If the client computer is not a part of the domain that contains the user account or does not have a trust relationship defined with the domain that contains the user account, the user will not be able to log on.
106
Chapter 2
Managing Users, Groups, and Computers
Unavailable domain controller, DNS Server, or Global Catalog Is the domain controller available to authenticate the user’s request? If the domain controller is down for some reason, the user will not be able to log on until it comes back up (unless the user logs on using a local user account). A DNS server and the Global Catalog (if the Active Directory has multiple domains) for Active Directory are also required. User unable to log on from their computer, but can log on from another computer Active Directory issues a new computer password every 30 days. If your computer does not receive that password for any reason you will not be able to log on. The symptom is that you cannot log on from your computer but you can log on from any other computer. To fix the problem, open Active Directory Users And Computers using Administrative privileges, open the Computers folder, right-click the computer account, and select Reset Account.
Working with Active Directory Group Accounts Within the Active Directory a group is defined as a collection of user accounts, computer accounts, other group accounts, and contacts that can be managed as a single entity. Groups are used to simplify administration by allowing you to administer many accounts (through group membership) as opposed to manually administering individual user accounts. In the following sections, you will learn about group scope and group type, default groups created on a Windows 2003 domain, how to create a new group, how to manage groups, and how to identify what groups a user belongs to.
Understanding Group Scope and Group Type On a Windows 2003 domain controller in the Active Directory, groups are characterized by group scope and group type. Group scope is used to determine if the group is limited to a single domain or if the group can span multiple domains. Group scopes are used to assign permissions to resources. The three types of group scopes are: Domain Local Groups Domain local groups are used to assign permissions to resources. Domain local groups can contain user accounts, universal groups, and global groups from any domain in the tree or forest. A domain local group can also contain other domain local groups from its own local domain. Microsoft recommends that global groups be added to domain local groups in a single domain environment and that universal groups are added to the domain local group in a multi-domain environment. User accounts should not be added to a domain local group. Global Groups Global groups are used to organize users who have similar network access requirements. A global group is simply a container of users. Global groups can contain users and global groups (in native mode) from the local domain.
Working with Active Directory Group Accounts
107
Universal Groups Universal groups are used to logically organize global groups and appear in the Global Catalog (a search engine that contains limited information about every object in the Active Directory). Universal groups can contain users (not recommended) from anywhere in the domain tree or forest, other universal groups, and global groups.
In order to support universal groups, the domain must be configured for Windows 2000/2003 native mode. If the domain is configured for Windows 2000/ 2003 mixed mode (which supports Windows NT 4.0), then universal groups are not supported.
Group type is used to organize users, computers, and other groups into logical objects that are used for management purposes. There are two group types: Security Group A security group is a logical group of users who need to access specific resources. Security groups are listed in Discretionary Access Control Lists (DACLs) to assign permissions to resources. Distribution Group A distribution group is a logical group of users who have common characteristics. Applications and e-mail programs (for example, Microsoft Exchange) can use distribution groups. Distribution groups can’t be listed in DACLs and therefore have no permissions. This allows these groups to execute at very high speed.
Default Groups Created in Windows 2003 Domain When you install Windows Server 2003, there are several built-in group accounts that are created by default. On a Windows Server 2003 domain controller, groups are located in the Users folder and the Builtin folder within the Active Directory Users And Computers utility. There are also special groups whose members are based on specific conditions being met. Table 2.1 describes group accounts located in the Builtin folder. TABLE 2.1
Default Group Accounts in the Builtin Folder
Builtin Group
Description
Account Operators
Members of the Account Operators group can create and manage domain user, group, and computer accounts within the Users or Computers containers (with the exception of the Domain Controllers container) or organizational units that have been created. Account Operators do not have rights to modify the Administrators or Domain Admins groups. This group has no default members.
108
Chapter 2
TABLE 2.1
Managing Users, Groups, and Computers
Default Group Accounts in the Builtin Folder (continued)
Builtin Group
Description
Administrators
The Administrators group has full rights and privileges on all domain controllers within the domain. Its members can grant themselves any permissions they do not have by default to manage all of the objects on the computer. (Objects include the file system, printers, and account management.) By default, the Administrator user account and the Domain Admins and Enterprise Admins groups are members of the Administrators group. Because of the permissions associated with this group, you should add users to this group with caution.
Backup Operators
The members of the Backup Operators group have rights to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can access the file system only through the Backup utility. To be able to directly access the file system, they must have explicit permissions assigned. By default, there are no members of the Backup Operators local group.
Guests
The Guests group has limited access to the computer. This group is provided so that you can let people who are not regular users have access to specific network resources. As a general rule, most administrators do not allow Guest access because it poses a potential security risk. By default, the Guest user account is a member of the Guests local group.
Incoming Forest Trust Builders
This group has special permissions to build one-way, incoming trusts to the forest root domain. This group has no default members.
Network Configuration Operators
This group has special permissions to manage TCP/IP networking configuration options. For example, members can renew and release TCP/IP addresses on domain controllers within the domain. This group does not have any default members.
Performance Log Users
Members of this group have special permissions related to configuring and managing performance counters, logs, and alerts on domain controllers and computers within the domain. This group does not have any default members.
Performance Monitor Users
Members of this group have special permissions to remotely monitor (view) performance counters for all domain controllers and computers within the domain. This group does not have any default members.
Pre–Windows 2000 Compatible Access
This is a special group with backward compatibility for allowing read access to users and groups in the domain. By default, the Everyone group is a member of this group when the computer is loaded with pre–Windows 2000 permissions.
Working with Active Directory Group Accounts
TABLE 2.1
109
Default Group Accounts in the Builtin Folder (continued)
Builtin Group
Description
Print Operators
Print Operators group members can administer, create, delete, and share printers connected to domain controllers. In addition, members of this group can also manage printer objects within the Active Directory. This group does not have any default members.
Remote Desktop Users
This special group allows its members to log on to the server remotely through Terminal Services. This group does not have any default members.
Replicator
The Replicator group is intended to support directory replication, which is a feature used by domain servers prior to Windows 2000 and 2003. Only domain users who will start the replication service should be assigned to this group. By default, there are no members of the Replicator local group.
Server Operators
The Server Operators group members can administer domain servers. Administration tasks include creating, managing, and deleting shared resources, starting and stopping services, formatting hard disks, backing up and restoring the file system, and shutting down domain controllers. By default, there are no members in this group.
Terminal Server License Servers
This group includes any Terminal Server License servers that have been installed within the domain.
Users
The Users group is used by end users who should have very limited system access. If you have installed a fresh copy of Windows Server 2003, the default settings for this group prohibit users from compromising the operating system or program files, changing the system time, and adding a local printer. By default, all users who have been created on the computer, except Guest, are members of the Users group.
Windows Authorization Access Group
Users of this group have been granted permissions to the TokenGroupsGlobalAndUniversal attribute on user objects. The Enterprise Domain Controllers group is added to this group by default.
Table 2.2 lists and describes the group accounts that are created in the Users folder by default. TABLE 2.2
Default Group Accounts in the Users Folder
Users Group
Description
Cert Publishers
The Cert Publishers group members can manage enterprise certification and renewal agents for users and computers. There are no default members of this group.
110
Chapter 2
TABLE 2.2
Managing Users, Groups, and Computers
Default Group Accounts in the Users Folder (continued)
Users Group
Description
DHCP Administrators
The DHCP Administrators group has administrative rights to manage Dynamic Host Configuration Protocol (DHCP) servers. Only available on DHCP servers.
DHCP Users
The DHCP Users group has read-only rights to the DHCP console. Only available on DHCP servers.
DnsAdmins
The DnsAdmins group has administrative rights to manage Domain Name System (DNS) servers. There are no default members of this group. (This group is installed with DNS.)
DnsUpdateProxy
The DnsUpdateProxy group has permissions that allow DNS clients to perform dynamic updates on behalf of other clients, such as DHCP servers. There are no default members of this group. (This group is installed with DNS.)
Domain Admins
The Domain Admins group has complete administrative rights over the domain. By default, the Administrator user account is a member of this group.
Domain Computers
The Domain Computers group contains all of the workstations and servers that are a part of the domain. Any computer that is added to the domain becomes a member of this group by default.
Domain Controllers
The Domain Controllers group contains all of the domain controllers in the domain. By default, any domain controller that is added to the domain becomes a member of this group.
Domain Guests
The Domain Guests group has limited access to the domain. This group is provided so that you can let people who are not regular users access specific network resources.
Domain Users
The Domain Users group contains all of the domain users. This group should have very limited system access. By default, any users who have been added to the domain become members of this group.
Enterprise Admins
The Enterprise Admins group has complete administrative rights over the enterprise (all domains within the forest). This group has the highest level of permissions of all groups and only exists in the forest root server.
Group Policy Creator Owners
The Group Policy Creator Owners group has permissions to modify group policy for the domain. By default, the Administrator user account is a member of this group.
HelpServicesGroup
This group has special permissions to manage the Help and Support Center.
Working with Active Directory Group Accounts
TABLE 2.2
111
Default Group Accounts in the Users Folder (continued)
Users Group
Description
IIS_WPG (installed with IIS)
This group is used by the Internet Information Services worker process group. There are no default members of this group.
RAS and IAS Servers
The RAS and IAS Servers group contains the Remote Access Service (RAS) and Internet Authentication Service (IAS) servers in the domain. Servers in this group can access remote access properties of users.
Schema Admins
The Schema Admins group has special permissions to modify the schema of the Active Directory. By default, the Administrator user account is a member of this group.
TelnetClients
Members of this group have access to the Telnet server on this system.
WINS Users
The WINS Users group has special permissions to view information on the Windows Internet Name Service (WINS) server.
In addition to the default groups that are created, there are special groups used by Windows Server 2003. Membership in these groups is automatic if certain criteria are met. Special groups can’t be managed through the Active Directory Users And Computers utility. Table 2.3 describes the special groups that are used by Windows Server 2003. TABLE 2.3
Special Groups in Windows Server 2003
Group
Description
Creator Owner
The Creator Owner is the account that created or took ownership of the object. This is typically a user account. Each object (files, folders, printers, and print jobs) has an owner. Members of the Creator Owner group have special permissions to resources. For example, if you are a regular user who has submitted 12 print jobs to a printer, you can manipulate your print jobs as Creator Owner, but you can’t manage any print jobs submitted by other users.
Creator Group
The Creator group is the group that created or took ownership of the object (rather than an individual user). When a regular user creates an object or takes ownership of an object, the username becomes the Creator Owner. When a member of the Administrators group creates or takes ownership of an object, the group Administrators becomes the Creator group.
112
Chapter 2
TABLE 2.3
Managing Users, Groups, and Computers
Special Groups in Windows Server 2003 (continued)
Group
Description
Everyone
This group includes anyone who could possibly access the computer. The Everyone group includes all users who have been defined on the computer (including Guest), plus (if your computer is a part of a domain) all users within the domain. If the domain has trust relationships with other domains, all users in the trusted domains are part of the Everyone group as well. The exception to automatic group membership with the Everyone group is that members of the Anonymous Logon group are no longer a part of the Everyone group.
Interactive
The Interactive group includes all users who use the computer’s resources locally. Local users belong to the Interactive group.
Network
This group includes users who access the computer’s resources over a network connection. Network users belong to the Network group.
Authenticated Users
The Authenticated Users group includes users who access the Windows Server 2003 operating system through a valid username and password. Users who can log on belong to this group.
Anonymous Logon
This group includes users who access the computer through anonymous logons. When users gain access through special accounts created for anonymous access to Windows Server 2003 services, they become members of the Anonymous Logon group.
Batch
This group includes users who log on as a user account that is only used to run a batch job. Batch job accounts are members of the Batch group.
Dialup
The Dialup group includes users who log on to the network from a dial-up connection. Dial-up users are members of the Dialup group.
Service
The Service group includes users who log on as a user account that is only used to run a service. You can configure the use of user accounts for logon through the Services program, and these accounts become members of the Service group.
Working with Active Directory Group Accounts
TABLE 2.3
113
Special Groups in Windows Server 2003 (continued)
Group
Description
System
When the system accesses specific functions as a user, that process becomes a member of the System group. For example, say you have a virus scanner that runs as a service called abcscan; you want the service to run no matter what user is logged on and regardless of what the logged-on user’s permissions are. You can create a special user—for example, abcscanuser—who has all of the permissions required to run the abcscan service each time the computer is started. The local user—for example, Katie—logs on. The user Katie is logged on as an interactive user. In addition, when the abcscan service was started, the abcscanuser was also logged on as a system user, which is a transparent process to user Katie.
Terminal Server User
This group includes users who log on through Terminal Services. These users become members of the Terminal Server User group.
Creating New Groups To create a new group on a domain controller, take these steps (you must be logged in as Administrator or be given the right to create groups): 1.
Select Start Administrative Tools Active Directory Users And Computers to open the Active Directory Users And Computers utility.
2.
Right-click the Users folder, select New from the pop-up menu, and then select Group.
3.
The New Object–Group dialog box appears, as shown in Figure 2.17. Type in the group name. The pre–Windows 2000 group name will be filled in automatically, but you can change it if desired.
FIGURE 2.17
The New Object–Group dialog box
114
Managing Users, Groups, and Computers
In the Group Scope section, select the scope for the group:
4.
Choose the Domain Local option if you want to use the group to assign permissions to resources. Domain local groups are always created where the resource resides.
Choose the Global option if you want to use this group for users who require similar network access.
Choose the Universal option if you want to assign permissions related to resources in multiple domains. This option is not active if the Active Directory is configured for Windows 2000/2003 mixed-mode support. In the Group Type section, select the type of group that you want to create:
5.
6.
Chapter 2
Choose the Security option if this group is for users who need access to specific resources.
Choose the Distribution option if this group is for users who have common characteristics (for example, users whom you may need to receive the same e-mail messages). Click OK to close the dialog box and create the new group.
Managing Group Properties You can manage an Active Directory group through the group Properties dialog box, shown in Figure 2.18. To access this dialog box, right-click the group in the Active Directory Users And Computers utility and select Properties from the pop-up menu. This dialog box has four tabs with options for managing the group:
The General tab allows you to view and change the pre–Windows 2000 group name, the description, and the e-mail address. You can view the group scope and change group scope and group type. You can also add notes for the group.
FIGURE 2.18
The Active Directory group Properties dialog box
Working with Active Directory Group Accounts
115
The Members tab, shown in Figure 2.19, allows you view and change group membership.
The Member Of tab, shown in Figure 2.20, allows you to view group members and add groups to or remove groups from other groups, if the group type allows group nesting (one group contained within another group).
The Managed By tab, shown in Figure 2.21, allows you to view and change the user who manages the group.
FIGURE 2.19
The Members tab of the Active Directory group Properties dialog box
FIGURE 2.20
The Member Of tab of the Active Directory group Properties dialog box
116
Chapter 2
FIGURE 2.21
Managing Users, Groups, and Computers
The Managed By tab of the Active Directory group Properties dialog box
In Exercise 2.11, you will create and manage an Active Directory group. This exercise assumes that you have completed the other exercises in this chapter. EXERCISE 2.11
Creating and Managing an Active Directory Group 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
In the Active Directory Users And Computers utility, right-click the Users folder, select New, and then select Group.
3.
In the New Object–Group dialog box, enter Test Group as the group name. Choose the Global option for the group scope and the Security option for the group type. Click the OK button.
4.
In the Active Directory Users And Computers utility, right-click Test Group and select Properties.
5.
In the Test Group Properties dialog box, click the Members tab and then click the Add button. Enter user Ginnie and click the Add button. Click the OK button. In the Test Group Properties dialog box, click the OK button.
6.
Close the Active Directory Users And Computers utility.
Identifying Group Membership You can easily identify what groups a user belongs to by viewing the user’s properties and clicking the Member Of tab. For example, Figure 2.22 lists all of the groups that the Administrator user account belongs to. You can also use this dialog box to add or remove a user
Working with Computer Accounts
117
from a group through the Add and Remove buttons. The Set Primary Group button is used to support Macintosh and POSIX-compliant applications and is normally not used. FIGURE 2.22
The Member Of tab for the Administrator user account
Working with Computer Accounts Computer accounts are accounts stored in the Active Directory that are used to uniquely identify, authenticate, and manage computers within the domain. Computer accounts are created for any computer that joins the domain that is running Windows NT, Windows 2000, Windows XP Professional, or Windows Server 2003. You manage computer accounts through the Active Directory Users And Computers utility.
Windows 98, Windows Me, and Windows XP Home Edition operating systems do not have computer accounts created through the Active Directory. These operating systems do not have the ability to support the computer security requirements specified by Active Directory.
Creating Computer Accounts You can create a computer account through two options. You can create the computer account in the Active Directory Users And Computers utility before the computer is joined to the domain, using the New Object-Computer dialog box (see Figure 2.23), or you can add the
118
Chapter 2
Managing Users, Groups, and Computers
computer to the domain through the Computer Name tab of the computer’s System Properties dialog box (see Figure 2.24). FIGURE 2.23
The New Object–Computer dialog box
In order to add computers to the domain, you must be logged in as a member of the Account Operators group (which can only create new computer accounts in the Computers container or administrator-created organizational units), Domain Admins group, or Enterprise Admins group. If you have administrative rights to add computer accounts to the domain and you are installing a new client computer, you would typically create the computer account as part of the installation process when you join the computer to the domain. If the client computer is already installed and configured and the user at the client computer will configure the computer to join the domain, you would pre-create the computer account in the Active Directory Users And Computers utility, since the local user would not have administrative rights to create a computer account in the domain.
Creating a Computer Account through Active Directory Users And Computers To create a computer account in the Active Directory Users And Computers utility, you would take the following steps (you must be logged in as administrator or be given the right to add computers to the domain): 1.
Select Start Administrative Tools Active Directory Users And Computers to open the Active Directory Users And Computers utility.
2.
Right-click the Computers folder (or whatever location the computer will be created in), select New from the pop-up menu, and then select Computer.
3.
The New Object–Computer dialog box will appear, as shown in Figure 2.23. The options that can be configured for a new computer object include:
Computer Name, which uniquely identifies the object within the Active Directory.
Computer Name (Pre–Windows 2000) specifies the backward-compatible computer name that will be used if the computer is using Windows NT.
Working with Computer Accounts
119
User or Group field specifies which user or group can manage this computer.
Assign This Computer Account As A Pre–Windows 2000 Computer is used to assign a password to the computer that can be interpreted and used by a computer that is running Windows NT.
Assign This Computer Account As A Backup Domain Controller is used if your domain is running in a mixed-mode configuration and you have a Windows NT 4.0 Backup Domain Controller (BDC) that will be added to the domain.
Creating a Computer Account through the Computer Name System Properties You can add a computer to the domain through the Computer Name tab of the computer’s System Properties dialog box. To add a Windows XP Professional computer to the domain, follow these steps: 1.
On the computer that you are adding to the domain (for example a Windows XP Professional computer) select Start, right-click My Computer, and select Properties.
2.
The System Properties dialog box will appear. Click the Computer Name tab.
3.
To add the computer to the domain from the Computer Name tab, as shown in Figure 2.24, click the Network ID button to start the Network Identification Wizard, or click the Change button to manually add the computer to the domain. In this example, the computer is being manually added to the domain by clicking the Change button.
4.
The Computer Name Changes dialog box will appear, as shown in Figure 2.25. This dialog box can be used to change the computer’s name or whether the computer is a part of a domain or a workgroup. Under Member Of, specify the domain that you will join (in this example, sybex.local) and click the OK button.
FIGURE 2.24
The Computer Name tab of the System Properties dialog box
120
Chapter 2
FIGURE 2.25
5.
Managing Users, Groups, and Computers
The Computer Name Changes dialog box
The Computer Name Changes (request for username and password) dialog box will appear, as shown in Figure 2.26. Type in the username and password of a user who has rights to add the computer to the domain and click the OK button.
FIGURE 2.26
6.
The Computer Name Changes (username and password) dialog box
You will see a confirmation dialog box welcoming you to the domain that you have joined. Click the OK button. If the attempt to join the domain fails, the first thing you need to check is the availability of a DNS server.
Working with Computer Accounts
7.
121
You will see a dialog box notifying you that the computer must be restarted for the change to take effect. Click the OK button. In the System Settings dialog box, click Yes to restart your computer.
Managing Computer Properties To manage a computer through the Active Directory, you right-click the computer account in the Active Directory Users And Computers utility and select Properties. The computer Properties dialog box has seven tabs for management, which include: General The General tab of a computer’s properties, shown in Figure 2.27, is used to display the computer name (pre–Windows 2000), the DNS name for the computer (which will appear after the computer registers with DNS), and the role of the computer (Workstation Or Server). You can also specify a Description for the computer. FIGURE 2.27
The General tab of the computer Properties dialog box
Operating System The Operating System tab of a computer’s properties, as shown in Figure 2.28, is used to display the name of the operating system, the version of the operating system, and the version of the service pack applied to the operating system. Member Of The Member Of tab of a computer’s properties, as shown in Figure 2.29, is used to identify what groups within the local domain or any universal groups the computer object belongs to. You can also set the primary group for the computer if the computer is associated with running a Macintosh or POSIX-compliant application.
122
Chapter 2
Managing Users, Groups, and Computers
FIGURE 2.28
The Operating System tab of the computer Properties dialog box
FIGURE 2.29
The Member Of tab of the computer Properties dialog box
The Delegation tab only appears on domain controllers running in Windows Server 2003 domain functional level. Servers running in Windows 2000 native or Windows 2000 mixed domain functional level replace the Delegation tab with a much simpler Trust This Computer For Delegation checkbox on the General tab.
Working with Computer Accounts
123
Delegation The Delegation tab of a computer’s properties, as shown in Figure 2.30, is used to configure security delegation (which allows a service to act on behalf of another user or object) if the operating system is Windows 2000 or higher. The options that can be configured for delegation are:
Do Not Trust This Computer For Delegation
Trust This Computer For Delegation To Any Service (Kerberos Only)
Trust This Computer For Delegation To Specified Services Only (Use Kerberos Only or Use Any Authentication Protocol).
FIGURE 2.30
The Delegation tab of the computer Properties dialog box
FIGURE 2.31
The Location tab of the computer Properties dialog box
124
Chapter 2
Managing Users, Groups, and Computers
Location The Location tab of a computer’s properties, as shown in Figure 2.31, is used to provide descriptive text about where a computer is located. Managed By The Managed By tab of a computer’s properties, as shown in Figure 2.32, displays the user or contact who is responsible for managing the selected computer object. FIGURE 2.32
The Managed By tab of the computer Properties dialog box
Dial-In The Dial-In tab of a computer’s properties, as shown in Figure 2.33, displays and allows the configuration of the following settings:
Remote Access Permissions (Dial-In Or VPN)
Verify Caller-ID
Callback Options
Assign A Static IP Address
Apply Static Route
Resetting Computer Accounts As a part of Active Directory security, computer accounts are assigned passwords that are changed every 30 days. This process is transparent to the user. If the computer password is reset and the computer crashes and is restored from a backup that contains an outdated computer password, the user who uses the computer will not be able to log on to the domain. In this case you will need to reset the computer account.
Working with Computer Accounts
125
To reset a computer account, logon with administrative rights and take the following steps: 1.
Select Start Administrative Tools Active Directory Users And Computers to open the Active Directory Users And Computers utility.
2.
Expand the Computers folder (or whatever location the computer is located in).
FIGURE 2.33
The Dial-In tab of the computer Properties dialog box
3.
Right-click the computer that needs to be reset and select Reset Account.
4.
You will see an Active Directory dialog box asking you to confirm that you want to reset the computer. Click the Yes button.
5.
An Active Directory dialog box will appear confirming that the computer was successfully reset.
6.
You will need to rejoin the computer to the domain, as covered in the Creating Computer Accounts section of this chapter.
Troubleshooting Computer Accounts If you are having trouble connecting a computer account to a domain, you should ensure that the following conditions are met:
The computer that is being joined to the domain must be running Windows NT, Windows 2000, Windows XP Professional, or Windows Server 2003.
The computer that is joining the domain must have a valid network connection to the domain controller.
The computer that is joining the domain must have a unique computer name.
The user who is adding the computer to the domain must be logged in as a member of the Account Operators group (which can only create new computer accounts in the Computers
126
Chapter 2
Managing Users, Groups, and Computers
container or administrator-created organizational units), Domain Admins group, or Enterprise Admins group.
The computer that is being joined to the domain must have connectivity and an account in a DNS server.
Advanced User, Group, and Computer Management Windows Server 2003 offers additional utilities for advanced user and group management. In the following sections, you will learn how to locate objects within the Active Directory, how to move objects within the Active Directory, how to create users, groups, and computers through automation, and how to import users from a Windows NT 4.0 domain or a Windows 2000 domain to a Windows 2003 domain.
Locating Objects within the Active Directory If your Active Directory stores hundreds or thousands of users, it could potentially be timeconsuming to locate a specific object. The Active Directory Users And Computers utility offers capabilities for searching for the following objects:
Users, contacts, and groups
Computers
Printers
Shared folders
Organizational units
Remote installation servers
Remote installation clients
Custom search
Custom queries
In the following sections you will learn how to create a search for users, contacts and groups, and computers.
Locating Users, Contacts, and Groups To locate a user, contact, or group, you would take the following steps: 1.
From within Active Directory Users And Computers, right-click the domain you want to search and select Find. The Find Users, Contacts, And Groups dialog box will appear, as shown in Figure 2.34.
2.
Type in the name of the user, group, or contact that you want to find and click the Find Now button.
Advanced User, Group, and Computer Management
127
3.
The search results will be displayed in the bottom of the dialog box. You can double-click any objects that are found to bring up their properties.
4.
If you need to perform a more advanced search, you would click the Advanced tab of the Find Users, Contacts, And Groups dialog box. This displays the dialog box shown in Figure 2.35.
FIGURE 2.34
The Find Users, Contacts, And Groups dialog box
FIGURE 2.35
The Advanced tab of the Find Users, Contacts, And Groups dialog box
5.
From the Advanced tab click the Field button to specify the search criteria. You can search for a user, group, or contact. In this example, selecting User will list all of the user properties that can be searched—for example, Department or City. Once you specify the Field, you select the condition (Starts With, Ends With, Is, Is Not, Present, or Not Present) and value. For example, you could search for a user based on the Department Is Sales criteria. Once you have defined your search, click the Find Now button. The results of the search will be displayed in the Search Results section.
128
Chapter 2
Managing Users, Groups, and Computers
Locating Computers Within the Find Users, Contacts, And Groups dialog box, you can specify that you want to search for a computer object by clicking the Find drop-down list and selecting Computer. The Find Computers dialog box will appear, as shown in Figure 2.36. The Computers tab allows you to define a search based on the computer name, owner, or role. The Advanced tab allows you to define a search based on any of the computer properties. Once you define your search criteria, click the Find Now button and the results of the search will be displayed at the bottom of the dialog box. FIGURE 2.36
The Find Computers dialog box
Moving Objects within the Active Directory The Active Directory is designed to allow flexibility in configuration. You can easily move objects within the Active Directory. For example, assume that you have designed your domain structure geographically and you have an OU called New York and an OU called London. You have a user in the New York office named Jsmith who transfers to the London office. You can easily move the Jsmith user object through the Active Directory Users And Computers utility. To move an object, log on with administrative rights and take the following steps: 1.
Select Start Administrative Tools Active Directory Users And Computers to open the Active Directory Users And Computers utility.
2.
Expand the folder that contains the object you want to move.
3.
Right-click the object that needs to be moved and select Move.
4.
The Move dialog box will appear, as shown in Figure 2.37. Select the container that the object will be moved to and click the OK button.
Advanced User, Group, and Computer Management
FIGURE 2.37
The Move dialog box
In Exercise 2.12 you will move a user within the Active Directory. EXERCISE 2.12
Moving Objects within the Active Directory 1.
Select Start Administrative Tools Active Directory Users And Computers.
2.
Right-click your domain and select New Organizational Unit. In the New Object– Organizational Unit dialog box, type in New York and click the OK button.
3.
Right-click your domain and select New Organizational Unit. In the New Object– Organizational Unit dialog box, type in London and click the OK button.
4.
Right-click New York and select New User.
5.
In the New Object–User dialog box, enter the following information: First Name: John Initial: B. Last Name: Jones User Logon Name: John
6.
Click the Next button.
7.
In the next New Object–User dialog box, accept the default settings and click the Next button, then click the Finish button.
8.
From within the New York folder, right-click John and select Move.
9.
The Move dialog box will appear. Select the London folder and click the OK button.
129
Chapter 2
130
Managing Users, Groups, and Computers
Creating Users, Groups, and Computers through Automation Windows Server 2003 includes several command-line utilities for managing objects within the Active Directory. They are Dsadd, Dsget, Dsmod, Dsmove, and Dsquery.
Dsadd You can automate the process of creating users, groups, and computers through the Dsadd command-line utility. The Dsadd commands that can be used are:
Dsadd computer
Dsadd contact
Dsadd group
Dsadd ou
Dsadd user
Dsadd quota
Each Dsadd command offers a series of switches (which can be viewed from a command prompt window by typing Dsadd /?) that can be used to configure the object that is being created. For example, the Dsadd user /? command includes parameters for almost all of the options that can be configured for a user through the Active Directory Users And Computers utility.
Dsget The Dsget command-line utility is used to display the selected properties of a specified object within the Active Directory. Each Dsget command has a unique set of parameters associated with the specified object. The Active Directory objects that can have properties displayed through the Dsget command are:
Dsget computer
Dsget contact
Dsget group
Dsget ou
Dsget server
Dsget user
Dsget subnet
Dsget site
Dsget quota
Dsget partition
Advanced User, Group, and Computer Management
131
Dsmod You can modify existing Active Directory objects through the Dsmod command-line utility. Each Dsmod command has a unique set of parameters based on the Active Directory object that is being modified. The objects that can be modified through the Dsmod command are:
Dsmod computer
Dsmod contact
Dsmod group
Dsmod ou
Dsmod server
Dsmod user
Dsmod quota
Dsmod partition
Dsmove The Dsmove command-line utility is used to rename or move a single object within the Active Directory. When you use the Dsmove command-line utility, you specify the object’s distinguished name, then the new name of the object (if you are changing the object’s name) and the new location of the object.
Dsquery You use the Dsquery command-line utility to query the Active Directory for objects that meet specified criteria. Each Dsquery command has a unique set of parameters based on the Active Directory object that is being modified. The objects that can be modified through the Dsquery command are:
Dsquery computer
Dsquery contact
Dsquery group
Dsquery ou
Dsquery site
Dsquery server
Dsquery user
Dsquery quota
Dsquery partition
Dsquery * (queries any type of object)
Importing Users You can import users, groups, and computer accounts from a Windows NT 4.0 domain or a Windows 2000 domain to a Windows 2003 domain using the Active Directory Migration Tool (ADMT) v2.0. ADMT v2.0 can be downloaded from the Microsoft website. ADMT is a graphical
132
Chapter 2
Managing Users, Groups, and Computers
utility that can be used to migrate users, groups, and computers. This utility allows the copying of accounts between separate forests and the moving of accounts within a forest. A new feature of ADMT v2.0 is the ability to maintain the old password during a user account migration.
Summary In this chapter, you learned about managing users, groups, and computers. We covered the following topics:
Managing user accounts including the default user accounts that are created within a Windows 2003 domain, an understanding of username and password rules and conventions, a description of usernames and security identifiers, how to create, disable, and delete user accounts, how to change a user’s password, how to create and manage user accounts, how to use the Run As option, how to use user account templates, and troubleshooting user account authentication.
Managing group accounts, which included understanding group scope and group type, the default groups created in a Windows 2003 domain, how to create and manage groups, and how to identify what groups a user belongs to.
Working with the Active Directory Users And Computers utility to create computer accounts, manage a computer’s properties, reset a computer account, or troubleshoot a computer account.
Advanced user, group, and computer management, which is used to locate objects within the Active Directory, move objects within the Active Directory, create and manage users, groups, and computers through automation, and how to import user accounts from a Windows NT 4.0 domain or a Windows 2000 domain.
Exam Essentials Be able to create and manage user accounts. Know how to create user accounts from the Active Directory Users And Computers utility or through the command-line utility Dsadd. Be able to manage all of a user’s properties. Know what utility is used to import user accounts from a Windows NT 4 domain or a Windows 2000 domain. Know how to troubleshoot user authentication problems. Know how to create a user through automation. Be able to create roaming and mandatory user profiles. Be able to create and configure local, roaming, and mandatory profiles. Know how to create and manage group accounts. Understand what group scope is and be able to create groups from the Active Directory Users And Computers utility or through the command-line utility Dsadd. Know what the default groups are and what the function of each default group is. Be able to determine what groups a user belongs to. Know how to create a group using automation.
Key Terms
133
Create and manage computers within the Active Directory. Be able to create and manage computers within the Active Directory. Be able to troubleshoot and reset computer accounts when needed.
Key Terms Before you take the exam, be certain you are familiar with the following terms: Active Directory Migration Tool (ADMT)
Guest
Administrator
home folder
computer accounts
logon scripts
Creator group
mandatory profile
Distribution group
roaming profile
domain local groups
security group
global groups
security identifier (SID)
group
universal group
group scope
user profile
group type
134
Chapter 2
Managing Users, Groups, and Computers
Review Questions 1.
You are the administrator of a small network. Some of your users use a specific computer, while others use a bank of computers that are allocated to their department. Your company recently hired a user named Katie. You have created a user account called Katie within the Sales domain. Katie reports that she created a user profile on Computer 1 and that when she logs in to Computer 1 she gets her profile. However, Katie reports that when she logs in to Computer 2 she does not get the profile that she has customized. When you check the user properties for this user, you see the following exhibit. Based on the exhibit, what type of profile will Katie use when she logs in to Computer 2?
A. She will use the default profile for the default_user that is stored on the domain controller. B. She will not have a user profile assigned to her. C. She will use the Katie user profile that is stored on the domain controller. D. She will use the Katie user profile that is stored on Computer 2. 2.
You have just created an Active Directory user on a Windows 2003 domain controller. The security requirements for this user specify that the user should not be able to log on to the computer between 12:01 A.M. and 4:00 A.M. because this is when your company runs automated backups for the computer. You want to specify that the user account can log on only during specified hours. Which user Properties dialog box tab should you use to configure logon hours? A. The General tab. B. The Account tab. C. The Profile tab. D. You cannot restrict logon hours for an Active Directory user account.
Review Questions
3.
135
You are the network administrator for a Fortune 500 company. Your Active Directory structure contains a domain for the parent corporation and a domain for a company that was recently acquired by the parent corporation. You need to create a group that will contain all of the directors and vice presidents for the Accounting departments of the parent corporation and the company that was acquired. You decide to create a group on the domain used by the parent corporation. Which one of the following options should you select for group scope? A. Domain local B. Global C. Distribution D. Universal
4.
You have just created a new group on a Windows 2003 domain controller. Which of the following properties can be configured for an Active Directory group? A. Logon hours B. Logon computers C. Logon scripts D. Whom the group is managed by
5.
You recently hired a new employee to help manage file backups and restores for the Windows Server 2003 computers within the Sales department. You create an account for a user named Jackie, who will be managing the backups and restores. You want to allow Jackie to back up and restore the file system, but you do not want her to be able to access the file system. To which of the following groups should you assign Jackie? A. Server Operators B. Backup Operators C. Administrators D. Replicator
6.
You are the network administrator for a medium-sized network. Your company develops applications that will be used on Windows Server 2003 platforms. You run a test lab that has Windows Server 2003 on member servers within several workgroups. You hire a user named Affie to help you run and manage tests. You have just added Affie to the Server Operators group on your Windows 2003 domain. Which of the following tasks will Affie be able to complete based on this group membership? (Choose all that apply.) A. Create users and groups. B. Delete users and groups. C. Create network shares. D. Create network printers.
136
7.
Chapter 2
Managing Users, Groups, and Computers
You are the network administrator of a small Windows 2003 network. One of your users has come to you because he can’t remember the password he uses to log on to your Windows Server 2003 domain. Which utility should you use to change a user’s password? A. Password Manager B. Password Administrator C. The Setpass utility D. The Active Directory Users And Computers utility
8.
You have just installed a new Windows 2003 domain. You need to create 1000 initial user accounts. You would like to create the accounts as quickly as possible and do not want to use the Windows GUI utilities. Which of the following command-line utilities will allow you to automate the creation of users through scripting? A. Dsadd B. Adduser C. Useradd D. Usrmgr
9.
You are the administrator for a medium-sized company. You support the Finance group, which contains 20 financial analysts. You want to configure the user profiles for each of the financial analysts so that they see a consistent desktop each time they log on. The financial analysts should not be able to modify their user profiles. Which of the following options should you use to create a mandatory profile for these users? A. Configure the Ntuser.dat file for the user profiles as read-only. B. Only allow the users Read permission to the Ntuser.dat file. C. Rename the Ntuser.dat file to Ntuser.man. D. Configure the user profiles as mandatory through Control Panel System, Advanced
Properties tab. 10. You are the network administrator for a large company. As a part of your security policy you have configured your group policy as follows: Account Lockout Threshold: 3 Account Lockout Duration: 60 minutes Reset Account Lockout Counter: 30 minutes You get a call on Monday morning from a user named Blair who tells you that she changed her password on Friday afternoon. When she tried to log on, she could not remember her password and after three attempts, she was locked out of her computer, even through she now remembers what her password is. What course of action should you take? A. Tell Blair to wait 30 minutes and then try to log on again. B. Tell Blair to wait 60 minutes and then try to log on again. C. Use the Group Policy Object utility to unlock Blair’s account. D. Use the Active Directory Users And Computers utility to unlock Blair’s account.
Review Questions
137
11. You are the network administrator of a small company. You have a Windows 2003 domain. You have two user accounts. You use the Kdonald-Admin account, which is a member of the Domain Admins group, for administrative purposes and the Kdonald account for regular user access. You want to ensure that your network is as secure as possible. Which of the following options will allow you to perform administrative tasks through the Active Directory Users And Computers utility without exposing your network to possible security attacks? A. Log on to the domain as Kdonald-Admin to complete the administrative tasks and
immediately log out and log on as Kdonald when you are done with the administrative tasks. B. While logged on as Kdonald, right-click the Active Directory Users And Computers
utility and select the Run As option. Specify that you want to run the utility as Kdonald-Admin. C. Remove Kdonald-Admin from the Domain Admins group and make him a member of
the Account Operators group. D. Use the Adduser command-line utility with the /user=Kdonald-Admin switch. 12. You are the network administrator of a large corporation. You are planning to deploy a Windows 2003 network. You will be using Windows Server 2003 domain controllers with Active Directory. Your client computers will be using a variety of operating systems. Which of the following operating systems will need to have computer accounts created through the Active Directory? (Choose all that apply.) A. Windows 95 B. Windows 98 C. Windows Me D. Windows NT 4 Workstation E. Windows NT 4 Server F. Windows 2000 Professional G. Windows XP Home Edition H. Windows XP Professional I.
Windows Server 2003 member servers
13. You are the network administrator for a Fortune 500 company. Your company recently purchased another company and you need to integrate the new company’s domain into your Active Directory structure. As a part of the integration, you need to rename all of the user accounts so that they meet the naming standards specified by corporate policy. Which of the following command-line utilities can be used to automate renaming Active Directory objects? A. Dsadd B. Dsmod C. Dsget D. Dsmove
138
Chapter 2
Managing Users, Groups, and Computers
14. You are the network administrator for a large company. One of your users, Debbie, recently returned from a three-month maternity leave. While Debbie was on leave, no one used her Windows XP Professional computer. When Debbie attempted to log on to her computer, she received an error because her computer’s password had expired. What should you do? A. Reset her computer account through the Active Directory Users And Computers
utility. B. Reset her computer account through Computer Management. C. Change the group policy setting for Assign New Computer Password for her
computer. D. Log on to her computer running Safe Mode and run the Setpass command-line
utility. 15. You are the system administrator for a large company. You want to create a database that contains all of the employees’ addresses and phone numbers. All of the data you need is currently configured within the Active Directory. You already have a listing of all of the usernames. Which of the following command-line utilities should you use to extract user property data from the Active Directory? A. Dsadd B. Dsmod C. Dsget D. Dsquery
Answers to Review Questions
139
Answers to Review Questions 1.
D. If no user profile is specified in the Profile tab of the user’s Properties, the user will use the locally stored profile on the local computer that is created by default the first time the user logs on. If a user needs to have a user profile that can be accessed from any computer, you would configure roaming profiles.
2.
B. If you create an Active Directory account, you can limit logon hours by clicking the Logon Hours button in the Account tab of the user Properties dialog box.
3.
D. Universal groups are used to logically organize global groups and appear in the Global Catalog (a search engine that contains limited information about every object in the Active Directory). Universal groups can contain users from anywhere in the domain tree or forest, other universal groups, and global groups.
4.
D. Logon hours, logon computers, and logon scripts can be managed only on a per-user basis. You can configure who manages a group in an Active Directory forest.
5.
B. The members of the Backup Operators group have rights to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can access the file system only through the Backup utility. To be able to directly access the file system, they must have explicit permissions assigned. By default, there are no members of the Backup Operators local group.
6.
C, D. The Server Operators group members can administer domain servers. Administration tasks include creating, managing, and deleting shared resources, starting and stopping services, formatting hard disks, backing up and restoring the file system, and shutting down domain controllers.
7.
D. To set up and manage domain user accounts, you use the Active Directory Users And Computers utility. Right-click the user whose password you want to change and select Reset Password.
8.
A. Most of the tasks in Windows 2003 that can be completed through GUI utilities can also be completed through command-line utilities. The Dsadd User command is used to create users.
9.
C. You can create mandatory profiles for a single user or a group of users. The mandatory profile is stored in a file named Ntuser.man. A user with a mandatory profile can set different Desktop preferences while logged on, but those settings will not be saved when the user logs off.
10. D. If you configure account lockout policies, you can unlock the account by unchecking the Account Is Locked Out checkbox through the user’s Properties in the Active Directory Users And Computers utility. This option is active only when a computer has been locked out based on account lockout settings. 11. B. The Run As option allows you to use a secondary logon process to log on to a computer using administrative credentials in order to perform a specific task. For security purposes, it is recommended that you use the Run As option when performing administrative tasks rather than logging into a computer or domain with an administrative account. You can use the Run As option through most Windows programs, some Control Panel items, and the Microsoft Management Console (MMC). You can also use the Run As option with command-line utilities.
140
Chapter 2
Managing Users, Groups, and Computers
12. D, E, F, H, I. Any computers that are running Windows NT, Windows 2000, Windows XP Professional, or Windows Server 2003 require a computer account when added to an Active Directory domain. You manage computer accounts through the Active Directory Users And Computers utility. 13. D. The Dsmove command-line utility is used to rename or move a single object within the Active Directory. When you use the Dsmove command-line utility, you specify the object’s distinguished name, then the new name of the object (if you are changing the object’s name) and the new location of the object. 14. A. As a part of Active Directory security, computer accounts are assigned passwords that are changed every 30 days. This process is transparent to the user. If the computer password is reset and the computer crashes and is restored from a backup that contains an outdated computer password, the user who uses the computer will not be able to log on to the domain. In this case you will need to reset the computer account, which is done through the Active Directory Users And Computers utility. 15. C. The Dsget command-line utility is used to display the selected properties of a specified object within the Active Directory. Each Dsget command has a unique set of parameters associated with the specified object.
Chapter
3
System Recovery and Web Services MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Perform system recovery for a server
Implement Automated System Recovery (ASR)
Back up files and System State data to media
Configure security for backup operations
Restore data from shadow copy volumes
Manage a Web server
Manage Internet Information Services (IIS)
Manage security for IIS
This chapter covers a variety of system management and optimization tools that are valuable to administrators for recovering from disaster, increasing efficiency in the workplace, and providing resources and services to remote users. More specifically, we will cover backup and recovery and remote resource access through IIS. System recovery is the process of making your computer work again in the event of failure. The benefit of having a disaster recovery plan is that when you expect the worst to happen and you are prepared for it, you can easily recover from most system failures. Backups are the best protection you can have against system failure. You can create backups through the Windows Backup utility. The Windows Backup utility offers options to run the Backup and Restore Wizard. Windows Backup also allows you to create an Automated System Recovery backup that is used to restore critical Windows operating system files. You can schedule the backup jobs as an automated process. We'll also examine a new feature found in Windows XP and Server 2003 called shadow copies. The shadow copies feature keeps previous versions of files on the hard drive so that you can quickly revert to them in case the current versions become corrupted or otherwise unusable. Finally, we will examine another feature that is included with Windows Server 2003: web services, or Internet Information Services (IIS). Windows Server 2003 comes with IIS 6.0, which allows you to create and manage websites. This software provides a wide range of options for configuring the content, performance, and access controls for your websites. In the final part of this chapter, you will learn how to install Internet Information Services and how to configure and manage website properties. You will learn how to create a new website. You will also learn about the IIS metabase and how to back it up. The final section of the chapter includes tips for troubleshooting problems with website access.
You must understand the topics in this chapter to pass both the 70-292 and 70-296 exams. Be sure to thoroughly study this chapter before attempting either exam.
Safeguarding Your Computer and Recovering from Disaster One of the worst events you will experience is a computer that won’t boot. An even worse experience is discovering that there is no recent backup for that computer.
Using the Backup Utility
143
The first step in preparing for disaster recovery is to expect that a disaster will occur at some point and take proactive steps to plan your recovery before the failure. The following are some of the preparations you can make:
Perform regular system backups.
Use virus-scanning software.
Perform regular administrative functions, such as monitoring the logs in the Event Viewer utility.
If you can’t start Windows Server 2003, there are several options and utilities that can be used to identify and resolve Windows errors. The following is a broad list of troubleshooting options:
If you have recently made a change to your server’s configuration by installing a new device driver or application and Windows Server 2003 will not load properly, you can use the Last Known Good Configuration, roll back the driver, or use System Restore to restore a previous system configuration.
If you can boot your computer to Safe Mode, and you suspect that you have a system conflict, you can temporarily disable applications, processes, or services, or uninstall software.
If your computer will not boot to Safe Mode, then you can use the Recovery Console to replace corrupted files or perform other recovery options manually. For example, on an x86 system, you should verify that the Boot.ini settings are correct. On an Itanium-based computer, you would verify that the NVRAM startup settings are correct.
Last Known Good, Safe Mode, and the Recovery Console remain relatively unchanged from Windows 2000 Server. You will not be tested on these subjects in the MCSA Upgrade exam, but you should always remember that these tools are available for system recovery functions
If necessary, you can use Windows Backup to restore operating system files and data files from backup media. You can also use Automated System Recovery in conjunction with Windows Backup to reformat the system partition and restore operating system files from backup media you previously created.
In the following sections we will examine the backup strategies necessary to minimize loss of data and quickly recover a computer from failure.
Using the Backup Utility The Backup utility allows you to create and restore backups. Backups protect your data in the event of system failure by storing the data on another medium, such as another hard disk or a tape. If your original data is lost due to corruption, deletion, or media failure, you can restore the data using your backup. The types of data that can be backed up with the Backup utility include System State data and user data and applications. System State data is data related to the configuration of the Windows Server 2003 operating system. User data and applications are the data that have been created and stored on the computer.
144
Chapter 3
System Recovery and Web Services
By default, users can back up their own data and any data that they have Read permission to. Users can restore their own data to any folder that they have Write permission to. Users who are members of the Administrators, Server Operators, or Backup Operators group can back up or restore any files on the server, regardless of file and folder permissions, since these groups have the Backup Files And Directories and Restore Files And Directories user rights. In the following sections you will learn how to use the Backup utility, including the following topics:
Using the Backup Wizard
Managing System State data
Configuring backup options
Using Automated System Recovery
Using shadow copies
Using the Backup Wizard The Backup utility allows you to manually configure backup and restore sessions or to automate the process through the use of wizards. The Backup Wizard takes you through all of the steps that are required for a successful backup. Before you start the Backup Wizard, you should be logged on as a member of the Administrators, Server Operators, or Backup Operators groups. To use the Backup Wizard, take the following steps: 1.
Select Start All Programs Accessories System Tools Backup.
2.
The Welcome To The Backup Utility Advanced Mode dialog box appears. In this example the backup is being performed through the Backup Wizard, so you will need to click the Wizard Mode option to use simplified settings for the backup. The Welcome To The Backup Or Restore Wizard will start, as shown in Figure 3.1. Click the Next button.
FIGURE 3.1
The Welcome To The Backup Or Restore Wizard page
Using the Backup Utility
FIGURE 3.2
145
The Backup Or Restore page
3.
The Backup Or Restore page appears, as shown in Figure 3.2. Ensure that the Back Up Files And Settings option is selected and click the Next button.
4.
The What To Back Up page appears, as shown in Figure 3.3. This dialog box allows you to select what you will back up. You can select All Information On This Computer or Let Me Choose What To Back Up. If you choose what will be backed up, you can choose to back up just selected files, drives, or network data; or back up only the System State data. System State data includes system configuration information, as explained in the next section. For this example, select Let Me Choose What To Back Up and click the Next button.
5.
The Items To Back Up page appears, as shown in Figure 3.4. Check the items that you want to back up and click the Next button.
FIGURE 3.3
The What To Back Up page
146
Chapter 3
FIGURE 3.4
System Recovery and Web Services
The Items To Back Up page
6.
The Backup Type, Destination, And Name page appears, as shown in Figure 3.5. You can either type in the backup media or filename, or click the Browse button to locate it. Clicking the Browse button brings up the Save As dialog box. Select the drive, give your backup a filename (for example, you might use the date as the filename), and click the Open button. You return to the Backup Type, Destination, and Name page. When your backup media or filename path is correct, click the Next button.
7.
The Completing The Backup Or Restore Wizard page appears. If all of the information is correct, click the Finish button.
FIGURE 3.5
The Backup Type, Destination, And Name page
Using the Backup Utility
8.
147
During the backup process, the wizard displays the Backup Progress dialog box, as shown in Figure 3.6. Once the backup process is complete, you can click the Report button in this dialog box to see details of the backup session. Figure 3.7 shows an example of a backup report.
FIGURE 3.6
The Backup Progress dialog box
FIGURE 3.7
An example of a backup report
Clicking the Advanced button in the Completing The Backup Or Restore Wizard page brings up a dialog box that allows you to specify the type of backup: Normal, Copy, Incremental, Differential, or Daily. These backup types are discussed in the “Selecting a Backup Type” section later in this chapter.
148
Chapter 3
System Recovery and Web Services
In Exercise 3.1, you will use the Backup Wizard. You will need a blank, formatted, highdensity floppy disk for this exercise. EXERCISE 3.1
Using the Backup Wizard 1.
Create a folder on your D: drive called DATA. Create some small text files in this folder. The size of all of the files combined should not exceed 1MB.
2.
Select Start All Programs Accessories System Tools Backup.
3.
The Welcome To The Backup Utility Advanced Mode dialog box appears. Click Wizard Mode. The Welcome to the Backup Or Restore Wizard page appears. Click the Next button.
4.
The Backup Or Restore page appears. Ensure that the Back Up Files And Settings option is selected and click the Next button.
5.
The What To Back Up page appears. Select Let Me Choose What To Back Up and click the Next button.
6.
In the Items To Back Up dialog box, select My Computer, expand D:, and check the DATA folder. Click the Next button.
7.
In the Backup Type, Destination, And Name page, select Let Me Choose A Location Not Listed Here from the Choose A Place To Save Your Backup pull-down menu and click the Browse button. In the Open dialog box, select Floppy (A:). For the filename, enter the date (in the mmddyy format). Then click the Open button.
8.
In the Backup Type, Destination, And Name page, click the Next button.
9.
The Completing The Backup Or Restore Wizard page appears. If all of the information is correct, click the Finish button.
10. When the Backup Wizard completes, click the Report button in the Backup Progress dialog box. This will show the backup log in a Notepad window. Close this window when you are finished viewing the report.
11. Close all of the Backup Wizard dialog boxes.
Managing System State Data System State data refers to a collection of system-specific configuration information. You can manage the availability of System State data by using the Backup utility to back up this information on a regular basis. On a Windows Server 2003 member server, System State data consists of the Registry, the COM+ Class Registration database, and the system boot files. If the server is configured as a
Using the Backup Utility
149
certificate server, System State data will also include the Certificate Services database. On Windows Server 2003 domain controller, System State data also includes the Active Directory services database and the SYSVOL directory, which is a shared directory that stores the server copy of the domain’s public files. To backup System State data, you take the following steps: 1.
Select Start All Programs Accessories System Tools Backup.
2.
You will see the Welcome To The Backup Utility Advanced Mode dialog box shown in Figure 3.8.
FIGURE 3.8
The Welcome To The Backup Utility Advanced Mode dialog box
3.
Click the Backup Wizard (Advanced) button. The Welcome To The Backup Wizard dialog box will appear. Click the Next button to continue.
4.
On the What To Back Up page, select the Only Back Up The System State Data radio button, as shown in Figure 3.9, and click the Next button.
5.
In the Backup Type, Destination, And Name dialog box, select the location of your backup media and click the Next button.
6.
The Completing The Backup Wizard dialog box will appear. If all of the information is correct, click the Finish button.
If you need to restore System State data on a domain controller, you should restart your computer with the advanced startup option Directory Services Restore Mode. This allows the Active Directory directory service database and the SYSVOL directory to be restored. If the System State data is restored on a domain controller that is a part of a domain where data is replicated to other domain controllers, you must perform an authoritative restore. For an authoritative restore, you use the Ntdsutil.exe command, then restart the computer.
150
Chapter 3
FIGURE 3.9
System Recovery and Web Services
The What To Back Up page
If you have a backup device attached to your computer, you can follow the steps in Exercise 3.2 to back up your System State data. This information will not fit on a single floppy disk. EXERCISE 3.2
Backing Up System State Data 1.
Select Start All Programs Accessories System Tools Backup.
2.
The Welcome To The Backup Utility Advanced Mode dialog box will appear, click the button for Backup Wizard (Advanced). The Welcome To The Backup Wizard dialog box will appear. Click the Next button to continue.
3.
On the What To Back Up Page, select the Only Back Up the System State Data option and click the Next button.
4.
In the Backup Type, Destination, And Name dialog box, select the location of your backup media (for example, D:\Backup) and click the Next button.
5.
The Completing The Backup Wizard dialog box will appear. If all of the information is correct, click the Finish button.
6.
When the backup is complete, click the Report button in the Backup Progress dialog box.
7.
The backup log appears in a Notepad window. Close this window when you are finished viewing the report.
8.
Close all of the Backup dialog boxes.
Using the Backup Utility
151
Configuring Backup Options You can configure more specific backup configurations by selecting backup options. To access the backup options, start the Backup utility in Advanced mode (as described above) and select Tools Options. This brings up the Options dialog box. This dialog box has five tabs with options for controlling the backup and restore processes: General, Restore, Backup Type, Backup Log, and Exclude Files. The options on these tabs are covered in the following sections.
Configuring General Backup Options The General tab, shown in Figure 3.10, contains options for configuring backup sessions. Table 3. 1 describes these options. FIGURE 3.10
TABLE 3.1
The General tab of the Options dialog box
General Backup Options
Option
Description
Compute Selection Information Before Estimates the number of files and bytes that will be Backup And Restore Operations backed up or restored during the current operation and displays this information prior to the backup or restore operation Use The Catalogs On The Media To Speed Up Building Restore Catalogs On Disk
Specifies that you want to use an on-media catalog to build an on-disk catalog that can be used to select which folders and files will be restored during a restore operation
Chapter 3
152
TABLE 3.1
System Recovery and Web Services
General Backup Options (continued)
Option
Description
Verify Data After The Backup Completes Makes sure that all data has been backed up properly Back Up The Contents Of Mounted Drives
Specifies that the data should be backed up on mounted drives; otherwise, only path information on mounted drives is backed up
Show Alert Message When I Start The Notifies you if Removable Storage is not running Backup Utility And Removable Storage (when you are backing up to tape or other removable Is Not Running media) Show Alert Message When I Start The Backup Utility And There Is Recognizable Media Available
Notifies you when you start Backup if new media have been added to the Removable Storage import pool
Show Alert Message When New Media Notifies you when new media are detected by RemovIs Inserted able Storage Always Allow Use Of Recognizable Media Without Prompting
Specifies that if new media are detected by Removable Storage, that media should be directed to the Backup media pool
Configuring Restore Options The Restore tab of the Options dialog box, shown in Figure 3.11, contains three options that relate to how files are restored when the file already exists on the computer:
Do Not Replace The File On My Computer (Recommended)
Replace The File On Disk Only If The File On The Disk Is Older
Always Replace The File On My Computer
Selecting a Backup Type The Backup Type tab, shown in Figure 3.12, allows you to specify the default backup type that will be used. You should select the type of backup based on the following:
How much data you are backing up
How quickly you want to be able to perform the backup
The number of tapes you are willing to use in the event that you need to perform a restore operation
Using the Backup Utility
FIGURE 3.11
The Restore tab of the Options dialog box
FIGURE 3.12
The Backup Type tab of the Options dialog box
153
Table 3.2 describes the backup type options. TABLE 3.2
Backup Type Options
Option
Description
Normal
Backs up all files and sets the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process.
154
Chapter 3
System Recovery and Web Services
TABLE 3.2
Backup Type Options (continued)
Option
Description
Copy
Backs up all files and does not set the archive bit as marked for each file that is backed up. Requires only one tape set for the restore process.
Differential
Backs up only the files that have not been marked as archived and does not set the archive bit for each file that is backed up. Requires the last normal backup set and the last differential tape set for the restore process.
Incremental
Backs up only the files that have not been marked as archived and sets the archive bit for each file that is backed up. Requires the last normal backup set and all of the incremental tapes that have been created since the last normal backup for the restore process.
Daily
Backs up only the files that have been changed today and does not set the archive bit for each file that is backed up. Requires each daily backup and the last normal backup set for the restore process.
Setting Backup Log Options The Backup Log tab, shown in Figure 3.13, allows you to specify the amount of information that is logged during the backup process. Table 3.3 list the backup log options. FIGURE 3.13
The Backup Log tab of the Options dialog box
Excluding Files The Exclude Files tab of the Options dialog box, shown in Figure 3.14, allows you to explicitly exclude specific files during the backup process. For example, you might choose to exclude the page file or application files.
Using the Backup Utility
TABLE 3.3
155
Backup Log Options
Option
Description
Detailed
Logs all information, including the names of the folders and files that are backed up
Summary
Logs only key backup operations, such as starting the backup
None
Specifies that a log file will not be created
FIGURE 3.14
The Exclude Files tab of the Options dialog box
Using Automated System Recovery Windows XP Professional and Windows Server 2003 now include a new feature in the Backup utility called Automated System Recovery. Automated System Recovery (ASR) is used for system recovery in the event of system failure. It is a two-part system recovery that consists of an ASR backup component and an ASR restore component. The system information that is backed up by ASR includes System State data, system services, and disk configuration information (information about basic and dynamic disks and the file signature associated with each disk). You create ASR backups with the Automated System Recovery Wizard through the Backup utility. This utility is used only to back up system data and your local system partition. It does not back up folders and files. When you use the ASR Restore process, the following information is restored:
Disk recovery configuration information including disk signatures, volumes, and partition for all disks used to start the computer
156
Chapter 3
System Recovery and Web Services
A simplified version of Windows
The copy of the system partition (containing the system state data) that was backed up through the ASR backup component
You should only use the Automated System Recovery Wizard for system recovery after you have tried to boot the computer to Safe Mode and used the Last Known Good Configuration option. You should always try the easier and less invasive methods of recovery before trying more complex recovery options. ASR is used to recover a system when none of the other recovery features work. Example, you power up the computer to a black screen. It is highly recommended that critical machines use the ASR feature.
If you are using FAT16 volumes, ASR will only support volumes up to 2.1GB. If you have a FAT16 partition that is over 2.1GB, you should convert them to NTFS if you want to use ASR.
In Exercise 3.3, you will create an Automated System Recovery backup. You will need some form of backup media, a 1.44MB floppy disk, and your Windows Server 2003 distribution CD. EXERCISE 3.3
Using the Automated System Recovery Wizard Create an Automated System Recovery Backup
1.
Select Start All Programs Accessories System Tools Backup. Click the Advanced Mode link to open the main Backup utility screen.
2.
From the Welcome tab, click the Automated System Recovery Wizard button.
3.
The Automated System Recovery Preparation Wizard will start. Click the Next button to continue.
4.
The Backup Destination page will appear. Specify the location of your backup media (which should not be on the system or boot partition) and click the Next button. This process may take 30 minutes or longer, as the system partition is being backed up. Click the Finish button.
5.
The Backup Utility dialog box will appear and you will be prompted to insert a blank 1.44MB floppy diskette into drive A:. Click the OK button.
6.
The Backup Utility dialog box will prompt you to remove the diskette and label it Windows Automated System Recovery Disk for Backup.bkf created mm/dd/yyyy at h:mm. Label the diskette and click the OK button.
Using the Backup Utility
157
EXERCISE 3.3 (continued)
Perform an Automated System Recovery Restore
1.
Boot your computer using the Windows Server 2003 CD. During the boot process, you may need to press a specified key (based on your computer’s BIOS) to boot the computer from CD.
2.
Press F2 when prompted during the text-mode portion of the Windows Server 2003 Setup process to initiate the recovery process. You will be prompted to insert the ASR floppy disk. Insert the disk and press any key.
3.
You have only a few seconds to cancel the recovery by hitting the Esc key. Otherwise, the system reformats the C drive automatically. After the format is complete, the Automated System Recovery Wizard begins an installation process very similar to the initial Windows Server 2003 installation.
4.
After the Windows Server 2003 files are copied to the hard drive and the computer reboots, the Windows Server 2003 setup procedure continues. During this procedure, the Automated System Recovery Wizard appears automatically and prompts you for the backup location. Select the correct backup location to complete the wizard and continue with the normal setup process. At the end of the Automated System Recovery process, the Backup utility will open automatically and restore the system.
The Ntbackup command-line utility can be used to back up and restore Windows Server 2003 data using command-line switches. Ntbackup only supports backing up of folders unless you create a backup selection file. It is also important to note that Ntbackup does not allow you to back up data based on wildcards (for example, *.doc). You can use Ntbackup to schedule backup jobs. If you run the Ntbackup command without any command-line switches, it opens the Backup and Restore Wizard.
Using Shadow Copies Shadow copies are used to create copies of shared folders and files at specified points in time. The advantages of using shadow copies are:
You can recover files that have been accidentally deleted.
You can recover files that have been overwritten and you want to access a previous version of the file.
You can use file comparison to see the differences between a current version of a file and a previous version of a file.
In order to use shadow copies, you must configure the volume that the shared folders exist on and deploy Shadow Copies Of Shared Folders software to the client computers. This allows a client to access a Previous Versions tab in the Properties dialog box of the shared folder or file.
158
Chapter 3
System Recovery and Web Services
Note that there is a limit of 64 shadow copies that can be created for a volume. When there are more than 64 shadow copies, the oldest shadow copy is deleted.
Using Shadow Copies for Fault Tolerance You are the network administrator of a large company. You manage a server called \SalesData that stores user data for the 20 sales account managers. The \SalesData server has a share called \Data that is accessed by all of the sales account managers. The SalesData\Data share is on an NTFS volume on a 200GB drive. All of the sales account managers have Full Control NTFS and share permissions for the Data share. In the past you have had problems with data accidentally being deleted or overwritten. In order to restore the previous data, you have had to restore the data from the tape backups you make on a daily basis, which is a time-consuming process. You decide to enable shadow copies on the \SalesData\Data share and on each client computer. You train the users on how shadow copies work and can be accessed. Now when a user needs to access a previous version of a file, they can do it without administrative intervention.
In the following sections, you will learn how to configure shadow copies on a Windows Server 2003 computer and a client computer.
Shadow copies should not be considered an alternative to regular backups.
Configuring the Server for Shadow Copies You configure shadow copies at the volume level. The volume must be NTFS. You can’t specify that only specific folders or files will be configured as shadow copies. In order to host shadow copies, the volume that will be configured should have at least 100MB of free volume space. The default maximum amount allocated is 10% of the volume’s free disk space. You can configure an NTFS volume for shadow copies through Windows Explorer or Disk Management (in the following example, we are using Windows Explorer). The steps to enable shadow copies are as follows: 1.
Select Start Windows Explorer.
2.
Right-click the drive you want to enable shadow copies on and select Properties. Click the Shadow Copies tab to display the dialog box shown in Figure 3.15.
3.
Click the drive you want to enable shadow copies on and click the Enable button.
4.
The Enable Shadow Copies dialog box will appear, as shown in Figure 3.16, and will inform you that Windows will use the default schedule and settings for the selected shadow volume. Click the Yes button to continue.
Using the Backup Utility
FIGURE 3.15
The Shadow Copies tab
FIGURE 3.16
The Enable Shadow Copies dialog box
159
Once you have enabled shadow copies, you can configure the settings for the shadow copies by clicking the Settings button from the Shadow Copies tab. This brings up the Settings dialog box shown in Figure 3.17. The options that can be set through the Settings dialog box include:
Defining the storage area for the shadow copies (by default this is on the drive that shadow copies have been enabled on, but you can specify a different volume for storage)
The maximum size (amount of space) that can be used for the shadow copy
The schedule that will be used to create the shadow copies (by default shadow copies are created Monday through Friday, twice a day, at 7:00 A.M. and 12:00 P.M.)
You can force a shadow copy to be created by clicking the Create Now button within the Shadow Copies tab. You can disable shadow copies by clicking the Disable button in the Shadow Copies tab.
160
Chapter 3
FIGURE 3.17
System Recovery and Web Services
The Settings dialog box
Configuring the Client for Shadow Copies You can configure the Client for Shadow Copies on Windows XP and Window Server 2003 computers. In order to use shadow copies the client must install the Shadow Copies of Shared Folders software. Windows Server 2003 computers have this software installed in the \\windir\ system32\clients\twclient folder. You can distribute this software through group policy, or you can create a share to let the clients download and install the client software. In Exercise 3.4, you will configure shadow copies and use shadow copies. EXERCISE 3.4
Using Shadow Copies The following steps should be completed from your Windows Server 2003 domain controller.
1.
From your Windows Server 2003 domain controller, select Start Windows Explorer.
2.
Right-click your D: drive and select Properties. Click the Shadow Copies tab.
3.
Click your D: drive and click the Enable button.
4.
The Enable Shadow Copies dialog box will appear; click the Yes button to continue.
5.
Click the Create Now button to create shadow copies.
6.
From Windows Explorer, select C:\Windows\System32\clients and right-click the twclient folder. Select Sharing And Security and then select the Sharing tab. Click the Share This Folder radio button and click the OK button.
Using the Backup Utility
161
EXERCISE 3.4 (continued)
The following steps should be completed from your Windows XP Professional computer.
7.
Log on as the Administrator of your domain from your Windows XP Professional computer.
8.
Access Windows Explorer and map a drive to the twclient share you created on your Windows Server 2003 domain controller. From the twclient share, open the x86 folder. Click on twcli32 to install Previous Versions Client Setup. When the software is installed, click the Finish button.
The following steps should be completed from your Windows Server 2003 domain controller.
9.
From Windows Explorer, create a folder on your D: drive called Shadows. Within the Shadows folder, create a text file called Data.txt with text within the file noting that this is a part of test 1. Share the Shadows folder and set the share security so that the Everyone group is allowed Full Control permission.
10. From Windows Explorer, right-click your D: drive and select Properties. Click the Shadow Copy tab and click Create Now to create a shadow copy. The following steps should be completed from your Windows XP Professional computer.
11. Access Windows Explorer and map a drive to the Shadows share you created on your Windows Server 2003 domain controller. From the Shadows folder, edit the Data.txt file and save the changes.
12. To access the shadow copy of Data.txt, right-click Data.txt and select Properties. You will see a tab for Previous Versions. You can click the View, Copy, or Restore buttons based on what you want to do with the shadow copy. Click the Restore button and the successful completion dialog box will appear.
162
Chapter 3
System Recovery and Web Services
Listed below are some additional facts about shadow copies:
Mounted drives are not included when shadow copies are taken.
Do not use shadow copies on dual-boot computers. The older version may be corrupted and unusable when the computer is booted to any OS other than Windows Server 2003.
Using a volume on a separate disk is recommended for improved performance. This is highly recommended for production file servers.
Do not schedule shadow copies to occur more often than once per hour.
You must delete the shadow copies scheduled task prior to deleting the volume that is shadowed. Otherwise, the next time the schedule executes, an Event ID of 7001 will occur.
When you restore a file, the file’s permissions will be retained.
When you recover a file that was deleted, the file permissions will become the directory’s default permissions.
You cannot edit the contents of a shadowed copy until it is restored.
The Vssadmin command-line utility displays the current volume shadow copy backups and other shadow copy information from a command-line interface. Table 3.4 lists the available Vssadmin commands. TABLE 3.4
Vssadmin CommandsTable
Command
Description
Add ShadowStorage
Add a new volume shadow copy storage association
Create Shadow
Create a new volume shadow copy
Delete Shadows
Delete volume shadow copies
Delete ShadowStorage
Delete volume shadow copy storage associations
List Providers
List registered volume shadow copy providers
List Shadows
List existing volume shadow copies
List ShadowStorage
List volume shadow copy storage associations
List Volumes
List volumes eligible for shadow copies
List Writers
List subscribed volume shadow copy writers
Resize ShadowStorage
Resize a volume shadow copy storage association
Benefits of Using IIS
163
Benefits of Using IIS Windows Server 2003 includes IIS 6.0, which is web server software that provides integrated, reliable, secure, and scalable software for creating and managing internal corporate websites and external websites on the Internet. The benefits and features of IIS include:
IIS is fully integrated and designed to work with Windows Server 2003.
Each website is isolated and functions as a self-contained worker process. This promotes reliability, since an application that may not be functioning properly on one website can’t adversely affect another website that is hosted on the same IIS server.
For security purposes, IIS 6.0 is not installed by default. IIS offers a variety of security features that protect the IIS site and reduce the possibility of security breaches from external threats.
IIS uses a new kernel-mode driver for HTTP parsing and cacheing. The kernel-mode driver is tuned for scalability and throughput, which increases the number of sites that an IIS server can host and the number of concurrent active worker processes that the IIS server can host.
IIS can be managed in a variety of options including IIS Manager, administration scripts, or editing of IIS configuration files.
IIS supports web developers by supporting the latest web standards, which include XML, SOAP, and IPv6.
In the following sections, we will look at some key IIS services; how to install, configure, and administer IIS; how to perform an IIS backup; and how to troubleshoot IIS.
Key IIS Services IIS is made up of several key services. The following list describes the main IIS services: World Wide Web Service The World Wide Web (WWW) service is used to publish Web services and connect HTTP requests from IIS clients to IIS websites. Hypertext Transfer Protocol Hypertext Transfer Protocol (HTTP) is used to transport content between the client and the server. File Transfer Protocol File Transfer Protocol (FTP) is used to copy files to and from remote computer systems using the Transmission Control Protocol (TCP). The TCP protocol is designed to support accurate and reliable data transfer. FTP requires an FTP server and an FTP client. IIS allows you to create and manage an FTP server. Simple Mail Transfer Protocol Simple Mail Transfer Protocol (SMTP) is used on the Internet to route e-mail between transfer agents. SMTP does not provide e-mail server capabilities. For full e-mail services, you need an e-mail application such as Microsoft Exchange Server. Network News Transfer Protocol Network News Transfer Protocol (NNTP) is used to distribute network news messages to NNTP servers and to NNTP clients (news readers) on the
164
Chapter 3
System Recovery and Web Services
Internet. News articles are stored on an NNTP server in a central database where they can be indexed, retrieved, and posted. IIS Admin Service The IIS Admin Service manages the IIS metabase. The IIS metabase is a special database that contains all of the settings and configuration data for IIS. The IIS Admin Service manages the IIS metabase by updating the Windows Server 2003 Registry with the settings for the WWW service, FTP, SMTP, and NNTP.
IIS Security Before you connect your website to the Internet, you should first plan and implement a security strategy that will meet the requirements of your website. Some of the main considerations are:
Does your site require anonymous access?
How is your current Windows 2003 user security defined?
Do you want to limit access to your website to specific host addresses or network addresses?
Do you require Secure Sockets Layer (SSL) for encryption and authentication? These questions are explored in the following sections.
Access Control for Anonymous Access In order to access IIS, you must be logged in with a valid Windows 2003 user account. If you choose to allow anonymous access, your users will access your website through a user account called IUSR_computername. This user account is created when you install IIS, and can be viewed and managed through Active Directory Users And Computers. The IUSR_computername user account is limited in that it only has guest access permissions (this account is added to the local group Guests on the computer that has IIS installed). The use of the IUSR_computername user account allows anonymous users to access your web server without needing a unique Windows 2003 username and password.
Access Control for Users and Groups One way you can control website access is to eliminate anonymous access. In this case, you force users to be authenticated as valid Windows 2003 users. When users log on to your website through a valid Windows 2003 user account, you can specify that one of the following authentication methods be used:
Integrated Windows Authentication
Digest Authentication For Windows Domain Servers
Basic Authentication (Password Is Sent In Clear Text)
.NET Passport Authentication
Each of these authentication methods is covered in more detail in the “Authentication And Access Control” section of this chapter.
Benefits of Using IIS
165
Access Control through Host and Network It is possible to allow or deny website access to specific IIS services based on IP address and host names. When you define IP address restrictions, they can be set to grant or deny access. If you grant access by default, you specify that access is allowed for all users, except those with the specific IP addresses or domain names that are explicitly defined. If you deny access by default, you specify that access is denied for all users, except those with the specific IP addresses or domain names that are explicitly defined.
Using SSL for Encryption and Authentication One way to ensure that you have a secure communication channel when communicating with a website via the Internet is to take advantage of Secure Sockets Layer (SSL). SSL provides the following advantages:
There is a secure path created between the client and the web server so that data can’t be diverted to another computer.
Because data is encrypted, even if it could be diverted to another computer, the diverting computer would not be able to decrypt the data.
The encryption ensures that the data is delivered intact and that it has not been tampered with in any way.
SSL works through the combination of public and private keys. This is illustrated in the following example. Kevin wants to order a Roadrunner Demolition Kit from the Acme Corporation. He wants to pay by credit card, but does not want to send the credit card number over the Internet in an unsecured manner. The following process would use SSL services: 1.
Kevin would access the Acme Corporation’s website. When he started the payment transaction, his computer would request a copy of Acme’s public key. This key could be generated from Acme or a trusted third-party security organization.
2.
Kevin’s credit card information would be encrypted using the public key that was provided by Acme.
3.
The data would be transmitted from Kevin’s computer to the Acme website.
4.
At the Acme website, the corresponding Acme private key would be used to decrypt the data that contained Kevin’s credit card number.
Installing IIS In this section, you will learn how to install IIS. In order to install IIS, the following requirements must be met:
The server must be using the TCP/IP protocol and your server must be configured with an IP address.
If you will be publishing your web server on the Internet, you must have Internet connectivity.
You must be logged in with Administrative rights to install IIS.
166
Chapter 3
System Recovery and Web Services
It is also recommended that you have a Domain Name System (DNS) server installed (or configure a point to a DNS server through TCP/IP properties), which is a hierarchical database that contains mappings of DNS domain names to IP addresses. You should also consider installing IIS on an NTFS volume, which will allow you to configure additional security. To install IIS, follow these steps: 1.
Select Start Control Panel Add Or Remove Programs.
2.
The Add Or Remove Programs dialog box will appear. Click Add/Remove Windows Components.
3.
The Windows Components dialog box will appear, which is the start of the Windows Components Wizard. Highlight Application Server and then click the Details button.
4.
The Application Server dialog box will appear, as in Figure 3.18. Check the box for Internet Information Services (IIS) and ASP .NET. Click the OK button.
5.
In the Windows Components dialog box, click the Next button.
6.
The Insert Disk dialog box will appear. Insert the Windows Server 2003 distribution CD and click the OK button.
7.
The Completing The Windows Components Wizard dialog box will appear. Click the Finish button. The following directories are installed as a part of IIS:
\Inetpub
\Windir\Help\IisHelp
\Windir\System32\Inetsrv These directories all contain user content and cannot be moved.
FIGURE 3.18
The Application Server dialog box
Benefits of Using IIS
FIGURE 3.19
167
Internet Information Services (IIS) Manager
Configuring and Administering IIS By default, IIS is installed and configured in highly secure mode, which allows you to serve only static content. You must manually enable the features of IIS that you want to use. Examples of features include Active Server Pages (ASP), ASP .NET Internet Server Application Programming Interface (ISAPI), and Common Gateway Interface (CGI). The IIS console can be launched through Administrative Tools Internet Information Services (IIS) Manager or by running the Inetmgr command. Because IIS is installed in highly secure mode, you must first “unlock” it by taking the following steps: 1.
Select Start Administrative Tools Internet Information Services (IIS) Manager. You will see the dialog box shown in Figure 3.19.
2.
Expand your server name. Expand the Web Service Extensions directory. You will see the Web Service Extensions listed on the right-hand side of the dialog box, as shown in Figure 3.20. Select each Web Service Extension that you want to enable and click Allow. In Exercise 3.5, you will enable Web Service Extensions.
EXERCISE 3.5
Enabling Web Service Extensions 1.
Select Start Administrative Tools Internet Information Services (IIS) Manager.
2.
Expand your server name. Expand the Web Service Extensions directory. From Web Service Extensions listed on the right-hand side of the dialog box, select Active Server Pages and click Allow.
168
Chapter 3
System Recovery and Web Services
EXERCISE 3.5 (continued)
3.
Select ASP .NET v1.1.4322 and click Allow.
4.
Select Internet Data Connector and click Allow.
5.
Select Server Side Includes and click Allow.
6.
Select WebDAV and click Allow.
FIGURE 3.20
Web Service Extensions
In the following sections you will learn how to create a new website and how to configure websites. You will also learn how to configure default website properties.
Creating a New Website IIS allows you to host multiple websites on a single computer. Creating a web (or FTP) site using IIS Manager does not create the actual site content, but merely creates a directory structure and configuration files. Content is published by adding it to the directory structure for a website, or by pointing that website to the physical location of the content files. To create a new website, take the following steps from the IIS console:
Benefits of Using IIS
169
1.
Right-click the Web Sites folder under the web server and select New Web Site from the pop-up menu.
2.
The Web Site Creation Wizard starts. Click the Next button.
3.
The Web Site Description dialog box appears, as shown in Figure 3.21. Type a descriptive name for your site and click the Next button.
4.
The IP Address And Port Settings dialog box appears, as shown in Figure 3.22. This allows you to host a different website on each IP address your computer has. You must pick an IP address that is not being used by another website. You can specify the IP address, TCP port, and host header for the website. Host headers are used to route requests to the proper website (when a computer hosts multiple websites). Configure the settings, then click the Next button.
5.
The Web Site Home Directory dialog box appears, as shown in Figure 3.23. Enter the path (such as D:\My Site) that will be used for the home directory. You can also specify whether anonymous access will be allowed for the website. Click the Next button.
6.
The Web Site Access Permissions dialog box appears, as shown in Figure 3.24. Configure permissions (permissions are covered in the “Local Path and Permissions” section of this chapter), then click the Next button.
7.
The Web Site Creation Wizard will tell you that you have successfully completed the Web Site Creation Wizard. Click the Finish button. In Exercise 3.6 you will create a new website.
EXERCISE 3.6
Creating a New Web Site 1.
Select Start Administrative Tools Internet Information Services (IIS) Manager.
2.
Right-click Web Sites and select New Web Site.
3.
The Web Site Creation Wizard starts. Click the Next button.
4.
The Web Site Description dialog box appears. Under Description type Practice Web Site and click the Next button.
5.
The IP Address And Port Settings dialog box appears. Click the arrow for Enter The IP Address To Use For This Web Site and select the IP address of your Windows Server 2003 server. Click the Next button.
6.
The Web Site Home Directory dialog box appears. Click the Browse button. Select Local Disk (C:) and click the Make New Folder button. Type in Practice Web Site for the home directory and click the OK button. Click the Next button.
7.
The Web Site Access Permissions dialog box appears. Accept the default settings and click the Next button.
8.
The Web Site Creation Wizard will tell you that you have successfully completed the Web Site Creation Wizard. Click the Finish button.
170
Chapter 3
System Recovery and Web Services
FIGURE 3.21
The Web Site Description dialog box
FIGURE 3.22
The IP Address and Port Settings dialog box
FIGURE 3.23
The Web Site Home Directory dialog box
Benefits of Using IIS
FIGURE 3.24
171
The Web Site Access Permissions dialog box
Now that you have created a website, you can configure and manage it as described in the following sections.
Configuring Websites Each website hosted on the IIS server can be individually configured through its Properties dialog box, accessed by right-clicking the site and choosing Properties from the pop-up menu. The website Properties dialog box has eight tabs with options for configuring and managing your website. The options on these tabs are described briefly in Table 3.5 and in more detail in the following sections. TABLE 3.5
The Website Properties Dialog Box Tabs
Tab
Description
Web Site
Settings include website identification, connections, and logging
Performance
To configure performance tuning options, including bandwidth throttling and limits on connections to the website
ISAPI Filters
To set ISAPI (Internet Server Application Programming Interface) filters
Home Directory
To configure the content location, access permissions, and application settings
Documents
To set the default document users see when they access the site, as well as the option to enable a document footer
172
Chapter 3
TABLE 3.5
System Recovery and Web Services
The Website Properties Dialog Box Tabs (continued)
Tab
Description
Directory Security
To configure authentication and access control (including anonymous access), IP address and domain name restrictions, and secure communications
HTTP Headers
To enable content expiration, custom HTTP headers, content ratings, and MIME types
Custom Errors
To configure a custom error message for a given HTTP error number
Each of the website property tabs is covered in more detail in the following sections.
Setting Website Properties The Web Site tab (see Figure 3.25) includes options for identifying the website, controlling connections, and enabling logging. FIGURE 3.25
The website Properties dialog box
WEBSITE IDENTIFICATION
The description of the website appears in the Internet Information Services console. By default, the website description is the same as the name of the website. You can change the description in the Description text box.
Benefits of Using IIS
173
You also configure the IP address that is associated with the site. The IP address must already be configured for the computer. If you leave the IP address at the default setting of All Unassigned, all of the IP addresses that are assigned to the computer and have not been assigned to other websites will be used. The TCP port specifies the port that will be used to respond to HTTP requests. By default, HTTP uses TCP port 80. There are some secure environments in which the TCP port is changed to prevent malicious attacks. In this instance, it is necessary to change the port number on the client. Otherwise the client will send HTTP requests on port 80 while the server is listening for HTTP requests on a different port, and you will have a breakdown in communication.
Common ports that are used by IIS and can be modified for additional security include FTP on port 21, Telnet on port 23, and HTTP on port 80.
CONNECTIONS
The Connection Timeout is used to specify how long an inactive user can remain connected to the website before the connection is automatically terminated. Enable HTTP Keep-Alives allows a client to maintain an open connection with the server, as opposed to opening a new connection for each HTTP request the client makes. This is an option that enhances server performance, but may degrade client performance. This option keeps the connection open, thus reducing the number of client connection attempts. Another concern with this setting is security. The longer the connection is open, the greater the chance the connection can be tapped. ENABLE LOGGING
Logging can be enabled on the Web Site tab by checking the Enable Logging option. There are four log file formats, which you can configure to suit any third-party tracking software used to measure and chart website performance counters. This option is enabled by default. The log file formats that are supported through IIS are:
Microsoft IIS Log File Format
NCSA Common Log File Format
ODBC Logging
W3C Extended Log File Format
For each log format you can click the Properties button to configure more specific logging properties. For example, if you select Microsoft IIS Log File Format and click the Properties button, you can configure options for the log schedule and log file directory, as shown in Figure 3.26.
Setting Performance Options The Performance tab, shown in Figure 3.27, allows you to enable bandwidth throttling and limit the total website connections. IIS 6 no longer has options for performance tuning or process throttling, because the new application architecture enables these processes to be controlled on a more granular kernel level.
174
Chapter 3
System Recovery and Web Services
FIGURE 3.26
The Microsoft IIS Log File Format Logging Properties dialog box
FIGURE 3.27
The Performance tab of the website Properties dialog box
BANDWIDTH THROTTLING
Bandwidth is defined as the total capacity of your transmission media. IIS allows you to limit how much network bandwidth can be used by a given website. This is called bandwidth throttling, and it prevents a particular website from hogging bandwidth and adversely affecting the performance of the other sites on the web server. When bandwidth throttling is enabled, IIS sets it to 1024 bytes per second (minimum); the maximum is 32,767 bytes per second.
Benefits of Using IIS
175
WEBSITE CONNECTIONS
You can allow unlimited user connections to the website (the default), or you can control the number of connections. To specify a connection limit, select the Connections Limited To radio button and enter the maximum number of connections allowed.
Setting ISAPI Filters Internet Server Application Programming Interface (ISAPI) filters monitor HTTP requests and respond to specific events as defined through the filter. When an event triggers a filter, the request is redirected to specific ISAPI applications, which are then run. ISAPI filters are commonly used to manage customized logon authentication. The ISAPI Filters tab is shown in Figure 3.28. Filters are applied in the order in which they are listed in the list box.
Configuring Home Directory Options The Home Directory tab, shown in Figure 3.29, includes options for the content location, access permissions, and application settings.
The home directory for the default website is C:\Inetpub\wwwroot.
FIGURE 3.28
The ISAPI Filters tab of the website Properties dialog box
CONTENT
The home directory points to the location of the website content. Radio buttons offer three choices for the location of the home directory:
A Directory Located On This Computer
A Share Located On Another Computer
A Redirection To A URL
176
Chapter 3
FIGURE 3.29
System Recovery and Web Services
The Home Directory tab of the website Properties dialog box
LOCAL PATH AND PERMISSIONS
The local path points to the location of the home directory from the perspective of the web server. For instance, it may be a local directory such as F:\inetpub\wwwroot, or it may be a share on another server such as \ \server2\webshare. Access permissions define what access users have to the website. By default, users have only Read access, and Log Visits and indexing are enabled. Table 3.6 details the many security implications of each of the access permissions. TABLE 3.6
Access Permissions
Option
Description
Script Source Access
Users can access source code for scripts, such as ASP (Active Server Pages) applications, if the user has either Read or Write permissions. Use with caution!
Read
Users can read or download files located in your home folder. This is used if your folder contains HTML files. If your home folder contains CGI applications or ISAPI applications, this option is unnecessary, and you should uncheck it so that users can’t download your application files.
Write
Users can modify or add to your web content. This access should be granted with extreme caution.
Benefits of Using IIS
TABLE 3.6
177
Access Permissions (continued)
Option
Description
Directory Browsing
Users can view the website directory structure. This option is not commonly used because it exposes your directory structure to users who access your website without specifying a specific HTML file.
Log Visits
Enables the logging of user visits to the website. In order to effectively log access, the Enable Logging box in the Web Site tab of the Properties dialog box also must be checked.
Index This Resource
Enables indexing of the home folder for use with the Microsoft Indexing Service.
Web service access permissions and NTFS permissions work together. The more restrictive of the two permissions will be the effective permission. It is recommended that you control permissions solely through NTFS permissions.
APPLICATION SETTINGS
“Application,” in this context, refers to a root directory for an executable application. The Application Name setting is the name of the root directory that contains the files and subdirectories of an executable application. The Execute Permissions option enables an administrator to restrict or enable access as follows:
None restricts access to static files such as HTML or image files.
Scripts Only prevents the user from running executables.
Scripts And Executables lifts all restrictions so that all file types can be either accessed or executed. Note that in IIS 6 you can set the Application Pool associated with this home directory.
Setting a Default Document The Documents tab, shown in Figure 3.30, allows you to specify the default document users will see when they access your website unless they specify a document. Under most circumstances, the default document functions as the website’s home page. You can enable multiple documents in a preferred order. The order provides options for fault tolerance in the event that a document cannot be found—for instance, if default.htm was moved or renamed, default.asp (the second page in the order) will be used. You can also enable document footers. A document footer is an HTML-formatted footer appended to every document the web server returns to a client.
Setting Directory Security The Directory Security tab, shown in Figure 3.31, includes options for authentication and access control, IP address and domain name restrictions, and secure communications.
178
Chapter 3
System Recovery and Web Services
FIGURE 3.30
The Documents tab of the website Properties dialog box
FIGURE 3.31
The Directory Security tab of the website Properties dialog box
AUTHENTICATION AND ACCESS CONTROL
To enable anonymous access and edit the authentication methods used by this web resource, click the Edit button to the right of Authentication And Access Control section of the dialog box. This brings up the Authentication Methods dialog box, as shown in Figure 3.32.
Benefits of Using IIS
FIGURE 3.32
179
The Authentication Methods dialog box
If your website is available for public use, you will most likely allow anonymous access. If you enable anonymous access, by default your computer will use the IUSR_computername user account to allow this access. It is advisable to apply NTFS permissions to the web content in order to limit access from the Anonymous user account. You also have the option of using a different Windows user account for anonymous access. There are four choices in the Authenticated access section of the Authentication Methods dialog box:
The Integrated Windows Authentication option employs a cryptographic exchange between the web server and the user’s Internet Explorer web browser to confirm the user’s identity.
The Digest Authentication For Windows Domain Servers option works only with Active Directory accounts and sends a hash value rather than a clear-text password. It works across proxy servers and other firewalls. Digest authentication requires Windows 2000 or later client computers.
The Basic Authentication (Password Is Sent In Clear Text) option requires a Windows 2000 or Windows Server 2003 user account. If anonymous access is disabled or the anonymous account tries to access data that the account does not have permission to access, the system will prompt the user for a valid Windows 2000 user or Windows Server 2003 user account. With this method, all passwords are sent as clear text. You should use this option with extreme caution since it poses a security risk.
The .NET Passport Authentication option is a new web authentication service that lets users of your site create a single sign-in name and password for simplified, secure access to all .NET Passport–enabled websites and services.
180
Chapter 3
System Recovery and Web Services
IP ADDRESS AND DOMAIN NAME RESTRICTIONS
To control access to files, directories, and websites based on IP addresses or domain names, click the Edit button in the IP Address And Domain Name Restrictions section of the Directory Security tab. This brings up the dialog box shown in Figure 3.33. FIGURE 3.33
The IP Address And Domain Name Restrictions dialog box
In the IP Address And Domain Name Restrictions dialog box, you can specify whether all computers will be granted or denied access and then specify exceptions. Each exception can be based on its IP address, subnet, or domain name (this requires DNS reverse lookup capabilities). SECURE COMMUNICATIONS
Secure communications enable you to increase the security of your website by using certificates. When you click on Server Certificate, the Web Server Certificate Wizard is launched. Server Certificates are required to establish a Secure Sockets Layer (SSL) connection. An SSL connection is indicated by HTTPS: in the address bar of a browser. If a browser is using Basic Authentication, it is highly recommended that this authentication method be secured with SSL.
Configuring HTTP Headers The HTTP Headers tab, shown in Figure 3.34, allows you to configure values that will be returned to web browsers in the HTML headers of the web pages. You can configure four options:
If your website contains information that is time-sensitive, you can enable content expiration. You can set content to expire immediately, after a specified number of minutes, or on a specific date. This helps the client’s web browser to determine whether it should use a cached copy of a requested page or request an updated copy of the web page from the website.
Custom HTTP headers may be used to send instructions that may not be supported by the HTML specification that is currently in use.
Content ratings allow you to specify appropriate restrictions if a site contains violence, sex, nudity, or adult language. Most web browsers can then be configured to block objectionable material based on how the content rating has been defined.
Benefits of Using IIS
181
MIME (Multipurpose Internet Mail Extensions) maps are used to configure web browsers so that they can view files that have been configured with different formats. MIME allows the mapping of a file extension to the application that will open that file.
FIGURE 3.34
The HTTP Headers tab of the website Properties dialog box
Specifying Custom Error Messages If the web browser encounters an error, it will automatically display a message specific to that error number. Through the Custom Errors tab, shown in Figure 3.35, you can customize the error message that is generated. It’s as easy as creating an .HTM file, which you then map to a specific HTTP error number. In Exercise 3.7, you will manage the properties of the website you created in Exercise 3.6. EXERCISE 3.7
Managing Websites 1.
Select Start Administrative Tools Internet Information Services (IIS) Manager.
2.
Expand your server name and expand Web Sites. Right-click Practice Web Site and select Properties.
3.
On the Web Site tab, in the Connection Timeout option, specify 1200 seconds.
4.
Click the Performance tab. Select the Connections Limited To option and specify 500 connections.
182
Chapter 3
System Recovery and Web Services
EXERCISE 3.7 (continued)
5.
Click the Home Directory tab. Under the Execute Permissions option, select Scripts And Executables.
6.
Click the OK button to close the Default Web Site Properties dialog box.
FIGURE 3.35
The Custom Errors tab of the web server Properties dialog box
Configuring Default Website Properties You can configure master properties for all websites created on a specific computer running IIS. This allows you to centrally manage all website properties. If you have websites that were configured before you set the master properties, you have the option to replace the existing configurations with the master properties. New websites will automatically inherit the master properties that you have configured. To configure website master properties: 1.
From Internet Information Services (IIS) Manager, right-click the Web Sites folder and select Properties.
2.
The Web Site Properties dialog box will appear. Configure each property tab that contains properties that can be configured as default settings for all websites.
3.
If you have already created websites, you will see an Inheritance Overrides dialog box that will allow you to select any child nodes of the website that you want to override existing settings for.
Once you’ve created a new website, it will inherit master properties. New settings in the website will override master properties.
Benefits of Using IIS
183
FIGURE 3.36 The Internet Information Services (IIS) Manager Backup/Restore Configuration option dialog box
IIS Backup Windows Server 2003 stores most configuration information in the Registry. IIS stores information in a metabase, which is a hierarchical database and is specific to IIS. In order to back up the IIS metabase you must have administrative rights. You can create a metabase backup of IIS through the Internet Information Services (IIS) Manager through the following steps: 1.
Right-click the server you want to back up and select All Tasks Backup/Restore Configuration, as shown in Figure 3.36.
2.
The Configuration Backup/Restore dialog box will appear, as shown in Figure 3.37. You will notice that an initial backup and automatic backups are created for you. To manually create a backup, click the Create Backup button.
FIGURE 3.37
The Configuration Backup/Restore dialog box
184
3.
Chapter 3
System Recovery and Web Services
The Configuration Backup dialog box will appear, as shown in Figure 3.38. You should type in a Configuration Backup Name. You can also choose Encrypt Backup Using Password, which encrypts the backup and requires the password that is supplied to be used when you restore the metabase. Once you have completed the information in this dialog box, click the OK button.
FIGURE 3.38
The Configuration Backup dialog box
4.
The Configuration Backup Name you specified will now be listed in the Configuration Backup/Restore dialog box (shown in Figure 3.37).
5.
To restore the IIS metabase, you would click on the previous backup that you want to restore in the Configuration/Backup Restore dialog box and click the Restore button. If you choose to restore the metabase it will delete all of the current settings and stop all IIS services. Once the metabase is restored, the IIS services will be automatically restarted.
Troubleshooting IIS In the event that users can’t properly access your IIS server, you may need to troubleshoot IIS access. The following sections cover common troubleshooting techniques that are associated with IIS.
Pinging Your Server If your web browser returned either the Cannot Find Server error or the Page Cannot Be Displayed error, then use the ping command to verify that:
The problem isn’t with the name resolution server.
Your server responds to network requests from a remote computer.
A Request Timed Out error indicates that the web server is not responding to network requests or there is some kind of network failure between the remote computer and the server. An Unknown Host error may indicate a name resolution problem. Try to ping your server by IP address to determine whether this is the case. If the server responds when you ping it by IP address but not by name, then you have a name resolution problem.
Summary
185
Verifying the Location of Content Pages If you receive either the Under Construction or the Site You Are Trying To Reach Does Not Currently Have A Default Page error, you need to verify and/or change the location of your default website. By default, the files for your default website are located at systemroot:\inetpub\wwwroot. Check the location of the home folder and also the default document configuration.
Verifying Permissions If a specific user or group of related users cannot access the website, there are several things you should verify:
If Anonymous access is enabled, verify the Windows account in use. Ensure that a password has not been set on this account. If one has, users will have to know it to access the site.
Check to see if access has been denied due to IP restrictions.
Check NTFS permissions on the home folder.
Restarting IIS If you receive a Page Cannot Be Displayed error, you may need to restart IIS if you cannot locate the source of the problem by using the ping command. Your options include starting or stopping any website on your IIS server or restarting the World Wide Web (WWW) Publishing service, which restarts IIS at the server level. Note that when you restart the WWW Publishing service, all sites running from the designated computer are affected. Only members of the local Administrator group can restart the WWW Publishing service. In the IIS console, right-click the website that you want to restart. Note that the pop-up menu enables you to stop, start, or pause services for the website. When the site is stopped, you will see (Stopped) next to the site name in the IIS Manager. Start the server again.
Summary In this chapter, you learned about the Windows Server 2003 system recovery options and utilities. We covered the following topics:
The Windows Backup utility, which includes a Backup Wizard and Restore Wizard, Automated System Recovery, and the option to schedule backups
How to use shadow copies to maintain copies of files based on a schedule you define for historical purposes
How to install IIS. You add IIS and its optional components through the Add Or Remove Programs icon in Control Panel.
The security issues that should be addressed before you install IIS.
How to create a new website. A single computer can host multiple websites.
186
Chapter 3
System Recovery and Web Services
How to configure and administer IIS. The website Properties dialog box contains eight tabs full of options for your website.
How to configure the master properties, which can be applied to all websites configured on an IIS server.
How to create a backup of the IIS metabase, which is a hierarchical database containing all of the IIS settings.
How to troubleshoot IIS errors and access problems. Depending on the nature of the problem, you can verify network access and name resolution, verify a website’s content directory, check the access permissions, and restart IIS.
Exam Essentials Use the Windows Server 2003 Backup utility. Be able to use the Windows Server 2003 Backup utility to perform system backups and restores. Understand what information is backed up through the System State data option of backup. Be able to restore System State data on a Windows Server 2003 domain controller. Understand the backup schemes, the amount of data backed up by each scheme, and the number of tape sets that are required to execute a restore based on the backup scheme used. Be able to create an Automated System Recovery backup and know how to perform an Automated System Recovery restore. Know how to schedule backups to run on a specified schedule. Know how to install and configure a web server. Know how to install and configure IIS. Know which protocols are used to support different services. Know what security issues should be addressed for IIS. Be able to configure IIS security. Troubleshoot web access problems. List the common problems that cause users access problems and be able to correct them.
Key Terms Before you take the exam, be certain you are familiar with the following terms: Automated System Recovery (ASR)
Internet Server Application Programming Interface (ISAPI) filters
Backup utility
Network News Transfer Protocol (NNTP)
Backup Wizard
shadow copies
bandwidth throttling
Simple Mail Transfer Protocol (SMTP)
File Transfer Protocol (FTP)
windir
Hypertext Transfer Protocol (HTTP)
Review Questions
187
Review Questions 1.
You are the network administrator of a medium-sized company. You have a third-party utility that is used to manage the Active Directory. Before you install the application, you back up your domain controller’s System State data and the Active Directory database using the Backup utility. After you install the third-party application, you realize that one of your domains is corrupt. You remove the application and want to restore the Active Directory database. When you try to perform an authoritative restore of the Active Directory database and information that was backed up through the Backup utility, you are unable to restore the Active Directory service database. Which of the following actions should you take? (Choose all that apply.) A. Restore the ERD. B. Restore the System State data using your ASR backup. C. Perform an authoritative restore with the Ntdsutil utility and restart the computer. D. Boot the computer to Recovery Console Mode and perform an authoritative restore of
the Active Directory. E. Restart the computer using the Advanced Startup Option Directory Services Restore Mode. 2.
You have configured your Windows Server 2003 computer with Certificate Server. Which option should be configured in Windows Backup to ensure that all of the Certificate Server files are properly backed up? A. Back up \Windir\Certificate. B. Back up \Windir\System32. C. Back up \Windir\CertServices. D. Back up the System State data.
3.
You are using Windows Server 2003 Backup. You configure the backup program to back up the System State data. Which of the following options is not considered System State data? A. Registry B. The boot partition C. COM+ Class Registration database D. System boot files
188
4.
Chapter 3
System Recovery and Web Services
You are the network administrator for the Wacky Widgets Corporation. You manage a server called \AcctData that is used to store all of the data for the accounting department. The D: drive for the \AcctData server stores all of the data that is used for forecasting of sales information. This data changes on a daily basis. Sometimes the analysts need to access data from a historical standpoint that may have been modified. You decided to implement shadow copies on the \AcctData D: drive and configure the server as shown in the following exhibit:
You have an analyst named Dietrich who is using Windows XP Professional; when he tries to access a shadow copy from the \AcctData server, he sees the following screen:
Review Questions
189
You have an analyst named Curtis who is using Window XP Professional; when he tries to access a shadow copy from the \AcctData server, he sees the following screen:
What needs to be done so that Curtis can access shadow copies from his computer? A. Edit the Registry entry HKEY_LOCAL_COMPUTER\SOFTWARE\Shadow Copies\Enable
to a value of 1. B. Curtis needs to be added to the Server Operators group. C. From the Shadow Copies tab on the server, click the Settings button to specify that Cur-
tis is allowed to use shadow copies. D. Install the twclient software on Curtis’s computer. 5.
You are the network administrator for a large network. One of your responsibilities is managing all of the accounting servers. One of your servers has become infected with a virus and you suspect that some of the system operating system files have become corrupt. Which of the following system recovery techniques should you use to recover system operating system files? A. Use the ERD. B. Use Automated System Recovery. C. Use System Restore. D. Use Driver Rollback.
190
6.
Chapter 3
System Recovery and Web Services
You are the network administrator for a large network. You are responsible for all of the servers in the IT department. One of the servers has extremely large disk drives and your tape backup system will not accommodate backing up all of the data at once. You want to back up any data that has changed each day. Which of the following backup options backs up only the files that have not been marked as archived and sets the archive bit for each file that is backed up? A. Copy B. Differential C. Incremental D. Normal
7.
You have chosen to use the differential backup method. You perform a full backup on Friday. On Monday, Tuesday, and Wednesday you perform differential backups. Early Thursday morning, the server fails. Within the following exhibit, drag and drop the tapes on the server that will be used to restore the server backup. Select and place tapes required for restore
8.
Tape A
Friday—Full Backup
Tape B
Monday—Differential
Tape C
Tuesday—Differential
Tape D
Wednesday—Differential
Jayda manages her company’s internal website. She wants users to contact her directly if they receive error 404: Not found. She creates a custom error file with the message “Error: Contact Jayda at (415) 555-1234.” What steps must she take? A. Create a file with an .ERR extension. Save it to the \inetpub directory. B. Create a file with an .MSG extension. Save it to the \wwwroot directory. C. Create a file with an .HTM extension. Save it to the systemroot:\help\iisHelp\common\
directory. D. Create a file with either an .HTM or an .MSG extension. Save it to the systemroot:\help\
iisHelp\common\ directory.
Review Questions
9.
191
When Kyle accesses his company’s internal network, he does not see a list of the documents in the website’s home folder. Since this is an internal site, the managers decide that users should be able to access a directory list. Which option should be configured? A. Directory Browsing B. File Lists C. Display Contents Of Folder D. DOS-style Directory Listing
10. You are the system administrator at a web hosting company. A particular company’s website, www.FREERAZOR.com, gets a sudden increase in traffic due to a one-day special promotion they advertised. There is so much traffic to the site that it is disrupting access for all of the other websites hosted on that web server. What options can you configure to relieve the access and congestion problems for the rest of the websites on the web server? (Choose two.) A. In the website’s Properties, limit the network bandwidth available to FREERAZOR
.COM. B. In the web server’s Properties, limit the network bandwidth available to FREERAZOR
.COM. C. In the website’s Properties, enable content expiration for FREERAZOR.COM. Indicate
that website content should expire immediately. D. In the website’s Properties, limit the number of website connections allowed to
FREERAZOR.COM. E. In the web server’s Properties, change the virtual directory for FREERAZOR.COM to
point to its mirror site on a separate server. 11. You have a corporate website that will be used by local and remote users. You want to ensure that security is maintained and you want users to log on to the website with either Windows 2000 or Windows 2003 user accounts and passwords. Which of the following website authentication methods require the user to present a valid Windows 2000 or Windows 2003 user account and password? (Choose all that apply.) A. Basic authentication B. Digest authentication for Windows domain servers C. Integrated Windows authentication D. Anonymous access 12. What is one way you can secure your web server against malicious attacks via HTTP? A. Defend the bandwidth threshold in the web server Properties. B. Change the anonymous access privileges to use the Windows Server 2003 Guest account. C. Reconfigure the website to listen for clients on TCP port 10000. D. Set an ISAPI filter with a rule to deny all HTTP traffic.
192
Chapter 3
System Recovery and Web Services
13. When user Becky tries to browse to the intranet site via a link she created on her desktop, she gets the error “The site you are trying to reach does not currently have a default page.” Other users in her department can browse to the site. How can you fix the problem? A. Enable anonymous access for all users. B. Set the proxy server to bypass local traffic. C. Set Becky’s browser to bypass the proxy server for local traffic. D. Set the Properties for the intranet site to Enable Default Content Page. 14. None of your users can access the default.htm page on the corporate intranet. The error they get is “The page cannot be displayed.” Which of the following is not a valid troubleshooting step in this scenario? A. Try to ping the web server by name and IP address. B. Stop and start the website. C. Restart the WWW Publishing service. D. Change the Windows user account for anonymous access back to IUSR_computername. 15. Your website’s home page lists a special offer that expires at the end of the month. How can you configure IIS so that users don’t find out about the promotion after it’s over? A. Configure HTTP Keep-Alives. B. Configure Content Expiration. C. Configure HTML Header Forwarding. D. Configure HTTP Expiration.
Answers to Review Questions
193
Answers to Review Questions 1.
C, E. If you need to restore System State data on a domain controller, you must restart your computer with the advanced startup option Directory Services Restore Mode. This allows the Active Directory service database and the SYSVOL directory to be restored. If the System State data is restored on a domain controller that is a part of a domain where data is replicated to other domain controllers, you must perform an authoritative restore. For an authoritative restore, you use the Ntdsutil.exe command, then restart the computer. There is no ERD (Emergency Repair Disk) in Windows Server 2003.
2.
D. On Windows Server 2003 computers, System State data includes the Certificate Services database if the server is configured as a Certificate Server. You can back up and restore System State data through the Windows Backup utility.
3.
B. On any Window Server 2003 computer, System State data consists of the Registry, the COM+ Class Registration database, and the system boot files. This data can be backed up and restored with the Windows Backup utility.
4.
D. You can configure the Client for Shadow Copies on Windows XP and Window Server 2003 computers. In order to use shadow copies, the client must install the Shadow Copies of Shared Folders software. Windows Server 2003 computers have this software installed in the \windir\system32\ clientswclient folder. You can distribute this software through group policy, or you can create a share to let the clients download and install the client software.
5.
B. Windows XP Professional and Windows Server 2003 now include a new feature in Windows Backup called Automated System Recovery (ASR). ASR is used to recover from system partition damage. ASR works by allowing you to back up operating system files onto backup media and hard disk configuration settings to a floppy disk. After you have backed up your system settings, you can restore your operating system files by booting to the Windows Server 2003 CD and during text-mode, when prompted, pressing F2 to run Automated System Recovery, then following the screen instructions that appear.
6.
C. Incremental backups are used to back up only the files that have not been marked as archived and set the archive bit for each file that is backed up. This option requires the last normal backup and all of the incremental tapes that have been created since the last normal backup for the restore process.
7.
With differential backups, you only need to restore the last full backup and the last differential tape. Select and place tapes required for restore Tape A Tape D
194
Chapter 3
System Recovery and Web Services
8.
C. To create a custom error message, Jayda should create an .HTM file, which can then be mapped to a specific HTML error. By default, these files appear in the systemroot:\help\ iisHelp\common\ directory.
9.
A. The Directory Browsing option exposes your directory structure to users who access your website without specifying a specific HTML file.
10. A, D. To relieve the access and congestion problems for the other websites on the same server, you can employ bandwidth throttling to limit the network bandwidth available to FREERAZOR.COM. You can also limit the number of connections allowed, which will ease the congestion problems. 11. A, B, C. If you configure your website to use basic authentication, digest authentication for Windows domain servers, or integrated Windows authentication, the user will be prompted for a Windows 2000 or Windows 2003 username and password. 12. C. By default, TCP port 80 is used by IIS websites. For increased security, you can change the default TCP port used for HTTP traffic from port 80 to a unique port number. Note that clients must have their browser settings reconfigured to communicate with the web server via this unique port number. 13. D. The error message “The site you are trying to reach does not currently have a default page” indicates that no default content page is configured in the Documents tab of the website’s Properties. Without a default content page specified, no content can be sent to a client who does not indicate a specific page. The users who could browse to the site successfully were most likely pointing not just to the site, but to a specific page on the site, which would circumvent the error. 14. D. This error indicates a connection or service problem, so options A through C are all valid troubleshooting options. The error has nothing to do with which Windows account is being used for anonymous access, so D is wrong. 15. B. If your website contains information that is time-sensitive, you can configure Content Expiration to make sure clients always get the most up-to-date pages delivered to them. You can set the content to expire immediately, after a specified number of minutes, or on a specific date. The web browser determines whether it should use a cached copy of a requested page or whether it should request an updated copy of the web page from the website.
Chapter
4
Managing Windows Server 2003 Remotely MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Manage servers remotely
Manage a server by using Remote Assistance
Manage a server by using Terminal Services remote administration mode
Manage a server by using available support tools
Troubleshoot Terminal Services
Diagnose and resolve issues related to Terminal Services security
Diagnose and resolve issues related to client access to Terminal Services
In the previous chapter you saw how to perform successful backup and recovery operations, as well as how to plan and deploy IIS for remote access to internal resources via a web site. Now, we'll take a look at the remote administration features included with Windows Server 2003 such as Terminal Services and Remote Desktop. Terminal Services supports networks with older client computers by allowing just about any Windows-based computer or terminal to use Terminal Services servers to handle the entire computing load for every Terminal Services client. Terminal Services can also be used for remote administration. Through Terminal Services, technical staff can perform administrative tasks on remote servers and clients with ease. Terminal Services does require a certain amount of planning. You should make sure that the computer you use as the Terminal Services server is powerful enough to handle all of the users who will be connected to it and that your clients are able to run the client software. You also need to purchase and configure all of the proper licenses that are required to run Terminal Services. After you have planned your Terminal Services configuration, you can begin deploying the server and client software. Terminal Services includes a configuration utility, a management utility, and a client creator tool for managing the server and clients. In this chapter, you will learn how Terminal Services works and how to install, configure, manage, and troubleshoot Terminal Services servers and clients. Windows Server 2003 also supports Remote Desktop and Remote Assistance. Remote Desktop allows you to take remote control access of a remote computer. Remote Assistance is used to request assistance from an expert user.
Understanding Terminal Services The main function of a Terminal Services server is to enable what are known as thin clients to run application sessions directly on a Windows Server 2003. Thin clients are usually devices with simple hardware configurations, often legacy desktops, which lack the hardware resources to run the latest Microsoft Windows operating system or applications. Terminal Services turns Microsoft Windows Server 2003 into a multi-user operating system, in which multiple clients can access the server simultaneously. Such clients often include legacy personal computers, Windows CE–based handheld PCs (H/PCs), or traditional terminal clients. The term Windows-based terminal (WBT) broadly describes a class of thin-client terminal devices that can gain access to servers running a multi-user Windows operating system, such as Windows Server 2003 running Terminal Services.
Understanding Terminal Services
197
In a Terminal Services environment, the only data transmitted across the wire is video, keystroke, and mouse output. The Terminal Services server executes applications and processes all information locally and sends only the data response back to the Terminal Services client. This approach allows clients to run much more powerful applications than they could run locally, as well as minimizing network bandwidth utilization between the server and client. Clients can access Terminal Services over a local area connection or a wide area connection (for example, through a Virtual Private Network connection). Some of the clients that can act as Terminal Services clients include:
MS-DOS-based clients
Windows for Workgroups clients, version 3.11 or later
Windows-based terminals (Windows CE devices)
Macintosh clients (with third-party software)
Unix clients (with third-party software)
In the following sections you will learn about Terminal Services modes, benefits of Terminal Services, Terminal Services enhancements in Windows Server 2003, and Terminal Services components.
Terminal Services Modes Terminal Services can serve either of two functions:
Terminal Server mode delivers powerful user applications to computers that may be unable to run such applications locally because of hardware or other limitations.
Remote Desktop For Administration mode allows administrators to perform administrative tasks on remote servers and clients from a centralized console.
Terminal Server Mode In Terminal Server mode, the Terminal Services server enables administrators to deploy and manage enterprise applications from a central location. The server’s graphical user interface is transmitted to the remote client (the thin client), and the client sends keyboard and mouse signals to the server. Users log on through any client on the network and can see only their individual session. Terminal Services manages unique client sessions transparently. Many different types of hardware devices can run the thin-client software, including Windows-based terminals and computers. You can deploy applications by installing them directly on the server or you could use Group Policy and Active Directory to publish Windows Installer application packages to a Terminal Services server or a group of Terminal Services servers. Applications can be installed by an Administrator— only on a per-server basis, and only if the appropriate Group Policy setting is enabled. It is necessary to use a license server; each client computer that will connect to the Terminal Services server must have a Terminal Services Client Access License as well as a Client Access License for the appropriate version of Microsoft Windows. Terminal Server licensing is covered in detail in the section “Determining Proper Licensing Requirements,” later in this chapter.
198
Chapter 4
Managing Windows Server 2003 Remotely
In Windows 2000, Terminal Server mode was called Application Server mode.
Remote Desktop For Administration Mode The Remote Desktop For Administration mode gives system administrators the ability to remotely administer any Windows Server 2003 server over any TCP/IP connection. The administrator can access administrative graphical utilities even if the local computer they are using does not have a Windows-based operating system. Some of the tasks that can be administered include file and print sharing, edits to the Registry, and performance monitoring.
In Windows 2000, Remote Desktop For Administration mode was called Remote Administration mode.
You can use Remote Desktop For Administration mode in conjunction with Terminal Server mode to support up to two concurrent remote administration sessions. In Windows 2000, you could not use Application Server mode and Remote Desktop For Administration mode concurrently.
Benefits of Terminal Services Terminal Services offers many benefits that could make it the most advantageous solution for your network, including: Wider deployment of advanced desktop operating systems Rather than installing a full version of the latest Microsoft Windows client operating system on every Desktop, you can deploy Terminal Services instead. Computers whose hardware might not be supported by the full version of a new operating system can still take advantage of many of its features. Simultaneous operation of both the thin client software and a stand-alone operating system With Terminal Services, network users can continue to use their existing computer systems, but they can also enjoy the benefits of the Windows Server 2003 environment. Simplified application deployment Instead of installing and updating applications on every machine in the network, the administrator can install and update one copy on the Terminal Services server. This ensures that every user has access to the latest version of the application. Remote administration of the server Terminal Services allows you to administer the server remotely. This is especially useful in enterprise environments with many servers in diverse locations. Support is included for two remote sessions, which can be used for collaboration between administrators.
Understanding Terminal Services
199
Terminal Services includes many features that make it easy to use and manage. These features are described in Table 4.1. TABLE 4.1
Terminal Services Features
Feature
Description
Multiple logon support Users can log on multiple times simultaneously, either from many clients or from one client, and can log on to multiple servers as well. This allows users to perform several tasks at the same time. Roaming disconnect support
A user can disconnect from a session without logging off. The session remains active while disconnected, allowing the user to reconnect at another time or from another client.
Performance enhancements
Enhanced use of caching improves performance significantly.
Clipboard redirection
Users can cut and paste between applications on the local computer and applications on the Terminal Services server.
Automated local printer support
Printers attached to clients are automatically added and reconnected.
Security
The logon process is encrypted, and administrators can specify the number of logon attempts and the connection time of individual users. Data transmitted between the server and client can be encrypted at three levels (low, medium, or high) depending on your security needs.
Session remote control
Two users can view the same session concurrently. This allows support personnel to diagnose problems or train users.
Network load balancing
Terminal Services can evenly distribute client connections across a group of servers, thus alleviating the load on any one server.
Windows-based terminals
Windows-based terminals that run on a modified version of Windows CE and Remote Desktop Protocol are available.
Client Connection Manager
This utility creates an icon on the Desktop that allows quick connectivity to servers for either single program or full Desktop access.
Terminal Services Licensing
This tool helps administrators track clients and their licenses.
Dfs support
Users can connect to a Distributed file system (Dfs) share. Administrators can host a Dfs share from a Terminal Services server.
200
Chapter 4
TABLE 4.1
Managing Windows Server 2003 Remotely
Terminal Services Features (continued)
Feature
Description
Terminal Services Manager
This tool is used by administrators to query and manage sessions, users, and processes.
Terminal Services Configuration
This tool is used to create, modify, and delete sessions.
Integration with local users and groups and the Active Directory
Administrators can create Terminal Services accounts in much the same way as they create regular user accounts.
Integration with System Monitor
System performance characteristics of Terminal Services can be tracked by System Monitor.
Messaging support
Administrators can send messages to clients.
Remote administration Users with appropriate permissions can remotely manage all aspects of a Terminal Services server. Configurable session timeout
Administrators can configure how long a session can remain either active or idle before disconnecting it.
Terminal Services Improvements and Enhancements for Windows Server 2003 The following features and improvements have been made for Terminal Services in Windows Server 2003: Improved scalability Terminal Services supports more users on high-end servers compared to the number of users that could be supported in Windows 2000. There is also support for network load balancing. New Remote Desktop For Administration Mode In Windows 2000, remote administration was implemented directly through the Terminal Services server. In Windows Server 2003, this component has been modularized and is implemented through Remote Desktop For Administration mode. New Remote Desktop Connection Remote Desktop Connection replaces the Terminal Services client that was used to make remote connections to the server. Remote Desktop Connection uses an improved user interface, allows users to easily save connection settings, and control the Remote Desktop environment (referred to as Experience).
Planning the Terminal Services Configuration
201
Terminal Services Components Terminal Services consists of three components: the Terminal Services server, the Remote Desktop Protocol, and the Terminal Services client. The Terminal Services server communicates with the Terminal Services client using the Remote Desktop Protocol. We will look at each of these components in the following sections.
The Terminal Services Server Most Terminal Services operations take place on the Terminal Services server (or Terminal Server). Applications are run on the server. The Terminal Services server sends only screen information to the client and receives only mouse and keyboard input. The server must keep track of the active sessions, and this process is completely transparent to the clients. The data itself is considered very secure because it is stored solely on the server and not on the client.
The Remote Desktop Protocol When you install Terminal Services, the Remote Desktop Protocol (RDP) is automatically installed. RDP is the only connection that needs to be configured in order for clients to connect to the Terminal Services server. You can configure only one RDP connection per network adapter. You use the Terminal Services Configuration tool to configure the properties of the RDP connection. You can set encryption settings and permissions, and limit the amount of time client sessions can remain active.
The Terminal Services Client The Terminal Services client (or Terminal client) uses thin-client technology to establish a connection with the server and display the graphical user interface information that it receives from the server. This process requires very little overhead on the client’s part, and it can be run on older machines that would not otherwise be able to use newer applications. The Terminal Services client uses Remote Desktop Connection (RDC), which is the latest client software used by Terminal Services. The software that ships with Windows Server 2003 and Windows XP Professional uses Remote Desktop Protocol (RDP) 5.2, which makes significant improvements and enhancements over previous versions of Terminal Services client software.
Planning the Terminal Services Configuration Before you can use Terminal Services, you need to determine which applications will be shared and what kind of hardware you will be using. The requirements for running a Terminal Services server are more substantial than for those servers running Windows Server 2003 without Terminal Services, especially if you are using it to run applications on the server.
202
Chapter 4
Managing Windows Server 2003 Remotely
You must also consider the extent and cost of licensing a Terminal Services configuration. Each client that will connect to the Terminal Services server must have a special Terminal Services client license. In the following sections you will learn how to determine client applications and the hardware requirements for Terminal Services servers.
Determining Client Applications Applications used with Terminal Services are installed on a per-computer basis, rather than a per-user basis. They must be available to every user who accesses the Terminal Services server. Administrators can install applications on the Terminal Services server directly or from a remote session. Terminal Services tends to require extra system resources to manage all of the client traffic. You should be aware of certain program characteristics that might inordinately tax the server. Intel-based programs running on Alpha machines, video-intensive applications, MS-DOS applications, and bits of code that are continuously running (such as automatic spell checkers) can drain system resources. You should limit access to these types of programs to only those users who really need them, and turn off any optional application features that might burden the server unnecessarily. The Windows Server 2003 operating system uses a 32-bit environment (for x86-based computers) or a 64-bit environment (for Itanium-based computers). In order to run 16-bit applications, Windows Server 2003 must employ a system called Windows On Windows (WOW), which consumes copious system resources. Using 16-bit applications can reduce the number of users that a single processor can handle by 40 percent and can increase the amount of memory required for each user by 50 percent. Obviously, it’s best to use 32-bit applications whenever possible.
You cannot run 16-bit applications on the 64-bit version of Windows 2003. Running 32-bit applications on the 64-bit platform will result in significantly reduced performance.
Determining Hardware Requirements You will need a computer that can handle the Terminal Services loads for your Terminal Services server. The requirements for Terminal Services clients are minimal. The hardware requirements for a Terminal Services server depend on how many clients will be connecting concurrently and the usage requirements of the clients. The following are some guidelines:
A Terminal Services server requires at least a Pentium processor and 128MB RAM (256MB RAM to perform adequately). You should also provide an additional 10MB to 20MB RAM per client connection, depending on the applications the clients will be using. A Terminal Services server shares executable resources among users, so memory requirements for additional users running the same application are less than the requirements for the first user to load the program.
Installing Terminal Services Server
203
You should use a high-performance bus architecture such as EISA, MCA, or PCI, with PCI being preferred since it is the highest performance architecture. The ISA (AT) bus cannot move enough data to support the kind of traffic that is generated by a typical Terminal Services installation.
You should consider using a SCSI disk drive, preferably one that is compatible with Fast SCSI, Ultra WideFast, SCSI-2, or Ultra160 SCSI. For the best performance, you should use a SCSI disk with RAID, which significantly reduces disk-access time by placing data on multiple disks.
Because many users will be accessing the Terminal Services server simultaneously, you should use a high-performance network adapter. The best solution would be to install two adapters in your machine and dedicate one to RDP traffic only. The Terminal Services client runs well on a variety of machines, including:
Windows-based terminal devices (embedded)
Intel and Alpha-based computers running Windows for Workgroups 3.11, Windows 95, Windows 98, Windows Me, Windows CE, Windows NT 3.1, 3.5, and 3.51, Windows NT 4, Windows 2000, Windows XP, or Windows Server 2003
Macintosh OS-X (with third-party software)
Unix-based computers (with third-party software)
Installing Terminal Services Server The Terminal Services server controls all of the thin clients that are connected to it. All Terminal Services operations actually take place on the Terminal Services server. The clients are nothing more than dumb terminals that display information sent from the server and send mouse and keyboard information to the server. You install Terminal Services through the Add Or Remove Programs applet in Control Panel. Exercise 4.1 steps you through the process. EXERCISE 4.1
Installing a Terminal Services Server 1.
Select Start Control Panel Add Or Remove Programs.
2.
In the Add Or Remove Programs window, click Add/Remove Windows Components.
204
Chapter 4
Managing Windows Server 2003 Remotely
EXERCISE 4.1 (continued)
3.
The Windows Components Wizard will automatically start. Check the Terminal Server checkbox and click the Next button.
4.
The Terminal Server Setup page will appear. You’ll be presented with information notifying you that certain applications may not work properly after installing Terminal Services in Terminal Server mode and that you will need to have Terminal Server Licensing configured within 120 days. Click the Next button.
Installing Terminal Services Server
205
EXERCISE 4.1 (continued)
5.
The Terminal Server Setup page for security settings will appear. You can select Full Security or Relaxed Security. Select the Relaxed Security option and click the Next button to continue.
6.
The appropriate files will be copied from the Windows Server 2003 distribution CD. The Completing The Windows Components Wizard page will appear. Click the Finish button.
7.
The System Settings Change page will appear. This prompts you to reboot the computer. Click Yes to reboot now.
After you install Terminal Services, three new items are added to the Administrative Tools program group:
Terminal Services Configuration
Terminal Services Manager
Terminal Server Licensing
The following sections describe how to configure and manage Terminal Services with the Terminal Services Configuration and Terminal Services Manager utilities. You will also learn how to license Terminal Services.
206
Chapter 4
Managing Windows Server 2003 Remotely
Using the Terminal Services Configuration Utility With the Terminal Services Configuration utility (TSCC.msc), you can change the properties of the RDP-Tcp (Remote Desktop Protocol–Transmission Control Protocol) connection that is created when you install Terminal Services. You can also add new connections with this utility. To open Terminal Services Configuration, select Start Administrative Tools Terminal Services Configuration. The main Terminal Services Configuration window is shown in Figure 4.1. FIGURE 4.1
The Terminal Services Configuration window
In the following sections you will learn how to manage Terminal Services connections, Terminal Services server settings, and Terminal Services user settings through the Terminal Services Configuration utility.
Configuring and Managing Terminal Services Connections To configure the properties for a specific connection, select the Connections folder, right-click the connection (for example, RDP-Tcp) in the Terminal Services Configuration window, and select Properties from the pop-up menu. This opens the RDP-Tcp Properties dialog box. This dialog box has eight tabs: General, Logon Settings, Sessions, Environment, Remote Control, Client Settings, Network Adapter, and Permissions. The options on these tabs are described in the following sections.
Configuring General Properties The General tab, shown in Figure 4.2, shows the connection type and transport protocol. In this tab, you can also specify a comment for the connection, select the encryption level that will be
Using the Terminal Services Configuration Utility
207
used, and choose whether or not standard Windows authentication will be used. If another authentication package has been installed on the server (besides Windows authentication), you would have the option of selecting standard Windows authentication as opposed to the authentication method that had been installed on the server. FIGURE 4.2
The General tab of the RDP-Tcp Properties dialog box
Terminal Services uses the standard RSA RC4 encryption method when transferring data between the server and clients. You can change the level of encryption depending on your needs. The Encryption Level drop-down list has four choices:
The Low setting encrypts data sent from the client to the server, but not from the server to the client, using a 56-bit encryption key.
The Client Compatible setting encrypts data between the server and the client at the highest security level that can be negotiated between the server and the client. This encryption level is used with environments that support a mixture of Windows 2000 and higher and older legacy clients.
The High setting secures data traveling in both directions. This encryption level uses a 128-bit key. If a client does not support 128-bit encryption, they will not be able to connect to the Terminal Services server.
The FIPS Compliant setting uses Federal Information Processing Standard (FIPS) to encrypt data that is sent between the server and the client. If you enable FIPS compliance through the Group Policy setting System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing, then this option will be enabled by default and you will not be able to change the security setting for the Terminal Services connection.
208
Chapter 4
Managing Windows Server 2003 Remotely
Windows XP Professional and Windows XP Professional with SP1 do not support the FIPS Compliant level and cannot connect to a Windows Server 2003 server using remote assistance.
Configuring Logon Settings The Logon Settings tab, shown in Figure 4.3, allows you to specify whether the client will provide logon information or whether the logon information will be pre-configured for the User Name, Domain, Password, and Confirm Password. You can also specify whether the user will always be prompted for a password even if the user has configured their password for automatic logon. FIGURE 4.3
The Logon Settings tab of the RDP-Tcp Properties dialog box
Configuring Sessions Settings The Sessions tab, shown in Figure 4.4, allows you to configure the following option:
The first Override User Settings selection is used to override user settings that have been configured for a user through the Active Directory Users And Computers utility. You can choose to end a disconnected session, active session, or idle session based on how long the session has been disconnected, active, or idle (time can be never, by minutes, or by days).
The second Override User Settings selection is used to override user settings that have been configured for a user through the Active Directory Users And Computers utility. You can specify that when a session limit is reached or a connection is broken, you want to disconnect from the session or end the session. A disconnected session is saved on the server, and the disconnected
Using the Terminal Services Configuration Utility
209
user can reconnect from any client without losing any data. Ending a session closes all of the user’s applications immediately, usually resulting in lost data.
The third Override User Settings selection is used to override user settings that have been configured for a user through the Active Directory Users And Computers utility. You can allow a reconnection from any client or from a previous client.
FIGURE 4.4
The Sessions tab of the RDP-Tcp Properties dialog box
Configuring Environment Settings The Environment tab, shown in Figure 4.5, allows you to override the settings that are created in the Active Directory Users And Computers utility or client settings that are configured in the Client Connection Manager. When this option is selected, you can configure a specific program to start when the user logs on. FIGURE 4.5
The Environment tab of the RDP-Tcp Properties dialog box
210
Chapter 4
Managing Windows Server 2003 Remotely
Configuring Remote Control Options Remote control allows you to view or control a user’s session from another session. You cannot control a session from the Terminal Services server console. The Remote Control tab, shown in Figure 4.6, allows you to configure the following options:
Use Remote Control With Default User Settings
Do Not Allow Remote Control
Use Remote Control With The Following Settings (with this option you can configure Require User’s Permission, which allows you to configure whether the user can only view the session or can interact with the session).
FIGURE 4.6
The Remote Control tab of the RDP-Tcp Properties dialog box
You can access a session for remote control management through the Terminal Services Manager utility, as described in “Using Remote Desktop and Remote Assistance for Administration,” later in this chapter.
Configuring Client Settings The Client Settings tab, shown in Figure 4.7, allows you to configure connection settings and specify which options are disabled.
Using the Terminal Services Configuration Utility
FIGURE 4.7
211
The Client Settings tab of the RDP-Tcp Properties dialog box
By default, mappings that a user sets in a session are lost when the user logs off. Terminal Services Configuration allows you to automatically restore the user’s mappings every time he or she logs on. Users can map drives and connect to Windows printers, and can set the main client printer as the default. You can also specify whether you want to limit maximum color depth for the Terminal Services client. In addition, you can specify whether the following options are disabled:
Drive mapping
Windows printer mapping
LPT port mapping
COM port mapping
Clipboard mapping
Audio mapping
Configuring the Network Adapter The Network Adapter tab, shown in Figure 4.8, allows you to specify the network adapter that will service Terminal Services clients. You can also allow unlimited connections or set the maximum number of connections that can be made. You might choose to limit connections to conserve your server’s resources and improve its ability to service clients.
212
Chapter 4
FIGURE 4.8
Managing Windows Server 2003 Remotely
The Network Adapter tab of the RDP-Tcp Properties dialog box
Configuring Connection Permissions The Permissions tab, shown in Figure 4.9, allows you to configure permissions that allow or deny Terminal Services server access to users and groups. The specific permissions you can set are: Full Control, which allows:
Query Information, which queries sessions and servers for information
Set Information, which configures connection properties
Remote Control, which allows you to view or control another session
Logon, which logs on to a Terminal Services session
Logoff, which logs off another user from a session
Message, which sends a message to another session
Connect, which connects to another session
Disconnect, which disconnects another session
Virtual Channels, which uses virtual channels to provide access from a server program to client devices User Access, which allows:
Query Information, which queries sessions and servers for information
Using the Terminal Services Configuration Utility
Logon, which logs on to a Terminal Services session
Connect, which connects to another session
Message, which sends a message to another session Guest Access, which allows:
213
Logon, which logs on to a Terminal Services session Special Permissions allow you to create a customized combination of permissions, which can be set through the Advanced button
By default, the RDP-Tcp connection that is installed with Terminal Services assigns Full Control to Administrators and User Access to Users. FIGURE 4.9
The Permissions tab of the RDP-Tcp Properties dialog box
You can set specific permissions by clicking the Advanced button in the Permissions tab, which accesses the Advanced Security Settings For RDP-Tcp dialog box shown in Figure 4.10. Then click the name (the user or group) you want to set permissions for and click the Edit button. You will see the Permission Entry For RDP-Tcp dialog box (shown in Figure 4.11), which allows you to set customized Terminal Services permissions.
214
Chapter 4
Managing Windows Server 2003 Remotely
FIGURE 4.10
The Advanced Security Settings For RDP-Tcp dialog box
FIGURE 4.11
The Permission Entry For RDP-Tcp dialog box
Using the Terminal Services Configuration Utility
215
Managing Server Settings Through the Terminal Services Configuration utility, you can also configure settings that apply to the Terminal Services server. When you click the Server Settings folder in the Terminal Services Configuration, as shown in Figure 4.12, you see configuration options defined in Table 4.2. FIGURE 4.12
TABLE 4.2
The Terminal Services Configuration\Server Settings window
Terminal Services Server Settings
Setting
Value
Description
Delete Temporary Folders On Exit
Yes/No
Specifies whether or not temporary folders are deleted after a session ends.
Use Temporary Folders Per Session
Yes/No
Specifies whether or not temporary folders should be created for each session.
Licensing
Enable/Disable
Specifies whether you are using the Per Device or the Per User Licensing Mode. If you enable licensing, a license is required for each device that connects to the Terminal Services server.
Active Desktop
Enable/Disable
Turns on or off the Active Desktop. Disabling the Active Desktop conserves server resources, since the Active Desktop configuration is not passed between the Terminal Services server and the Terminal Services client.
Permission Compatibility
Full Security or Relaxed Security
Specifies whether you are using Full Security or Relaxed Security for clients accessing the Terminal Services server. Some applications may not work properly with Full Security.
Chapter 4
216
TABLE 4.2
Managing Windows Server 2003 Remotely
Terminal Services Server Settings (continued)
Setting
Value
Description
Restrict Each User To One Session
Enabled/Disable
Specifies that, to conserve server resources, a user can only use a single session.
Session Directory
Enable/Disable Session Directory
Stores user session information in a Session Directory, which is used to reconnect to disconnected servers if the Terminal Services server is a part of a server cluster.
In Exercise 4.2, you will use the Terminal Services Configuration utility to configure the Terminal Services server you installed in Exercise 4.1. EXERCISE 4.2
Configuring a Terminal Services Server 1.
Select Start Administrative Tools Terminal Services Configuration.
2.
In the Terminal Services Configuration window, expand the Connections folder and then right-click the RDP-Tcp connection and select Properties.
3.
In the General tab of the RDP-Tcp Properties dialog box, select High from the Encryption Level drop-down list.
4.
Click the Sessions tab. Check the first Override User Settings checkbox and specify 15 minutes for the Idle Session Limit option.
5.
Click the Remote Control tab. Click the Use Remote Control With The Following Settings radio button and select the Interact With The Session radio button.
6.
Click the OK button to close the RDP-Tcp Properties dialog box.
Managing Terminal Services Users You can also configure properties that apply to users on a per-user basis through user Properties in the Active Directory Users And Computers utility. If you want these properties to apply to all of the users on a connection, use Terminal Services Configuration to override the individual user settings. To set Terminal Services properties for an Active Directory user, open the Active Directory Users And Computers utility, open the folder that contains the user you want to manage (for example, the Users folder), and double-click the user account. Four of the tabs in the Active Directory user Properties dialog box contain properties that relate to Terminal Services:
The Environment tab, shown in Figure 4.13, contains options for configuring the user’s Terminal Services startup environment. This allows you to specify programs that should be started at logon and any devices that the client should connect to at logon.
Using the Terminal Services Configuration Utility
217
The Sessions tab, shown in Figure 4.14, allows you to configure Terminal Services timeout and reconnection settings.
The Remote Control tab, shown in Figure 4.15, allows you to configure Terminal Services remote control settings. You can configure whether remote control will be enabled and whether remote control access requires the user’s permission.
FIGURE 4.13
The Environment tab of the Active Directory user Properties dialog box
FIGURE 4.14
The Sessions tab of the Active Directory user Properties dialog box
218
Chapter 4
Managing Windows Server 2003 Remotely
The Terminal Services Profile tab, shown in Figure 4.16, allows you to set up a Terminal Services user profile. You can also specify the location of the Terminal Services home directory that will be used by the user.
FIGURE 4.15
The Remote Control tab of the Active Directory user Properties dialog box
FIGURE 4.16 dialog box
The Terminal Services Profile tab of the Active Directory user Properties
Using the Terminal Services Manager Utility
219
Using the Terminal Services Manager Utility The Terminal Services Manager utility allows you to manage and monitor users, sessions, and processes that are connected to or running on any Terminal Services server on the network. With this utility, you can perform the following tasks:
Display information about servers, sessions, users, and processes
Connect to and disconnect from sessions
Monitor sessions
Reset sessions
Send messages to users
Log off users
Terminate processes
To open Terminal Services Manager, select Start Administrative Tools Terminal Services Manager. The main Terminal Services Manager window is shown in Figure 4.17. The navigation pane on the left displays the domains, servers, and sessions. The details pane on the right has tabs that display information about the selected item in the navigation pane. FIGURE 4.17
The Terminal Services Manager window
Chapter 4
220
Managing Windows Server 2003 Remotely
The options on the Actions menu allow you to perform several actions on sessions and processes. Most of these actions require special permissions. The Actions menu options are described in Table 4.3. TABLE 4.3
Terminal Services Manager Actions Menu Options Permission Required
Action
Description
Connect
Allows a user to connect to a session from another session. Full Control or This option can be used only from a session; it cannot be User Access used from the console.
Disconnect
Disconnects a user from a session. The session is saved, and all running applications continue to run.
Full Control
Send Message
Allows a user to send a message to any or all sessions.
Full Control or User Access
Remote Control
Allows a user to use the session to view or control another Full Control user’s session. Sessions cannot be controlled from the console.
Reset
Immediately ends a session. Any unsaved data will be lost. Full Control
Status
Displays information about a session, such as bytes sent and received.
Full Control or User Access
Log Off
Logs off a user from a session.
Full Control
End Process
Ends a process on a session. This is useful if a program has Full Control crashed and is no longer responding.
Using Terminal Services Licensing Terminal Services uses its own licensing method. A Terminal Services client must receive a valid license from a Terminal Services license server before logging on to a Terminal Services server to run applications. For remote administration, two concurrent client sessions are allowed automatically; you do not need to receive a license from a license server. You can enable Terminal Services Licensing when you install Windows Server 2003 or later, through the Add Or Remove Programs icon in Control Panel. When you enable Terminal Services Licensing, you can select between two types of license servers:
An enterprise license server can serve Terminal Services servers on any Windows Server 2003 or Windows 2000 domain, but cannot serve workgroups or Windows NT 4 domains.
Using Terminal Services Licensing
221
A domain license server can serve only Terminal Services servers that are in the same domain. In Windows Server 2003 or 2000 domains, domain license servers must be installed on domain controllers. In workgroups or Windows NT 4 domains, domain license servers can be installed on any member server.
In order to deploy Terminal Services, you will be required to obtain server and client licenses. The licenses you may need are described in Table 4.4. TABLE 4.4
Terminal Services Licenses
License
Description
Windows Server 2003 license
This server license is included when you purchase Windows Server 2003.
Windows Server 2003 Client Access license
This license is required for all computers or Terminal Services clients that connect to a Windows Server 2003 server. This license is required by all connecting computers to use file, print, and other network services, regardless of whether they are using Terminal Services.
Windows Server 2003 Terminal Services Client Access license
Every Terminal Services client needs to have a Windows Terminal Services Client Access license in addition to a Windows Server 2003 Client Access license. This license provides each Terminal Services client the right to connect to a Terminal Services server and run applications on the server.
Windows Terminal Services Internet Connector license
This license can be purchased and used separately from the client access licenses described above. This license allows up to 200 clients to connect anonymously from the Internet. This is useful for providing Windows-based applications to the public without porting them to a web-based format.
Work At Home Windows Terminal Services Client Access license
This license is required for users who want to use Terminal Services to access the Windows Desktop and applications from home. You can purchase a Work At Home Windows Terminal Services Client Access license for each Terminal Services Client Access license owned. The Work At Home license includes a Windows Server Client Access license, but does not include application licenses, which must be purchased separately.
The first time a client attempts to log on to the Terminal Services server, the server will recognize that the client has not been issued a license and will locate a license server to issue a license to the client. This license is a digitally signed certificate that will remain with the client forever and cannot be used by any other client.
222
Chapter 4
Managing Windows Server 2003 Remotely
Before you can begin using a license server, you must activate it through the Microsoft Clearinghouse using the Terminal Services Licensing tool. You can configure Terminal Services Licensing through the following steps: 1.
Select Start Control Panel Add Or Remove Programs.
2.
Click the Add/Remove Windows Components option.
3.
The Windows Components Wizard starts. Check the Terminal Services Licensing checkbox and click the Next button.
4.
The Terminal Services Licensing Setup dialog box appears, as shown in Figure 4.18. Specify whether the license server will be available for your entire enterprise, or for your domain or workgroup. You can accept the default location for where the license database server should be stored or select an alternate location. Click the Next button.
5.
If your Windows Server 2003 distribution CD is not already in the CD-ROM drive, you will be prompted to insert the Windows Server 2003 distribution CD so that the necessary files can be copied.
6.
The Completing The Windows Components Wizard dialog box appears. Click the Finish button. Close the Add/Remove Windows Components window.
7.
Select Start Administrative Tools Terminal Services Licensing.
8.
The Terminal Server Licensing utility starts, as shown in Figure 4.19. Note that even though you have installed a license server, it is not activated by default. Right-click your license server and select Activate Server.
FIGURE 4.18
The Terminal Services Licensing Setup dialog box
Using Terminal Services Licensing
FIGURE 4.19
9.
223
The Terminal Server Licensing window
The Terminal Server License Activation Wizard will start. Click the Next button.
10. The Connection Method dialog box appears, as shown in Figure 4.20. You can choose to
connect to the Microsoft Clearinghouse by one of three methods: Automatic, Web Browser, or Telephone. In this example, we will connect by telephone. Select the Telephone option and click the Next button. FIGURE 4.20
The Connection Method dialog box
224
Chapter 4
Managing Windows Server 2003 Remotely
11. The Country/Region Selection dialog box appears. Select your country or region and click
the Next button. 12. The License Server Activation dialog box appears (see Figure 4.21). Type in the license
number provided by Microsoft (or leave this blank and provide a valid number within 120 days). Click the Next button, then Finish. FIGURE 4.21
The License Server Activation dialog box
While you are waiting for the registration process to complete, you can issue temporary 120-day licenses to clients who need to use Terminal Services immediately.
After a license server is activated, you can begin installing client license key packs. The key packs are sets of client licenses that the license server distributes to your clients. You install key packs either at the end of the license server activation process or, later, by right-clicking a license server in the Terminal Services Licensing tool and selecting Install Licenses (this option will not be active if the license server has not been activated). Terminal Services Licensing will contact Microsoft (requires an Internet connection) and request the number of keys that you specify. Microsoft will send the keys to the license server, and the keys will be available for use immediately after they are received by the license server.
Running Applications on the Terminal Services Server
225
Running Applications on the Terminal Services Server When you have configured Terminal Services in Terminal Server mode, the Terminal Services clients you have installed will be able to access the applications running on the Terminal Services server. The following sections describe how to install applications on your Terminal Services server as well as how to configure applications for multi-session use.
Installing Applications The Registry and .ini file mapping support that is built into Terminal Services allows programs to run correctly in Terminal Services, even if they were not designed to run in a multi-user environment. Terminal Services automatically replicates the .ini files and Registry settings from the system to each user if the application is installed properly. It places the .ini files in the user’s home folder, or if no home folder is specified, in the \Windir\Documents and Settings\ Username folder. Registry settings are moved from HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\WindowsNT\CurrentVersion\Terminal Server\Install\Software to HKEY_ CURRENT_USER\Software. To install applications on a Terminal Services server, use the Add Or Remove Programs icon in Control Panel. Add Or Remove Programs automatically runs the change user command, which ensures that the .ini files and Registry entries are replicated and the program you install will work properly for all Terminal Services clients. You should install the applications on an NTFS partition, so that you can set permissions for your programs. If you need to install applications after your Terminal Services server is up and running, you should make sure that all of the users have ended their sessions. You can send a message to every session notifying them of the impending shutdown so that users have a chance to save their work. It is essential that you test your application from at least two clients before allowing users access to the Terminal Services server. This gives you the chance to test your programs before users can access them, reducing the number of errors that might occur. Some programs need to be fine-tuned before they can be run in multi-session mode. This is explained in more detail in the next section.
Configuring Application Sharing Terminal Services allows several users to simultaneously run the same program. Because of this, applications that are run with Terminal Services must be configured for multi-session use. Most of the time, you will not need to perform any extra steps for a program to run correctly with Terminal Services server. However, you might need to configure certain applications for multi-session use. In the following sections you will learn about compatibility scripts and per-user data.
226
Chapter 4
Managing Windows Server 2003 Remotely
Compatibility Scripts Most well-known applications have been tested for use with Terminal Services. Some of these applications require compatibility scripts that should be run after the program is installed to achieve the best performance on a Terminal Services server. These scripts can be found in \Windir\Application Compatibility Scripts\Install. The compatibility scripts may include notes on specific script capabilities and instructions on modifying them for custom installations. You can edit compatibility scripts in Notepad. Windows Server 2003 comes with three application compatibility scripts by default:
Eudora4.cmd, for Eudora 4.0
Msvs6.cmd, for Microsoft Visual Studio 6.0
Outlk98.cmd, for Microsoft Outlook 98
Per-User Data Each user is given an HKEY_CURRENT_USER Registry key, which stores user-specific data. There is also a Registry key called HKEY_LOCAL_MACHINE, which stores information that is shared among users. Unfortunately, applications that assume one computer equals one user also assume that they can store user-specific data in HKEY_LOCAL_MACHINE. They also assume that they can store any file-based information, such as user preferences, in the System folder or the program directory. You should always make sure that any per-user data is stored in HKEY_ CURRENT_USER, in the user’s home folder, or in a user-specified folder. Any global data should always be stored in either HKEY_LOCAL_MACHINE or in a specific location on the disk that is write-protected, such as the System folder. Problems can arise when programs need to store user-specific data in either the Registry or in a file. This data could consist of path information, such as to a mailbox, or per-user preference settings, such as enabling background spell checking. If all of this data is stored in one location, the users will need to either use the same settings or readjust their settings every time they log on. If one user updates the settings, the changes will affect every other user. Another problem is that programs sometimes update files in the Windir folder. Administrators have write access to the Windir folder, but most users do not. You will know that write access to this folder is necessary if a program executes properly for an Administrator but not for other users. You can audit all write operations and see which ones fail in order to detect and remedy the problem.
Troubleshooting Terminal Services If you are having trouble with Terminal Services, there are several things you can troubleshoot. Possible problems you might encounter include: Installed applications do not work properly on Terminal clients. You may encounter this problem if the application was installed before Terminal Services was installed. To fix this problem, uninstall the application, and then reinstall it using the Add Or Remove Programs icon in Control Panel.
Troubleshooting Terminal Services
227
Maximizing Terminal Services in Terminal Server Mode You have installed Terminal Services in Terminal Server mode. Your users are complaining that performance is much slower than expected. Before you resort to a hardware upgrade on the Terminal Services server, consider the following options that can improve the performance between a Terminal Services server and a Terminal Services client. These options would be configured on the Terminal Services server.
Minimize the use of animated graphics. This includes graphics and the animated Microsoft Office Assistant.
When configuring the desktop appearance, do not use bitmap files for wallpaper, and set wallpaper to None. Select a single color for the display appearance. Do not use screen savers.
Disable the smooth scrolling option.
Do not use Active Desktop.
Avoid the use of DOS or Windows 16-bit applications. Use Windows 32-bit applications, if possible.
Terminal Services is installed on a domain controller, and the Administrator can log on to the Terminal Services server but regular users can’t. Verify that users have the Log On Locally user right. Terminal Services is working in Terminal Server mode and after a period of time no users can access the Terminal Services server. If you are using Terminal Server mode, you can only use temporary licenses for 120 days. If you do not complete the Terminal Services licensing process, no users will be able to connect to the Terminal Services server after the temporary license period has expired. Sometimes users can access the Terminal Server and sometimes they can’t. If you are using Terminal Services in Terminal Server mode, use Terminal Services Configuration to see if the number of connections has been limited. Users are unable to connect to the Terminal Services server. Verify that the Terminal Services server and the Terminal Services client are configured to use compatible encryption levels. If you suspect that the client can’t connect due to encryption settings, configure the Terminal Services server to use Client Compatible encryption. When using remote control, the user can view the remote session, but can’t interact with the remote session. Check the Remote Control settings through Terminal Services Configuration to verify that the Level Of Control is set to Interact With The Session instead of View The Session.
228
Chapter 4
Managing Windows Server 2003 Remotely
Using Remote Desktop and Remote Assistance for Administration Remote Desktop allows you to remotely take control of a Windows Server 2003 server from another location. For example, you could access a server located in a remote office from your company’s corporate headquarters. Remote Assistance is used to request assistance from another user. For example, if you were having problems troubleshooting your Windows Server 2003 server, you could ask a remote administrator to walk you through the troubleshooting process. You will learn more about Remote Desktop and Remote Assistance in the following sections.
Using Remote Desktop Remote Desktop allows you to take control of a remote computer’s keyboard, video, and mouse. This tool does not require that someone collaborate with you on the remote computer. While the remote computer is being accessed, it remains locked and any actions that are performed remotely will not be visible on the monitor that is attached to the remote computer. Remote Desktop is used in the following situations:
For troubleshooting computers within an organization that are in a remote location but are connected to the central network through a direct network connection, secure Virtual Private Network (VPN), or remote access
To allow Help Desk administrators within a network to remotely troubleshoot organizational computers
To allow remote access to organizational computers without security concerns that unauthorized users are viewing the remote computer’s monitor and watching what actions are being performed remotely In the following sections you will learn:
The Remote Desktop restrictions
The minimum set of requirements for Remote Desktop
How to configure the computer that will be accessed remotely
How to configure the computer that will be used to access the remote computer
How to customize a remote Desktop session
How to start a remote Desktop session
How to end a remote Desktop session
Remote Desktop Restrictions Remote Desktop uses all of the inherent security features of Windows Server 2003. In addition, Remote Desktop imposes these security features:
Remote Desktop is designed to be used for accessing internal domain computers. If the computer that you want to access is outside your organization’s firewall, then you will need to use Internet proxy software or Microsoft Internet Security and Acceleration Server client software.
Using Remote Desktop and Remote Assistance for Administration
229
If you want to establish a session from a computer via the Internet to your company’s internal network, you must first establish a secure VPN connection to the internal network you wish to access.
Remote Desktop can’t be used to create a connection between two computers directly connected to the Internet.
There is no option for simultaneous remote and local access to the Windows Server 2003 Desktop. If a computer will be accessed remotely, Windows Server 2003 will prompt the local user that they need to be logged off before the computer can be accessed remotely.
Remote Desktop Requirements To use Remote Desktop, the following requirements must be met:
Windows XP Professional or Windows Server 2003 must be running on the computer that will be accessed remotely.
The computer that will access the remote computer must be running Windows 95 or higher and have Remote Desktop client software installed and configured.
There must be an IP connection between the two computers that will be used to establish a Remote Desktop session.
Configuring a Computer for Remote Access You enable a computer to be accessed remotely through Control Panel. To enable remote access, select Start Control Panel System. Click the Remote tab. Within the Remote tab of System Properties, check Allow Users To Connect Remotely To This Computer, as shown in Figure 4.22. To enable Remote Desktop, you must be logged on to the computer as an administrator or a member of the Administrators group.
When you enable remote access to a computer, the changes will take effect immediately. By default, members of the local or domain Administrators group will have Remote Desktop permissions. Members of the Administrators groups can end a local user’s session without permission. Non-administrative users who are granted Remote Desktop permissions can’t end a local user’s session if the local user refuses the session.
By default, only members of the Administrators group can access a computer that has been configured to use Remote Desktop. To enable other users to access the computer remotely, click the Select Remote Users button shown in Figure 4.22. This brings up the Remote Desktop Users dialog box, shown in Figure 4.23, and allows you to specify which users can access the remote computer by selecting users through the Add or Remove buttons.
230
Chapter 4
Managing Windows Server 2003 Remotely
FIGURE 4.22
The Remote tab of the System Properties dialog box
FIGURE 4.23
The Remote Desktop Users dialog box
Configuring the Remote Desktop Client Software The Remote Desktop Connection client software is used to control a Windows Server 2003 computer remotely. This software is installed by default on computers running Windows XP Home Edition, Windows XP Professional, and Windows Server 2003. To configure the Remote Desktop Connection, you would click Start All Programs Accessories Communications Remote Desktop Connection, which displays the dialog box shown in Figure 4.24.
Using Remote Desktop and Remote Assistance for Administration
FIGURE 4.24
231
The Remote Desktop Connection dialog box
To configure the Remote Desktop Connection options, you would click the Options button in the Remote Desktop Connection dialog box. You will see the Remote Desktop Connection options. The options that can be configured for the client that is initiating the Remote Desktop Connection include General, Display, Local Resources, Programs, and Experience. Each of these options is covered in more detail in the following sections.
General The General tab, as shown in Figure 4.25, is used to configure Logon Settings, which specifies the computer you will connect to, the username, password, and domain for the user who will remotely connect to the server, and whether you want to save the current settings or bypass the current settings and open an existing saved connection settings file. FIGURE 4.25
The General tab of the Remote Desktop Connection options dialog box
232
Chapter 4
Managing Windows Server 2003 Remotely
Display The Display tab, as shown in Figure 4.26, is used to configure the remote desktop size, the color settings you want to use, and whether to display the connection bar when in Full Screen Mode. FIGURE 4.26
The Display tab of the Remote Desktop Connection options dialog box
FIGURE 4.27 dialog box
The Local Resources tab of the Remote Desktop Connection options
Using Remote Desktop and Remote Assistance for Administration
233
Local Resources The Local Resources tab, as shown in Figure 4.27, is used to configure the Remote Computer sound (choices are Bring To This Computer, Do Not Play, and Leave At Remote Computer), the keyboard (specifies how Windows key combinations are applied), and which local devices you want to connect to (disk drives, printers, and serial ports).
Programs The Programs tab, as shown in Figure 4.28, is used to specify whether you want to start a program when the remote connection is made. If you choose to start a program on connection, you can configure the Program Path And File Name and the Start In The Following Folder options. FIGURE 4.28
The Programs tab of the Remote Desktop Connection options dialog box
Experience The Experience tab, as shown in Figure 4.29, is used to specify performance options for your connection. You can specify the maximum connection speed and the following options:
Desktop Background
Show Contents Of Window While Dragging
Menu And Window Animation
Themes
Bitmap Caching
234
Chapter 4
FIGURE 4.29
Managing Windows Server 2003 Remotely
The Experience tab of the Remote Desktop Connection options dialog box
If you connect through a modem, you can increase performance by disabling options such as Desktop Background and Menu And Window Animation, and enabling Bitmap Caching.
Starting a Remote Desktop Session Once you have configured the computer that will be accessed remotely and have configured the Remote Desktop Connection client software, you are ready to start a Remote Desktop session. You start a session through the following steps: 1.
Select Start All Programs Accessories Communications Remote Desktop Connection. You could also use the command-line utility MSTSC to start the Remote Desktop connection. This will bring up the Remote Desktop Connection dialog box that was shown in Figure 4.24.
2.
In the Computer field, type in the name of the computer you wish to access. Remote Desktop must be enabled on this computer and you must have permissions to access the computer remotely.
3.
Click the Connect button.
4.
The Log On To Windows dialog box will appear. Type in your username, password, and domain name, and click OK.
5.
The Remote Desktop Connection window will open, and you will now have complete control of the remote machine.
Once a computer has been accessed remotely, it will be locked. No one at the local site will be able to use the local computer without a password. In addition, no one at the local site will be able to see the work that is being done on the computer remotely.
Using Remote Desktop and Remote Assistance for Administration
235
Ending a Remote Desktop Session Once you have a Remote Desktop Connection, you will see a modified taskbar at the top of your remote connection that displays the computer name that you are connected to. Click the ξ to close the Remote Desktop Connection. In Exercise 4.3, you will remotely access your Windows Server 2003 domain controller from your Windows XP Professional computer. EXERCISE 4.3
Using Remote Desktop Connection 1.
From your Windows Server 2003 domain controller, select Start Control Panel System and click the Remote tab.
2.
Within the Remote tab of System Properties, check Allow Users To Connect Remotely To This Computer.
3.
From your Windows XP Professional computer, log on to the domain as Administrator.
4.
Select Start All Programs Accessories Communications Remote Desktop Connection and click the Options button.
5.
In the General tab, type in the name of your Windows Server 2003 domain controller in the Computer field. Use the Administrator username and configure your password and domain in the Password and Domain fields.
6.
Click the Experience tab. Select Desktop Background, Themes, and Bitmap Caching from the Allow The Following list.
7.
Click the Connect button at the bottom of the Remote Desktop Connection dialog box.
8.
The Log On To Windows dialog box will appear. Verify that the Administrator name and password are entered and click the OK button.
9.
The Remote Desktop Connection will appear. You can manage any task from the remote session. When you are done, click the ξ button at the top of the screen in the modified taskbar.
Using Remote Assistance Remote Assistance provides a mechanism for requesting help for x86-based computers through Windows Messenger and an e-mail client. To use Remote Assistance, the computer requesting help and the computer providing help must be using Windows XP or Windows Server 2003 and both computers must have interconnectivity. Common examples of when you would use Remote Assistance include:
When you are diagnosing problems that are difficult to explain or reproduce. By using Remote Assistance, you can remotely view the computer and the remote user can show you what the error is or step you through processes that caused the error to occur.
236
Chapter 4
Managing Windows Server 2003 Remotely
When an inexperienced user needs to perform a complex set of instructions. Instead of asking the inexperienced user to complete the task, you can use Remote Assistance to take control of the computer and complete the tasks yourself. In the following sections you will learn more about:
Differences between Remote Desktop and Remote Assistance
Options for establishing remote connections
Enabling Remote Assistance
How users request remote assistance
How administrators respond to remote assistance requests
Administrator-initiated remote assistance
Limitations of Remote Assistance invitations
Security and Remote Assistance
Differences Between Remote Desktop and Remote Assistance The key differences between the Remote Desktop utility and the Remote Assistance utility are:
With Remote Desktop, there is only one connection at a time. With Remote Assistance, the expert is able to establish a concurrent session with the user at the remote computer.
Remote Assistance requires the user at the remote computer to authorize access. Remote Desktop does not require administrators to seek permission before they establish a remote session.
With Remote Assistance, both computers have to be running Windows XP or Windows Server 2003.
Options for Establishing Remote Assistance The following options can be used to establish remote connections:
A Local Area Network connection between the expert’s computer and the novice’s computer
An Internet connection between the expert’s computer and the novice’s computer
Connection via the Internet when the expert computer is behind a firewall and the novice computer is just connected to the Internet
Connection via the Internet when the expert computer is behind a firewall and the novice computer is also behind a firewall
If the Remote Assistance connections are made through a firewall, the firewall may need to be configured to open TCP Port 3389.
Using Remote Desktop and Remote Assistance for Administration
237
Enabling Remote Assistance You can enable Remote Assistance through the following steps: 1.
Select Start Control Panel System.
2.
Click the Remote tab and select the Turn On Remote Assistance And Allow Invitations To Be Sent From This Computer checkbox, as shown in Figure 4.30.
If you click the Advanced button from the Remote tab, you can set configuration options for the maximum number of days, hours, or minutes that invitations will remain open, as shown in Figure 4.31.
Requesting Remote Assistance If a user requires remote assistance, they send an invitation. In the following example, a user who is at a Windows Server 2003 domain controller is asking a user who is logged in at a Windows XP Professional computer for help. The following steps are used to request remote assistance: 1.
Notify the person providing assistance that you will be sending a Remote Assistance invitation. Notification methods might include e-mail, instant messaging, or a telephone call. Give the person providing assistance the password that will be used for the Remote Assistance session.
FIGURE 4.30
The Remote Tab of the System Properties dialog box
238
Chapter 4
FIGURE 4.31
Managing Windows Server 2003 Remotely
The Remote Assistance Settings dialog box
2.
Select Start Help And Support.
3.
From the Help And Support Center window, under Support Tasks, click the Remote Assistance option, as shown in Figure 4.32.
4.
From the Remote Assistance window, shown in Figure 4.33, select Invite Someone To Help You.
5.
You will be asked to specify how you want to contact the person providing assistance. You can specify Windows Messenger or e-mail (for example, using Outlook or Outlook Express).
6.
Click Send Invitation to send the invitation. You can specify the invitation delivery method, the length of time until the invitation expires, and whether to use the optional password protection feature.
FIGURE 4.32
The Help And Support Center window
Using Remote Desktop and Remote Assistance for Administration
FIGURE 4.33
239
The Remote Assistance window
Responding to Remote Assistance Requests When you receive a Remote Assistance invitation, you would use the following steps to respond: 1.
Receive the Remote Assistance invitation via e-mail or Instant Messenger.
2.
Open the invitation and double-click the attachment that is used to start the session. If a password has been configured, provide the appropriate password.
3.
The user seeking assistance will see an acceptance message on their screen and be prompted to verify that you be allowed to view the remote screen and chat with them.
4.
The user seeking assistance should confirm the acceptance message; a terminal window will appear on your monitor, displaying the user’s computer Desktop.
5.
You will then be able to manipulate remotely the user’s computer by using the Take Control option, after the user approves the interaction by clicking the Allow Expert Interaction button that they see in the Remote Assistance window.
The person who requested remote assistance can terminate the session at any time by clicking the Stop Control button in the Remote Assistance window.
240
Chapter 4
Managing Windows Server 2003 Remotely
Initiating a Remote Assistance Session Administrators can also initiate a remote assistance session through the Offer Remote Assistance feature. By default, this option is disabled, but can be enabled through Group Policy by taking the following actions: 1.
Select Start Run and in the Run dialog box, type gpedit.msc.
2.
Expand Local Computer Policy Computer Configuration Administrative Templates.
3.
Expand System, then Remote Assistance.
4.
In the details pane, double-click Offer Remote Assistance and check the Enabled checkbox. Under Helpers, click the Show button. Click the Add button, type in the names of any users that are allowed to offer Remote Assistance, and click the OK button.
Once Offer Remote Assistance is enabled, you can offer remote assistance to a user through the following steps: 1.
Inform the user that you will be offering remote assistance.
2.
From the Help And Support Center dialog box, under the Support Tasks list, select Remote Assistance, then Offer Remote Assistance.
3.
Follow the instructions for providing the name or IP address of the user’s computer.
4.
The user will see a prompt that you—the network administrator—would like to view the screen, chat with them in real time, and work on their computer. The user then accepts your assistance request.
Reuse of Remote Assistance Invitations If both of the following conditions are met, a Remote Assistance ticket can be used more than once:
The invitation ticket can’t be expired.
The IP address of the computer cannot have changed since the ticket was issued. Such a change can occur if a user connects to the Internet through an ISP that assigns dynamic IP addresses each time the user connects to the Internet.
Security and Remote Assistance You need to keep the following security concerns in mind when authorizing Remote Assistance:
If a user clicks the Allow Expert Interaction button, then the person providing expert assistance will have all of the security privileges that the local user has.
If you allow a user outside of your organization to access your computer, you should have them connect via a VPN account. If they connect through the network firewall, then TCP Port 3389 must be opened, which may be considered a security risk.
Exam Essentials
241
Summary In this chapter, you learned about the Windows Server 2003 remote administration options and utilities. We covered the following topics:
The Remote Desktop and Remote Assistance features that are used to remotely control a computer or to ask for help from a remote user
The features and benefits of Terminal Services, including rapid deployment, application sharing, and remote administration.
Planning for Terminal Services deployment, including hardware requirements, licensing requirements, and client application requirements
Installing a Terminal Services server
Managing Terminal Services with the Terminal Services Configuration and Terminal Services Manager utilities
How to license a Terminal Services server
Installing applications and configuring application sharing on a Terminal Services server
Remotely administering a server through Terminal Services
How to troubleshoot Terminal Services
Exam Essentials Use Remote Control and Remote Desktop. Be able to troubleshoot Windows Server 2003 computers remotely through the use of Remote Control and Remote Desktop. Know the requirements for configuring these options and how they are used. Understand the primary purpose of Terminal Services. Know what a thin client is and how Terminal Services can be used to support a wide variety of client types. List and describe the components of Terminal Services. Know the function and requirements for the Terminal Services server and the Terminal Services clients. Understand the function of the Remote Desktop Protocol. Be able to install and configure Terminal Services for use as an terminal server. List the utilities and options that are used to install and configure Terminal Services as an application server. Be able to configure applications for use with Terminal Services. Know how to install and configure Terminal Services client software. Know where the client software is located and know the options for deploying client software to different Terminal Services clients. Be able to manage servers remotely through Terminal Services. Configure Terminal Services for remote administration. Know what options can be remotely managed. Know how to troubleshoot Terminal Services. Know the common causes of Terminal Services errors and how they can be corrected.
242
Chapter 4
Managing Windows Server 2003 Remotely
Key Terms Before you take the exam, be certain you are familiar with the following terms: client license key packs
Remote Desktop Protocol (RDP)
compatibility scripts
Terminal Server mode
license server
Terminal Services client
Remote Assistance
Terminal Services Configuration utility
Remote control
Terminal Services Manager utility
Remote Desktop
Terminal Services server
Remote Desktop For Administration mode
thin clients
Review Questions
243
Review Questions 1.
You are running an application on a Terminal Services server from a Terminal Services client. The application is not saving user preferences properly. What is most likely the problem? A. The application was installed by running Setup.exe, and therefore is not properly
configured. B. There is a bug in the program that is affecting only the saving of user preferences. C. You have not activated the license server. D. The application was not installed using Control Panel, Add Or Remove Programs, and
therefore did not replicate the .ini files and Registry entries for each user. 2.
For security and performance reasons, you want any user who has remained idle for 15 minutes to be disconnected from the Terminal Services server. Furthermore, if that user does not reconnect within 15 minutes, you want her session to be terminated. Which of the following options accomplishes the objective with the least amount of administrative effort? A. Create a security group called TSUsers and set the appropriate session-related settings
for the group. B. Specify the appropriate session-related settings for each user account. C. Configure an alert in System Monitor to notify you each time the user reaches her limit,
then take appropriate action. D. Configure the session-related settings for the Terminal Services connection. 3.
Your network is configured with the clients shown in the following diagram. Based on your network, which of the clients will run as Terminal Services clients without having to install thirdparty software? (Choose all that apply.) Terminal Services Server Windows 3.11
Windows 95 Windows CE
A. Windows 3.11 clients B. Windows CE devices C. Windows 95 clients D. Macintosh computers
Macintosh
244
4.
Chapter 4
Managing Windows Server 2003 Remotely
You are the IT manager for a division of a regional insurance company. This division handles call center and customer service functions. Recently all client computers were upgraded from Windows 2000 Professional to Windows XP Professional. You want to establish a more proactive approach to ensuring that users get the help they need to understand how to use the new operating system. You decide to use the Offer Remote Assistance feature to invite users to get live assistance from your help desk staff. Which of the following actions must you take in order to use the Offer Remote Assistance feature? A. Enable the GPO for Remote Assistance, and add users who can offer Remote Assistance. B. Designate Windows XP Professional computers that can be used by the help desk staff
to initiate Remote Assistance sessions. C. Open TCP port 3389 on the network firewall. D. Specify Windows Messenger or e-mail as the means of providing assistance. 5.
You are the network administrator of a large company. You have configured your Windows Server 2003 member server as a Terminal Services server. You want to disable drive mapping for all users on a particular Terminal Services server. Where should you configure this setting? A. In the Client Settings tab of the Domain Users group Properties dialog box B. In the Client Settings tab of the TSUsers group Properties dialog box C. In the Environment tab of the TSUsers group Properties dialog box D. In the Client Settings tab of the RDP-Tcp connection Properties dialog box
6.
You are upgrading the hardware on a server in preparation for installing Windows Server 2003 with Terminal Services. How much extra RAM should you allow for each user connection to the Terminal Services server? A. 2MB B. 10–20MB C. 256KB D. 25MB
7.
You are the lead network administer for your company. Your network consists of Windows 2000 Servers and Windows Server 2003 servers. With several hundred users, many of whom are remote, you have implemented Terminal Services on 12 of the Windows Server 2003 servers. You want to enable the HelpDesk security group to perform administrative tasks on the Terminal Services servers. How can you best achieve this objective? A. Create a GPO, link it to the HelpDesk group, and enable all relevant Terminal Services
policies. B. Create a remote access policy with the appropriate permissions and define a filter so
that it applies only to the HelpDesk group. C. In the Properties page of the HelpDesk group, assign Administrative control. D. Assign the HelpDesk group the appropriate permissions for the connection on each
Terminal Services server.
Review Questions
8.
245
You are the network administrator of a large company. You have configured your Windows Server 2003 member server as a Terminal Services server. Which of the following utilities enables the administrator to interact with users’ sessions, with the users’ permission? A. Terminal Services Client Manager B. Terminal Services Configuration C. Terminal Services Manager D. Terminal Services Administration
9.
You can log on to the Terminal Services server as Administrator. When you tried to log on to Terminal Services as a regular user, you received an error message that reported that you could not log on interactively. What is the most likely cause of this problem? A. You need to grant the users Read permission to the Tcp-RDP protocol. B. You need to grant the users Full Control permission to the Tcp-RDP protocol. C. You need to grant the users the Log On Locally user right. D. You need to grant the users the Allow Interactive Logon user right.
10. You have a user who is connected to the Terminal Services application server. The session seems to have hung and you want to manually disconnect the user. Which utility should you use? A. Terminal Services Client Creator B. Terminal Services Configuration C. Terminal Services Manager D. Terminal Services Licensing 11. You are the network administrator of a large company. You have configured your Windows Server 2003 member server as a Terminal Services server. Which of the following utilities can be used to view all of the users who are currently connected to the Terminal Services server? A. Terminal Services Client Manager B. Terminal Services Configuration C. Terminal Services Manager D. Terminal Services Administration 12. You work in the corporate headquarters of a company with 200 customer services reps, many of whom from work home or offsite. One CSR calls to report a problem with her Windows XP computer after she installed a new sound card. You discover that the card was not supported on the HCL. You know that you can fix her computer much faster by doing it yourself. You attempt to establish a Remote Desktop connection to her computer, but you are unable to do so. What is the most likely reason you cannot establish a Remote Desktop connection to the user’s computer? A. The RDP protocol must be configured on the client computer before a Remote Desktop
connection can be established. B. Remote Desktop is supported only in Windows Server 2003. C. Remote Desktop cannot be used over a VPN connection. D. Remote Desktop is not enabled in Control Panel System Remote.
246
Chapter 4
Managing Windows Server 2003 Remotely
13. You are the System Administrator of a manufacturing company that uses a proprietary procurement application that is constantly being updated by the software vendor. Instead of managing the application on the users’ local computers, you decide to deploy the application through Terminal Services in Terminal Server mode. You want members of the IT group to be able to remotely manage and troubleshoot any application problems that the users may have. Which action should you take to enable the IT department to do this? A. Grant the IT group Read permission to the RDP-Tcp protocol. B. Grant the IT group Full Control permission to the RDP-Tcp protocol. C. Add the IT group to the built-in TS-Operators group. D. Add the IT group to the built-in TS-Admins group. 14. Clients are complaining that they are not able to access the Terminal Services server. You want to verify that the service required by the Terminal Services server is running properly. Which of the following services is required for use with Terminal Services? A. RDP-Tcp B. NetBEUI C. TS-Tcp D. RTS-Tcp 15. You are attempting to connect to a Windows Server 2003 domain controller using remote administration. When you attempt to connect to the server you receive an error message because the number of concurrent connections has been exceeded. How many concurrent connections are supported by Terminal Services remote administration mode? A. 1 B. 2 C. 3 D. 4
Answers to Review Questions
247
Answers to Review Questions 1.
D. You should always use the Add Or Remove Programs icon in Control Panel to install applications on a Terminal Services server. This ensures that your applications will be properly configured for all users.
2.
D. Session-related settings for Terminal Services users can be configured on a per-user basis on the Sessions tab in each user’s Properties page, or on a per-server basis on the Sessions tab in the connection’s Properties page, which will override the user-specific settings. In this scenario, you want the settings to apply to any given user, so D is the best choice.
3.
A, B, C. Terminal Services can run on Macintosh-based computers, but this requires third-party software. Windows-based computers can use the client software provided with Windows Server 2003 Terminal Services.
4.
A. The Offer Remote Assistance feature is enabled in Group Policy. When you enable the GPO for Remote Assistance, you add users who are permitted to offer Remote Assistance to other users. The other options either don’t apply or don’t need to be configured in order to use the Offer Remote Assistance feature. The Offer Remote Assistance feature can be used on any computer that supports Remote Assistance (Windows XP Professional or Windows Server 2003). If you are connecting across a firewall, you will need to open TCP port 3389 on the firewall. Remote Assistance can be provided through Windows Messenger or e-mail.
5.
D. To disable the drive mapping option for all users, you should configure the setting in the Properties dialog box (Client Settings tab) for the RDP-Tcp connection. You can also configure this setting on a per-user basis in the Client Settings tab of the user Properties dialog box.
6.
B. Terminal Services is a memory-intensive application. Each user connection will require between 10 and 20MB of RAM on the server. You should add 20MB of additional RAM for each user who is running three or more applications simultaneously.
7.
D. Each Terminal Services connection can be configured with unique permission sets for specific user groups via the Permissions tab in its Properties page.
8.
B. Through the Remote Control tab of Terminal Services Configuration, you can configure the connection property to allow you to interact with user sessions.
9.
C. When you install Terminal Services on a domain controller, you will have to grant regular users the Log On Locally user right. Otherwise users will receive an error message that they cannot log on interactively. Installing Terminal Services on a domain controller is not recommended, for both load and security reasons.
10. C. You manage sessions and servers with the Terminal Services Manager utility. 11. C. You can manage and access Terminal Services sessions through the Terminal Services Manager utility. 12. D. Remote Desktop is supported in Windows XP Professional and Windows Server 2003, and it is used to remotely administer desktops connected via a direct network connection, a VPN connection, or a remote access connection. No additional protocols need to be configured to establish a Remote Desktop connection.
248
Chapter 4
Managing Windows Server 2003 Remotely
13. B. You configure Terminal Services permissions through the Terminal Services Configuration utility. You can grant the IT group the Full Control permission to the RDP-Tcp protocol, and this will enable them to manage the users’ Terminal Services sessions. 14. A. The Remote Desktop Protocol–Transmission Control Protocol (RDP-Tcp) service is used by all Terminal Services connections. 15. B. Terminal Services remote administration enables administrators to remotely perform such tasks as file sharing, managing users and groups, and editing the Registry. Remote administration allows up to two concurrent connections to the Terminal Services server, but does not require additional Terminal Services client licenses.
Chapter
5
Installing and Managing Domain Name Service (DNS) MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Install and configure the DNS Server service
Configure DNS server options
Configure DNS zone options
Configure DNS forwarding
Manage DNS
Manage DNS zone settings
Manage DNS record settings
Manage DNS server options
DNS is one of the most important topics in both Windows Server 2003 network administration and the Windows Server 2003 Network Infrastructure exam. Active Directory depends absolutely on DNS, and many important system functions (including Kerberos authentication and finding domain controllers) are now handled through DNS lookups. Windows 2000 and XP clients use DNS for name resolution, too, but they also use DNS to find Kerberos key distribution centers (KDCs), global catalog servers, and other services that may be registered in DNS. By the time you finish this chapter, you will have a deeper understanding of how DNS works in general, plus an understanding of how to set up, configure, manage, and troubleshoot DNS in Windows Server 2003.
DNS is a very important topic, both for the MCSA exam and beyond. DNS plays a vital role in the MCSE exam as well, and is covered in depth in Chapter 8, "Planning the Domain Name Service (DNS)." For more information on planning DNS, see Chapter 8.
DNS Fundamentals The Domain Name Service (DNS) is a hierarchically distributed database. In other words, its layers are arranged in a definite order, and its data is distributed across a wide range of machines. DNS is a standard set of protocols that defines the following:
A mechanism for querying and updating address information in the database
A mechanism for replicating the information in the database among servers
A schema of the database
DNS began in the early days of the Internet when the Internet was a small network created by the Department of Defense for research purposes. Before DNS, computer names, or hostnames, were manually entered into a file located on a centrally administered server. Each site that needed to resolve hostnames had to download this file. As the number of computers on the Internet grew, so did the size of this HOSTS file, and the amount of traffic generated by downloading it. The need for a new system that would offer features such as scalability, decentralized administration, and support for various data types became more and more obvious. The Domain Name Service (DNS), introduced in 1984, became this new system. With DNS, the hostnames reside in a database that can be distributed among multiple servers, decreasing the load on any one server and providing the ability to administer this naming system
DNS Fundamentals
251
on a per-partition basis. DNS supports hierarchical names and allows registration of various data types in addition to the hostname-to-IP-address mapping used in HOSTS files. By virtue of the DNS database being distributed, its size is unlimited and performance does not degrade much when adding more servers. In the following sections, you will learn more about what DNS is and how it works and see how Windows Server 2003 handles DNS.
What DNS Does DNS translates between computer hostnames and IP addresses. DNS works at the Application layer of the OSI reference model and uses TCP and UDP at the transport layer. The DNS model is pretty plain: Clients make requests (“what’s the IP address for www.chellis.net?”) and get back answers (“209.155.222.222”). If a particular server can’t answer a query, it can forward it to another, presumably better informed, server. To really understand how DNS works, it’s important to learn about some fundamental parts of the system. We will do that in the following sections.
An Introduction to Domain Naming The Domain Name System is composed of a distributed database of names that establishes a logical tree structure called the domain name space. Each node, or domain, in that space has a unique name. Therefore, chellis.com and chellis.netchellis.net are two different domains, and they can contain subdomains, such as sales.chellis.com and marketing.chellis.netchellis.net. A domain name identifies the domain’s position in the logical DNS hierarchy in relation to its parent domain by separating each branch of the tree with a period. Figure 5.1 shows a few of the top-level domains, where the Microsoft domain fits, and a host called Tigger within the microsoft.com domain. If someone wanted to contact that host, they would use the fully qualified domain name (FQDN) tigger.microsoft.com. FIGURE 5.1
The DNS hierarchy (Managed by Internic)
Int/Net/Org
Mil Army Navy
Gov White House
IRS
Edu
Com
MIT Stanford
Microsoft (Managed by Microsoft) Tigger
252
Chapter 5
Installing and Managing Domain Name Service (DNS)
Each domain is associated with a DNS name server. In other words, for every domain registered in the DNS, there’s some server that can give an authoritative answer to queries about that domain. For example, the chellis.netchellis.net domain is handled by a name server at an Internet provider. This means that any resolver or name server can go straight to the source if it can’t resolve a query by looking in its own cache. Domain names and hostnames must contain only characters a to z, A to Z, 0 to 9, and - (hyphen). Other common and useful characters, like the & (ampersand), / (slash), . (period), and _ (underscore), are not allowed. This is in conflict with NetBIOS’s naming restrictions. However, you’ll find that Windows Server 2003 is smart enough to take a NetBIOS name like Server_1 and turn it into a legal DNS name, like server1.chellis.net.
DNS and the Internet You’re undoubtedly familiar with how DNS works on the Internet; if you’ve ever sent or received Internet e-mail or browsed web pages on the Net, you’ve got firsthand experience using DNS. Internet DNS depends on a set of top-level domains that serve as the root of the DNS hierarchy. These top-level domains and their authoritative name servers are managed by the Internet Network Information Center (www.internic.com). The top-level domains are organized in two ways: by organization and by country. Table 5.1 shows some of the most common top-level domains. TABLE 5.1
Common Top-Level DNS Domains
Common Top-Level Domain Names
Type of Organization
Com
Commercial (for example, globalknowledge.com for Global Knowledge Network).
Edu
Educational (for example, gatech.edu for the Georgia Institute of Technology).
Gov
Government (for example, whitehouse.gov for the White House in Washington, D.C.).
Int
International organizations (for example, nato.int for NATO). This top-level domain is fairly rare.
Mil
Military organizations (for example, usmc.mil for the Marine Corps). There is a separate set of root name servers for this domain.
Net
Networking organizations and Internet providers (for example, hiwaay.net for HiWAAY Information Systems). Many commercial organizations have registered names under this domain, too.
DNS Fundamentals
TABLE 5.1
253
Common Top-Level DNS Domains (continued)
Common Top-Level Domain Names
Type of Organization
Org
Noncommercial organizations (for example, fidonet.org for FidoNet).
AU
Australia.
UK
United Kingdom.
CA
Canada.
US
United States.
JP
Japan.
Beneath each top-level domain, there can be additional subdomains. For example, commercial organizations in Japan will have .co.jp on the end of their domain names. The local Athens, Alabama, police department has a server in the ci.athens.al.us domain: ci for city, Athens because the city’s name is Athens, al for Alabama, and us for the top-level domain.
Servers, Clients, and Resolvers There are a few terms and concepts you will need to know before managing a DNS server. Understanding these terms will make it easier to understand how the Windows Server 2003 DNS server works: DNS servers Any computer providing domain name services is a DNS server. That being said, not all DNS servers are alike. Earlier implementations of DNS (for example, early versions of the popular Berkeley Internet Name Domain, or BIND) were originally developed for Unix, and they handled a fairly small and simple set of RFC requirements. There is also the concept of primary and secondary DNS servers to consider. A primary DNS server is the “owner” of the zones defined in its database. The primary DNS server has the authority to make changes to the zones it owns. Secondary DNS servers receive a read-only copy of zones through zone transfers (discussed later, in the section “Zone Transfers”). The secondary DNS server can resolve queries from this read-only copy but cannot make changes or updates. A single DNS server may contain multiple primary and secondary zones (more on zones in a minute). Any DNS server implementation supporting Service Location Resource Records (see RCF 2052) and Dynamic Updates (RFC 2136) is sufficient to provide the name service for Windows 2000 and newer computers. However, because Windows Server 2003 DNS is designed to fully take advantage of the Windows Active Directory service, it is the recommended DNS server for any networked organization with a significant investment in Windows or extranet partners with Windowsbased systems.
254
Chapter 5
Installing and Managing Domain Name Service (DNS)
Clients A DNS client is any machine issuing queries to a DNS server. The client hostname may or may not be registered in a name server (DNS) database. Clients issue DNS requests through processes called resolvers. Resolvers Resolvers handle the process of mapping a symbolic name to an actual network address. The resolver (which may reside on another machine) issues queries to name servers. When a resolver receives information from name servers, it caches that information locally in case the same information is requested again. When a name server is unable to resolve a request, it may reply to the resolver with the name of another name server. The resolver must then address a message to this new name server in the hope that the symbolic name will be resolved. Queries There are two types of forward lookup queries that can be made to a DNS server: recursive and iterative (we’ll discuss the difference shortly). Root servers When a DNS server processes a recursive query and that query cannot be resolved from local zone files, the query must be escalated to a root DNS server. The root server is responsible for returning an authoritative answer for a particular domain or a referral to a server that can provide an authoritative answer. Because each DNS server is supposed to have a full set of root hints (which point to root servers for various top-level domains), your DNS server can refer queries recursively to other servers with the assistance of the root servers. You can also configure a DNS server to contain its own root zone; you might want to do so if you don’t want your servers to be able to answer queries for names outside your network. DNS Zones DNS servers work together to resolve hierarchical names. If they already have information about a name, they simply fulfill the query for the client; otherwise, they query other DNS servers for the appropriate information. The system works well because it distributes the authority of separate parts of the DNS structure to specific servers. A DNS zone is a portion of the DNS namespace over which a specific DNS server has authority. In order to ensure that naming remains accurate in a distributed network environment, one DNS server must be designated as the master database for a specific set of addresses. It is on this server that updates to hostname-to-IP-address mappings can be updated. Whenever a DNS server is unable to resolve a specific DNS name, it simply queries other servers that can provide the information. Zones are necessary because many different DNS servers could otherwise be caching the same information. If changes are made, this information could become outdated. Therefore, one central DNS server must assume the role of the ultimate authority for a specific subset of domain names.
There is an important distinction to make between DNS zones and Active Directory domains. Although both use hierarchical names and require name resolution, DNS zones do not map directly to AD domains.
DNS and Windows Server 2003 Windows Server 2003 relies on TCP/IP, and Active Directory requires DNS—even if you’re not connected to the Internet. Naturally, Windows Server 2003 includes a DNS server component and adds some features that are even interoperable with other DNS implementations. In the following sections, you will see how DNS integrates with Windows Server 2003.
DNS Fundamentals
255
Dynamic DNS In earlier versions of Windows, when you used Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to clients, you had no way to keep the corresponding DNS records up-to-date. For example, if you had a DNS entry for minuteman.chellis.netchellis.net pointing to 192.168.0.202, that’s okay until minuteman’s DHCP lease is released and it gets a new address. At that point, you’d get the choice of either fixing the DNS record by hand or relying on NetBIOS and WINS for name resolution. You may have a similar problem if you used a dialup ISP—every time you dial up, you get a different IP address. The Dynamic DNS (DDNS) standard, described in RFC 2136, was designed to solve this very problem. DDNS allows DNS clients to update information in the DNS database files. For example, a Windows Server 2003 DHCP server can automatically tell a DDNS server which IP addresses it has assigned and to what machines. Windows 2000 and XP Professional DHCP clients can do this, too, but for security reasons it’s better to let the DHCP server do it. The result: IP addresses and DNS records stay in synch so that you can use DNS and DHCP together seamlessly. Because DDNS is a proposed Internet standard, you can even use Windows Server 2003’s DDNS-aware parts with Unix-based DNS servers.
DNS and Active Directory You can store DNS data in Active Directory (AD) instead of in regular disk files. While it might seem odd to use AD to store information that AD will have to run, it makes sense. Consider a typical DNS zone data file on disk—it’s plain text and easily editable. It’s not replicated, it’s probably not secured, and there’s no way to delegate control over it. All of these limitations go away when you build what Microsoft calls an Active Directory–Integrated (ADI) zone. In an ADI zone, Active Directory stores all of the DNS zone data in AD, so it gains all of the benefits of AD—especially improved security and seamless replication.
How DNS Works Knowing how servers and resolvers communicate with each other, and what kind of queries are passed around, is critical to properly configuring your network. That knowledge begins with understanding what’s actually in the DNS database itself as well as what’s in the zone database file. Once you understand these concepts, you will have a better idea of how DNS resolves names, and you will understand why zone transfers are important. In this section you will also see how to migrate the DNS database files from older systems to Windows Server 2003.
Records in the DNS Database No matter where your zone information is stored, you can rest assured that it contains a variety of DNS information. Although the DNS snap-in makes it unlikely that you’ll ever need to edit these files by hand, it’s good to know exactly what data is contained in there. The first thing to understand is the fact that each zone file consists of a number of resource records (RRs). Each RR contains information about some resource on the network, such as its IP address. There are several types of resource records you need to know about to effectively manage your DNS servers. They are discussed in the sections that follow.
Chapter 5
256
Installing and Managing Domain Name Service (DNS)
Start of Authority (SOA) Records The first record in any database file is the start of authority (SOA) record, which looks like this: @ IN SOA source_host contact_e-mail serial_number refresh_time retry_time expiration_time time_to_live
The SOA defines the general parameters for the DNS zone, including who the authoritative server is for the zone. Table 5.2 lists the attributes stored in the SOA record. TABLE 5.2
The SOA Record Structure
Field
Meaning
Source host
The host on which this file is maintained.
Contact e-mail
The Internet e-mail address for the person responsible for this domain’s database file.
Serial number
The “version number” of this database file. Increases each time the database file is changed.
Refresh time
The elapsed time (in seconds) that a secondary server will wait between checks to its master server to see if the database file has changed and a zone transfer should be requested.
Retry time
The elapsed time (in seconds) that a secondary server will wait before retrying a failed zone transfer.
Expiration time
The elapsed time (in seconds) that a secondary server will keep trying to download a zone. After this time limit expires, the old zone information will be discarded.
Time to live
The elapsed time (in seconds) that a DNS server is allowed to cache any resource records from this database file. This is the value that is sent out with all query responses from this zone file when the individual resource record doesn’t contain an overriding value.
Name Server (NS) Records Name server (NS) records list the name servers for a domain. This allows other name servers to look up names in your domain. A zone file may contain more than one name server record. The format of these records is simple: domain @ IN NS nameserver_host
Domain is the name of your domain, and nameserver host is the FQDN of a name server in that domain. There are a couple of interesting shortcuts that can be used in DNS records, such as the following:
In a zone file, the @ symbol represents the root domain of the zone. The IN in the records stands for Internet.
DNS Fundamentals
257
Any domain name in the database file that is not terminated with a period will have the root domain appended to the end. For example, an entry that just has the name sales will be expanded by adding the root domain to the end, whereas sales.chellis.net won’t be expanded. What do these records actually look like? Here’s a small sample:
@ IN NS ns1.chellis.net @ IN NS ns2.chellis.net
NS records play a key role in the referral process that you’ll be learning about later in the chapter.
The Host Record A host record (also called an address or an A record) is used to statically associate a host’s name to its IP addresses. The format is pretty simple: host_name
IN
A
IP_Address
Here’s an example from our DNS database: minuteman titan
IN IN
A A
192.168.0.204 192.168.3.144
The A record ties a hostname (which is part, you’ll recall, of an FQDN) to a specific IP address. This makes them suitable for use when you have devices with statically assigned IP addresses; in that case, you’d create these records manually using the DNS snap-in. As it turns out, if you enable DDNS, your DHCP server can create these for you; that automatic creation is what enables DDNS to work.
The Pointer (PTR) Record A records are probably the most visible component of the DNS database because Internet users depend on them to turn FQDNs like www.microsoft.com and www.delta-air.com into IP addresses so that browsers and other components can find them. However, the host record has a lesser-known but still important twin: the pointer (PTR) record. The format of a pointer record looks like the following: owner ttl class PTR targeted_domain_name
The A record maps a hostname to an IP address, and the PTR record does just the opposite. Having both types of records makes it possible to do reverse lookups, which occur when a resolver asks a DNS server to cough up the FQDN associated with a particular IP address. This is a useful function for, among other things, preventing people with made-up or illegal domain names from using services like e-mail or FTP servers.
The Alias Record Almost every company on the Web has a URL of www.companyname.com. This is pretty much standard. However, many (if not most) domains don’t actually have a machine named www. Instead, they use DNS alias records (more properly known as canonical name, or CNAME, entries, which allow them to use more than one name to point to a single host). The syntax of an alias record looks like the following:
IN
CNAME
258
Chapter 5
Installing and Managing Domain Name Service (DNS)
Suppose there was a company with a machine whose real A record name was kingkong.intexas .com. The CNAME records can point the names mail.intexas.com and ftp.intexas.com to that machine. A resolver that queried the company’s DNS server for either mail or FTP would actually get the A record for kingkong back. Here’s how they created the alias: mail ftp kingkong
IN IN IN
CNAME CNAME A
kingkong kingkong 172.30.1.14
The Mail Exchange (MX) Record The mail exchange (MX) record tells you which servers can accept mail bound for this domain. Each MX record contains two parameters—a priority and a mail server—as shown in the following example: <domain> IN MX <priority> <mailserver host>
Why use MX records? As an example, consider the domain chellis.net. Users in your organization have addresses of
[email protected]. To make sure that mail is delivered where you want it to go—to your Exchange server—you’d have two MX records: One points to chellis.net, and one points to your ISP’s mail server. When someone on the Internet tries to send SMTP mail to any user whose address ends in chellis.net, their mail server will look to see if that domain contains an MX record. If it does, the sending server will use the host specified in the MX record to deliver the mail. Attentive readers will notice that we said your domain has two MX records. That’s because MX records have preferences attached to them. If multiple MX records exist for a domain, the DNS server uses the mail server with the lowest preference and then tries the other mail servers when the most preferred host can’t be contacted. For example, the two records you used could look like this: chellis.net. IN MX 100 mail.pair.com chellis.net. IN MX 10 mail.chellis.net
Service Records Windows Server 2003 depends on some relatively new services, like Lightweight Directory Access Protocol (LDAP) and Kerberos. These protocols postdate the DNS system by quite a while. Normally, clients use DNS to find the IP address of a machine whose name they already know. Microsoft wanted to extend this system by devising a way for a client to locate a particular service by making a DNS query. For example, a Windows 2000 or XP client can query DNS servers for the location of a domain controller. This makes it much easier (for both the client and the administrator) to manage and distribute logon traffic in large-scale networks. For this approach to work, Microsoft had to have some way to register the presence of a service (or, really, a TCP/IP protocol) in DNS, but none of the RR types you’ve read about so far offer any way to do so. Enter the service (SRV) record. SRV records tie together the location of a service (like a domain controller) with information about how to contact the service. Think of a host record: It ties a name to an IP address. The MX record extends the concept by adding another parameter, the preference.
DNS Fundamentals
259
SRV records take it even further by providing seven items of information. Let’s look at an example to help clarify this powerful concept: ldap.tcp.chellis.net ldap.tcp.chellis.net
SRV SRV
10 20
100 100
389 389
hsv.chellis.net msy.chellis.net
The first field, ldap.tcp.chellis.net, is actually a composite: It contains a service name (ldap for LDAP or kerberos for Kerberos), a transport protocol (TCP or UDP), and the domain name for which the service is offered. Thus, ldap.tcp.chellis.net indicates that this SRV record is advertising an LDAP server for the chellis.net domain. The next field is just the record type— SRV in this case. The two numbers following are the priority and the weight. The priority field specifies a preference, just as the preference field in an MX record does. The SRV record with the lowest priority will be used first. The weight is a little different: Service records with equal priority will be chosen according to their weight. Consider the case of three SRV records of priority 0 and weight 100. That tells the DNS server to answer queries by picking one of the three at random because they have equal weight. If one record had a weight of 50 (instead of 100), it would be chosen twice as often as either of the other records. The next field is the number of the port on which the service is offered: 389 for LDAP or 88 for Kerberos. The final entry in the record defines the DNS name of the server that offers the service (in this case, hsv.chellis.net and msy.chellis.net). You’ll read later how these service records are actually used in DNS queries; for now it’s enough to understand that they exist.
You can define other types of service records. If your applications support them, they can query DNS to find the services they need.
Zone Database Files Let’s assume that you’re not using an ADI zone. The only reason we make that assumption is to illustrate where the zone database files live on a non-ADI server. As it turns out, you can specify names for some, but not all, of these files when you install DNS on your Windows Server 2003 computer. The specific zone database files are discussed in the following sections.
The Domain Name File Each domain that has a forward lookup zone on your server will have its own database file. For example, when you create a new zone named chellis.net on a Windows Server 2003 DNS server, you’ll end up with a new file named chellis.net.dns in the system’s DNS directory (systemroot\system32\DNS). The file is pretty much empty when you create the zone: It contains only an SOA record for the domain and one NS record listing the name of the server you just created. As you add new A records to the domain, they’re stored in this file.
The Reverse Lookup File This database file holds information on a single reverse lookup zone. These zones are usually named after the IP address range they cover. For example, a reverse lookup zone that can handle queries for the 172.30.1.* block will be named 1.30.172.in-addr.arpa. Notice that the network
260
Chapter 5
Installing and Managing Domain Name Service (DNS)
address is reversed. Remember that the reverse lookup database allows a resolver to provide an IP address and request a matching hostname. It looks like the domain database file (for example, it has SOA and name server records), but instead of A records it has one PTR record for each host designated in the reverse lookup zone. DNS reverse lookup is frequently used as a sort of backdoor authentication method. For example, most modern mail servers can be configured to refuse incoming mail from servers whose IP address can’t be resolved with a reverse lookup. This prevents people with real IP addresses but fake DNS names from using those mail servers (thus, preventing spam). Reverse lookups are also valuable for troubleshooting name resolution problems because you can always find the IP address of a machine even if you’re not sure what its domain name is supposed to be.
The Cache File The cache file contains host information needed to resolve names outside the authoritative domains—in short, it holds a list of the names and addresses of root name servers. If your DNS server will be able to connect to the Internet, you can leave this file alone; if not, you can edit it so that it lists the authoritative roots for your private network.
The Boot File Consider what a primary DNS server must do when it boots. It has to figure out what zones it’s supposed to be serving, decide whether it’s authoritative for any of them, and link up with other servers in the zone, if any. You can choose the method by which Windows Server 2003 DNS servers get this information: from AD, from the Registry, or from a BIND-style boot file. The boot file, which must be named systemroot\system32\dns\boot, controls the DNS server’s startup behavior. Boot files support only four commands: directory The directory command specifies where the other files named in the boot file can be found. This is almost always the systemroot\system32\dns directory. You use the command along with a directory path, like this: directory f:\winnt\system32\dns
cache The cache command specifies the file of root hints used to help your DNS service contact name servers for the root domain. This command, and the file it refers to, must be present. For example, cache cache.dns points the DNS server at the default cache.dns file shipped with Windows Server 2003. primary The primary command specifies a domain for which this name server is authoritative, as well as a database file that contains the resource records for that domain. You can use multiple primary commands in a single boot file. Here are a couple of examples: primary chellis.net primary hsv.chellis.net
chellis.net.dns hsv.chellis.dns
secondary The secondary command designates a domain as being one that your server handles as a secondary domain. That means your server is authoritative, but it pulls DNS information from one (or more) of the specified master servers. The command also defines the name of the local file for caching this zone. Multiple secondary command records may exist
DNS Fundamentals
261
in the boot file. The secondary command takes three parameters, as shown by the following syntax: secondary <secondary domain>
<master server>
Secondary entries would look like this: secondary wuolukka.com secondary chellis.com
ns.pair.com wuolukka.dns ns2.pair.com chellis.dns
How DNS Resolves Names There are three types of queries that a client can make to a DNS server: recursive, iterative, and inverse. Remember that the client of a DNS server can be a resolver (what you’d normally call a client) or another DNS server. Iterative queries are the easiest to understand: A client asks the DNS server for an answer, and the server returns the best answer. This type of query is typically sent by one DNS server to another after the original server has received a recursive query from a resolver. The server may not know the answer and may direct you to another server, or it might respond with an actual RR. Most resolvers, however, use recursive queries. In a recursive query, the client sends a query to one name server, asking it to respond either with the requested answer or with an error. The error states one of two things: that the server can’t come up with the right answer or that the domain name doesn’t exist. The name server isn’t allowed to just refer the client to some other name server. In addition, if your DNS server uses a forwarder, the requests sent by your server to the forwarder will be recursive queries. Figure 5.2 shows an example of both recursive and iterative queries. In this example, a client within the Microsoft Corporation is querying its DNS server for the IP address for www.whitehouse.gov. Here’s what happens to resolve the request: 1.
The resolver sends a recursive DNS query to its local DNS server asking for the IP address of www.whitehouse.gov. The local name server is responsible for resolving the name and cannot refer the resolver to another name server.
2.
The local name server checks its zones and finds no zones corresponding to the requested domain name.
3.
The root name server has authority for the root domain and will reply with the IP address of a name server for the Gov top-level domain.
4.
The local name server sends an iterative query for www.whitehouse.gov to the Gov name server.
5.
The Gov name server replies with the IP address of the name server servicing the whitehouse .gov domain.
6.
The local name server sends an iterative query for www.whitehouse.gov to the whitehouse .gov name server.
7.
The whitehouse.gov name server replies with the IP address corresponding to www.whitehouse.gov.
8.
The local name server sends the IP address of www.whitehouse.gov back to the original resolver.
262
Chapter 5
FIGURE 5.2
Installing and Managing Domain Name Service (DNS)
A sample DNS query Iterative queries Root name server
2 3 Local name server
4 5
Recursive 1 query
Gov name server
8 6 7
Whitehouse.gov name server DNS client
Inverse queries use PTR records. Instead of supplying a name and then asking for an IP address, the client first provides the IP address and then asks for the name. Because there’s no direct correlation in the DNS name space between a domain name and its associated IP address, this search would be fruitless without the use of the in-addr.arpa domain. Nodes in the in-addr.arpa domain are named after the numbers in the dotted-octet representation of IP addresses. But because IP addresses get more specific from left to right and domain names get less specific from left to right, the order of IP address octets must be reversed when building the in-addr.arpa tree. With this arrangement, administration of the lower limbs of the DNS in-addr.arpa tree can be given to companies as they are assigned their Class A, B, or C subnet address. Once the domain tree is built into the DNS database, a special pointer record is added to associate the IP addresses to the corresponding hostnames. In other words, to find a hostname for the IP address 206.131.234.1, the resolver would query the DNS server for a pointer record for 1.234.131.206.in-addr.arpa. If this IP address was outside the local domain, the DNS server would start at the root and sequentially resolve the domain nodes until arriving at 234.131.206 .in-addr.arpa, which would contain the PTR record for the desired host. You have several specialized options when you configure DNS resolution, as shown in the following sections.
Caching and Time to Live When a name server is processing a recursive query, it may be required to send out several queries to find the definitive answer. Name servers are allowed to cache all the received information
DNS Fundamentals
263
during this process; each record contains something called a time to live (TTL). The TTL specifies how long the record will be valid until it must be resolved again. The name server owner sets the TTL for each RR on their server. If your data changes a lot, you can use smaller TTL values to help ensure that data about your domain is more consistent across the network on which the name server resides. However, if you make the TTL too small, the load on your name server will go up. That’s because once data is cached by a DNS server, the server begins decreasing the TTL from its original value; when it hits zero, the server flushes the RR from its cache. If a query comes in that can be satisfied by this cached data, the TTL that’s returned with it equals the current amount of time left before flush time. Client resolvers also have data caches and honor the TTL value so that they too know when to flush.
Load Balancing with Round Robin and Netmask Ordering The Windows Server 2003 implementation of DNS supports load balancing through the use of round robin and netmask ordering. Load balancing distributes the network load between multiple network cards if they are available. You can create multiple resource records with the same hostname but different IP addresses for multihomed computers. Depending on the options that you select, the DNS server will respond with one of the multihomed computer’s addresses. If round robin is enabled, the first address that was entered in the database is returned to the resolver and then sent to the end of the list. The next time a client attempts to resolve the name, the DNS server will return the second name in the database (which is now the first name) and then send it to the end of the list and so on. If netmask ordering is enabled, the DNS server will use the first IP address in the database that matches the subnet of the resolver. If none of the IP addresses match the subnet of the resolver, then the DNS server reverts to round robin. If round robin is disabled, the DNS server simply returns the first IP address in the database. If neither round robin nor netmask ordering is enabled, the DNS server always returns the first IP address in the database. This usually isn’t very helpful, so fortunately round robin and netmask ordering are both enabled by default. You will see how to enable and disable round robin and netmask ordering in the section titled “Configuring Advanced Properties.”
BIND Options Earlier we briefly hinted that BIND is a simple DNS implementation primarily used by Unix servers. This is true to an extent, but BIND is really just a set of RFCs that standardize the way DNS operates. Windows Server 2003 is actually compliant with several versions of BIND (specifically, BIND 4.9.7, 8.1.2, 8.2, and 9.1.0), which makes the Server 2003 DNS implementation interoperable with other BIND DNS servers. Windows Server 2003 DNS can also be used on the Internet because BIND is the standard for DNS on almost every computer on the planet. We don’t need to get into the specifics of the different versions of BIND, but you should understand two key points about how BIND can affect your Windows Server 2003 environment:
When Windows Server 2003 sends a zone transfer to a secondary DNS server, it sends several compressed resource records simultaneously. Unfortunately, BIND versions prior to 4.9.4 don’t support compression, and they can only receive one RR at a time. If your
264
Chapter 5
Installing and Managing Domain Name Service (DNS)
secondary servers are running older versions of BIND, you will need to disable these features, as you will see in the section titled “Configuring Advanced Properties.”
Active Directory requires DNS and BIND version 8.1.2. Usually you should use Windows Server 2003 DNS servers with Active Directory–Integrated zones, but some companies have long-established Unix-based DNS servers that they need to continue to use. You may need to upgrade these servers if they don’t meet the minimum BIND requirement and you want to use Active Directory.
Queries for Services Windows Server 2003 uses some special domains (not unlike the in-addr.arpa domain you just read about) to make it possible for domain clients to look up services they need. It turns out that RFC 2052 specifies how this mechanism should work. However, there’s a Microsoft twist: The underscore (_) character isn’t legal in domain names, so Microsoft uses it to mark its special domains and to keep them from colliding with RFC 2052–compliant domains. There are a total of four of these trick Windows Server 2003 domains: _msdcs This domain contains a list of all the Windows Server 2003 domain controllers in a designated normal domain. Each domain controller, global catalog, and PDC emulator is listed here. _sites Each site has its own subdomain within the _sites domain. In AD parlance, a site is a group of connected network subnets that have high bandwidth between them. _tcp This domain lists service records for services that run on TCP: LDAP, Kerberos, the kpasswd password changer, and the global catalogs. _udp This domain lists services that run on UDP: Kerberos and the kpasswd service. When any network client wants to find a service (for instance, a domain controller), it can query its DNS server for the appropriate SRV record. By making a recursive query, the client can force the local DNS server to poke around in the domain until it finds the desired information.
Zone Transfers DNS is such an important part of the network that you simply cannot use a single DNS server. If that server fails, the network fails. Adding a secondary server provides DNS redundancy and helps to reduce the load on the primary server because resolvers can distribute their queries across multiple DNS servers. Secondary DNS servers receive their zone databases through zone transfers. When you configure a secondary server for the first time, you must specify the primary server that is authoritative for the zone and will send the zone transfer. The primary server must also permit the secondary server to request the zone transfer. Zone transfers occur in one of two ways; full zone transfers (AXFR) and incremental zone transfers (IXFR). When a new secondary server is configured for the first time, it receives a full zone transfer from the primary DNS server. The full zone transfer contains all of the information in the DNS database. Some DNS implementations always receive full zone transfers.
DNS Fundamentals
265
After the secondary server receives its first full zone transfer, subsequent zone transfers are incremental. The primary name server compares its zone version number with that on the secondary server and sends only the changes that have been made in the interim. This significantly reduces network traffic generated by zone transfers.
Windows NT 4 does not support incremental zone transfers.
Zone transfers are typically initiated by the secondary server when the refresh interval time for the zone expires or when the secondary server boots. Alternatively, you can configure notify lists on the primary server that notify the secondary servers whenever any changes to the zone database occur. You will see exactly how to accomplish this in the section titled “Setting Zone Properties,” later in this chapter. When you consider your DNS strategy, you must carefully consider the layout of your network. If you have a single domain with offices in separate cities, you want to reduce the number of zone transfers across the potentially slow or expensive WAN links, although this is becoming less of a concern as bandwidth seems to multiply daily. ADI zones do away with traditional zone transfers altogether. Instead, they replicate across Active Directory with all of the other AD information. This process is seamless, and you can only configure a couple of options, as you will see later in the section “Setting Zone Properties.” However, because zone replication is so important, you should monitor replication traffic from time to time, or especially if you encounter DNS zone errors. You will learn how to monitor zone replication later in this chapter in the section “Monitoring DNS in Replication Monitor.”
Migrating the DNS Database Files You can migrate the DNS database files from your older systems to Windows Server 2003 in one of three ways: Upgrade Windows NT4 or 2000 to Windows Server 2003 When you upgrade to Windows Server 2003 from NT 4 or 2000, all of your zone files remain intact and are stored in the same folder locations. Manually move the BIND files Because the Windows Server 2003 DNS service is based on BIND and BIND is based on standardized RFCs, you can literally copy and paste BIND files into the DNS directory on the DNS server. Be aware that some features of Unix BIND files won’t be recognized by Windows Server 2003, but that’s OK because you never would have been able to implement those features anyway. Be aware that the BIND files you receive from your Unix brethren use a different naming convention, as shown in Table 5.3. Migrate using zone transfers You can set up your Windows Server 2003 DNS server with secondary zones for each of your primary zones. Then set up your current primary servers to allow the Server 2003 computer to receive zone transfers and immediately perform a full zone transfer. At this point, the Server 2003 DNS server has everything it needs to be the primary server for the domain. All you need to do is convert the zones on the Server 2003 computer to
266
Chapter 5
Installing and Managing Domain Name Service (DNS)
primary zones. If you want your new primary DNS server to perform zone transfers, you will also need to configure the secondary servers in your network to point to the new server and specify that the secondary servers are valid in the primary server’s properties. TABLE 5.3
BIND Files in Windows and Unix
Windows
Unix
Boot
named.boot
domain_name.dns
db.domain_name
IP_network_reverse_notation.dns
db.IP_network_forward_notation
What’s in a Name? Your company has a network that contains many different information systems that include platforms from companies such as Sun, Novell, Microsoft, and IBM. Most environments are not as clean as the vendors imply through their marketing efforts. For quite a while, these various systems tended to be isolated, providing services and managed at the departmental level. Over the past few years, these systems have been bumping into each other, and interoperability has been the name of the game for IS departments. Of course, all the users want is to be able to grab information regardless of the platform that has control over it. They want to share. With the acceptance of standards such as IP and HTTP, connecting these islands has gotten easier these days. But you need more than common protocols and cables to communicate. How do you label these diverse resources on the network so that the nontechnical users can find what they need? In the real world, this can be more of a political problem than a technical one, although there are surely technical issues. For example, NetBIOS names on Windows 9x and Windows NT are limited to 15 characters, whereas Unix machines have a much larger name space. Before you pull out those disks and install your new OS, take a step back and evaluate how your name space scheme will fit and how it will affect what already exists. What should be your naming standard for a workstation or server? Will that standard help the administrator or the user? Consider that a Windows machine can have more than one name, such as a NetBIOS name and a DNS name. In this situation, it’s advisable to keep the host DNS name and the NetBIOS name in harmony so that name resolution will work properly, whether you take the DNS path or the WINS path. Consistency across the network is a good goal, although it’s not always attainable.
Installing and Configuring a DNS Server
267
Installing and Configuring a DNS Server DNS can be installed before, during, or after installing the Active Directory service. If the Active Directory Installation Wizard cannot locate a DNS server, it will ask you if you would like the Active Directory Installation Wizard to install and configure a DNS server for you. Using this feature is the simplest method of installing a DNS server for the Active Directory service. The following sections describe the steps to manually prepare a DNS server and how to further configure Windows Server 2003 DNS to fully support your network infrastructure.
Installing a DNS Server Installing the DNS server is easy because you install it with the same tools you use to add other components. When you install the DNS server, you get the DNS snap-in installed, too. You can open the DNS snap-in by choosing Start Administrative Tools DNS. The snap-in is shown in Figure 5.3. FIGURE 5.3
The DNS snap-in
As you can see, it follows the standard Microsoft Management Console (MMC) model. The left-hand pane shows you which servers and zones are available; you can connect to servers in addition to the one you’re already talking to. Each server contains subordinate items grouped into folders. Each zone has a folder, which is named after the zone itself. In Figure 5.3, you can see that the server SYBEX1 has a forward lookup zone for sybex1.com.
268
Chapter 5
Installing and Managing Domain Name Service (DNS)
In Windows Server 2003, DNS is installed and zones are configured at the same time in back-to-back wizards. You will install the DNS service after you have read the following section, “Configuring a DNS Server.”
Configuring a DNS Server Configuring a DNS server ranges from very easy to very difficult, depending on what you’re trying to make it do. The simplest configuration is a caching-only server; you don’t have to do anything except make sure the server’s root hints are set correctly. You can also configure a root name server or set up round robin and netmask ordering, as you will see.
Configuring a Caching-Only Server Although all DNS name servers cache queries that they have resolved, caching-only servers are DNS name servers that only perform queries, cache the answers, and return the results. They are not authoritative for any domains, and the information that they contain is limited to what has been cached while resolving queries. Accordingly, they don’t have any zone files, and they don’t participate in zone transfers. When a caching-only server is first started, it has no information in its cache; the cache is gradually built over time. Caching-only servers are very easy to configure. After installing the DNS service, simply make sure that the root hints are configured properly. Right-click your DNS server and choose the Properties command. When the Properties dialog box appears, switch to the Root Hints tab (Figure 5.4). If your server is connected to the Internet, you should see a list of root hints for the root servers maintained by InterNIC. If not, use the Add button to add root hints as defined in the cache.dns file. FIGURE 5.4
The Root Hints tab of the DNS server Properties dialog box
Installing and Configuring a DNS Server
269
Configuring a Root Name Server If your Windows Server 2003 computers aren’t directly connected to the Internet, or if you want to prevent them from ever referring queries to the Internet, you can configure them to contain their own root zone. Remember that root zones are treated as the authoritative source of information for a top-level domain; by creating your own root zones, you can control exactly which domains your clients can resolve queries for. The process of doing this is pretty simple: the Configure A DNS Server Wizard appears automatically after you install the DNS service (see Exercise 5.1 later in this chapter), or you can do it manually by right-clicking the DNS server and selecting the Configure A DNS Server command.
Configuring Advanced Properties Earlier in the chapter you saw how round robin and netmask ordering work to load-balance a DNS host. By default, the Windows Server 2003 implementation of DNS enables both round robin and netmask ordering. If you want to disable or enable either of these features, you should select or deselect the appropriate options in the Advanced tab of the server Properties dialog box. If any of your secondary DNS servers run versions of BIND prior to 4.9.4, they won’t be able to process the compressed packets that your Windows Server 2003 computer sends them. You can enable or disable BIND secondaries in the Advanced tab as well.
Creating New Zones You can use the New Zone Wizard to create a new forward or reverse lookup zone. The process is substantially the same, even though the steps and wizard pages differ somewhat. In either case, you create a new zone first by right-clicking the server you want to host the zone and then selecting New Zone. This starts up the New Zone Wizard. You also create new zones using the Configure A DNS Server Wizard, as you will see in Exercise 5.1, although the steps are slightly different.
Creating a New Forward Lookup Zone Once you dismiss the Welcome page, the first choice you have to make is on the Zone Type page. Here, you can choose what kind of zone you want this to be. You can choose from primary, secondary, and stub, as well as whether or not the zone will be stored in Active Directory. Which option you’ll use depends on what you’re doing:
If you want the DNS server to be authoritative for the zone, select the Primary Zone option.
If you want to set up your server as a secondary zone server, choose the Secondary radio button. Later in the process, you’ll be prompted to specify which primary zone you want to transfer data from.
Stub zones contain only the information necessary to identify the authoritative DNS servers for a zone. You would typically only select the stub zone option if your DNS server has delegated child zones that it needs to keep track of. You will learn more about zone delegation later in this chapter.
If you want to store zone data in Active Directory, be sure to check the Store The Zone In Active Directory option. Note that there’s no such thing as an ADI secondary zone.
270
Chapter 5
Installing and Managing Domain Name Service (DNS)
When to Use Stub Zones Looking at the explanation above of stub zones, you might be wondering to yourself why you would ever use them in the first place. In fact, stub zones become particularly useful in a couple of different scenarios. Consider what happens when two large companies merge: big.com and bigger.com. In most cases, the DNS zone information from both companies must be available to every employee. You could set up a new zone on each side that acts as a secondary for the other side’s primary zone, but administrators tend to be very protective of their DNS databases and they probably wouldn’t agree to this plan. Instead, you could add a stub zone to each side that points to the primary server on the other side. When a client in big.com (which you help administer) makes a request for a name in bigger.com, the stub zone on the big.com DNS server would send the client to the primary DNS server for bigger.com without actually resolving the name. At this point it would be up to bigger.com’s primary server to resolve the name. An added benefit is that even if the administrators over at bigger.com change their configuration, you won’t have to do anything because the changes will automatically replicate to the stub zone just as they would for a secondary server. Stub zones can also be useful when you administer two domains across a slow connection. Let’s change the example above a bit and assume that you have full control over big.com and bigger.com, but they connect through a 56k line. In this case, you wouldn’t necessarily mind using secondary zones because you personally administer the entire network, but it could get messy to replicate an entire zone file across that slow line. Instead, use stub zones, which would refer clients to the appropriate primary server at the other site.
No matter which zone type you choose, the next step is to pick whether you want to create a forward or reverse lookup zone. At this point, we’ll assume you want to create a forward zone (the steps for creating a reverse zone are covered in the next section). Forward zones need to have names. You specify the name you want the zone to have using the Zone Name page of the wizard. For an AD-integrated or primary zone, you have to specify the name (including the suffix—microsoft isn’t a valid name, but microsoft.com would be). If you’re creating a secondary zone, there will be a Browse button you can use to locate the primary zone you want to copy. If you’re building a new AD-integrated zone, you’re done once you specify the name. However, if you’re setting up a standard primary zone, you must specify where you want the zone data stored on the Zone File page (Figure 5.5). The default filename will be the same as the zone name with .dns on the end, but you can modify it freely. You can also combine more than one zone’s data into a single zone file, though that makes it a little harder to sort out what’s what.
Installing and Configuring a DNS Server
FIGURE 5.5
271
The Zone File page of the New Zone Wizard
You can also specify how dynamic updates are handled. Specifically, you can choose to allow dynamic updates, allow only secure dynamic updates (on domain controllers only), or not allow dynamic updates. Because secondary zones have to transfer their zone data from somewhere else, you have to specify where exactly it comes from. Figure 5.6 shows the Master DNS Servers page of the New Zone Wizard. Use the controls here to specify which DNS servers your server will contact to request zone transfers. If you specify more than one server here, your server will try the servers in the order specified. FIGURE 5.6
The Master DNS Servers page of the New Zone Wizard
272
Chapter 5
Installing and Managing Domain Name Service (DNS)
Creating a New Reverse Lookup Zone The process of creating a reverse lookup zone is a little different because reverse lookup zones tie addresses to names. On the Reverse Lookup Zone Name page (Figure 5.7), you can specify the reverse lookup zone’s name in two ways. The easy way is to specify the network ID portion of the network the zone covers, using the Network ID radio button and field. The more complex, but equivalent, way is to fill in the name of the reverse zone itself. These two are mostly the same, just inverted: a network ID of 208.15.144 yields a reverse zone name of 144.15.208 .in-addr.arpa. Unless you’re used to the old Unix method, use the Network ID radio button— it’s less likely that you’ll make a mistake with that route. FIGURE 5.7
The Reverse Lookup Zone Name page of the New Zone Wizard
Once you’ve selected which network you want your reverse zone to point to, you have to select a zone file, just as you did when creating a forward lookup zone (see Figure 5.5 earlier in this chapter). You must also choose how to handle dynamic updates in the same way that you did with the forward lookup zone. In Exercise 5.1, you will install the DNS service on a Windows Server 2003 and configure your first zone. You could use the Add Or Revove Program item in Control Panel to install a DNS server, or you could use the alternate method explained in Exercise 5.1. You’ll get the same result with both methods; the DNS server component is installed and appears in the Administrative Tools program group. Microsoft strongly recommends that you configure your DNS servers to use static IP addresses, and we agree. EXERCISE 5.1
Installing and Configuring the DNS Service 1.
Open the Configure Your Server Wizard by selecting Start Administrative Tools Configure Your Server.
Installing and Configuring a DNS Server
273
EXERCISE 5.1 (continued)
2.
Click Next to dismiss the Welcome screen and click Next again to dismiss the Preliminary Steps screen.
3.
Click the DNS Server item in the Server Role list and click Next to continue.
4.
Click Next on the Summary page to complete the DNS installation. You may need to insert the Windows Server 2003 CD into the CD-ROM drive.
5.
If your computer is configured with a dynamic IP address, you will be prompted to use a static address. The Local Area Connection Properties dialog box will automatically appear. Once you have made the necessary changes, click the OK button.
6.
The Configure A DNS Server Wizard automatically appears. Click Next to dismiss the Welcome screen.
7.
Select the Create Forward And Reverse Lookup Zones radio button and click Next to continue. If you want to create a caching-only server, you can select the Configure Root Hints Only option.
8.
Select Yes, Create A Forward Lookup Zone Now and click Next to continue.
9.
Select the Primary Zone option. If your DNS server is also a domain controller, you should select the Store The Zone In Active Directory option. Click Next when you are ready.
10. Enter a new zone name in the Zone Name field and click Next to continue. 11. Leave the default zone filename and click Next. 12. Select the Allow Dynamic Updates radio button and click Next. 13. Select No, Don’t Create A Reverse Lookup Zone Now and click Next to continue. 14. For now, select the No, It Should Not Forward Queries radio button and click Next to continue. 15. Click Finish to end the wizard. The Configure Your Server wizard reappears and informs you that the DNS service was successfully installed. Click the Finish button.
Setting Zone Properties There are six tabs on the Properties dialog box you get when you use the Properties command on a forward or reverse lookup zone. You use the Security tab only to control who can change properties and make dynamic updates to records on that zone. The other tabs are discussed in the following sections.
Secondary zones don’t have a Security tab, and their SOA tab shows you the contents of the master SOA record, which you can’t change.
274
Chapter 5
Installing and Managing Domain Name Service (DNS)
The General Tab The General tab (Figure 5.8) includes the following:
The Status indicator and the associated Pause button lets you see and control whether this zone can be used to answer queries. When the zone is running, the server can use it to answer client queries; when it’s paused, the server won’t answer any queries it gets for that particular zone.
The Type indicator and Change button allow you to change the zone type between standard primary, standard secondary, and AD-integrated. As you change the type, the controls you see below the horizontal dividing line will change too. The most interesting controls are the ones you see for AD-integrated zones. For primary zones, you’ll see a field that lets you select the zone filename; for secondary zones, you’ll get controls that allow you to specify the IP addresses of the primary servers.
The Replication indicator and Change button allow you to change the replication scope if the zone is stored in Active Directory. You can choose to replicate the zone data to all DNS servers in the Active Directory forest, all DNS servers in a specified domain, all domain controllers in the Active Directory domain (required if you use Windows 2000 domain controllers in your domain), and all domain controllers specified in the replication scope of the application directory partition.
The Allow Dynamic Updates field gives you a way to specify whether or not you want to support Dynamic DNS updates from compatible DHCP servers. DHCP server or DHCP client must know about and support Dynamic DNS in order to use it, but the DNS server has to participate, too. You can turn dynamic updates on or off, or you can require that updates must be secured. By default, a standard primary zone won’t accept dynamic updates, but an AD-integrated zone will. You can change these settings at will.
FIGURE 5.8
The General tab of the zone Properties dialog box
Installing and Configuring a DNS Server
275
The Start Of Authority (SOA) Tab The options in the Start Of Authority (SOA) tab (Figure 5.9) control the contents of the SOA record for this zone:
The Serial Number field indicates which version of the SOA record the server currently holds; every time you change another field, you should increment the serial number so that other servers will notice the change and get a copy of the updated record.
The Primary Server and Responsible Person fields indicate the location of the primary NS for this zone and the responsible administrator, respectively.
The Refresh Interval field controls how often any secondary zones of this zone must contact the primary and get any changes that have been posted since the last update.
The Retry Interval field controls how long secondary servers will wait after a zone transfer fails before they try again. They’ll keep trying at the interval you specify (which should be shorter than the refresh interval) until they eventually succeed in transferring zone data.
The Expires After field tells the secondary servers when to throw away zone data. The default of 24 hours means that a secondary server that hasn’t gotten an update in 24 hours will delete its local copy of the zone data.
The Minimum (Default) TTL field sets the default TTL for all RRs created in the zone; you can still assign different TTLs to individual records if you want.
The TTL For This Record field controls the TTL for the SOA record itself.
FIGURE 5.9
The Start Of Authority tab of the zone Properties dialog box
The Name Servers Tab The name server (NS) record for a zone indicates which name servers are authoritative for the zone. That normally means the zone primary and any secondary servers you’ve configured for the zone (remember, secondary servers are authoritative read-only copies of the zone). You
276
Chapter 5
Installing and Managing Domain Name Service (DNS)
edit the NS record for a zone with the Name Servers tab (Figure 5.10). To be more specific, the tab shows you which servers are listed, and you use the Add, Edit, and Remove buttons to specify which name servers you want included in the zone’s NS record. FIGURE 5.10
The Name Servers tab of the zone Properties dialog box
The WINS Tab The WINS tab (Figure 5.11) allows you to control whether this zone uses WINS forward lookups or not. These lookups pass queries that DNS can’t resolve on to WINS for action. This is a useful setup if you’re still using WINS on your network. You must explicitly turn this option on with the Use WINS Forward Lookup checkbox in the WINS tab for a particular zone. FIGURE 5.11
The WINS tab of the zone Properties dialog box
Installing and Configuring a DNS Server
277
The Zone Transfers Tab Zone transfers are necessary and useful because they’re the mechanism used to propagate zone data between primary and secondary servers. For primary servers (whether AD-integrated or not), you can specify whether or not your servers will allow zone transfers and, if so, to whom. You can use the following controls on the Zone Transfers tab (Figure 5.12) to configure these settings per zone:
The Allow Zone Transfers checkbox controls whether or not the server will answer zone transfer requests for this zone at all—when it’s off, no zone data will be transferred.
The To Any Server setting allows any server anywhere on the Internet to request a copy of your zone data.
The Only To Servers Listed On The Name Servers Tab (the default) limits transfers to only those servers listed in the Name Servers tab for this zone. This is a more secure setting than the default because it limits zone transfers to other servers for the same zone.
The Only To The Following Servers setting, along with its corresponding IP address controls, gives you even more control because you can specify exactly which servers are allowed to request zone transfers—this list can be larger, or smaller, than the list specified on the Name Servers tab.
The Notify button is for setting up automatic notification triggers that are sent to secondary servers for this zone. Those triggers signal the secondary servers that changes have occurred on the primary; that way, the secondary servers can request updates sooner than they would with their normally scheduled interval. The options in the Notify dialog box are similar to those in the Zone Transfers tab. You can enable automatic notification and then choose either Servers Listed On The Name Servers Tab or The Following Servers.
FIGURE 5.12
The Zone Transfers tab of the Zone Properties dialog box
278
Chapter 5
Installing and Managing Domain Name Service (DNS)
Configuring Zones for Dynamic Updates Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records. The DNS service allows dynamic updates to be enabled or disabled on a per-zone basis at each server. There are some subtleties that you may not have thought of, though. A Windows 2000 or XP client that has a statically assigned IP address will attempt to register its IP address with a Dynamic DNS server when the IP address changes or when the machine reboots. DHCP clients will update DNS records whenever an IP address assignment changes (for example, when a lease is renewed or issued). In both cases, the DHCP service on the client is responsible for sending the update for all IP addresses assigned to the machine, even those that aren’t using DHCP. What about secure updates? Turning on secure updates has no initial effect on clients because they’ll always try unsecured updates first. If an unsecured update fails, the client will try again with a secure update. If that fails, then the update fails. Secure updates will not work on a client unless the client is in the Computers folder in the Active Directory. What if you’re not using Windows 2000 or XP clients? The Windows Server 2003 DHCP server can register DNS data for machines to which it issues leases. In this role, it’s called a DNS proxy because it’s acting on behalf of another set of machines. Although this gives all your computers access to Dynamic DNS registrations, it opens some worrisome security issues because you must add the DHCP servers you want to act as proxies to the DnsProxyUpdate group in Active Directory. This tells the OS that you want those DHCP servers to be able to register clients, but it also means that any DHCP server running on an AD controller has full access to the DNS registration information—meaning that a malicious DHCP client could potentially poison your DNS information. In Exercise 5.2, you will modify the properties of a forward lookup zone, configuring the zone to use WINS to resolve names not found by querying the DNS name space. In addition, you’ll configure the zone to allow dynamic updates. EXERCISE 5.2
Configuring Zones and Configuring Zones for Dynamic Updates 1.
Open the DNS management snap-in by selecting Start Administrative Tools DNS.
2.
Click the DNS server to expand it and then expand the Forward Lookup Zones folder.
3.
Right-click the zone you want to modify (which may be the one you created in the previous exercise) and choose the Properties command.
4.
Switch to the WINS tab and click the Use WINS Forward Lookup checkbox.
5.
Enter the IP address of a valid WINS server on your network, click Add, and then click OK.
6.
Click the General tab.
Installing and Configuring a DNS Server
279
EXERCISE 5.2 (continued)
7.
Change the value of the Allow Dynamic Updates control to Yes. Click OK to close the Properties dialog box. Notice that there’s now a new WINS Lookup RR in your zone.
Delegating Zones for DNS DNS provides the ability to divide up the name space into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS name space to make additional zones, consider the following reasons to use additional zones:
A need to delegate management of part of your DNS name space to another location or department within your organization.
A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.
A need to extend the name space by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site.
Each new delegated zone requires a primary DNS server just like a regular DNS zone. When delegating zones within your name space, be aware that for each new zone you create, you will need to place in other zones delegation records that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone. In Exercise 5.3, you’ll create a delegated subdomain of the domain you created back in Exercise 5.1. Note that the name of the server to which you want to delegate the subdomain must be stored in an A or CNAME record in the parent domain. EXERCISE 5.3
Creating a Delegated DNS Zone 1.
Open the DNS management snap-in by selecting Start Administrative Tools DNS.
2.
Expand the DNS server and locate the zone you created earlier.
3.
Right-click the zone and choose the New Delegation command.
4.
The New Delegation Wizard appears. Click Next to dismiss the initial wizard page.
5.
Enter ns1 (or whatever other name you like) in the Delegated Domain field of the Delegated Domain Name page. This is the name of the domain for which you want to delegate authority to another DNS server. It should be a subdomain of the primary domain (for example, to delegate authority for huntsville.chellis.net, you’d enter huntsville in the Delegated Domain field). Click Next to complete this step.
280
Chapter 5
Installing and Managing Domain Name Service (DNS)
EXERCISE 5.3 (continued)
6.
When the Name Servers page appears, use the Add button to add the name and IP address(es) of the servers that will be hosting the newly delegated zone. For the purpose of this exercise, enter the zone name you used in Exercise 5.1. Click the Resolve button to automatically resolve this domain name’s IP address into the IP address field. Click OK when you are done. Click Next to continue with the wizard.
7.
Click the Finish button. The New Delegation wizard disappears and you’ll notice the new zone you just created appear beneath the zone you selected in step 4. The newly delegated zone’s folder icon is drawn in gray to indicate that control of the zone is delegated.
Manually Creating DNS Records From time to time you may find it necessary to manually add resource records to your Windows Server 2003 DNS servers. Although Dynamic DNS will free you from the need to fiddle with A and PTR records, other resource types (including MX records, required for the proper flow of SMTP e-mail) still have to be created manually. You can manually create A, PTR, MX, SRV, and 15 other record types. There are only two important things to remember: You must right-click the zone and use either the New Record command or the Other New Records command, and you must know how to fill in the fields of whatever record type you’re using. For example, to create an MX record, you need three pieces of information (the domain, the mail server, and the priority), but to create an SRV record, you need several more. In Exercise 5.4, you will manually create an MX record for the mailtest server in the domain you created back in Exercise 5.1. EXERCISE 5.4
Manually Creating DNS RRs 1.
Open the DNS management snap-in by selecting Start Administrative Tools DNS.
Installing and Configuring a DNS Server
281
EXERCISE 5.4 (continued)
2.
Expand your DNS server, right-click its zone, and use the New Mail Exchanger (MX) command.
3.
Enter mailtest in the Host Or Child Domain field, and enter mailtest.yourDomain.com (or whatever domain name you used in Exercise 5.1) in the Fully Qualified Domain Name (FQDN) Of Mail Server field and then click OK. Notice that the new record is already visible.
4.
Next, create an alias (or CNAME) record to point to the mail server. (It is assumed that you already have an A record for mailtest in your zone.)
5.
Right-click the target zone and choose Other New Records. When the Resource Record Type dialog box appears, find Alias in the list and select it.
282
Chapter 5
Installing and Managing Domain Name Service (DNS)
EXERCISE 5.4 (continued)
6.
Click the Create Record button. The New Resource Record dialog box appears.
7.
Type mail into the Alias Name field.
8.
Type mailtest.yourDomain.com into the Fully Qualified Domain Name (FQDN) For Target Host field.
9.
Click the OK button and then close the Resource Record Type dialog box.
The Politics of DNS Your company has made a commitment to a complete migration to Windows Server 2003, mainly to keep up with the next version of NT and to take advantage of the lower cost of administration. You know that the tools to realize this lower cost of administration depend on the global policies, which in turn depend on Active Directory. However, the real issue is that Active Directory depends on DNS, specifically Dynamic DNS, for the registration of Windows 2000, XP, and Server 2003 as resources.
Monitoring and Troubleshooting DNS
283
You’ve spent many hours beefing up your DNS knowledge and are ready to strap DNS into the network. But as soon as you bring it up, you get a nasty message, with incredulous tones, from the Unix guys down the hall, asking, “What in the heck do you think you’re doing?” You try to explain how the new version of DNS is dynamic and is used to register services and workstations for the new and improved Windows Server 2003 network. Now that you’ve wasted your breath, you have to dig in and figure out how to interoperate with your Unix brethren. Unless your shop is already completely Windows and is already running the company DNS, it’s very unlikely that the corporate DNS is going to run on a Microsoft platform. It’s also unlikely that the Unix DNS that’s running in your shop supports dynamic updates. You are probably going to have an uneasy period in which you’ll be given your own zone from the authoritative DNS where you’ll create the Windows Server 2003 name space in your own world. This isn’t necessarily a bad thing, but you should prepare for it appropriately. One of the ways you can prepare to work with the Unix side is to understand the Unix DNS as well as the Windows version so that you’ll know how they will work together and what problems could ensue with issues such as sending updates to their servers. The Windows Server 2003 DNS is an excellent implementation that follows all the latest RFC standards and will continue to do so. However, as we have all seen, politics plays a growing role in our information systems as they mature and become more and more important in our corporate lives.
Monitoring and Troubleshooting DNS Now that you have set up and configured your DNS name server and created some resource records, you will want to confirm that it is resolving and replying to client DNS requests. There are tools that allow you to do some basic monitoring and managing. Once you are able to monitor DNS, you’ll want to start troubleshooting. The simplest test is to use the ping command to make sure the server is alive. A more exhaustive test would be to use nslookup to verify that you can actually resolve addresses for items on your DNS server. In the following sections, we’ll look at some of these monitoring and management tools, as well as how to troubleshoot DNS.
Monitoring DNS with the DNS Snap-in You can use the DNS snap-in to do some basic server testing and monitoring. More importantly, you use the snap-in to monitor and set logging options. On the Event Logging tab of the server Properties dialog box (Figure 5.13), you can pick which events you want logged. The more events you select, the more log information you’ll get. This is useful when you’re trying to track what’s happening with your servers, but it can result in a very, very large log file if you’re not careful.
284
Chapter 5
FIGURE 5.13
Installing and Managing Domain Name Service (DNS)
The Event Logging tab of the server Properties dialog box
The Monitoring tab (Figure 5.14) gives you some testing tools. The A Simple Query Against This DNS Server test asks for a single record from the local DNS server; it’s useful for verifying that the service is running and listening to queries, but not much else. The A Recursive Query To Other DNS Servers test is more sophisticated, using a recursive query to see whether forwarding is working okay. The Test Now button and the Perform Automatic Testing At The Following Interval control allow you to run these tests now or later, as you require. FIGURE 5.14
The Monitoring tab of the Server Properties dialog box
Monitoring and Troubleshooting DNS
285
If the simple query fails, check that the local server contains the zone 1.0.0.127 .in-addr.arpa. If the recursive query fails, check that your root hints are correct and that your root servers are running.
In Exercise 5.5, you will enable logging, use the DNS MMC to test the DNS server, and view the contents of the DNS log. EXERCISE 5.5
Simple DNS Testing 1.
Open the DNS management snap-in by selecting Start Administrative Tools DNS.
2.
Right-click the DNS server you want to test and select Properties.
3.
Switch to the Debug Logging tab, check all the debug logging options except Filter Packets By IP Address, and enter a full path and filename in the File Path And Name field. Click the Apply button.
4.
Switch to the Monitoring tab, and check both A Simple Query Against This DNS Server and A Recursive Query To Other DNS Servers.
5.
Click the Test Now button several times and then click OK.
6.
Using Windows Explorer, navigate to the folder that you specified in step 3 and use WordPad to view the contents of the log file.
Monitoring DNS Servers with System Monitor After you install the DNS service, you will be able to select the DNS object in the Windows Server 2003 System Monitor. This object contains many different counters that are related to monitoring DNS server performance and usage.
Chapter 5
286
Installing and Managing Domain Name Service (DNS)
Using the System Monitor, you can generate statistics on the following types of information:
AXFR requests (all-zone transfer requests)
IXFR requests (incremental zone transfer requests)
DNS server memory usage
Dynamic updates
DNS Notify events
Recursive queries
TCP and UDP statistics
WINS statistics
Zone transfer issues
All of this information can be analyzed easily using the Chart, Histogram, or Report views of the System Monitor. Additionally, you can use the Alerts function to automatically notify you (or other system administrators) whenever certain performance statistic thresholds are exceeded. For example, if the total number of recursive queries is very high, you might want to be notified so you can examine the situation. Finally, information from Performance Logs And Alerts can be stored to a log data file.
The System Monitor application in Windows Server 2003 is an extremely powerful and useful tool for managing and troubleshooting systems. You should become familiar with its various functions to ensure that system services are operating properly.
Monitoring DNS Events in the Event Viewer By default, Windows Server 2003 automatically logs DNS events in the event log under a distinct DNS server heading. Conveniently, the DNS snap-in contains a copy of the DNS event log so that you don’t have to switch out of the utility to view the log. Table 5.4 lists some of the more common events. TABLE 5.4
DNS Event IDs
Event ID
Description
2
The DNS server has started. This message generally appears at startup when either the server computer is started or the DNS Server service is manually started.
3
The DNS server has shut down. This message generally appears when either the server computer is shut down or the DNS Server service is stopped manually.
Monitoring and Troubleshooting DNS
TABLE 5.4
287
DNS Event IDs (continued)
Event ID
Description
414
The server computer currently has no primary DNS suffix configured. Its DNS name is currently a single label hostname. For example, its currently configured name is host rather than host.example.microsoft.com or another fully qualified name.
708
The DNS server did not detect any zones of either primary or secondary type. It will run as a caching-only server but will not be authoritative for any zones.
3150
The DNS server wrote a new version of zone zonename to file filename. You can view the new version number by clicking the Record Data tab. This event should appear only if the DNS server is configured to operate as a root server.
6527
Zone zonename expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
Monitoring DNS in Replication Monitor As you saw earlier, ADI zones do not use traditional zone transfers. Instead, they are replicated along with the other Active Directory information. To diagnose ADI zone replication errors, you should look at AD replication itself. Windows Server 2003 does not include support for AD replication monitoring by default. You must install the support tools included on the Windows Server 2003 CD in order to run the Replication Monitor utility, as shown in Exercise 5.6.
The Windows Server 2003 CD must be in the drive or you must have access to the CD via a remote share in order to complete Exercise 5.6. In addition, you should perform the steps of this exercise and the following exercise on a domain controller that is also configured as a DNS server.
EXERCISE 5.6
Installing and Running Replication Monitor 1.
In Windows Explorer, navigate to the \SUPPORT\TOOLS\ folder on the Windows Server 2003 CD.
2.
Double-click the SUPTOOLS.MSI file that appears in the folder.
3.
The Support Tools Installation Wizard guides you through the installation process. To ensure smooth operation of the support tools, be sure to install them to the default directory.
4.
After the installation is complete, you can run the Replication Monitor by selecting Start Run and entering REPLMON in the Run dialog box.
288
Chapter 5
Installing and Managing Domain Name Service (DNS)
The Replication Monitor window is shown in Figure 5.15. When you first start Replication Monitor, the window is empty. You must manually add servers to monitor, as you will see in Exercise 5.7. In the figure, you can see that a server has already been added. The individual components of Active Directory are displayed under the server name. FIGURE 5.15
The Replication Monitor window
The two most practical uses for Replication Monitor are viewing failed replications and manually initiating replication between domain controllers. If you find that DNS information is not synchronized between servers, you can be sure that replication failed at some point due to any number of reasons (usually a router failure between sites). Replication Monitor will tell you exactly when the replication failed. If you notice a failure and replication isn’t scheduled to occur soon, you should manually initiate replication to get those DNS updates immediately. Exercise 5.7 shows you how to add one or more servers to the Replication Monitor, check for replication failure, and initiate replication manually. EXERCISE 5.7
Working with Replication Monitor 1.
Open Replication Monitor by selecting Start Run and entering REPLMON in the Run dialog box.
2.
To add a server to the Replication Monitor window, right-click Monitored Servers and select Add Monitored Server from the pop-up menu.
3.
The Add Monitored Server Wizard appears. Select either Add The Server Explicitly By Name or Search The Directory For The Server To Add. If you chose the latter option, you must specify a domain to search in the list of domains. Click Next when you are done.
Monitoring and Troubleshooting DNS
289
EXERCISE 5.7 (continued)
4.
Depending on the option you chose in the previous step, you will be prompted to either enter a server name or choose a server from a list. In either case, enter or choose the server to monitor and click Finish.
5.
To search for replication errors, click the Action menu and select Domain Search Domain Controllers For Replication Errors.
6.
The Search Domain Controllers For Replication Failures window appears. Click the Run Search button and enter the name of the domain to search. After a few moments, Replication Monitor should list any failures in the Search Domain Controllers For Replication Failures window. Click Close.
7.
You can manually synchronize either the entire Active Directory or just individual pieces. In order to synchronize the domain DNS zones only, right click the DC=DomainDNSZones,DC=domain,DC=suffix item under the monitored server and select Synchronize This Directory Partition With All Servers from the pop-up menu.
8.
Depending on how your domain is configured, you can choose the Disable Transitive Replication, Push Mode, or Cross Site Boundaries checkboxes. In this case, leave them blank and click OK.
9.
You will be prompted to confirm the replication. Click Yes.
10. Click OK at the success notification.
Troubleshooting DNS When troubleshooting DNS problems, ask yourself the following basic questions:
What application is failing? What works? What doesn’t work?
Is the problem basic IP connectivity, or is it name resolution? If the problem is name resolution, does the failing application use NetBIOS names, DNS names, or hostnames?
How are the things that do and don’t work related?
Have the things that don’t work ever worked on this computer or network? If so, what has changed since they last worked?
Windows Server 2003 provides several useful tools that can help you answer these questions. This section discusses the following tools:
Nslookup, which is used to perform DNS queries and to examine the contents of zone files on local and remote servers
Ipconfig, which is used to view DNS client settings, display and flush the resolver cache, and force a dynamic update client to register its DNS records
The DNS log file, which monitors certain DNS server events and logs them for your edification
Chapter 5
290
Installing and Managing Domain Name Service (DNS)
Using Nslookup Nslookup is a standard command-line tool provided in most DNS server implementations, including Windows Server 2003. It offers the ability to perform query testing of DNS servers and to obtain detailed responses at the command prompt. This information can be useful for diagnosing and solving name resolution problems, for verifying that resource records are added or updated correctly in a zone, and for debugging other server-related problems. You can do a number of useful things with nslookup:
Use it in noninteractive mode to look up a single piece of data
Enter interactive mode and use the debug feature
Perform the following from within interactive mode:
Set options for your query
Look up a name
Look up records in a zone
Perform zone transfers
Exit nslookup
When you are entering queries, it is generally a good idea to enter FQDNs so you can control what name is submitted to the server. However, if you want to know which suffixes are added to unqualified names before they are submitted to the server, you can enter nslookup in debug mode and then enter an unqualified name.
Let’s start with using nslookup in plain old command-line mode: nslookup name server
This code will look up a DNS name or address named name using a server at an IP address specified by server. However, nslookup is a lot more useful in interactive mode because you can enter several commands in sequence. Running nslookup by itself (without specifying a query or server) puts it in interactive mode, where it will stay until you type exit and press Enter. Before that point, you can look up lots of useful stuff. While in interactive mode, you can use the set command to configure how the resolver will carry out queries. Table 5.5 shows a few of the options available with set. TABLE 5.5
Command-Line Options Available with the set Command
Option
Purpose
set all
Shows all the options available with the set option.
set d2
Puts nslookup in debug mode so you can examine the query and response packets between the resolver and the server.
Monitoring and Troubleshooting DNS
TABLE 5.5
291
Command-Line Options Available with the set Command (continued)
Option
Purpose
set domain=domain name
Tells the resolver what domain name to append for unqualified queries.
set timeout=
Tells the resolver which time-out to use. This option is useful for slow links where queries frequently time out and the wait time must be lengthened.
set type=record type
Tells the resolver which type of resource records to search for (for example, A, PTR, or SRV). If you want the resolver to query for all types of resource records, type set type=all.
While in interactive mode, you can look up a name just by typing it: name server. In this example, name is the owner name for the record you are looking for, and server is the server that you want to query. You can use the wildcard character (*) in your query. For example, if you want to look for all resource records that have K as the first letter, just type k* as your query. If you want to query for a particular type of record (for instance, an MX record), use the Set Type command: Set type=mx
This example tells nslookup that you’re only interested in seeing MX records that meet your search criteria. There are a couple of other things you can do with nslookup. You can get a list of the contents of an entire domain with the Ls command. To find all the hosts in the apple.com domain, you’d type Set type=a and then type Ls -t apple.com. You can also simulate zone transfers by using the Ls command with the -d switch. This can help you determine whether or not the server you are querying allows zone transfers to your computer. To do this, type the following: ls -d <domain name>. A successful nslookup response looks like this: Server: Name_of_DNS_server Address: IP_address_of_DNS_server Response_data
Nslookup might also return an error. The following message means that the resolver did not locate a PTR resource record (containing the hostname) for the server IP address. Nslookup can still query the DNS server, and the DNS server can still answer queries: DNS request timed out. Timeout was x seconds. *** Can't find server name for address : Timed out *** Default servers are not available Default Server: Unknown Address: IP_address_of_DNS_server
292
Chapter 5
Installing and Managing Domain Name Service (DNS)
The following message means that a request timed out. This might happen, for example, if the DNS service was not running on the DNS server that is authoritative for the name: *** Request to Server timed-out
The following message means that the server is not receiving requests on UDP port 53: *** Server can't find Name_or_IP_address_queried_for: No response from server
If the DNS server was unable to find the name of IP address in the authoritative domain, you’d get the following message: *** Server can't find Name_or_IP_address_queried_for: Non-existent domain
The authoritative domain might be on the remote DNS server or on another DNS server that this DNS server is able to reach. The following message generally means that the DNS server is running but is not working properly: *** Server can't find Name_or_IP_address_queried_for: Server failed
For example, it might include a corrupted packet, or the zone in which you are querying for a record might be paused. However, this message can also be returned if the client queries for a host in a domain for which the DNS server is not authoritative and the DNS server cannot contact its root servers, or it is not connected to the Internet, or it has no root hints. In Exercise 5.8, you’ll get some hands-on practice with the nslookup tool. EXERCISE 5.8
Using the nslookup Command 1.
Open a Windows Server 2003 command prompt by selecting Start All Programs Accessories Command Prompt.
2.
Type nslookup and press the Enter key. (For the rest of the exercise, use the Enter key to terminate each command.)
3.
Nslookup will start, displaying a message that tells you the name and IP address of the default DNS server. Write these down; you’ll need them later.
4.
Try looking up a well-known address: type www.microsoft.com. Notice that the query returns several IP addresses (Microsoft load-balances Web traffic by using multiple servers in the same DNS record).
5.
Try looking up a nonexistent host: type www.fubijar.com. Notice that your server complains that it can’t find the address. This is normal behavior.
6.
Change the server to a nonexistent host (try making up a private IP address that you know isn’t a DNS server on your network, like 10.10.10.10). Do this by typing server ipAddress. Nslookup will try to turn the IP address into a hostname. Eventually it will display a message telling you that the new default server is using the IP address you specified.
7.
Try doing another lookup of a known DNS name. Type www.microsoft.com. Notice that nslookup is contacting the server you specified and that the lookup times out after a few seconds.
Monitoring and Troubleshooting DNS
293
EXERCISE 5.8 (continued)
8.
Reset your server to the original address you wrote down in step 3.
9.
If doing so won’t disrupt your network, unplug your computer from the network and repeat steps 4–8. Notice the difference in behavior.
Using Ipconfig You can use the command-line tool ipconfig to view your DNS client settings, to view and reset cached information used locally for resolving DNS name queries, and to register the resource records for a dynamic update client. If you use the ipconfig command with no parameters, it displays DNS information for each adapter, including the domain name and DNS servers used for that adapter. Table 5.6 shows some command-line options available with ipconfig. TABLE 5.6
Command-Line Options Available for the ipconfig Command
Command
What It Does
ipconfig /all
Displays additional information about DNS, including the FQDN and the DNS suffix search list.
ipconfig /flushdns
Flushes and resets the DNS resolver cache. For more information about this option, see the section “Configuring a DNS Server” earlier in this chapter.
ipconfig /displaydns
Displays the contents of the DNS resolver cache. For more information about this option, see “Configuring a DNS Server” earlier in this chapter.
ipconfig /registerdns
Refreshes all DHCP leases and registers any related DNS names. This option is available only on Windows 2000 and newer computers that run the DHCP Client service.
Using the DNS Log File You can configure the DNS server to create a log file that records the following information:
Queries
Notification messages from other servers
Dynamic updates
Content of the question section for DNS query messages
Content of the answer section for DNS query messages
Number of queries this server sends
Number of queries this server has received
Number of DNS requests received over a UDP port
294
Chapter 5
Installing and Managing Domain Name Service (DNS)
Number of DNS requests received over a TCP port
Number of full packets sent by the server
Number of packets written through by the server and back to the zone
The DNS log appears in systemroot\System32\dns\Dns.log. Because the log is in RTF format, you must use WordPad or Word to view it. You can change the directory and filename in which the DNS log appears by adding the following entry to the Registry with the REG_SZ data type: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\LogFilePath
Set the value of LogFilePath equal to the name of the file and path where you want to locate the DNS log. By default, the maximum file size of Dns.log is 4MB. If you want to change the size, add the following entry to the Registry with the REG_DWORD data type: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS \Parameters\LogFileMaxSize
Set the value of LogFileMaxSize equal to the desired file size in bytes. The minimum size is 64Kb. Once the log file reaches the maximum size, Windows Server 2003 writes over the beginning of the file. If you make the value higher, data persists for a longer time but the log file consumes more disk space. If you make the value smaller, the log file uses less disk space but the data persists for a shorter time.
Do not leave DNS logging turned on during normal operation because it sucks up both processing and hard disk resources. Enable it only when diagnosing and solving DNS problems.
Summary DNS was designed to be a robust, scalable, high-performance system for resolving friendly names to TCP/IP host addresses. We started by presenting an overview of the basics of DNS and how DNS names are generated. We then looked at the many features available in Microsoft’s version of DNS and focused on how to install, configure, and manage the necessary services. Important points to remember include the following:
DNS is based on a widely accepted standard. It is designed to resolve friendly network names to IP addresses.
DNS names are hierarchical and are read from right (least specific) to left (most specific).
DNS zones are created to create a database of authoritative information for the hosts in a specific domain.
Within DNS zones, servers can assume various roles.
Through the use of replication, multiple DNS servers can remain synchronized.
Exam Essentials
295
Exam Essentials Understand the purpose of DNS. DNS is a standard set of protocols that defines a mechanism for querying and updating address information in the database, a mechanism for replicating the information in the database among servers, and a schema of the database. Understand the different parts of the DNS database. The SOA record defines the general parameters for the DNS zone, including who the authoritative server is for the zone. NS records list the name servers for a domain; they allow other name servers to look up names in your domain. A host record (also called an address or an A record) statically associates a host’s name with its IP addresses. Pointer records (PTRs) map an IP address to a hostname, making it possible to do reverse lookups. Alias records allow you to use more than one name to point to a single host. The MX record tells you which servers can accept mail bound for a domain. SRV records tie together the location of a service (like a domain controller) with information about how to contact the service. Know how DNS resolves names. With iterative queries, a client asks the DNS server for an answer, and the client, or resolver, returns the best kind of answer it has. In a recursive query, the client sends a query to one name server, asking it to respond either with the requested answer or with an error. The error states either that the server can’t come up with the right answer or that the domain name doesn’t exist. With inverse queries, instead of supplying a name and then asking for an IP address, the client first provides the IP address and then asks for the name. Understand the difference between DNS servers, clients, and resolvers. Any computer providing domain name services is a DNS server. A DNS client is any machine issuing queries to a DNS server. A resolver handles the process of mapping a symbolic name to an actual network address. Know how to install and configure DNS. DNS can be installed before, during, or after installing the Active Directory service. When you install the DNS server, the DNS snap-in is installed, too. Configuring a DNS server ranges from very easy to very difficult, depending on what you’re trying to make it do. In the simplest configuration, for a caching-only server, you don’t have to do anything except make sure the server’s root hints are set correctly. You can also configure a root server, a normal forward lookup server, and a reverse lookup server. Know how to create new forward and reverse lookup zones. You can use the New Zone Wizard to create a new forward or reverse lookup zone. The process is substantially the same for both types, but the specific steps and wizard pages differ somewhat. The wizard will walk you through the steps, such as specifying a name for the zone (in the case of forward lookup zones) or the network ID portion of the network that the zone covers (in the case of reverse lookup zones). Know how to configure zones for dynamic updates. The DNS service allows dynamic updates to be enabled or disabled on a per-zone basis at each server. This is easily done in the DNS snap-in. Know how to delegate zones for DNS. DNS provides the ability to divide up the name space into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When delegating zones within your name space, be aware that for each new zone you create, you’ll need delegation records in other zones that point to the authoritative DNS servers for the new zone.
296
Chapter 5
Installing and Managing Domain Name Service (DNS)
Understand the tools that are available for monitoring and troubleshooting DNS. You can use the DNS snap-in to do some basic server testing and monitoring. More importantly, you use the snap-in to monitor and set logging options. The DNS object in the Windows Server 2003 System Monitor contains many different counters that are related to monitoring DNS server performance and usage. In addition, Windows Server 2003 automatically logs DNS events in the event log under a distinct DNS server heading. The Replication Monitor can be configured to resolve DNS errors for ADI zones. Nslookup offers the ability to perform query testing of DNS servers and to obtain detailed responses at the command prompt. You can use the commandline tool ipconfig to view your DNS client settings, to view and reset cached information used locally for resolving DNS name queries, and to register the resource records for a dynamic update client. Finally, you can configure the DNS server to create a log file that records queries, notification messages, dynamic updates, and various other DNS information.
Key Terms Before you take the exam, be certain you are familiar with the following terms: Active Directory–Integrated (ADI) zone
Replication Monitor
DNS client
resolvers
DNS proxy
resource records (RRs)
DNS server
reverse lookups
Dynamic DNS (DDNS) standard
root server
host record
secondary DNS server
name server
service (SRV) record
name server (NS) records
subdomains
pointer (PTR) record
zone
primary DNS server
zone transfers
Review Questions
297
Review Questions 1.
You are the network administrator for a large sales organization with four distinct regional offices situated in different areas of the United States. Your Windows Server 2003 computers are all in place, and you have almost finished migrating all the workstations to Windows 2000 and XP Professional. Your next step is to implement a single Active Directory tree, but you want to put your DNS infrastructure in place before you start building your tree. Because DNS is a critical component for the proper functioning of Active Directory, you want to make sure that each region will have service for local resources as well as good performance. What should you do to realize these requirements? A. Install a single DNS server at your location and create a separate domain name for each
region for resolution of local resources. B. Install a DNS server at each regional location and create a single domain name for all
the regions for resolution of local resources. C. Install a single DNS server at your location and create a single domain name for all the
regions for resolution of local resources. D. Install a DNS server at each regional location and create a separate domain name for
each region for resolution of local resources. 2.
The following diagram outlines DNS name resolution through recursion. Move each item into the correct position so that the flow of DNS traffic is correct. Choices: Client uses IP address to connect to www.company.com. Root-level server resolves name. Server returns IP address and caches name. Client requests IP address. Server cannot resolve name. Forwards request.
Client Machine
Preferred DNS Server
www.company.com Root-Level Server
298
3.
Chapter 5
Installing and Managing Domain Name Service (DNS)
After upgrading your Windows NT network to Windows Server 2003, you decide that you want to implement Active Directory. Your network consists of 3 Windows Server 2003 computers, 65 Windows 2000 and XP Professional workstations, and 3 Unix workstations, one of them running a large laser printer and another a fax server. You’ve been using a DNS server on one of the Unix boxes for Internet browsing only, but now you’ll need DNS for Active Directory. You deploy the Windows Server 2003 DNS service, replacing the DNS on the Unix box and configuring it for dynamic updates. After you deploy Active Directory, everything appears to work fine—the users can connect to resources on the network through hostnames. However, it becomes apparent that the fax server and the laser printer are no longer accessible via their hostnames. What is the most likely cause of this problem? A. You need to disable dynamic updates on the DNS server. B. You need to install WINS to resolve the hostnames on the Unix machines. C. You need to manually add A resource records for the Unix machines. D. You need to integrate the primary DNS zone into Active Directory.
4.
You have been brought into an organization that has a variety of computer systems. Management is trying to tie these systems together and to at least minimize the administrative efforts required to keep the network-provided services running. The systems consist of 4 Windows NT servers, 7 Windows Server 2003 computers, 300 Windows 2000 and XP Professional workstations, 100 Windows NT workstations, 30 Unix clients, and 3 Unix servers. Management wants to continue the migration toward the new versions of Windows and also to expand the number of Unix servers as the need arises. Presently, they are using WINS running on the Windows NT servers and a DNS service on one of the Unix servers that points to an ISP and provides all hostname resolution. What would be your recommendation for providing name resolution service for this organization? A. Install the Windows Server 2003 DNS service on the Windows Server 2003 computer. B. Install the WINS service on the Unix server. C. Upgrade the DNS on the Unix server to the Windows Server 2003 DNS. D. Use the standard DNS service that is already on the Unix server.
5.
Jerry wants to configure a Windows Server 2003 DNS server so that it can answer queries for hosts on his intranet but not on the Internet. He can accomplish this by doing which of the following? (Choose two.) A. Installing the DNS server inside his company’s firewall B. Configuring his server as a root server and leaving out root hints for the top-level domains C. Leaving forwarding turned off D. Disabling recursive lookups
Review Questions
6.
299
Your company has been extraordinarily successful with its e-commerce site. In fact, because your customers have come to expect such a high level of reliability, you want to build several servers that mirror each other; just in case one of them fails, you will still be able to provide excellent service for your customers. The name of the web server is www.stuffforyou.com, which you are duplicating on machines on different subnets, and you have made all the necessary host records in the DNS. After a while you notice that only one machine is responding to client requests. You are not the original administrator for the company, so you suspect some of the default settings were changed before you arrived. What must you check so that all the mirrored web servers can be utilized by your customers? A. Enable DNS sharing. B. Enable IIS sharing. C. Enable round robin. D. Enable request redirector. E. Configure the proper priorities metric for this hostname.
7.
Your company has offices in six cities across the country. Each location is relatively autonomous because the locations provide different services under a larger corporate umbrella. As a result, each network has its own support staff. Even though the locations are fairly independent, their standards and deployed technologies are still overseen by the corporate office, to minimize costs. Part of this centralization is supplying primary DNS name resolution services for all the locations. However, the company also uses slow links between the offices, which is causing name resolution performance issues when the requests are for resources across the WAN. You want to resolve this by installing an additional DNS server at each location without increasing zone transfers across the WAN links. Which type of DNS server should you deploy in each location to ensure the results you desire? A. Slave server B. Caching-only server C. Another secondary server D. Master server
300
8.
Chapter 5
Installing and Managing Domain Name Service (DNS)
You are almost finished with your migration from Windows NT, NetWare, and Banyan to Windows Server 2003. The various operating systems were a result of several companies coming together during a flurry of mergers. The Banyan portion of the network is gone now, and the NetWare migration is well under way. You also have several Unix servers and workstations that are managed by their own group. You are in the process of building the Windows Server 2003 DNS infrastructure. The Unix group has been running DNS BIND 2.4.1 for the organization because it was primarily used for Internet name resolution. Because DNS is critical to the functioning of Windows Server 2003 Active Directory, there is justification for Windows Server 2003 DNS to have the authority to be the primary zone for the network. However, the Unix group will still maintain the DNS server for the group and use the Windows Server 2003 DNS as the authority. When you finally configure the DNS servers, you cannot get the Unix DNS server to receive zone transfers from the Windows Server 2003 DNS. How must you configure the Windows Server 2003 DNS to send zone transfers to the Unix DNS? A. Disable the dynamic updates on the Windows Server 2003 DNS server. B. Enable round robin on the Windows Server 2003 DNS server. C. Enable dynamic updates on the Unix DNS server. D. Configure the BIND secondaries option on the Windows Server 2003 DNS server. E. Enable secure updates on the Windows Server 2003 DNS server.
9.
The company you work for has six locations around the country. You are part of the administrative team based in the central office, and you have finished upgrading the workstations and servers to Windows XP and Server 2003. Your team is now in the process of deploying DNS in order to support your manager’s planned implementation of a single Active Directory tree so you can support the network from your central location. Because you must support name resolution for six offices, you want to provide an efficient and responsive service for the users. Which of the following is the best approach to support your plans for a single Active Directory tree and provide the efficiency and responsiveness for the users in this situation? A. Create a single second-level name and maintain all the DNS servers at your central
office to ease administration. B. Create a single second-level name and deploy a DNS server at each location in the
network. C. Create a second-level name for each city and maintain all the DNS servers at your
central office to ease administration. D. Create a second-level name for each city and deploy a DNS server at each location in
the network.
Review Questions
301
10. You want to quickly verify that your DNS service is running and listening to queries. What would you click on or look at in the dialog box shown in the following exhibit in order to do this?
A. The Name Servers area of the Root Hints tab B. The Add button C. The Monitoring tab D. The Interfaces tab 11. Acme Bowling Pin Company, with offices in 4 states, has been acquired by Roadrunner Enterprises, which has offices in 14 states and is a highly diversified organization. Although the various companies are managed independently, the parent company is very interested in minimizing costs by taking advantage of any shared corporate resources; it also wants to have overall central control. This means that you, the network administrator for Acme Bowling Pin Company, will manage your own DNS name space but will still be under the umbrella of the parent organization. Which of the following will best accomplish these goals? A. Have each location, including yours, register its own name space and manage its DNS
system independently. B. Register a single domain name for Roadrunner Enterprises and use delegated subdomains
on a single DNS server at corporate headquarters to provide name resolution across the enterprise. C. Register a single domain name for Roadrunner Enterprises and use delegated sub-
domains on DNS servers installed at each location to provide name resolution across the enterprise. D. Have each location, including yours, register its own name space and add it on a single
DNS server at corporate headquarters to provide name resolution across the enterprise.
302
Chapter 5
Installing and Managing Domain Name Service (DNS)
12. A DNS client sends a recursive query to its local DNS server, asking for the IP address of www.bigbrother.gov. The DNS server finds no local zones corresponding to the requested domain name, so it sends a request to a root name server. What does the root name server reply with? A. The IP address of the name server for the bigbrother.gov domain B. The DNS name of the Gov top-level domain C. The IP address of www.bigbrother.gov D. The IP address of the name server for the Gov top-level domain 13. You have a private network that contains several DNS zones and servers, including a couple of root name servers. You never need to change any of your DNS data. You find that the load on one of your name servers is inordinately high. What can you do to reduce this load? A. Increase the TTL on the affected name server. B. Decrease the TTL on the affected name server. C. Add a service record to the affected name server. D. Edit the directory command in the DNS boot file. 14. You are charged with upgrading your Windows NT network to Windows Server 2003. You plan on installing Active Directory and upgrading all your client machines to Windows XP Professional. Your company does not allow Internet access because the company president still views it, as well as e-mail, as a time-wasting toy that distracts the employees. Despite what you feel is a shortsighted view by management, you begin to design the upgrade process. You realize that DNS is an important component of Windows Server 2003, even though you won’t be using it to locate resources on the Internet. What DNS records must you include in the configuration of the Windows Server 2003 DNS service in this environment? (Choose all that apply.) A. Host record B. Pointer record C. Alias record D. Name server records E. Start of authority record F. Mail exchange record G. Service record 15. A spammer is attempting to send junk mail through an unsuspecting mail server. The spammer uses a fake DNS name from which he thinks the mail server will accept mail, but he is rejected anyway. How does the mail server know to reject the spammer’s mail? A. The spammer’s DNS name is not in the cache file of the primary DNS server that serves the
mail server’s domain, so it gets rejected. B. A fake DNS name is automatically detected if the IP address isn’t recognized by the
mail server. C. The mail server employs a reverse lookup zone to verify that DNS names are not fake. D. The spammer does not have an MX record in the database of the DNS server that serves the
mail server’s domain.
Answers to Review Questions
303
Answers to Review Questions 1.
B. A DNS server installed at each regional location will provide name and service resolution even if the WAN links go down. The local location will also have better performance because the requests will not have to travel through the WAN links. A single domain name for all the locations is needed because your requirement is to have one Active Directory tree with a contiguous name space.
2. Client requests IP address. Client Machine
Client uses IP address to connect to www.company.com.
Server returns IP address and caches name.
Preferred DNS Server
Server cannot resolve name. Forwards request. Root-level server resolves name.
www.company.com Root-Level Server
The client machine places its request with its preferred DNS server. If the DNS server doesn’t have an entry in its DNS database, it forwards the request to a root-level server. The root-level server resolves the name and sends it back to the preferred DNS server. The DNS server caches the name so that any future requests don’t need to be forwarded, and then it sends the IP address to the client. The client then uses the IP address to reach the intended target. 3.
C. Windows 2000 and newer computers will register themselves in the DNS through dynamic updates. However, the Unix machines will not register themselves in the DNS. These machines will have to be added manually into the DNS so that the other clients can locate them. If you disabled the Dynamic DNS updates, you would then have to add all the workstations on the network to the DNS manually. WINS is useful only for NetBIOS name resolution to IP addresses. Integrating the DNS records into Active Directory will have no effect on retrieving the hostnames of machines that don’t support Dynamic DNS updates.
304
4.
Chapter 5
Installing and Managing Domain Name Service (DNS)
A. Installing the Windows DNS service on the Windows Server 2003 computer will provide dynamic updates to allow the newer Windows machines to publish themselves and locate the Active Directory services through the SRV records that this version of DNS supports. The Windows Server 2003 DNS will also provide standard DNS services to the Unix and Windows NT machines. In addition, it can point to the DNS server that your ISP is supplying for searches beyond the local network. No WINS service is available for Unix. It may remain on the Windows NT server until the upgrade is complete and the NetBIOS name resolution is no longer necessary. The DNS service on the Unix server will work, but the manual updates that are necessary make it impractical to use for providing service for a Windows Server 2003 network.
5.
B, C. Configuring his server as a root server and leaving forwarding off means that the server will either answer a query (for addresses it knows) or return a failure (for addresses it doesn’t know).
6.
C. The round robin option allows you to list a hostname with multiple IP addresses and then, as each request comes into the DNS server, to rotate that list, presenting each of the IP addresses in turn. This will balance out the load across all the servers you have mirrored and configured in the DNS.
7.
B. Caching-only DNS servers don’t perform zone transfers. They build up their information as queries are resolved and thus get smarter over time. If they were deployed in each location, those specific requests would build up in the cache server, thereby reducing the number of requests that would need to be forwarded to the primary DNS server at the corporate office. A slave server forwards requests it cannot resolve to a DNS server that’s specifically used to resolve requests outside your network, so it doesn’t apply to this situation. Another secondary server would increase performance for local resolution but wouldn’t address other requests. Installing a master server would increase traffic because it’s used to perform zone transfers to secondary servers; in this scenario, those servers are already receiving zone transfers from the primary server.
8.
D. The BIND secondaries option on the Windows Server 2003 DNS is used for backward compatibility with older versions of DNS. Before BIND version 4.9.5, only one resource record at a time could be transferred. Windows DNS supports fast zone transfers, in which multiple records are transferred simultaneously. Because the Unix DNS in this case is 2.4.1, the old transfer method needs to be used in order to accept the transfers. Round robin is used to load-balance multiple hosts with the same name using multiple IP addresses. Dynamic updates are not supported in DNS BIND 2.4.1 or even in most current versions of Unix DNS. Secure updates apply only to the DNS zones that are integrated into Active Directory so that access to the records can be controlled by access control lists.
9.
B. Installing a DNS server at each city as well as the central office allows the workstations in each city to obtain their name resolution from local servers, thereby providing good response time. If all the DNS servers were in the central office, name resolution would have to cross the routers, introducing latency and the potential for no service if the link ever went down. The namespace in a single Active Directory tree must be contiguous. If you create a second-level domain for each city, you would need to create multiple Active Directory trees.
10. C. From the Monitoring tab, you can perform simple and recursive queries to see if DNS servers are running and listening to queries. You can either run the tests immediately or set a schedule on which the tests will run.
Answers to Review Questions
305
11. C. DNS has the capability to create subdomains of a central corporate domain, and a subdomain can be delegated to a DNS server in each location for independent management. The entire company could use a single DNS server at corporate headquarters with the multiple domains, but then each name space would not be managed locally at each location. 12. D. The root name server has authority for the root domain and will reply with the IP address of a name server for the Gov top-level domain. 13. A. If the TTL is too small, the load on the DNS server will increase. 14. A, D, E, G. Even though it’s best practice to have all the records associated with DNS as a part of each installation, name resolution will still function properly with just the fundamental records. The host record, or A record, is the basic record that contains the mapping between the logical name and the IP address. This is the heart of DNS. The name server records identify the DNS servers that are available for this network. The start of authority record, or SOA record, contains the basic configuration of the DNS service. The service record, while not essential to a traditional DNS, is critical to Active Directory because it’s used to identify the domain controllers for login and other query information. The pointer record is used for reverse lookups; although it’s very useful, it’s not required for standard functionality. The alias record is needed only if you plan to have different names associated with the same physical address. The mail exchange record is necessary only if you are using DNS to locate mail servers. 15. C. Most mail servers can be configured to reject incoming mail from servers whose IP addresses cannot be resolved with a reverse lookup.
Chapter
6
Administering Security Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Implement secure network administration procedures
Implement security baseline settings and audit security settings by using security templates
Implement the principle of least privilege
Like its predecessor, Windows 2000 Server, Windows Server 2003 enables you to administer security at a granular level to control a variety of options for user rights as well as the behavior of applications and the operating system itself. This is accomplished through the use of security policies at the local or domain level. Security settings can be applied at the site, domain, OU, or local level and are configured through Group Policy. Account policies are used to control the logon process, such as password and account lockout configurations. Local policies are used to define security policies for the computer, such as auditing, user rights, and security options. The Security Configuration and Analysis tool is a Windows Server 2003 utility that you can use to analyze your security configuration. Using any of a set of standardized security templates, this utility compares your actual security configuration to your desired configuration. In this chapter, you will learn about these different security types and tools, as well as how to manage security in a Windows Server 2003 environment using Group Policy and local security policies and how to use the Security Analysis and Configuration utility. Finally, we will look at Windows Server 2003 services. Services range from the print spooler service to the DNS service, and provide a great variety of functionality to the operating system. You will learn how to use the Services utility to start, stop, and examine the services that are enabled on your server.
Microsoft did not include mention of IP Security Extensions (IPSec) in the exam objectives for Exam 70-292, but they did include discussion of IPSec in the exam objectives for Exam 70-296. However, IPSec is a very important topic with which those taking the 70-292 exam should be familiar. Chapter 10, “Planning Network Security,” discusses IPSec in depth, so you should carefully read that chapter before taking the 70-292 exam.
An Overview of User and Group Accounts You might benefit from a quick overview of how user and group accounts operate in the Windows Server 2003 environment. In this section, we’ll cover both local and domain accounts.
User Accounts A computer that is running Windows XP Professional or Windows Server 2003 (configured as a member server) has the capability to store its own user accounts database. The users that are stored at the local computer are known as local users.
An Overview of User and Group Accounts
309
Active Directory is a directory service that is available with the Windows 2000 Server and Server 2003 platforms. It stores information in a central database that allows users to have a single user account for access to resources across the enterprise network. The users and groups that are stored in Active Directory’s central database are called Active Directory users or domain users.
You will learn more about Active Directory in the next section.
If you use local user accounts, they are required on each computer that the user needs access to within the network. For this reason, domain user accounts are commonly used to manage users on medium to large networks. On Windows XP Professional computers and Windows 2003 member servers, you create and manage local users through the Local Users and Groups utility. On Windows Server 2003 domain controllers, you manage users with the Microsoft Active Directory Users and Computers (ADUC) utility, or running dsa.msc, which opens Active Directory Users and Computers in a new MMC window. When you install Windows Server 2003, there are several built-in user accounts that are created by default. The following accounts are the two most important accounts that are created:
The Administrator account, which is a special account that has full control over the computer. You provide a password for this account during Windows Server 2003 installation. The Administrator account can perform all tasks, such as creating users and groups, managing the file system, and setting up printing.
The Guest account, which allows users to access the computer even if they do not have a unique username and password. Because of the inherent security risks associated with this type of user, this account is disabled by default. When this account is enabled, it is given very limited privileges.
By default, the name Administrator is given to the account with full control over the computer. You can increase the computer’s security by renaming the Administrator account, and then creating an account named Administrator without any permissions. This way, even if a hacker is able to log on as Administrator, the intruder won’t be able to access any system resources.
Microsoft recommends that all passwords contain an uppercase character, a lowercase character, a symbol, and a number; for example, instead of using oscar, you might use 0sc@R.
Microsoft recommends that you never log on as a user with administrator privileges because of the security risks that can arise. Many viruses hide themselves on the computer in the form of a Trojan horse. They typically cannot cause damage unless a user logs on as an administrator because of the way permissions work in Windows Server 2003. The best way to avoid this problem and still perform your duties as systems engineer is to use an account with limited permissions
310
Chapter 6
Administering Security Policy
for day-to-day operations and use the runas command whenever you need to perform tasks as an administrator. The runas command allows you to run executable files, Control Panel items, and the Microsoft Management Console (MMC) with administrator permissions that apply to only a particular process. You typically should use the runas command by right-clicking an item and selecting Run As from the pop-up menu. Then you can enter any valid username and password, and that user’s access settings will apply to the file or process that you run.
Group Accounts On a Windows Server 2003 member server, you can use only local groups. A local group resides on the Windows Server 2003 member server’s local database. On a Windows Server 2003 domain controller in Active Directory, you can have security groups and distribution groups. A security group is a logical group of users who need to access specific resources. You use security groups to assign permissions to resources. A distribution group is a logical group of users who have common characteristics. Distribution groups can be used by applications and e-mail programs (for example, Microsoft Exchange). Distribution groups contain no Access Control Lists (ACLs) and therefore have no permissions. This allows these groups to execute at very high speed. Windows Server 2003 domain controllers also allow you to select group scope, which can be domain local, global, or universal. The scope types are used as follows:
Domain local groups are used to assign permissions to resources. Local groups can contain user accounts, universal groups, and global groups from any domain in the tree or forest. A domain local group can also contain other domain local groups from its own local domain.
Global groups are used to organize users who have similar network access requirements. Global groups can contain user and global groups from the local domain.
Universal groups are used to logically organize global groups, and they appear in the global catalog (a special listing that contains limited information about every object in Active Directory). Universal groups can contain users (not recommended) from anywhere in the domain tree or forest, other universal groups, and global groups.
On Windows XP Professional computers and Windows Server 2003 member servers, you create and manage local groups through the Local Users and Groups utility. On Windows Server 2003 domain controllers, you manage groups with the Microsoft Active Directory Users and Computers (ADUC) utility, or running the dsa.msc utility.
Security Policy Types and Tools Windows Server 2003 enables you to manage security settings at either the local computer level or the site, domain, and OU level. Domain security policies override local policies. You manage policies with Group Policy and the appropriate object:
To manage local policies, you use Group Policy with the Local Computer Group Policy Objects (GPOs).
Security Policy Types and Tools
311
To manage domain policies, you use Group Policy with the Active Directory Domain Controller GPOs.
We will begin by discussing Active Directory Group Policies, and see how GPOs apply at different levels within the directory. Then we will look at Group Policies at the local computer level.
Group Policies within Active Directory If Windows Server 2003 is installed with Active Directory, group policies can be applied as Group Policy Objects (GPOs). Group policies contain configuration settings for the following options: Software Software policies are used to configure system services, the appearance of the desktop, and application settings. Scripts Scripts are special instructions that can be configured to run when the user logs on or off the computer or when the computer is started or shut down. Security Security policies define how security is configured and applied at the local computer or through Active Directory. Application and file deployment Application and file deployment policies are used to assign and publish applications or to place files in the user’s desktop, within a specific folder (for example, the Start Menu folder), or within Favorites.
You create GPOs at the domain and OU level through the Active Directory Users and Computers MMC snap-in. You create GPOs at the site level through the Active Directory Sites and Services MMC snap-in.
Before we get into the specifics of how GPOs apply to sites, domains, and OUs, you will need to understand the basic principles behind Active Directory, as we will see in the next section.
Quick Overview of Active Directory Within Active Directory, you have several levels of hierarchical structure. A typical structure will consist of domains, organizational units (OUs), and sites. Other levels exist within Active Directory, but this section focuses on domains, organizational units, and sites in the context of using GPOs.
Domains The domain is the main unit of organization within Active Directory. Within a domain, there are many domain objects (including users, groups, and GPOs). Security can be applied to each domain object to specify who can access the object and the level of access they have. The Active Directory data for each domain is stored on one or more Windows 2000 Server or Windows Server 2003 computers specifically configured as domain controllers. If you use multiple domain controllers (for redundancy or for multiple physical locations) then you must replicate the Active Directory data between them on a regular basis in order to maintain a consistent database.
312
Chapter 6
Administering Security Policy
Determining the Domain Functional Level Windows Server 2003 Active Directory introduces a new concept called domain and forest functionality. This is similar to the idea of mixed mode and native mode in Windows 2000 Active Directory, so much so that those two modes are actually included as a part of domain and forest functionality. However, Microsoft refers to these modes as functional levels, and adds a third functional level appropriately called Windows Server 2003 functional level. When you are installing a Windows Server 2003 domain controller, you must determine which functional level you will support: Windows 2000 Mixed, Windows 2000 Native, or Windows Server 2003. Windows 2000 Mixed domain functional level is the default option when you are installing a domain controller. It is designed to allow backward compatibility with Windows NT 4 and earlier domain models. If you need to support Windows NT domain controllers for one or more domains within your environment, you should choose Windows 2000 Mixed domain functional level for those domains. However, as long as you are using Windows 2000 Mixed domain functional level, certain Active Directory features (such as universal groups and group nesting) are unavailable. If your environment does not require support for Windows NT domain controllers within any of your domains but does require support for Windows 2000 domain controllers, then you can choose to implement your domains in Windows 2000 native domain functional level. Windows 2000 native domain functional level allows for most of the functionality of the Active Directory for all domain controllers, but it does not allow for backward compatibility with Windows NT 4. Since this means that Windows NT domain controllers cannot be used in Windows 2000 native domain functional level Active Directory domains, it’s an important decision. Note also that domains cannot be converted from Windows 2000 native domain functional level back to Windows 2000 mixed domain functional level. Windows 2000 native domain functional level does not offer the full functionality of Active Directory supported by Windows Server 2003, so you should consider upgrading all of your domain controllers if you want to use some of the new features of Active Directory. If you know that you will only be running Windows Server 2003 domain controllers, you can install Active Directory in the Windows Server 2003 domain functional level. This level adds all of the functionality of Active Directory, as shown in Table 6.1. TABLE 6.1
Comparing Domain Functional Levels
Domain Functional Feature
Windows 2000 Mixed
Windows 2000 Windows Native Server 2003
Ability to rename domain controllers
Disabled
Disabled
Enabled
Logon Timestamp updates
Disabled
Disabled
Enabled
Kerberos KDC key version numbers
Disabled
Disabled
Enabled
Security Policy Types and Tools
TABLE 6.1
313
Comparing Domain Functional Levels (continued)
Domain Functional Feature
Windows 2000 Mixed
Windows 2000 Windows Native Server 2003
InetOrgPerson objects can have passwords
Disabled
Disabled
Enabled
Converts NT groups to domain Disabled local and global groups
Enabled
Enabled
SID history
Disabled
Enabled
Enabled
Group nesting
Enabled for Distribution Groups, Enabled disabled for Security Groups (note that Domain Local Security Groups can still have Global Groups as Members)
Enabled
Universal Groups
Enabled for Distribution Groups, Enabled Disabled for Security Groups
Enabled
In addition to domain functional levels, Windows Server 2003 includes added forest functionality over Windows 2000. Forest functionality applies to all of the domains in a forest. There are two levels of forest functionality: Windows 2000 and Windows Server 2003. Windows 2000 forest functionality is the default and supports Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. All of the new forest functionality features of Windows Server 2003 are supported exclusively by Windows Server 2003. The new features include: Global Catalog replication enhancements When an administrator adds a new attribute to the Global Catalog, only the changes are replicated to other Global Catalogs in the forest. This can significantly reduce the amount of network traffic generated by replication. Defunct schema classes and attributes You can never permanently remove classes and attributes from the Active Directory schema, but you can mark them as defunct so that they cannot be used. When forest functionality is raised to Windows Server 2003, you can redefine the defunct schema attribute so that it occupies a new role in the schema. Forest trusts Previously, system administrators had no easy way of granting permission on resources in different forests. Windows Server 2003 resolves some of these difficulties by allowing trust relationships between separate Active Directory forests. Forest trusts act much like domain trusts, except that they extend to every domain in two forests. Note that all forest trusts are intransitive. Linked value replication Windows Server 2003 introduces a new concept called linked value replication. In Windows 2000, if changes were made to a member of a group, the entire group would be replicated during the replication process. With linked value replication, only the user record that has been changed is replicated. This can significantly reduce network traffic associated with replication.
314
Chapter 6
Administering Security Policy
Renaming domains Although the Active Directory domain structure was originally designed to be flexible, there were several limitations. Due to mergers, acquisitions, corporate reorganizations, and other business changes, you may need to rename domains. You can now change the DNS and NetBIOS names for any domain, as well as reposition a domain within a forest. Note that this operation is not nearly as simple as just issuing a rename command. Instead, there’s a specific process you must follow to make sure that the operation is successful. Fortunately, when you properly follow the procedure, Microsoft supports domain renaming. Other features In addition to the Windows Server 2003 forest functional features just listed, Windows Server 2003 also supports improved replication algorithms and dynamic auxiliary classes. These improvements are designed to increase performance, scalability, and reliability.
Organizational Units Within a domain, you can further subdivide and organize domain objects through the use of organizational units (OUs). This is one of the key differences between Windows NT domains and Windows 2000 and 2003 domains: the NT domains were not able to store information hierarchically. Windows 2003 domains, through the use of OUs, allow you to store objects hierarchically—typically based on function or geography. For example, assume that your company is called ABCCORP. You have locations in New York, San Jose, and Belfast. You might create a domain called ABCCORP.COM with OUs called NY, SJ, and Belfast. In a very large corporation, you might also organize the OUs based on function. For example, the domain could be ABCCORP.COM and the OUs might be SALES, ACCT, and TECHSUPP. Based on the size and security needs of your organization, you might also have OUs nested within OUs. OUs that contain other OUs are called parents, and OUs that are contained within parent OUs are called children. The relationships between nested OUs are called parent-child relationships. As a general rule, you will want to keep your Active Directory structure as simple as possible.
Sites Domains and OUs can be thought of as logical groupings of network resources. In the preceding example, you saw that it might make sense to organize OUs by location or by department, according to your preference or the needs of the network. In contrast, sites organize the Active Directory into distinct physical locations. Sites are primarily used for directory replication purposes. Consider what happens when you have two physically separate locations that share a common directory. Without frequent replication, the two directories would become horribly disjointed and practically useless. However, if you set up sites in the directory for each location, you can schedule replication to occur at regular intervals and maintain a consistent database.
Delegation of Administrative Control OUs are the smallest component within a domain to which permissions and Group Policy can be assigned. Let’s look specifically at how administrative control is set on OUs. The idea of delegation involves a higher security authority that can give permissions to another. As a real-world example, assume that you are the director of IT for a large organization. Instead of doing all of the work yourself, you would probably assign roles and responsibilities to other individuals. For example, you might make one system administrator responsible for all operations within the Sales domain and another responsible for the Engineering domain. Similarly, you could
Security Policy Types and Tools
315
assign the permissions for managing all printers and print queues within the organization to one individual while allowing another to manage all security permissions for users and groups. In this way, the various roles and responsibilities of the IT staff can be distributed throughout the organization. Businesses generally have a division of labor to handle all of the tasks involved in keeping the company’s networks humming along. Network operating systems, however, often make it difficult to assign just the right permissions. Sometimes, the complexity is necessary to ensure that only the right permissions are assigned. A good general rule of thumb is to provide users and administrators with the minimum permissions they require to do their jobs. This ensures that accidental, malicious, and otherwise unwanted changes do not occur. In the world of the Active Directory, the process of delegation is used to define the permissions for administrators of OUs. When considering implementing delegation, there are two main concerns to keep in mind: parent-child relationships and inheritance settings.
Parent-Child Relationships The OU hierarchy you create will be very important when considering the maintainability of security permissions. As we’ve already mentioned, OUs can exist in a parent-child relationship. When it comes to the delegation of permissions, this is extremely important. You can choose to allow child containers to automatically inherit the permissions set on parent containers. For example, if the North America division of your organization contains 12 child OUs, you could delegate permissions to all of them by placing security permissions on the North America division. This feature can greatly ease administration, especially in larger organizations, but it is also a reminder of the importance of properly planning the OU structure within a domain.
You can delegate control only at the OU level and not at the object level within the OU.
Inheritance Settings Now that you’ve seen how parent-child relationships can be useful for administration, you should consider the actual process of inheriting permissions. Logically, the process is known as inheritance. When permissions are set on a parent container, all of the child objects are configured to inherit the same permissions. This behavior can be overridden, however, if business rules do not lend themselves well to inheritance.
Application of Group Policy One of the strengths of Windows operating systems is that they offer users a great deal of power and flexibility. From installing new software to adding device drivers, users can be given the ability to make many changes to their workstation configurations. This level of flexibility is also a potential problem. Inexperienced users might inadvertently change settings, causing problems that can require many hours to fix. In many cases (and especially in business environments), users will require only a subset of the complete functionality provided by the operating system. In the past, however, the difficulty associated with implementing and managing security and policy settings has led to lax security policies. Some of the reasons for this are technical—it can be very tedious and difficult to implement and manage security restrictions. Other problems have been political—
Chapter 6
316
Administering Security Policy
users and management might feel that they should have full permissions on their local machines, despite the potential problems this might cause. One of the major design goals for the Windows Server 2003 platform (and specifically, Active Directory) was manageability. Although the broad range of features and functionality provided by the operating system can be helpful, being able to lock down types of functionality is very important. That’s where the idea of group policies comes in. Simply defined, group policies are collections of permissions that can be applied to objects within Active Directory. Specifically, Group Policy settings are assigned at the site, domain, and OU level and can apply to user accounts, computer accounts, and groups. Examples of settings that a system administrator can make using group policies include the following:
Restricting access to the Start menu
Disallowing the use of Control Panel
Limiting choices for display and Desktop settings
Group Policy Objects and Active Directory GPOs are stored within Active Directory on all domain controllers in the \systemroot \Sysvol folder by default. Within each root folder, there is a policy file called Gpt.ini that contains information about the Group Policy. When GPOs are created within Active Directory there is a specific order of inheritance (meaning how the polices are applied within the hierarchical structure of Active Directory). When a user logs on to an Active Directory domain, depending on where GPOs have been applied within the hierarchical structure of Active Directory, the order of application is as follows: 1.
Local computer policy
2.
Site (group of domains)
3.
Domain
4.
OU
If there are any conflicts between settings, the site policy overrides the local policy. Next, the domain policies are applied. If the domain policy has any additional settings, they will be applied to the configuration. If there are any conflicts in settings, the domain policy overrides the site policy. Next, the OU policies are applied. Again, any additions to the settings will be applied. If there are any conflicts in settings, the OU policy overrides the domain policy. Finally, if there are conflicts between computer and user policy settings, the user policy settings are applied. The following options are available for overriding the default behavior of application of GPOs: No Override The No Override option is used to specify that child containers can’t override the policy settings of higher-level GPOs. In this case, the order of precedence would be that site settings override domain settings and domain settings override OU settings, assuming that No Override is set at both levels. You would use the No Override option if you wanted to set corporate-wide policies without allowing administrators of lower-level containers to override your settings. This option can be set on a per-container basis, as needed. Block Inheritance The Block Inheritance option is used to allow the child container to block GPO inheritance from parent containers. You would use this option if you did not want child containers to inherit GPO settings from parent containers and only wanted the GPO you had set for your container to be applied.
Security Policy Types and Tools
317
If there is a conflict between the No Override and the Block Inheritance settings, the No Override option would be applied.
It is essential that you understand the order in which policies are applied for GPOs, both for the exam and for troubleshooting in the real world.
How Policies Are Applied to Different Network Clients If your network consists of only Windows Server 2003 and 2000 Server computers, you can use GPOs to manage your computers’ configuration settings. By default the following administrative templates, which are used to apply Group Policy settings to the Registry, are used by Windows Server 2003:
System.adm
Inetres.adm
Wmplayer.adm
Conf.adm
Wuau.adm
The function of each template is defined in Table 6.2. TABLE 6.2
Administrative Templates Defined
Administrative Template
Description
System.adm
Template used by Windows 2000 and higher clients.
Inetres.adm
Template used to set Internet Explorer (IE) settings for Windows 2000 and higher clients.
Wmplayer.adm
Template used to set Windows Media Player settings for Windows 2000 and higher clients.
Conf.adm
Template used to set NetMeeting settings for Windows 2000 and higher clients.
Wuau.adm
Template used to set Windows Update settings for Windows 2000 and higher clients.
318
Chapter 6
Administering Security Policy
Administering Local Computer Policy You can manage local computer policies by adding the Group Policy snap-in to the MMC. Once you have added the snap-in, you will see an option called Local Computer Policy. When you expand the Local Computer Policy snap-in, you’ll see Computer Configuration, as shown in Figure 6.1. There are many options here that can be configured for local computer policies. FIGURE 6.1
Local computer policies
The options that can be set are shown in Figure 6.1. The most common options that you would configure for Local Computer Policy are defined in the following sections. You may want to refer back to this image to better understand where in the hierarchy particular policy settings can be found. To conduct your policy management tasks, you can add the Local Computer Policy snap-in to the Microsoft Management Console (MMC). On a domain controller you can access the domain policies by selecting Start Administrative Tools Domain Security Policy. In Exercise 6.1, you will add the Local Computer Policy and Event Viewer snap-ins to your member server.
All of the exercises in this chapter, except Exercise 6.7, should be completed from a member server.
You can also edit Local Computer Policy Settings by using the command-line utility Gpedit.msc. To use this utility, select Start Run and at the Run dialog box, type Gpedit.msc and click the OK button.
Security Policy Types and Tools
319
EXERCISE 6.1
Creating a Management Console for Security Settings 1.
Select Start Run, type MMC in the Run dialog box, and click the OK button to open the MMC.
2.
From the main menu, select File Add/Remove Snap-In.
3.
In the Add/Remove Snap-In dialog box, click the Add button.
4.
Select the Group Policy Object Editor option and click the Add button.
5.
The Group Policy Object specifies Local Computer by default. Click the Finish button.
6.
Select the Event Viewer option and click the Add button.
7.
The Select Computer dialog box appears with Local Computer selected by default. Click the Finish button. Then click the Close button.
8.
In the Add/Remove Snap-In dialog box, click the OK button.
9.
Select File Save As. Save the console as Security in the drive:\Documents and Settings\ All Users\Start Menu\Programs\Administrative Tools folder and click the Save button.
You can now access this console by selecting Start Administrative Tools Security.
Configuring Security Settings You configure security settings through Computer Configuration Windows Settings Security Settings. There are three main options that can be configured for Windows Settings:
Account policies
Local policies
Public key policies
Using Account Policies Account policies are used to specify the user account properties that relate to the logon process. They allow you to configure computer security settings for passwords, account lockout specifications, and Kerberos authentication within a domain. After you have loaded the MMC snap-in for Group Policy, you will see an option for Local Computer Policy. To access the Account Policies subfolders, expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and Account Policies. If you are on a Windows Server 2003 member server, you will see two folders: Password Policy and Account Lockout Policy. If you are on a Windows Server 2003 computer that is configured as a domain controller, you will see three folders: Password Policy, Account Lockout Policy, and Kerberos Policy. The account policies available for member servers and domain controllers are described in the following sections.
Chapter 6
320
Administering Security Policy
Setting Password Policies Password policies ensure that security requirements are enforced on the computer. It is important to note that the password policy is set on a per-computer basis; it cannot be configured for specific users. The password policies that are defined on Windows Server 2003 member servers are described in Table 6.3. On Windows Server 2003 domain controllers, all of these policies are configured as “not defined.” TABLE 6.3
Password Policy Options
Policy
Description
Default
Minimum
Maximum
Enforce Password History
Keeps track of user’s password history
Remember 3 passwords
Same as default
Remember 24 passwords
Maximum Password Age
Keep password Determines maximum number of days user can for 42 days keep valid password
Keep password for 1 day
Keep password for 999 days
Minimum Password Age
Specifies how long password must be kept before it can be changed
0 days (password Same as can be changed default immediately)
999 days
Minimum Password Length
Specifies minimum number of characters password must contain
0 characters (no password required)
Same as default
14 characters
Passwords Must Meet Complexity Requirements
Allows you to install password filter
Disabled
Same as default
Enabled
Specifies higher level of Disabled Store Password encryption for stored Using Reversible user passwords Encryption For All Users In The Domain
Same as default
Enabled
The password policies are used as follows:
The Enforce Password History option is used so that users cannot reuse the same password. Users must create a new password when their password expires or is changed.
The Maximum Password Age option is used so that after the maximum number of days has passed, users are forced to change their password.
The Minimum Password Age option is used to prevent users from changing their password several times in rapid succession in order to defeat the purpose of the Enforce Password History policy.
Security Policy Types and Tools
321
The Minimum Password Length option is used to ensure that users create a password, as well as to specify that it meets the length requirement. If this option isn’t set, users are not required to create a password at all.
The Passwords Must Meet Complexity option is used to prevent users from using items found in a dictionary of common names as passwords.
The Store Password Using Reversible Encryption For All Users In The Domain option is used to provide a higher level of security for user passwords.
In Exercise 6.2, you will configure password policies for your computer. It is assumed that for this and the remaining exercises in this chapter, you have completed Exercise 6.1 to create the security management console. EXERCISE 6.2
Setting Password Policies 1.
Select Start Administrative Tools Security and expand the Local Computer Policy snap-in.
2.
Expand the folders as follows: Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy.
3.
Open the Enforce Password History policy. In the Effective Policy Setting field, specify five passwords remembered. Click the OK button.
4.
Open the Maximum Password Age policy. In the Local Policy Setting field, specify that the password expires in 60 days. Click the OK button.
5.
Select Start Command Prompt. At the command prompt, type gpupdate and press Enter.
6.
At the command prompt, type exit and press Enter.
Updating Your Group Policies You are the administrator of a large network. You have been making changes to your member server’s local computer policies and notice that none of the options are being applied. You wait over 30 minutes and the changes are still not there. At this point, you are beginning to think you edited something improperly. If you edit your group policies and your changes are not taking effect, it is because the group policies are only applied every 90 minutes to computers by default. You can force your policies to be updated by typing gpupdate at a command prompt.
Chapter 6
322
Administering Security Policy
Setting Account Lockout Policies The account lockout policies are used to specify how many invalid logon attempts should be permitted. You configure the account lockout policies so that after x number of unsuccessful logon attempts within y number of minutes, the account will be locked for a specified amount of time or until the administrator unlocks it. The account lockout policies are described in Table 6.4. TABLE 6.4
Account Lockout Policy Options
Policy
Description
Default
Minimum
Maximum
Suggested
Account Lockout Threshold
Same as Specifies number of 0 (disabled, account will not default invalid attempts be locked out) allowed before account is locked out
999 attempts
5 attempts
Account Lockout Duration
Specifies how long account will remain locked if Account Lockout Threshold is exceeded
0 (but if Account Lockout Threshold is enabled, 30 minutes)
Same as default
99,999 minutes 5 minutes
Reset Account Lockout Counter After
Specifies how long counter will remember unsuccessful logon attempts
0 (but if Account Same as Lockout Thresh- default old is enabled, 5 minutes)
99,999 minutes 5 minutes
The account lockout policies are similar to the policies banks use to handle ATM access code security. You have a certain number of chances to enter the correct access code. That way, if someone stole your card, they would not be able to continue attempting to guess your access code until they got it right. Typically, after three unsuccessful attempts at your access code, the ATM machine takes the card. Then you need to request a new card from the bank. Account lockout policies work in the same fashion.
In Exercise 6.3, you will configure account lockout policies and test their effects. It is assumed that for this and the remaining exercises for configuring policies, you have access to at least two user accounts other than Administrator that can be deleted if they become corrupted. EXERCISE 6.3
Setting Account Lockout Policies 1.
Select Start Administrative Tools Security and expand the Local Computer Policy snap-in.
2.
Expand the folders as follows: Computer Configuration, Windows Settings, Security Settings, Account Policies, Account Lockout Policy.
Security Policy Types and Tools
323
EXERCISE 6.3 (continued)
3.
Open the Account Lockout Threshold policy. In the Local Policy Setting field, specify that the account will lock after three invalid logon attempts. Click the OK button.
4.
The Suggested Value Changes dialog box appears. Accept the default values for Account Lockout Duration and Reset Account Lockout Counter by clicking the OK button.
5.
Log off as Administrator. Try to log on as any user other than Administrator with an incorrect password three times.
6.
After you see the error message stating that account lockout has been enabled, log on as Administrator.
7.
To unlock the user’s account, open the Local Users and Groups snap-in in the MMC, expand the Users folder, and double-click the locked-out user. In the Account tab of the Properties dialog box, click to remove the check from the Account Is Locked Out checkbox. Then click OK.
Setting Kerberos Policies The Kerberos policies are used to define Kerberos authentication settings. Kerberos version 5 is a security protocol that is used in Windows Server 2003 to authenticate users and network services. This is called dual verification, or mutual authentication. When a Windows Server 2003 is installed as a domain controller, it automatically becomes a key distribution center (KDC). The KDC is responsible for holding all of the client passwords and account information. Kerberos services are also installed on each Windows Server 2003 client and server. The Kerberos authentication involves the following steps: 1.
The client requests authentication from the KDC using a password or smart card.
2.
The KDC issues the client a ticket-granting ticket (TGT). The client can use the TGT to access the ticket-granting service (TGS), which allows the user to authenticate to services within the domain. The TGS issues service tickets to the clients.
3.
The client presents the service ticket to the requested network service. This service ticket authenticates the user to the service and the service to the user, for mutual authentication. The Kerberos policies are described in Table 6.5.
TABLE 6.5
Kerberos Policy Options
Policy
Description
Enforce User Logon Restrictions
Specifies that any logon restrictions will be enforced
Default Local Setting
Effective Setting
Not defined
Enabled
324
Chapter 6
TABLE 6.5
Administering Security Policy
Kerberos Policy Options (continued) Default Local Setting
Effective Setting
Specifies the maximum age of a service ticket before it must be renewed
Not defined
600 minutes
Maximum Lifetime For User Ticket
Specifies the maximum age for a user ticket before it must be renewed
Not defined
10 hours
Maximum Lifetime For User Ticket Renewal
Specifies how long a ticket may be renewed before it must be regenerated
Not defined
7 days
Maximum Tolerance For Computer Clock Synchronization
Specifies the maximum clock synchronization between the client and the KDC
Not defined
5 minutes
Policy
Description
Maximum Lifetime For Service Ticket
Using Local Policies As you learned in the previous section, account policies are used to control logon procedures. When you want to control what a user can do after logging on, you use local policies. With local policies, you can implement auditing, specify user rights, and set security options. To use local policies, first add the Local Computer Policy snap-in to the MMC (see Exercise 6.1). Then, from the MMC, follow this path of folders to access the Local Policies folders: Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies. There are three folders in Local Policies: Audit Policy, User Rights Assignment, and Security Options. These policies are covered in the following sections.
Setting Audit Policies The audit policies are used to audit events that pertain to user management. By tracking certain events, you can create a history of specific tasks, such as user creation and successful or unsuccessful logon attempts. You can also identify security violations that arise when users attempt to access system management tasks that they do not have permission to access. When you define an audit policy, you can choose to audit success or failure of specific events. The success of an event means that the task was successfully accomplished. The failure of an event means that the task was not successfully accomplished. By default, auditing is not enabled, and it must be manually configured. Once auditing has been configured, you can see the results of the audit through the Event Viewer utility. The audit policies are described in Table 6.6.
Security Policy Types and Tools
TABLE 6.6
325
Audit Policy Options
Policy
Description
Audit Account Logon Events
Tracks when a user logs on, logs off, or makes a network connection
Audit Account Management
Tracks user and group account creation, deletion, and management actions
Audit Directory Service Access
Tracks directory service accesses
Audit Logon Events
Audits events related to logon, such as running a logon script or accessing a roaming profile
Audit Object Access
Audits access to files, folders, and printers
Audit Policy Change
Tracks any changes to the audit policy
Audit Privilege Use
Tracks each instance of a user exercising a user right
Audit Process Tracking
Tracks events such as activating a program, accessing an object, and exiting a process
Audit System Events
Tracks system events such as shutting down or restarting the computer, as well as events that relate to the security log within Event Viewer
Auditing too many events can degrade system performance due to the high processing requirements. Auditing can also use excessive disk space to store the audit log. You should use this utility judiciously.
In Exercise 6.4, you will configure audit policies and view their results. EXERCISE 6.4
Setting Audit Policies 1.
Select Start Administrative Tools Security and expand the Local Computer Policy snap-in.
2.
Expand the folders as follows: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
Chapter 6
326
Administering Security Policy
EXERCISE 6.4 (continued)
3.
Open the Audit Account Logon Events policy. In the Local Policy Setting field, under Audit These Attempts, check the boxes for Success and Failure. Click the OK button.
4.
Open the Audit Account Management policy. In the Local Policy Setting field, under Audit These Attempts, check the boxes for Success and Failure. Click the OK button.
5.
Log off as Administrator. Attempt to log on with an account name that does not exist. The logon should fail (because there is no user account with that username).
6.
Log on as Administrator. Open the MMC and expand the Event Viewer snap-in (added in Exercise 6.1).
7.
From Event Viewer, open the security log. You should see the audited events listed in this log.
Assigning User Rights The user rights determine what rights a user or group has on the computer. User rights apply to the system. They are not the same as permissions, which apply to a specific object. An example of a user right is the Back Up Files And Directories right. This right allows a user to back up files and folders even if the user does not have permissions through the file system. The other user rights are similar in that they deal with system access as opposed to resource access. The user rights assignment policies are described in Table 6.7. TABLE 6.7
User Rights Assignment Policy Options
Right
Description
Access This Computer From The Network
Allows a user to access the computer from the network.
Act As Part Of The Operating System
Allows low-level authentication services to authenticate as any user.
Add Workstations To Domain
Allows a user to create a computer account on the domain.
Adjust Memory Quotas For A Process
Allows a user to change the maximum memory that can be consumed by a process.
Allow Log On Locally
Allows a user to interactively log on to this computer. This is required by logons initiated by pressing the Ctrl+Alt+Del sequence and may be required by some service or administrative applications that can log on users. If you define this policy for a user or group, you must ensure that the Administrators group also has this right!
Security Policy Types and Tools
TABLE 6.7
327
User Rights Assignment Policy Options (continued)
Right
Description
Allow Log On Through Terminal Services
Allows a user to log on as a Terminal Services client.
Back Up Files And Directories
Allows a user to back up all files and directories regardless of how the file and directory permissions have been set.
Bypass Traverse Checking
Allows a user to pass through and traverse the directory structure even if that user does not have permissions to list the contents of the directory.
Change The System Time
Allows a user to change the internal time of the computer.
Create A Pagefile
Allows a user to create or change the size of a page file.
Create A Token Object
Allows a process to create a token if the process uses the NtCreateToken API.
Create Permanent Shared Objects
Allows a process to create directory objects through the Windows Server 2003 Object Manager.
Debug Programs
Allows a user to attach a debugging program to any process.
Deny Access To This Computer From The Network
Allows you to deny specific users or groups access to this computer from the network.
Deny Logon As A Batch Job
Prevents specific users or groups from logging on as a batch job.
Deny Logon As A Service
Prevents specific users or groups from logging on as a service.
Deny Logon Locally
Denies specific users or groups access to the computer locally.
Deny Log On Through Terminal Services
Prevents specific users or groups from logging on to the computer as a Terminal Services client.
Enable Computer And User Accounts To Be Trusted For Delegation
Allows a user or group to set the Trusted For Delegation setting for a user or computer object.
328
Chapter 6
TABLE 6.7
Administering Security Policy
User Rights Assignment Policy Options (continued)
Right
Description
Force Shutdown From A Remote System
Allows the system to be shut down by a user at a remote location on the network.
Generate Security Audits
Allows a user, group, or process to make entries in the security log.
Increase Scheduling Priority
Specifies that a process can increase or decrease the priority that is assigned to another process.
Load And Unload Device Drivers
Allows a user to dynamically unload and load Plug and Play device drivers.
Lock Pages In Memory
This user right is no longer used in Windows Server 2003 (it was originally intended to force data to be kept in physical memory and not allow the data to be paged to the page file).
Log On As A Batch Job
Allows a process to log on to the system and run a file that contains one or more operating system commands.
Log On As A Service
Allows a service to log on in order to run the specific service.
Manage Auditing And Security Log
Allows a user to manage the security log.
Modify Firmware Environment Variables.
Allows a user or process to modify the system environment variables.
Perform Volume Maintenance Tasks
Allows a user or group to run maintenance tasks (for instance, remote defragmentation) on a volume. Beware that this provides file system access and is thus a security risk.
Profile Single Process
Allows a user to monitor nonsystem processes through tools such as the Performance Logs and Alerts utility.
Profile System Performance
Allows a user to monitor system processes through tools such as the Performance Logs and Alerts utility.
Remove Computer From Docking Station
Allows a user to undock a laptop through the Windows Server 2003 user interface.
Replace A Process Level Token
Allows a process to replace the default token that is created by the subprocess with the token that the process specifies.
Security Policy Types and Tools
TABLE 6.7
329
User Rights Assignment Policy Options (continued)
Right
Description
Restore Files And Directories
Allows a user to restore files and directories regardless of file and directory permissions.
Shut Down The System
Allows a user to shut down the local Windows Server 2003 computer.
Synchronize Directory Service Data
Allows a user to synchronize data associated with a directory service.
Take Ownership Of Files Or Other Objects
Allows a user to take ownership of system objects.
In Exercise 6.5, you will apply a local user rights assignment policy. EXERCISE 6.5
Setting Local User Rights 1.
Select Start Administrative Tools Security and expand the Local Computer Policy snap-in.
2.
Expand folders as follows: Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment.
3.
Open the Log On As A Service user right. The Local Security Policy Setting dialog box appears.
4.
Click the Add User Or Group button. The Select Users Or Groups dialog box appears.
5.
Enter a valid user. Click the Add button. Then click the OK button.
Defining Security Options Security options are used to configure security for the computer. Unlike user rights, which are applied to a user or group, security options apply to the computer. Windows Server 2003 features over 70 potential security options, depending on how your server is configured. Unlike its predecessor, Windows 2000 Server, which lumped all of the nearly 40 options together, Windows Server 2003 organizes the security options under subcategories. Table 6.8 describes the new categories of security options.
330
Chapter 6
TABLE 6.8
Administering Security Policy
Security Options Categories
Category
Description
Accounts
Options that control the status of (Enabled/Disabled) and allow you to rename the Administrator and Guest accounts, as well as an option to limit local account use of the blank password to local logon only
Audit
Options that control security related to auditing, including the option to shut down the system immediately if unable to log security audits
Devices
Options that control access to removable media, printers, docking stations, and that control unsigned driver installation behavior
Domain Controller
Options that apply specifically to security on domain controllers
Domain Member
Options for digital encryption, machine account passwords, and session keys
Interactive Logon
Options for logging on interactively, including whether to display the last username, whether or not to require Ctrl+Alt+Del, whether to display a custom message for users attempting to log on, and the number of previous logons to cache in the event a domain controller is not available
Microsoft Network Client
Options to configure digitally signed communications and unencrypted passwords
Microsoft Network Server
Options to configure digitally signed communications, session idle time, and whether to disconnect clients when logon hours expire
Network Access
Options to configure 10 anonymous network access settings
Network Security
Options to configure network security at a granular level
Recovery Console
Options to configure behavior of the Recovery Console, including floppy access and automatic administrative logon
Shutdown
Options to allow system shutdown without requiring logon and/or to clean the virtual memory page file on shutdown
System Cryptography
Options related to encryption, hashing, and signing
System Objects
Options to configure the behavior of system objects, including whether to require case insensitivity for non-Windows systems
System Settings
Options to configure additional settings (it is unlikely that you will need to change them)
Administering the Local Computer’s System Policies
331
In Exercise 6.6, you will define some security options and see how they work. For this exercise, it is assumed that you have completed all of the previous exercises in this chapter. EXERCISE 6.6
Defining Security Options 1.
Select Start Administrative Tools Security and expand the Local Computer Policy snap-in.
2.
Expand folders as follows: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3.
Open the policy Interactive Logon: Message Text For Users Attempting To Log On. In the Local Policy Setting field, type Welcome to all authorized users. Click the OK button.
4.
Open the policy Interactive Logon: Prompt User To Change Password Before Expiration. In the Local Policy Setting field, specify three days. Click the OK button.
5.
Select Start Command Prompt. At the command prompt, type gpupdate and press Enter.
6.
At the command prompt, type exit and press Enter.
7.
Log off as Administrator and log on as another user.
8.
Log off and log on as Administrator.
Using Public Key Policies Using public key policies allows you to set options so that computers can automatically submit requests to Certificate Authorities in order to install and access public keys, which are associated with cryptography. You can also specify the Data Recovery Agents that are used in conjunction with Encrypting File System (EFS).
Administering the Local Computer’s System Policies System policies are accessed from the Local Computer Policy MMC snap-in under Computer Configuration, Administrative Templates, System. You are likely to configure the following policy settings through System Policies:
User profiles policies
Logon policies
Disk quota policies
332
Chapter 6
Administering Security Policy
Group Policy policies
Windows file protection policies
To edit a policy, double-click the policy name. For the most part, you only have two options: Enabled or Disabled. In a few cases, you must specify a single numeric value, such as in the Timeout For Dialog Boxes policy, but configuring policies is never more complicated than that. Each of these are discussed in more detail in the following sections.
User Profiles Policies In Windows 2000 Server, user profile policy settings were grouped with the logon policy settings. Windows Server 2003 separates them under a new category, User Profiles, for a cleaner administrative interface. Table 6.9 describes the most commonly configured options available. TABLE 6.9
User Profiles Policy Options
User Profiles Policy
Description
Delete Cached Copies Of Roaming Profiles
Specifies that a local copy of the roaming profile should not be saved to the local computer. Normally, you want to save a local copy of a roaming profile because loading a copy locally is faster than loading from a network drive.
Do Not Detect Slow Network Connections
By default, the system will try to detect slow links and respond to slow links differently than it does to faster links. Setting this policy disables the detection of slow links.
Slow Network Connection Timeout For User Profiles
Allows you to specify what a slow network connection is.
Wait For Remote User Profile
Specifies that if a roaming profile is used, the roaming (network) copy of the profile should be used rather than a locally cached copy of the profile.
Prompt User When Slow Link Is Detected
Notifies users of a slow link and prompts them to select whether they will use a locally cached copy of a user profile or the roaming (network) copy.
Timeout For Dialog Boxes
Allows you to configure the default time-out value that will be used to display dialog boxes.
Administering the Local Computer’s System Policies
TABLE 6.9
333
User Profiles Policy Options (continued)
User Profiles Policy
Description
Log Users Off When Roaming Profile Fails
Specifies that if a roaming profile is not available, the user should be logged off. If you do not enable this option and a roaming profile fails to load, the user will use a locally cached copy or the default user profile.
Maximum Retries To Unload And Update User Profile
Determines the number of retries the system will take if it tries to update the portions of the Registry that store user profile information and the update is not successful.
Script Policies Script policies are used to specify how logon events, such as logon scripts and access of user profiles, are configured. The logon policy options are described in Table 6.10. TABLE 6.10
Script Policy Options
Script Policy
Description
Run Logon Scripts Synchronously
Specifies that the logon scripts should finish running before the Windows Explorer interface is run. Configuring this option can cause a delay in the appearance of the Desktop.
Run Startup Scripts Asynchronously
Allows the system to run startup scripts asynchronously, that is, simultaneously. Otherwise, if you have multiple startup scripts, a startup script can’t run until the previous script has finished running.
Run Startup Scripts Visible
Displays the startup script instructions as they are run.
Run Shutdown Scripts Visible
Displays the shutdown script instructions as they are run.
Maximum Wait Time For Group Policy Scripts
Specifies the maximum amount of time that the system will wait for scripts (logon, startup, and shutdown) to be applied before scripts stop processing and an error is recorded. This value is 600 seconds (10 minutes) by default.
Disk Quota Policies Disk quota policies are used to specify how the computer will be used for disk quota configuration. The disk quota policy options are described in Table 6.11.
334
Chapter 6
TABLE 6.11
Administering Security Policy
Disk Quota Policy Options
Disk Quota Policy
Description
Enable Disk Quotas
Forces the system to enable disk quota management on all NTFS volumes for the computer.
Enforce Disk Quota Limit
Specifies that if disk quotas are configured, they should be enforced.
Default Quota Limit And Warning Level
Allows you to configure the default quota limit for quota management and the disk use threshold at which users see a warning message.
Log Event When Quota Limit Exceeded
Specifies that if users reach their quota limit, an entry will be added to the Event Viewer application log.
Log Event When Quota Warning Level Exceeded
Specifies that if users reach their warning limit, an entry will be added to the Event Viewer application log.
Apply Policy To Removable Media
Extends the disk quota policies that are applied to fixed disks to removable media that are formatted as NTFS.
Group Policy Policies Group Policy policies are used to specify how group policies will be applied to the computer. The Group Policy policy options that are commonly configured are described in Table 6.12. TABLE 6.12
Group Policy Options
Group Policy
Description
Turn Off Background Refresh Of Group Policy
Prevents group policies from being updated if the computer is currently in use.
Apply Group Policy For Users Asynchronously During Startup
Specifies that the computer can display the Windows Desktop before it finishes updating the computer’s Group Policy.
Group Policy Refresh Intervals For Computers
Specifies the interval rate that will be used to update the computer’s Group Policy. By default, this background operation occurs every 90 minutes, with a random offset of 0–30 minutes.
Administering the Local Computer’s System Policies
TABLE 6.12
335
Group Policy Options (continued)
Group Policy
Description
Group Policy Refresh Intervals For Domain Controllers
Specifies the interval rate that will be used to update the domain controller’s Group Policy. By default, this background operation occurs every 5 minutes.
User Group Policy Loopback Processing Mode
Specifies how group policies are applied when a user logs on to a computer with this option configured. You can specify that the Group Policy is replaced or merged with other policy settings.
Group Policy Slow Link Detection
Defines what a slow link is for the purpose of applying and updating group policies.
Registry Policy Processing
Specifies how Registry policies are processed, such as whether Registry policies can be applied during periodic background processing.
Internet Explorer Maintenance Policy Processing
Determines when Internet Explorer Maintenance polices can be applied.
Software Installation Policy Processing
Determines how often software installation policies are updated. This option does not apply to local policies.
Folder Redirection Policy Processing
Specifies how folder redirection policies are updated.
Scripts Policy Processing
Specifies how shared script policies are updated.
Security Policy Processing
Specifies how security policies are updated.
IP Security Policy Processing
Specifies how IP security policies are updated.
EFS Recovery Policy Processing
Specifies how encryption policies are updated.
Disk Quota Policy Processing
Specifies how disk quota policies are updated.
Windows File Protection Policies The Windows file protection policies are used to specify how Windows file protection will be configured. The Windows file protection policy options are described in Table 6.13.
336
Chapter 6
TABLE 6.13
Administering Security Policy
Windows File Protection Policy Options
Windows File Protection Policy
Description
Set Windows File Protection Scanning
Determines the frequency of Windows File Protection scans.
Hide The File Scan Progress Window
Suppresses the display of the File Scan Progress window.
Limit Windows File Protection Cache Size
Specifies the maximum amount of disk space that can be used by Windows File Protection.
Specify Windows File Protection Cache Location
Specifies an alternate location to be used by the Windows File Protection cache.
Analyzing Security Configurations with the Security Configuration and Analysis Tool Windows Server 2003 includes a utility called Security Configuration and Analysis, which you can use to analyze and help configure the computer’s local security settings. This utility works by comparing your actual security configuration to a security template configured with your desired settings. The following steps are involved in the security analysis process: 1.
Using the Security Configuration and Analysis utility, specify a working security database that will be used during the security analysis.
2.
Import a security template that can be used as a basis for how you would like your security to be configured.
3.
Perform the security analysis. This will compare your configuration against the template that you specified in step 2.
4.
Review the results of the security analysis.
5.
Resolve any discrepancies indicated through the security analysis results.
The Security Configuration and Analysis utility is an MMC snap-in. After you add this utility to the MMC, you can use it to run the security analysis process, as described in the following sections.
Analyzing Security Configurations with The Security Configuration and Analysis Tool
337
Specifying a Security Database The security database is used to store the results of your security analysis. To specify a security database, take the following steps: 1.
In the MMC, right-click the Security Configuration and Analysis snap-in and select the Open Database option from the pop-up menu. If you select the Security Configuration and Analysis snap-in in the MMC, the contents of the right pane explain how to open an existing database and how to create a new one, as shown in Figure 6.2.
FIGURE 6.2
Opening a security database
2.
The Open Database dialog box appears. In the File Name text box, type the name of the database you will create. By default, this file will have a .sdb (for security database) extension. Then click the Open button.
3.
The Import Template dialog box appears. Select the template that you want to import. You can select a predefined template through this dialog box. In the next section, you will learn how to create and use a customized template file. Make your selection and click the Open button.
Importing a Security Template The next step in the security analysis process is to import a security template. The security template is used as a comparative tool. The Security and Configuration Analysis utility compares the security settings in the security template to your current security settings. You do not set security through the security template. Rather, the security template is where you organize all of your security attributes in a single location.
338
Chapter 6
Administering Security Policy
As an administrator, you can define a base security template on a single computer and then export the security template to all the servers in your network.
In the following sections you will see how to import a security template, which actually consists of two steps: creating a template and then opening it for further analysis.
Creating a Security Template By default, Windows Server 2003 ships with a variety of predefined security templates, which are stored in systemroot\Security\Templates. Each of the templates defines a standard set of security values based on the requirements of your environment. The template groups that are included by default are defined in Table 6.14. TABLE 6.14
Default Security Templates
Standard Security Template
Description
Default Templates
Default security (Setup security.inf)
Created during installation for each computer. Setup security Used to set security back to the default values as configured during installation, with the exception of user rights. User rights are modified by some applications so that the applications will run properly. If user rights were also set back to default values, some of the applications that were installed on the computer might not function.
Compatible (Compatws.inf)
Used for backward compatibility. This option Compatws relaxes the default security used by Windows 2000 and higher so that applications that ran under Windows NT and are not certified for Windows 2000 and higher will still run. This template is typically used on computers that have been upgraded and are then having problems running applications.
Secure (Secure*.inf)
Implements recommended security settings Securedc, Securews for Windows 2000 and higher in all security areas except for files, folders, and Registry keys.
Highly secure (Hisec*.inf)
Hisecdc, Hisecws Defines highly secure network communications for Windows Server 2003 computers. If you apply this security template, Windows Server 2003 computers can communicate only with other Windows Server 2003 computers. In this case, the computers would not communicate with clients such as Windows 95/98 or even Windows NT 4 computers.
Analyzing Security Configurations with The Security Configuration and Analysis Tool
TABLE 6.14
339
Default Security Templates (continued)
Standard Security Template
Description
Default Templates
Dedicated domain controller (DC Security.inf)
Provides a higher level of security for dedicated domain controllers. This option assumes that the domain controller will not run server-based applications, which would require a more lax security posture on the server.
DC security
System root security (rootsec.inf)
Defines the root permissions. By default, these Rootsec permissions are defined for the root of the system drive. Can be used to reapply root directory permissions if they are inadvertently changed, or the template can be modified to apply the same root permissions to other volumes. This template propagates only the permissions that are inherited by child objects and does not overwrite permissions explicitly defined on child objects.
You create security templates through the Security Templates snap-in in the MMC. You can configure security templates with the items listed in Table 6.15. TABLE 6.15
Security Template Configuration Options
Security Template Item
Description
Account Policies
Specifies configurations that should be used for password policies, account lockout policies, and Kerberos policies
Local Policies
Specifies configurations that should be used for audit policies, user rights assignments, and security options
Event Log
Allows you to set configuration settings that apply to Event Viewer log files
Restricted Groups
Allows you to administer local group memberships
Registry
Specifies security for local Registry keys
File System
Specifies security for the local file system
System Services
Sets security for system services and the startup mode that local system services will use
340
Chapter 6
Administering Security Policy
After you add the Security Templates snap-in to the MMC, you can open a sample security template and modify it, as follows: 1.
In the MMC, expand the Security Templates snap-in and then expand the folder for \systemroot\Security\Templates.
2.
Double-click the sample template that you want to edit. There are several sample templates, including securews (for secure Windows server) and securedc (for secure domain controller).
3.
Make any changes you want to the sample security template. Changes to the template are not applied to the local system by default. They are simply a specification for how you would like the system to be configured.
4.
Once you have made all of the changes to the sample template, save the template by highlighting the sample template filename, right-clicking, and selecting the Save As option from the pop-up menu. Specify a location and a filename for the new template. By default, the security template will be saved with an .inf extension in the \systemroot\Security\Templates folder.
Opening a Security Template Once you have configured a security template, you can import it for use with the Security Configuration and Analysis utility, assuming that a security database has already been configured. To import a security template, in the MMC, right-click the Security Configuration and Analysis utility and select the Import Template option from the pop-up menu. Then highlight the name of the template file you wish to import and click the Open button.
Performing a Security Analysis The next step is to perform a security analysis. To run the analysis, simply right-click the Security Configuration and Analysis utility and select the Analyze Computer Now option from the pop-up menu. You will see a Perform Analysis dialog box that allows you to specify the location and filename for the error log file that will be created during the analysis. After this information is configured, click the OK button. When the analysis is complete, you will be returned to the main MMC window. From there, you can review the results of the security analysis.
Reviewing the Security Analysis and Resolving Discrepancies The results of the security analysis are stored in the Security Configuration and Analysis snapin, under the security item you’ve configured (see Table 6.15). For example, to see the results for password policies, double-click the Security Configuration and Analysis snap-in, doubleclick Account Policies, and then double-click Password Policy. Figure 6.3 shows an example of security analysis results for password policies. The policies that have been analyzed will have an x or a check mark next to them, as shown in Figure 6.3. An x indicates that the template specification and the actual policy do not match. A check mark indicates that the template specification and the policy do match. If any security discrepancies are indicated, you should use the Group Policy snap-in to resolve the security violation.
Analyzing Security Configurations with the Security Configuration and Analysis Tool
FIGURE 6.3
341
Viewing the results of a security analysis
In Exercise 6.7, you will use the Security Configuration and Analysis utility to analyze your security configuration. In this exercise, you will add the Security and Configuration Analysis snap-in to the MMC, specify a security database, create a security template, import the template, perform an analysis, and review the results. For this exercise, it is assumed that you have completed all of the previous exercises in this chapter. EXERCISE 6.7
Using the Security Configuration and Analysis Tool Adding the Security and Configuration Analysis Snap-In
1.
Select Start Administrative Tools Security.
2.
Select File Add/Remove Snap-In.
3.
In the Add/Remove Snap-In dialog box, click the Add button. Highlight the Security Configuration and Analysis snap-in and click the Add button. Then click the Close button.
4.
In the Add/Remove Snap-In dialog box, click the OK button.
Specifying the Security Database
5.
In the MMC, right-click Security Configuration and Analysis and select Open Database.
6.
In the Open Database dialog box, type sampledb in the File Name text box. Then click the Open button.
342
Chapter 6
Administering Security Policy
EXERCISE 6.7 (continued)
7.
In the Import Template dialog box, select the template securews and click the Open button.
Creating the Security Template
8.
In the MMC, select File Add/Remove Snap-In.
9.
In the Add/Remove Snap-In dialog box, click the Add button. Highlight the Security Templates snap-in and click the Add button. Then click the Close button.
10. In the Add/Remove Snap-In dialog box, click the OK button. 11. Expand the Security Templates snap-in and then expand the \systemroot\Security\ Templates folder.
12. Double-click the securews file. 13. Select Account Policies and then Password Policy. 14. Edit the password policies as follows:
Set the Enforce Password History option to 10 passwords remembered.
Enable the Passwords Must Meet Complexity Requirements option.
Set the Maximum Password Age option to 30 days.
15. Highlight the securews filename, right-click, and select the Save As option. 16. In the Save As dialog box, place the file in the default folder and name the file servertest. Click the Save button. Importing the Security Template
17. Highlight the Security Configuration and Analysis snap-in, right-click, and select the Import Template option.
18. In the Import Template dialog box, highlight the servertest filename and click the Open button. Performing and Reviewing the Security Analysis
19. Highlight the Security Configuration and Analysis snap-in, right-click, and select the Analyze Computer Now option.
20. In the Perform Analysis dialog box, accept the default error log file path and click the OK button.
21. When you return to the main MMC window, double-click the Security Configuration and Analysis snap-in.
22. Double-click Account Policies and then double-click Password Policy. You will see the results of the analysis for each policy, indicated by an x or a check mark next to the policy.
Managing Windows Server 2003 Services
343
Managing Windows Server 2003 Services A service is a program, routine, or process that performs a specific function within the Windows Server 2003 operating system. You manage services through the Services window, shown in Figure 6.4. You can access this window in a variety of ways, including through the Computer Management utility (right-click My Computer in the Start menu, select Manage, expand Services and Applications, and then expand Services), through Administrative Tools, or as an MMC snap-in. FIGURE 6.4
The Services window
For each service, the Services window listing shows the name, a short description, the startup type, and the logon account that is used to start the service. To configure the properties of a service, double-click it to open its Properties dialog box. This dialog box contains four tabs of options for services, which are described in the following sections.
Configuring General Service Properties The General tab of the service Properties dialog box (see Figure 6.5) allows you to view and configure the following options:
The service display name
A description of the service
The path to the service executable
The startup type, which can be automatic, manual, or disabled
The current service status
Startup parameters that can be applied when the service is started
344
Chapter 6
Administering Security Policy
You can use the buttons in the Service Status section of the dialog box to start, stop, pause, or resume the service. FIGURE 6.5
The General tab of the service Properties dialog box
Configuring Service Log On Properties The Log On tab of the service Properties dialog box, shown in Figure 6.6, allows you to configure the logon account that will be used to start the service. You can choose to use the local system account or specify another logon account. FIGURE 6.6
The Log On tab of the service Properties dialog box
Managing Windows Server 2003 Services
345
At the bottom of the Log On tab, you can select hardware profiles to associate the service with. For each hardware profile, you can set the service as enabled or disabled.
Configuring Service Recovery Properties Use the Recovery tab of the service Properties dialog box, shown in Figure 6.7, to configure what action will be taken if the service fails to load. For the first, second, and subsequent failures, you can select from the following actions:
Take No Action
Restart The Service
Run A File
Reboot The Computer
FIGURE 6.7
The Recovery tab of the service Properties dialog box
If you choose to run a file, you then specify the file and any command-line parameters. If you choose to reboot the computer, you can then configure a message that will be sent to users who are connected to the computer before it is restarted.
Checking Service Dependencies The Dependencies tab of the service Properties dialog box, shown in Figure 6.8, lists any services that must be running in order for the specified service to start. If a service fails to start, you can use this information to determine what the dependencies are and then make sure that each dependency service is running.
346
Chapter 6
FIGURE 6.8
Administering Security Policy
The Dependencies tab of the service Properties dialog box
At the bottom of the Dependencies tab, you can see if any other services depend on this service. You should verify that there are no services that depend on a service that you are about to stop.
Using Windows Server 2003 Services Your company uses several applications that require a user to be logged on as a service. Some of the applications have specific instructions for setup, whereas other applications leave the specific configuration up to the administrator. The problem with many of the applications is that they require the service to log on as a user with administrative rights. This could easily be a potential security violation, but there are steps you can take to manage your service accounts. Consider using a naming convention so that you can easily identify the service accounts. For example, you could place a # sign in front of all service accounts. If you have a virus scanner that uses a service account, you would create #VirScan as the user account that will be used to log on. Under user rights, you will typically assign this user account the Logon As A Service right. You should also make sure that the user account has a difficult password composed of alphanumeric and nonalphanumeric characters. If your domain uses password restrictions, you should configure the service accounts so that their passwords never expire.
Exam Essentials
347
Summary In this chapter, you learned about the security features of Windows Server 2003. We covered the following topics:
Security settings can be applied at the local or domain level. To manage local security policies, use Group Policy with the local computer Group Policy Object. To manage domain security policies, use Group Policy with the domain policy Group Policy Object.
Account policies control the logon process. The three types of account policies are password, account lockout, and Kerberos policies.
Local policies control what a user can do at the computer. The three types of local policies are audit, user rights assignment, and security options policies.
The Security Configuration and Analysis utility is used to analyze your security configuration. You run this utility to compare your existing security settings to a security template configured with your desired settings.
The Services utility is used to manage startup options for services, stop services, configure logon and service recovery properties, and check service dependencies.
Exam Essentials Understand how to configure security settings using Group Policy Objects. Know which options can be configured through GPOs. Understand how GPOs are applied through Active Directory. Understand the order of application of GPOs. Know how to override the default behavior of GPO execution. Know how to define and configure account policies. Understand how to configure the options for password policies, account lockout policies, and Kerberos policies. Know how to define and configure local policies. Understand how to configure the options that can be configured in the Audit Policy, User Rights Assignment, and Security Options folders. Know how to define and configure system policies. Understand how to configure User Profiles, Logon, Disk Quota, Group Policy, and Windows File Protection options. Be able to use the Security Configuration and Analysis Tool. Know how to use the Security Configuration and Analysis utility along with security templates to analyze the security of your Windows Server 2003 computers. Know how to manage services You manage services through the Services window. For each service, the Services window listing shows the name, a short description, the startup type, and the logon account that is used to start the service. To configure the properties of a service, double-click it to open its Properties dialog box.
348
Chapter 6
Administering Security Policy
Key Terms Before you take the exam, be certain you are familiar with the following terms: account lockout policies
Kerberos policies
account policies
key distribution center (KDC)
Active Directory
local group
Active Directory users
local policies
Active Directory Users and Computers (ADUC) local users Administrator
Local Users and Groups
audit policies
logon policies
delegation
mutual authentication
disk quota policies
organizational units (OUs)
distribution group
password policies
domain
Security Configuration and Analysis
domain local groups
security group
domain policies
security options
domain users
sites
global groups
universal groups
Group Policy policies
user profile
Guest
user rights
inheritance
Windows file protection policies
Review Questions
349
Review Questions 1.
You recently made changes to the GPOs on your Windows Server 2003 domain controller. You notice that the changes are not being applied automatically when new users log on. Using the following exhibit, which option can you set so that new changes to the GPO are applied within 10 minutes for any computers that are logged onto the network?
A. Enable and configure the Group Policy for Apply Group Policy For Computers Asyn-
chronously During Startup. B. Enable and configure the Group Policy for Apply Group Policy For Users Asynchro-
nously During Startup. C. Enable and configure the Group Policy for Group Policy Refresh Interval For Computers
to 10 minutes. D. Enable and configure the Group Policy for Group Policy Refresh Interval For Domain
Controllers to 10 minutes.
350
2.
Chapter 6
Administering Security Policy
You are the administrator of the TESTCORP.COM domain. You have configured Local Security Options for the Default Domain Policy object. You have delegated administrative control to the DENVER.TESTCORP.COM domain and the BELFAST.TESTCORP.COM domain to the respective local administrators. You want to make sure the local administrators do not define any group policies that might conflict with the settings you have specified. What should you configure? A. Configure the No Override option on the TESTCORP.COM domain GPO. B. Configure the Block Inheritance option on the TESTCORP.COM domain GPO. C. Configure the Always Apply Root Level GPO option on the TESTCORP.COM
domain GPO. D. Nothing. Your options will override any local options by default. 3.
You suspect that someone is attempting to log on to your domain using the Administrator account. You want to track when users log on successfully or unsuccessfully in the domain. Based on the following exhibit, which auditing event should you enable?
A. Audit Account Logon Events B. Audit Account Management C. Audit Logon Events D. Audit Process Tracking
Review Questions
4.
351
You are the administrator of a Windows Server 2003 network that uses Active Directory. Your network includes Windows Server 2003 domain controllers, Windows Server 2003 member servers, and XP Professional computers. You are concerned that the security on your network is susceptible to network attacks. You want to use the Security Configuration and Analysis snap-in to tighten the network’s security. Which of the following options can be applied using this tool? (Choose all that apply.) A. Track changes to security options. B. Create and apply group policies. C. Set a working database of security options. D. Import an existing security template.
5.
You are an IT Manager with a staff of 7, including junior and senior administrators and help desk staff. There is a mixture of NT 4 (both Workstation and Server), Windows 2000 (both Professional and Server), Windows XP Professional, and Windows Server 2003 computers currently on the network. You are going to migrate the network from an NT-based domain to an Active Directory– enabled Windows Server 2003 domain. All of your subordinates will be members of the Account Operators group on the first domain controller that is installed. In preparation for the migration, you want to ensure that all computers will have a computer account in Active Directory. Your senior administrator plans to install the Windows Server 2003 servers and create the Active Directory–enabled domain. The help desk staff will then log on to the new domain from each computer to make sure all computers can connect. Which of the following additional steps can your staff execute in order to create computer accounts for all computers in the domain? A. Upgrade the NT 4 Workstation computers to Windows 2000. Create computer
accounts for these computers using the Active Directory Users and Computers console. B. Upgrade all NT computers to Windows 2000. Create computer accounts for all com-
puters using the Active Directory Users and Computers console. C. Create computer accounts for all computers using the Active Directory Users and Com-
puters console. D. Add the help desk staff to the Domain Administrators global group so that when they
log in to the new domain from a particular computer for the first time, a computer account will be created automatically within Active Directory. 6.
You need to quickly edit the Group Policy for a Windows Server 2003 member server. Which of the following command-line utilities could you use to access the Local Computer Policy utility? A. EditGPO.exe B. GPOEdit.exe C. EditGPO.msc D. Gpedit.msc
352
7.
Chapter 6
Administering Security Policy
One common use of the Services utility is to disable the Print Spooler service in order to stop a queue of print jobs. What steps would you take to stop the Print Spooler service, and then restart it? Choose all options that apply. A. Select Start All Programs Accessories Services. B. Select Start Administrative Tools Services. C. Double-click the Print Spooler service. D. Right-click the Print Spooler service and select Edit from the pop-up menu. E. Click the Pause button, then click the Start button. F. Click the Stop button, then click the Start button. G. Choose Manual from the Startup Type list.
8.
Your network requires an extraordinary level of security. You want to configure the Windows Server 2003 domain controllers so that only Windows 2000 clients can communicate with them. Based on your requirements, which of the following security templates should you apply to your servers? A. Securedc.inf B. Hisecdc.inf C. Dedicadc.inf D. W2kdc.inf
9.
You are concerned about network security. You want to know as much as you can about the security protocols that are used in conjunction with Windows Server 2003. Which of the following security protocols is used with Windows Server 2003 to authenticate users and network services? A. Kerberos version 5 B. C2\E2 Security C. KDS Security D. MS-CHAP
10. You are the administrator of the TESTCORP.COM domain. You have configured a GPO for your domain so that users have to change their passwords every 45 days. You want to ensure that users do not immediately reuse their old password. Which password policy specifies that users cannot reuse passwords until they have cycled through a specified number of unique passwords? A. Enforce Password History B. Use Unique Passwords C. Require C2/E2 Encryption Standards D. All Passwords Must Use High Level Standards
Review Questions
353
11. You suspect that one of your administrators is creating new users so that they can look at the Payroll folder, which has folder auditing enabled. Which audit policy should you enable so that you can track when a user or group is created, deleted, or has management actions generated? A. Audit Object Access B. Audit Logon Events C. Audit Account Management D. Audit Process Tracking 12. You are the Director of IT for a startup that creates XML-based web applications. The Engineering department has a test environment with two IIS servers that are separate from the production IIS servers. The Director of Engineering informs you that once again, one of the Engineers in your company copied code to the production server instead of to the test server and the mistake has seriously destabilized the production environment. You want to find the culprit so you can ensure that he or she stops making this mistake. All engineers are members of the group Engineers. You instruct one of your administrators to enable auditing for successful writes to the directories where code is stored on the production IIS servers. The administrator reports to you that he enabled auditing of successful object access for the domain containing the production IIS servers. He further reports that he configured auditing on the directories where code is stored on the production IIS servers by enabling tracking of successful Create Files/Write Data access by the Engineers group. He tells you that he accepted all other default settings. The next week, the problem recurs. You know that someone overwrote data in several subfolders of one of the directories where code is stored on the production IIS servers, but there is no record of successful writes in the Security log. Which of the following options is the reason successful writes were not audited? A. The Computer Configuration settings of the GPO are disabled, or the GPO is not linked
to the appropriate object. B. The Administrator applied auditing only to the parent folder. C. The Administrator did not correctly enable auditing at the domain-level. D. The Administrator did not configure the appropriate object access to be audited. 13. Your Windows Server 2003 computer also acts as an IIS server that allows anonymous access. You want to minimize security risks as much as possible. Which of the following security options will enable you to specify additional restrictions for anonymous connections? A. Additional Restrictions For Anonymous Users B. Impose Additional Security For Anonymous Users C. Tight Security For Anonymous Users D. Audit Access Of Anonymous Users
354
Chapter 6
Administering Security Policy
14. You have recently applied security options for your Windows Server 2003 computer. When you attempt to verify the security settings, they appear as if they have not been applied. What command-line utility can you use to force an update of the new security policies? A. secupdate B. gpupdate C. secrefresh D. secpol 15. Which of the following administrative templates are included by default in Windows Server 2003? (Choose all that apply.) A. System.adm B. Inetres.adm C. Windows.adm D. Winnt.adm E. Wuau.adm F. Conf.adm
Answers to Review Questions
355
Answers to Review Questions 1.
C. Group Policy Refresh Intervals For Computers specifies the interval rate that will be used to update the computer’s Group Policy. By default, this background operation occurs every 90 minutes.
2.
A. The No Override option is used to specify that child containers can’t override the policy settings of higher-level GPOs. In this case, the order of precedence would be that site settings override domain settings and domain settings override OU settings. The No Override option would be used if you wanted to set corporate-wide policies without allowing administrators of lower-level containers to override your settings. This option can be set on a per-container basis as needed.
3.
A. The Audit Account Logon Events policy is used to track events such as when a user logs on, logs off, or makes a network connection. The Audit Logon Events policy is used to track events such as running a logon script or accessing a roaming profile.
4.
C, D. Through the Security Configuration and Analysis snap-in, you can analyze an existing template against your current configuration to identify any weakness in your security settings. This utility, Analyze Computer Now, does not configure any security options. The Configure Computer Now utility does change the security settings and should only be used with extreme caution.
5.
C. In this scenario, your staff can use the Active Directory Users and Computers console to create computer accounts for all computers on the network. Computer accounts are created for any computer that joins the domain that is running Windows NT, Windows 2000, Windows XP Professional, or Windows Server 2003. Therefore, there is no need to upgrade any of the computers on your network. There is no need to add the help desk staff to the Domain Administrators global group. Computer accounts are not created automatically within Active Directory the first time a user with administrative rights logs on to the new domain from a particular computer. Typically, when installing a new client computer, you would create the computer account as a part of the installation process when you join the computer to the domain. This process can be automated.
6.
D. You can edit group policies through the Group Policy MMC snap-on or by using the command-line utility Gpedit.msc. To use this utility, select Start Run and, at the Run dialog box, type Gpedit.msc and click the OK button.
7.
B, C, F. First, select Start Administrative Tools Services. Then, double-click the Print Spooler service. Finally, click the Stop button, then click the Start button.
8.
B. The Hisecdc.inf security template defines highly secure network communications for Windows Server 2003 computers. If you apply this security template, Windows Server 2003 computers can communicate only with other Windows Server 2003 computers. In this case, the computers would not communicate with older clients such as Windows 95/98 or even Windows NT 4 computers.
9.
A. Windows Server 2003 uses the Kerberos version 5 security protocol to authenticate users and services through a mutual authentication process.
356
Chapter 6
Administering Security Policy
10. A. When the Enforce Password History option is set, users cannot reuse the same password. Users must create a new password when their password expires or is changed. 11. C. The Audit Account Management policy is used to track user and group creation, deletion, and management actions. 12. A. The Administrator enabled auditing correctly at the domain level by enabling auditing of successful object access for the production domain. He also configured the appropriate object access to be audited. Furthermore, he accepted the default settings, which apply auditing to the folder, subfolders, and files. The only option presented that could explain why auditing did not occur is option A. 13. A. The Additional Restrictions For Anonymous Users security option allows you to impose additional restrictions, such as not allowing access without explicit anonymous permissions. 14. B. If you edit your security policy and notice that your changes are not taking effect, it may be because the group policies are only applied periodically. You can force your policies to be updated by issuing the command secedit /refreshpolicy machine_policy for computers and secedit /refreshpolicy user_policy for user settings. 15. A, B, E, F. Windows Server 2003 does not include support for older operating systems by default. Windows 2000 Server included user interface settings for Windows NT and 9x with the Winnt.adm and Windows.adm templates, but these are no longer included.
MCSE Upgrade Exam
PART
II
Chapter
7
Planning and Implementing Server Roles MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Configure security for servers that are assigned specific roles. Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
Deploy the security configuration for servers that are assigned specific roles.
Create custom security templates based on server roles.
Plan a framework for planning and implementing security.
Plan for security monitoring.
Plan a change and configuration management framework for security.
Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
In today’s networks, it’s increasingly common to find specialized servers that are dedicated to a specific task such as domain controller services, Web services, mail, or database services. Each of these functional roles carries its own unique security challenges and requirements. An effective plan for secure network infrastructure design takes into consideration the novel requirements of each server type based on its intended function. Server-level security is an important element of a secure network infrastructure. We’ll begin this chapter with an introduction of server roles, which determine what jobs and tasks your servers are required to perform. For instance, a DNS server is designed to keep records of DNS names and answer DNS queries, while a DHCP server is designed to lease IP addresses to local network clients. Of course, servers can reprise multiple roles simultaneously, and in this chapter we will see why you would want to do this and when this might not work so well. When you combine your knowledge of server roles with your knowledge of network security presented in Chapter 6, "Administering Security Policy," you should have a firm understanding of how to plan security for the various server implementations that Microsoft offers. Security configuration management is an ongoing process. The servers and clients on your network must be kept up-to-date with the latest critical patches and operating system fixes, especially with regard to security. Many organizations employ a tool for enterprise software configuration management such as Microsoft Systems Management Server, which not only manages Windows patches, but also controls the deployment of operating systems, applications, and client configuration standards throughout an organization. If you don’t already use such a tool in your network, you'll learn how to plan security updates using the tools included with Windows Server 2003.
Much of the background information for these objectives was covered in Chapter 6. You must be thoroughly familiar with the content presented in Chapter 6 in order to prepare for the objectives presented in this chapter.
Defining Server Roles Corporate networks exist to provide specialized services to clients. Some of these services, such as e-mail, are highly visible to the end user. However, many critical services, such as DNS and DHCP, are completely transparent to the end user.
Defining Server Roles
361
A server that is installed to provide a specific service on the network is said to be functioning in a server role. A server role describes the functional purpose of a network server. There are roles for application servers, such as e-mail, Web, database, and media servers. There are roles for servers that host network resources, such as file and print servers. There are also roles for servers that provide network infrastructure services, such as name resolution and connectivity. Although a single server can host multiple services, it is frequently desirable to plan a server strategy that employs specialized servers for mission-critical and resource-intensive functions, such as domain controller services. Some services can be provided by a single server—for example, file and print services. Other functions could present a huge security risk if they were provided by the same server—for instance, it would be a very bad idea to install a domain controller that also provided Web services to the public. Some of the most common server roles in a Windows Server 2003 network are listed here: File Servers File servers provide and manage access to files. You would configure a computer as a file server if you plan to use disk space on the computer to store, manage, and share information such as files or to host applications that users can access over the network. In Windows Server 2003, file server features include the ability to implement disk quotas on NTFS volumes. This enables you to monitor disk space usage and limit the amount of disk space available to individual users. The Indexing Service can also be implemented to enable users to quickly and securely search for information on the server or across the network. You can search for files in different formats and even in multiple languages, through the Start Search command or through a browser interface. Print Servers Print servers provide and manage access to printers. You would configure a computer as a print server if you plan to use the server to share printers with network clients. In Windows Server 2003, print server features include the ability to connect to network printers using Web point-and-print for single-click installation of a shared printer. This is a continuation of functionality from the Windows 2000 Server family. Network-attached printers, also known as TCP/IP printers, are installed more simply through a new standard port monitor. There’s also built-in command line functionality for print server management through the Windows Management Instrumentation (WMI) Print Provider. WMI is Microsoft’s management API for monitoring local and remote system components. The WMI Print Provider enables you to use Visual Basic scripts to administer print devices and print servers. This helps you automate routine tasks and free time for more important administrative work.
Since the mid-nineties, Microsoft has referred to physical printers as “print devices” and the logical software components of the print redirector as the “printer.” Adhere to the Microsoft nomenclature for the exam.
362
Chapter 7
Planning and Implementing Server Roles
Domain Controller Servers Domain controllers store directory data and manage communication between users and domains. They service user requests for logon, authentication, and directory searches. You must configure at least one server as a domain controller if you’ll be enabling Active Directory. Additional domain controllers are recommended to provide redundancy and fault tolerance, as well as to balance the load. It’s best to locate a domain controller in each site in order to optimize network performance between sites. You want client logon processes to be handled within the local site, not crossing a slower connection and creating unacceptably slow logon times and excessive traffic between sites. DNS Servers The Domain Name Service (DNS) is a standardized name service used on the Internet and in TCP/IP networks. The DNS service registers names and resolves queries for DNS domain name-to-IP address mappings. The service enables clients (which can be end users or other servers) to locate and access resources offered by remote computers on private networks, such as the corporate network or a VPN-connected extranet, or on public networks, such as the Internet. If you will publish resources to be available on the Internet, for instance an internally hosted corporate Web site, you’ll need to have a DNS server. Most corporate networks will require at least one DNS server, and it’s best to have multiple DNS servers for fault tolerance and load balancing.
Your DNS server does not have to be a Windows Server 2003 computer—in fact, Unix servers were the first and are still the most common server providers of DNS services. The Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol that allows users to query and update information in a directory service. LDAP was established by the Internet Engineering Task Force (IETF), and it has been used by Unix OSs for a very long time. Because Active Directory uses an LDAP name structure, Windows DNS services can interoperate with Unix-based DNS services.
If your network will be directly connected to the Internet (which is usually the case), you’ll need to decide on a globally unique domain name. Then you must register the domain name with an authorized Internet registrar, such as VeriSign/Network Solutions, Inc. (NSI) or your ISP. The Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) are responsible for ensuring globally unique domain name and IP assignments on the Internet.
In the past, DNS domain name assignment and registration was the exclusive territory of InterNIC (part of ICANN). Now it is transitioning to a shared registration system.
Defining Server Roles
363
WINS Servers The Windows Internet Name Service (WINS) provides a distributed database for name resolution services in legacy Microsoft networks. The WINS service registers names and resolves queries for NetBIOS computer name-to-IP address mappings. WINS is the best choice for NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP (NBT). You should configure a WINS server if you need to support NetBIOS computer name-to-IP address name resolution in your network. WINS is gradually being phased out in favor of networks that are entirely DNS-based, so there are no substantial improvements to WINS in Windows Server 2003. However, most Windows networks need to support older NetBIOS-aware operating systems (Windows NT/9x) or NetBIOS-aware applications such as Microsoft Exchange Server. DHCP Servers The Dynamic Host Configuration Protocol (DHCP) provides centralized IP address management and dynamic address allocation to client computers. You’ll almost certainly want to configure at least one DHCP server on your corporate network, and you’ll likely install multiple DHCP servers for fault tolerance and load balancing. DHCP works together with Active Directory, DNS, and WINS to efficiently allocate IP configuration information to clients. Web Application (IIS) Servers Internet Information Services (IIS) 6 is a Web application server that is used to host Web sites and File Transfer Protocol (FTP) sites. You will want to configure a server as a Web application server in order to host Web content on that server for internal use within a corporate intranet or for public viewing on the Internet. For security, IIS installs only static Web server features by default. After completing the server installation, you can run the IIS Security Lockdown Wizard, which allows you to enable full server functionality.
Running IIS on a domain controller is not recommended. The networking and processor load used by domain controller processes, such as authentication, will result in severe performance degradation for IIS activities. More importantly, adding users to a group with log on locally privileges on a domain controller is a huge security risk.
IIS 6 offers an MMC snap-in management console, and can also be administered using scripts, the command-line or by editing a plain text configuration file. Remote administration is possible through the Terminal Services Web Client or Web Interface for Remote Administration (an HTML interface). In Windows Server 2003, IIS version 6 has been enhanced to better prevent Web application failures and to keep such failures from affecting other Web sites and applications running on the same server. Features of IIS 6 include the ability to isolate a single Web application or multiple sites into a self-contained process that speaks directly to the kernel. This capability prevents one errant application or site from disrupting the Web services or other Web applications on the
364
Chapter 7
Planning and Implementing Server Roles
server. IIS also has health monitoring capabilities that enable you to prevent, discover, and recover from Web application failures. Mail (POP3) Servers Windows Server 2003 includes Post Office Protocol, version 3 (POP3) and Simple Mail Transfer Protocol (SMTP) components that can be used to provide e-mail services. The POP3 service implements the standard POP3 protocol for mail retrieval and pairs with the SMTP service for mail transfer. You should configure a server as a mail server if you plan to use the server to provide e-mail transfer and retrieval services to client computers. The Post Office Protocol (POP3) service is used to store and manage e-mail accounts on the mail server. Users can connect to the mail server and retrieve e-mail to their local computer using an e-mail client that supports the POP3 protocol (such as Microsoft Outlook). The Simple Mail Transfer Protocol (SMTP) service is used to send outgoing e-mail.
The simple mail server provided with Windows Server 2003 is not the same as Microsoft Exchange Server, which is a standalone solution for enterprise messaging.
Routing and Remote Access Servers The Routing and Remote Access Service (RRAS) provides software routing services and secure internetworking services such as Virtual Private Networking (VPN) services. You’ll want to configure a routing and remote access server as an IP router if you plan to use software routing in your organization. If you need a secure solution for connecting remote users to the corporate network, you’ll want to configure a routing and remote access server as a remote access or VPN server. Remote access services are often used in combination with Terminal Services to support the latest Windows operating systems and applications on legacy hardware and across slow WAN links. Terminal Services Servers Terminal Services provides remote computers with a centralized point of access for Windows applications and operating systems. You’ll want to configure a Terminal Services server if you want to support the latest Windows operating systems and applications on legacy systems that would otherwise not meet the minimum hardware requirements. You will also want to configure a Terminal Services server if you want to support clients that require access to remotely hosted applications and resources across slow WAN links. It acts as a multi-user operating system to enable multiple clients to have simultaneous independent sessions that run on the Terminal Services server, not on the local node. Clients behave like dumb terminals. Users can run applications, access resources, and view the session console as though they were working on the local Desktop.
Defining Server Roles
365
However, all processing occurs on the Terminal Services server, and only I/O data (keyboard and mouse input from the client, and video output from the server) is transmitted across the wire. In Windows Server 2003, Terminal Services has a new tool for remote desktop administration. As in Windows 2000 Server, you can use Terminal Services for remote administration of servers and clients. Streaming Media Servers Windows Media Services delivers, manages, and archives Windows Media content such as streaming audio and video over networks that range from low-bandwidth, dial-up Internet connections to high-bandwidth LANs. You should configure a server as a streaming media server if you plan to deliver digital media content in real time over dial-up Internet connections or within LANs. In the following sections, you’ll learn about two tools that novice Windows administrators will find especially helpful for configuring and managing server roles: the Configure Your Server Wizard and the Manage Your Server tool.
Using the Configure Your Server Wizard Server roles can be initially configured and the relevant services installed using the Configure Your Server Wizard. The Configure Your Server Wizard makes it easy for an administrator to install or remove many of the services available on a Windows Server 2003 computer. You can also use the wizard to remove a role in which you previously configured the server. You can configure a server with multiple roles. You’ll see how this wizard works in Exercise 7.1. This exercise walks you through using the Configure Your Server Wizard to add or remove a server role, depending on whether or not the role has already been configured. For instance, if a server has already been configured for a certain role, such as a file server, then you are presented with the option to remove the role. EXERCISE 7.1
Using the Configure Your Server Wizard 1.
Launch the wizard by going to Start Administrative Tools Configure Your Server Wizard. Choose Next to continue.
2.
The Preliminary Steps page displays the preliminary steps, prompting you to make sure all cabling and hardware is in place, peripherals are connected, and Internet connectivity is established if the computer will be used for Internet connectivity. You are also reminded to have your Windows Server 2003 CD on hand. Choose Next to continue.
366
Chapter 7
Planning and Implementing Server Roles
EXERCISE 7.1 (continued)
3.
After the wizard detects the network settings, the Server Role page is displayed.
Note that in this example, the Web application server role has been configured and a link to the Manage Your Server tool is provided. You can configure a server for multiple roles, as shown. Also note that there is a link to view the Configure Your Server log. Highlight a role and choose Next to add or remove that server role.
4.
If you choose to remove a role, the Role Removal Confirmation page is displayed.
Defining Server Roles
367
EXERCISE 7.1 (continued)
Note that you need to enable a checkbox to confirm removal of a role. Enable the checkbox, and choose Next to continue.
5.
The Applying Selections page will appear, displaying a status bar. Once the removal is complete, the Windows Components Wizard appears and prompts you through any additional steps necessary in the process of applying your selections.
6.
When the wizard finishes, you can view the Configure Your Server log or simply choose Finish to close the wizard.
As an alternative, you can use the Add or Remove Programs applet in the Control Panel to add or remove Windows components, including all of the services related to the server roles mentioned here with the exception of the routing and remote access server role and the domain controller server role. In addition, The Active Directory Installation Wizard (dcpromo) is normally used to promote or demote a domain controller, although the Configure Your Server Wizard could also be used to accomplish this task. The Routing and Remote Access MMC console is used to configure servers as IP routers and to configure servers for remote access/VPN server roles, although the remote access/VPN server role can be initially added or removed using the Configure Your Server Wizard.
Planning a Strategy to Implement Web Services As the network administrator for a large corporation with locations spread across North America, you are charged with planning the strategy to enable users to access localized internal corporate information. Users at each location require access to information from their human resources group. In addition, certain departments, including Marketing and Engineering, require access to departmental information, and access to this information needs to be restricted to just the users in the relevant department. Users will access the information on an occasional basis, so you do not foresee a need to plan for heavy traffic. However, critical information updates must be immediately available. This information should be easy to find and navigate, and it should be stored in a central location so users can retrieve the information on demand. Finally, you want a solution that will be cost-effective and easy to implement. The expenses will come from the local IT budgets, which were recently slashed to meet corporate efficiency objectives. You decide to use a strategy incorporating a local Web server at each location to host localized intranet sites. To meet your cost objectives, you use a single Windows Server 2003 server running Web Edition at each location. Each intranet Web server hosts several sites: one for Marketing, one for Engineering, and two for Human Resources. Human Resources will have two sites. One site will have confidential information and will be restricted. The other HR site will be used to publish details about benefits, events, and other information that users throughout the location need to know.
368
Chapter 7
Planning and Implementing Server Roles
You secure the solution by placing the Web servers within the local private network, using a private addressing scheme to refer to the Web servers so that they are available only from inside the corporate network. Because Web Edition supports only a single VPN connection, you use a separate RRAS server to enable remote users to reach the corporate network and access the intranet sites. Each local IT administrator can manage the Web servers and also delegate administration to authoritative users within a department by adding those users to the Web Operators group. This strategy enables you to deploy a manageable, cost-effective solution that meets the local business needs of your organization. Web Edition is optimized for Web site hosting, and it can handle the traffic needs of multiple sites. This solution enables you to get the information to your users quickly and make it accessible through an easy-to-navigate HTML interface. Archived data, such as sales data for fiscal year 2002, is especially easy to find through a Web interface. Your plan also makes it easy to restrict data access to internal users only, and you can further restrict data access to authorized groups only.
Using the Manage Your Server Tool After running the Configure Your Server Wizard, you can manage the server roles using the Manage Your Server tool located in the Administrative Tools group. The Manage Your Server tool provides a central interface from which an administrator can manage services installed through the Configure Your Server Wizard. The Manage Your Server tool, shown in Figure 7.1, opens automatically the first time you log on to the server under an account with administrative permissions. Notice that you can search from the main window. There are links to open management consoles, launch specific tasks such as Add A Printer Driver, and read additional background information about a server role. Also notice in the upper-right corner the Tools and Updates section, which includes the Administrative Tools, Windows Update, and Computer And Domain Name Information, which are from the System Properties dialog box. The Manage Your Server tool is a portal to the various MMC consoles and other utilities used to administer the different server functions. For junior administrators and other technical staff, using this tool is an easy way to find the relevant console for a given administrative task. For advanced Windows administrators, launching the intended console or creating custom consoles for common and delegated management tasks is usually faster. In Exercise 7.2, you will learn how to use the Manage Your Server tool.
Defining Server Roles
FIGURE 7.1
369
The Manage Your Server tool
EXERCISE 7.2
Using the Manage Your Server Tool 1.
Launch this tool on a domain controller by going to Start Administrative Tools Manage Your Server.
2.
The main page of the Manage Your Server tool shows the roles that are configured for this server. Click Add Or Remove A Role at the top of the screen to launch the Configure Your Server Wizard. Choose Cancel to return to the main page of the Manage Your Server tool.
3.
Scroll down to the Domain Controller (Active Directory) role. It has options to manage users and computers in Active Directory, manage domains and trusts, and manage sites and services. Each of these options launches the corresponding MMC console for Active Directory. Click Manage Users And Computers In Active Directory. Notice that Active Directory Users And Computers console is launched. Close the console to return to the main page of the Manage Your Server tool.
370
Chapter 7
Planning and Implementing Server Roles
EXERCISE 7.2 (continued)
4.
In the section for the Domain Controller (Active Directory) role, click Review The Next Steps For This Role. Clicking this text opens Help and displays a checklist for completing additional tasks. The checklist is populated with checks indicating the steps that you have already completed, and it shows you the steps you have yet to take to finish configuring this role. Close Help to return to the main page of the Manage Your Server tool.
5.
Click Computer And Domain Name Information in the upper-right corner of the page. This opens the System Properties page with the Computer Name tab active. Click Cancel to return to the main page of the Manage Your Server tool.
6.
Exit the Manage Your Server tool.
Planning a Security Update Infrastructure Operating systems, just like hardware drivers and user applications, are constantly being improved. Patches and updates are frequently published on the Internet, where home and corporate users can download them. Staying current with the latest up-to-date fixes from the vendor is important in order to ensure the best performance and administrative efficiency.
Configuring updates was covered in Chapter 1, “Installing, Licensing, and Updating Windows Server 2003.” Now, we will examine the factors involved with planning for software updates.
Unix and other OS vendors often use the terms “patch” or “fix” to describe singular or bundled improvements to an operating system version. Microsoft prefers the euphemistic terms “update” or “service pack.” These terms are used interchangeably and essentially mean the same thing.
Good practice includes using current patches, services packs, and critical security fixes for configuration management. Standardizing security configurations is also considered to be good practice. One of the biggest advantages to maintaining the current versions of all OS patches is that it makes troubleshooting easier. In fact, keeping current with Windows updates frequently eliminates problems before they arise. Every veteran administrator carries battle scars from various esoteric problems that he spent hours troubleshooting, only to find that the issue was fixed in an existing patch. In addition, security plays an increasingly important role in today’s networks. Because security holes are constantly being discovered and exploited, staying current with the latest critical security patches is essential. The wise network administrator will also have a plan for maintaining standardized security configurations across all clients and servers in the network. Earlier in this chapter, you learned how to use security templates to deploy standardized security configurations to servers and clients across the network. Windows Server 2003 has two
Planning a Security Update Infrastructure
371
more tools to assist you in planning for and maintaining the most current operating system updates and security configurations: Microsoft Software Update Services (SUS) and Microsoft Baseline Security Analyzer (MBSA).
Using Microsoft Software Update Services Microsoft Software Update Services (SUS), is a simplified solution targeted for medium-sized enterprises as a means to manage and distribute critical Windows patches. You can think of SUS as an intranet-hosted version of the Windows Update service. Advantages of SUS include more efficient administration of critical updates. In the past, it was necessary for an administrator to check the Windows Update Web site or the Microsoft Security Web site to see what was new. Then she had to manually download and deploy the patches to each affected node. For those users with Windows Update rights, additional administrative effort was required to stop the downloading of patches and updates that were not tested or approved by the system administrators. SUS solves these problems by dynamically downloading and automatically distributing critical Windows updates. SUS is particularly powerful in combination with Active Directory, though AD is not a requirement.
SUS or SMS? SUS was created to get critical Windows 2003, 2000, and XP updates to distributed nodes in your network as quickly as possible. You may already have a solution for enterprise software distribution in place in your organization. For example, you may be using Microsoft Systems Management Server (SMS) to manage configurations and deploy new software. If this is the case, you should continue using that solution—you don’t need SUS.
SUS features server-side and client-side components. An intranet-hosted Windows Update server hosts the updates and services client HTTP requests for those updates. The administrative interface is web-based and, therefore, allows for internal remote administration via HTTP or HTTPS using Internet Explorer 5.5 or higher.
SUS Server-Side Components The synchronization service enables an administrator to define a schedule for retrieving updates from the public Windows Update service. You can also synchronize the hosting server manually (through the Synchronize Now button). An administrator can also control deployment—he can test and approve updates before deploying them on the corporate intranet. For multiserver deployments, you can employ server-to-server synchronization, so that one authoritative server downloads the updates, and other servers point to it instead of Windows Update for the latest patches. This enables you to bring the updates closer to your desktops and servers. You can also download to a central site for testing, and then point clients to the Microsoft download sites for approved updates. This is an ideal strategy for large networks spread over geographically disparate sites.
372
Chapter 7
Planning and Implementing Server Roles
SUS Client-Side Components The client-side components are based on the Windows Automatic Updates technology, which was significantly enhanced in XP. Automatic Updates is the proactive pull service that enables users with administrative rights to automatically download and install Windows updates such as critical Windows security patches and operating-system fixes. Client-side features include customized installation of only those updates that are applicable to the computer. Bandwidth-throttling keeps updates from interfering with other network tasks by using only idle bandwidth. Chained installation enables multiple updates to be installed in a bundle so that a single restart will suffice (if a restart is necessary). Administrative security can be handled through Group Policy. The basic procedures for setting up Software Update Services are listed here: 1.
Download the Software Update Services program from Microsoft’s Web site.
2.
Install and configure SUS on the server.
3.
Point Windows Update on the client machines to the SUS server.
4.
On the server, run Windows Update.
5.
Approve the updates.
Implementing Microsoft Software Update Services You are the IT administrator for a regional division of a large corporation headquartered in Madison, Wisconsin. The regional division is located in New York City. The task of keeping all Microsoft operating systems up-to-date with the latest critical security patches and operating system fixes has been delegated to you. You are to handle the updates independently from the main corporation at a regional level. You want to design a strategy for implementing Microsoft Software Update Services in the regional division to meet specific objectives. These objectives include:
Testing all critical updates before deploying them to client computers on the network
Ensuring that all users are up-to-date with the latest fixes and security patches from Microsoft as soon as they are available
You decide to use the following approach to meet these objectives. On the server-side, you design a strategy to enable you to review, test, and approve updates before they are deployed to client computers across the network. You set up two servers running Software Update Services. The first is used as a test server and the second is used a production server. You configure an Automatic Updates policy so that a small number of computers specifically designated to test updates point to the test server to download updates. You set up another Automatic Update policy to point the rest of the network computers to the production server to download updates. The production server points to the test server to download updates.
Planning a Security Update Infrastructure
373
Using the synchronization feature of Software Update Services, you schedule an interval to download updates from the Windows Update Web Web site. Then you use the test server to approve updates for testing on the target computers. Upon successful completion of the tests, you approve the updates for the production server. To ensure that all fixes are downloaded and updated as soon as they are available from Microsoft, you set up a synchronization schedule to check the Windows Update server for new updates every day at 5:30 P.M. EST. At 5:45 P.M., you deploy the updates from the test server onto the test computers. After confirming that the updates were successfully deployed, you approve the updates on the test server so that they can be downloaded to the production server. The production server is scheduled to query for updates from the test server daily at 7:00 P.M. EST. After the updates are downloaded, they are available to be deployed to servers and clients throughout the network. All production computers are set up to automatically synchronize with the production SUS server daily at 9:00 A.M. EST. The following morning, clients will query the SUS server after booting up to find out if there are any new updates. If a client does not boot up or connect to the network that day prior to 9:00 A.M. EST., synchronization will occur at the next scheduled interval. For added fault tolerance and load balancing, you could implement multiple production SUS servers and/or randomize the synchronization schedule.
Software Update Services will help you manage general operating system patches. You also need a tool for managing security updates and configurations, which we consider next.
Using Microsoft Baseline Security Analyzer The Microsoft Baseline Security Analyzer (MBSA) is a tool that can be used to perform local or remote scans of servers and workstations. It’s commonly used to check for security updates, verify service pack status, and identify common security misconfigurations.
SMS 2.0 has a Software Update Services Feature Pack that provides enterprise customers with a security patch management solution using MBSA technology.
How MBSA Works MBSA and Windows Update analyze systems in different ways. For instance, Windows Update manages critical updates for the Windows operating system only, whereas MBSA (through HFNetChk) will report missing security updates and security misconfigurations for the Windows operating system and other Microsoft products such as IIS, Exchange, and SQL Server.
374
Chapter 7
Planning and Implementing Server Roles
Previously, the Microsoft Personal Security Advisor (MPSA) was used to scan for misconfigured system settings, and HFNetChk was used to scan for missing security updates and service pack status. With the release of MBSA v1.1, all of this functionality and more is integrated into one tool. In addition to handling security updates and service packs, MBSA examines Windows computers for common security best practices such as the use of strong passwords, guest account status, the type of file system to use (NTFS is preferred), available file shares, and members of the Administrators group. It checks for misconfigured security zone settings in Internet Explorer, Outlook, and Microsoft Office. It also scans IIS and SQL servers for common security misconfigurations. The MBSA tool includes graphical (mbsa.exe) and command line (mbsacli.exe) interfaces that run on Windows Server 2003, 2000, and XP systems. Also required are IE 5.01 or later and the Workstation and Server services. The MBSA is available for download from Microsoft’s download site (http://download.microsoft.com). Updates are associated with Microsoft security bulletins, which are numbered in the format “MS02-008.” MBSA uses the HFNetChk tool technology to scan for missing security updates and service packs for the following products: Windows NT 4, 2000, 2003, and XP; IIS 4 and 5; SQL Server 7 and 2000; IE 5.01 and later; Exchange 5.5 and 2000; and Windows Media Player 6.4 and later. MBSA runs its checks against the file mssecure.xml, which is downloaded from Microsoft upon MBSA’s initial run and is continuously updated afterward. This file contains productspecific information about which security updates are available. The information includes references to relevant security bulletins, the files in each update package and their versions and checksums, Registry changes, information about which updates supersede others, and related Microsoft Knowledge Base article numbers. As an alternative, you can use MBSA to perform the security updates portion of a scan against a local SUS server. This portion of the scan will then be performed against the list of approved security updates on the local SUS server, rather than against the complete list of available security updates listed in the mssecure.xml file downloaded by the tool at runtime. This includes updates that have been superseded. You would choose to run the scan in this way because it enables you to test updates and deploy only approved updates from a centralized distribution point. MBSA will also scan for system misconfigurations in the following products: Windows NT 4, Windows 2000, Windows Server 2003, Windows XP, Internet Information Server (IIS) 4, 5, and 6, SQL Server 7 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002.
If you intend to perform remote scans of IIS servers, you must install the IIS Common Files on the computer from which you will run the MBSA tool.
Target systems must have the Server service, Remote Registry, and File & Print Sharing enabled. The MBSA tool will create and store individual XML security reports for each computer scanned and will display the reports in HTML format when using the GUI. By default, security reports are stored as XML files in the userprofile\SecurityScans directory.
Summary
375
Troubleshooting MBSA Scans When planning the combination of tools to use for your security update infrastructure, you need to understand some behavioral quirks of the various tools. MBSA makes sure that the latest version of the update is always installed on the target system. A target computer may have the original version of a security update that has been rereleased, such as the MS02-008 or MS02-009 update, in which case MBSA will tell you that the update isn’t installed, because a newer release of that particular update is available. However, Windows Update, SUS, and SMS use different rules to identify elements on the system that indicate whether or not an update is present. Therefore, inconsistencies can occur if you are managing updates using multiple tools. You may not be informed that a newer version is available, or different tools may return different results. Eventually MBSA, Windows Update, Microsoft Software Update Services, and SMS security patch management will all use the same rules for determining the presence of an update on Windows systems. For now, if MBSA reports an update as missing, view the security bulletin for those updates to ensure that you actually have installed the most recent version. You may also receive incorrect security update reports from MBSA or HFNetChk even after you install updates flagged in the scan results. This can happen when the update includes a warning or workaround rather than a patch. For instance, some updates, such as MS99-041, provide a tool to modify a specific service. In these cases, the tool itself cannot finish applying the update—additional action is required. These types of security bulletins are referred to as “note” or “warning” messages, and they are marked with yellow Xs in the scan reports to indicate that the tool could not confirm if the security bulletin fix was applied. They will continue to be included in the scan results unless you override the default display options, because the tool cannot directly confirm that they were applied. Finally, updates can be flagged as having greater file versions than expected. This happens when files are updated by non-security related updates after a previous security-related update was applied to the system. MBSA scans for security updates only, using file versions and checksums from the mssecure.xml file. Therefore, it cannot determine if files have been patched by other non-security updates. Understanding the seemingly incomprehensible behavior of the update tools will help you determine how best to plan for automated security updates in your network.
Summary In this chapter, you learned:
How to plan server installations based on functional server roles. Server roles include providing specialized file, print, DNS, DHCP, WINS, Web, and domain controller services.
How to plan a security update infrastructure. Microsoft Software Update Services and the Microsoft Baseline Security Analyzer tool are used to manage critical OS and security updates.
376
Chapter 7
Planning and Implementing Server Roles
Exam Essentials Know how to plan server installations based on functional server roles. Server roles include providing specialized file, print, DNS, DHCP, WINS, Web, and domain controller services. The Configure Your Server Wizard provides an easy interface for adding server roles, and the Manage Your Server tool provides a portal to management consoles and utilities and help information organized by server role. Know how to plan a security update infrastructure. Understand the tools that are available to manage critical OS and security updates. These tools include Microsoft SMS, Microsoft Software Update Services, and the Microsoft Baseline Security Analyzer tool.
Key Terms Before you take the exam, be certain you are familiar with the following terms: Microsoft Baseline Security Analyzer (MBSA) server role
Software Update Services (SUS)
Review Questions
377
Review Questions 1.
What are the requirements for computers that will be used to run MBSA scans? A. Windows Server 2003, 2000, or XP; IE 5.01 or later; the Workstation and Server services B. Windows Server 2003, 2000, or XP; IE 5.01 or later C. Windows Server 2003, 2000, or XP; IE 5.5 or later; the Workstation and Server services D. Windows Server 2003 or XP; IE 5.5 or later; the Workstation and Server services
2.
Which of the following computers can be clients of Microsoft Software Update Services (SUS)? A. Windows 200x, Windows XP, and Windows NT B. Windows 200x, Windows XP, Windows NT, and Windows 9x C. Windows Server 2003 and Windows XP D. Windows 200x, Windows XP, and Windows NT 4 E. Windows 200x and Windows XP
3.
You are the CIO of a biotechnology company. Your company is in the midst of exciting research breakthroughs and requires a high degree of security to protect its findings so that the research can be translated into a marketable product. One of the security requirements that you have identified for your staff is the need to keep all Windows-based servers and workstations in compliance with best practices for security configurations. Your staff must therefore devise a strategy to analyze and discover misconfigurations so that they can be corrected. Which of the following options will enable you to meet your objective? A. Install an SUS server and control all security configurations by specifying that all com-
puters must install the authorized updates from this computer only. B. Install an SUS server and configure it to run MBSA scans. Create scripts using the
mbsacli.exe utility to scan all Windows-based computers on the network. C. Download the MBSA utility from Microsoft’s website and install it on any 32-bit
Windows server that is not a domain controller. From this central location, scan remote nodes for security misconfigurations and take action based on the results of those scans. D. Download the MBSA utility from Microsoft’s website and install it on your Windows
XP desktop. From this central location, scan remote nodes for security misconfigurations and take action based on the results of those scans. E. Install the MBSA snap-in on any Windows 2000 or higher computer. From this central
location, scan remote nodes for security misconfigurations and take action based on the results of those scans.
378
4.
Chapter 7
Planning and Implementing Server Roles
The CIO of your company has mandated that all clients must be updated with the latest updates from Microsoft as soon as they are available. You decide to implement Software Update Services as follows: One SUS server is scheduled to pull updates from the Microsoft website daily at 5:00 P.M. PST. The clients are configured to pull updates from the SUS server daily at 9:00 P.M. EST. You realize that although updates are being downloaded to the SUS server, they are not being deployed to any clients. Which of the following options represents the most likely reason why updates are not being deployed to clients? A. The updates are timing out; it is necessary to configure a shorter interval between the
time that updates are downloaded from the Microsoft website and the time that clients check for updates. B. The updates are not synchronized between the SUS server and the SUS clients. C. The updates are not authorized on the SUS clients. D. The updates are not approved on the SUS server. 5.
You are the network administrator of a large network. You use a SUS server to keep your client software up to date. You have configured the SUS server so that you have to manually approve all updates. You want to view the Synchronization log and Approve Updates. Which of the following options will allow you to manage the SUS Server? A. Administrative Tools SUS Admin B. Control Panel SUS Admin C. Services SUS Service D. Internet Explorer
6.
You are the network administrator of a large network. You want to deploy a Web server using IIS. Which of the following server types would be the worst choice for hosting the IIS components? A. Domain Controller B. Member server C. Stand-alone server D. Print server
7.
You are the network administrator for a small network without a domain. The company plans to expand in the near future, and you want to run Active Directory. What is the minimum number of domain controllers required to run a single Active Directory domain? A. 0 B. 1 C. 2 D. One for each user
Review Questions
8.
379
You are the network administrator for a small network without a domain. The company plans to expand in the near future, and you want to run Active Directory. What is the recommended number of domain controllers used to run a small Active Directory domain? A. 0 B. 1 C. 2 D. One for each user
9.
You are the network administrator for a small network without a domain. The company plans to expand in the near future, and you want to run Active Directory. You just installed Windows Server 2003, and you are running the Active Directory Installation Wizard to create the first domain controller. What other server type must you have in order to run Active Directory? A. Active Directory requires a DHCP server B. Active Directory requires an IIS server C. Active Directory requires a DNS server D. Active Directory requires an RRAS server
10. You are the network administrator for a small network without a domain. Your company is growing, and you want to add a domain that is connected to and available on the Internet. What must you do in order to successfully implement a DNS solution? A. Configure a DNS server with mycompany.com, where mycompany is the USPTA trade-
marked name of your company B. Register a unique domain name with ICANN and the IANA C. Register a shared domain name with an authorized Internet registrar D. Register a unique domain name with an authorized Internet registrar 11. You are the network administrator for a small network without a domain. Currently, each machine is configured manually with network information. The company is growing, and you want to quickly add new machines to the network. What is the best server solution to meet your needs? A. Configure a WINS server and deploy the new client machines as needed B. Configure a WINS server and configure each new machine to point to the WINS
server’s IP address C. Configure multiple DHCP servers and deploy the new client machines as needed D. Configure a DHCP server and deploy the new client machines as needed
380
Chapter 7
Planning and Implementing Server Roles
12. You are the network administrator for a large company network. You recently upgraded all of your servers to Windows Server 2003, partly to benefit from the new features in IIS 6.0. Specifically, which features are new in IIS 6.0? Choose all that apply. A. The ability to isolate a single Web application into a self-contained process for fault
tolerance B. New Web application health monitoring features C. The ability to run multiple web sites on a single server D. The ability to integrate with DNS and the Active Directory 13. You are the network administrator for a small network that is connected to the Internet. You want to add a new office in a distant city, but they must be able to connect back to the main office at any time. You want to keep costs to a minimum, so you decide to deploy a VPN solution. What server type is required? A. Domain controller B. IIS server C. DNS server D. RRAS server 14. You are the network administrator for a large company network that is connected to the Internet. You frequently travel around the country, but you need to be able to administer your company’s servers while on the road. What server role should you configure to allow remote administration? A. Terminal Server B. IIS server C. DNS server D. RRAS server 15. You are the system administrator for a large corporation with regional branches. You want to ensure that the branches are kept up-to-date with the latest critical operating system and security updates from Microsoft. However, you also want to ensure that all updates are tested before they are deployed to clients. You are currently using Microsoft SMS for enterprise-wide software configuration management. Which of the following solutions is needed to test, deploy, and manage Windows updates and security updates from Microsoft’s website? A. A centralized Software Update Services solution, employing a test server at the main site
and production servers at regional branches. B. A centralized Software Update Services solution, employing test and production servers
at the main site and production servers at regional branches that are separated by slow WAN links. C. A decentralized Software Update Services solution, employing test and production servers
at each regional branch. The Baseline Security Analyzer can be used on all SUS servers to further manage security configurations across the network. D. None of the above.
Answers to Review Questions
381
Answers to Review Questions 1.
A. The MBSA tool includes graphical (mbsa.exe) and command-line (mbsacli.exe) interfaces that run on Windows Server 2003, 2000, and XP systems. Also required are IE 5.01 or later and the Workstation and Server services.
2.
E. Microsoft SUS is based on Windows Update technology and therefore allows you to automatically deploy operating system patches to only Windows 2003, 2000, and XP clients.
3.
D. The MBSA tool is used to analyze and discover security misconfigurations in order to enforce security best practices such as the use of strong passwords. The tool is downloaded from the Microsoft website and can only be run on Windows 2000, XP, or 2003 computers. MBSA can scan remote computers of many different types, including NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4 and 5, IE 5.01 and higher, Microsoft SQL Server 7 and 2000, Office 2000 and XP, and Windows Media Player versions 6.4 and higher.
4.
D. Before clients can retrieve updates on the SUS server, those updates must be approved on the server. It is not necessary to specify a particular interval for synchronization. Option B says that the updates are not synchronized between the SUS server and the SUS clients, which sums up the problem but doesn’t explain why it’s happening. The clients were already configured to pull updates from the server, so no further authorization is necessary on the client side.
5.
D. If the SUS Administration website is not open, you can open it from Internet Explorer through the URL http://yourservername/SUSAdmin. Through SUS Admin you can configure the SUS server options, set synchronization, approve updates, view the synchronization log, view the approval log, and monitor the SUS server.
6.
A. Web servers typically generate a lot of traffic, and domain controllers are usually busy handling domain authentication. Putting both services on the same server will hurt performance. In addition, exposing your domain controller to the Internet poses a huge security risk, so running web services on a domain controller is not recommended.
7.
B. A single domain only requires a single domain controller.
8.
C. A single domain only requires a single domain controller. However, you should always have at least two domain controllers per domain in case one of them fails. If a single domain controller goes down, then the entire network is useless.
9.
C. In addition to a domain controller, you must also have a DNS server to run the Active Directory. The DNS service can run on the domain controller, and if you don’t have a DNS server available when you set up the first domain controller, the Active Directory Installation Wizard will prompt you to configure one automatically.
10. D. In order to provide DNS services on the Internet, you must have a globally unique domain name that is registered with an authorized registrar. Trademarks are not used to define domain names. The public generally does not deal directly with ICANN or IANA.
382
Chapter 7
Planning and Implementing Server Roles
11. C. In this case the best solution is to deploy several DHCP servers to automatically allocate IP addresses to the new machines. A single DHCP server would work, but would not provide sufficient fault tolerance and load balancing. Windows clients are configured to receive their addresses through DHCP by default, so you just need to plug them in to the network and they should work properly. 12. A, B. In Windows Server 2003, IIS version 6 has been enhanced to better prevent Web application failures and to keep such failures from affecting other Web sites and applications running on the same server. Options C and D have been available in IIS for years. 13. D. VPN is configured on an RRAS server. Domain controllers, IIS servers, and DNS servers all serve different purposes. 14. A. Using remote desktop for administration on terminal services you can administer the server from any remote location. None of the other server roles listed are required for this solution. 15. D. Microsoft SMS is a comprehensive solution for enterprise-wide software configuration management. It is a standalone product that includes all of the functionality of Software Update Services and the Baseline Security Analyzer, so no additional tools are needed to manage Windows updates or security configurations in environments where SMS is already in use.
Chapter
8
Planning the Domain Name Service (DNS) MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan a host name resolution strategy.
Plan a DNS namespace design.
Plan zone replication requirements.
Plan a forwarding configuration.
Plan for DNS security.
Examine the interoperability of DNS with third-party DNS solutions.
Back in Chapter 5, “Installing and Managing Domain Name Service (DNS),” you learned about Microsoft’s implementation of DNS in Windows Server 2003. However, we didn’t really examine the recommended planning procedures that help minimize DNS problems down the road. For instance, if you don’t plan ahead, you could find that you don’t have enough DNS servers to accommodate your network. Or you might find that you should have installed ADI zones instead of standard primary zones. In this chapter, you will learn how to plan a DNS namespace, how to plan DNS zones, how to plan DNS zone replication and delegation, how to plan forwarding, how to plan the server resources to support DNS, how to integrate DNS with WINS.
Planning a DNS Namespace The importance of planning a DNS namespace for an organization is analogous to the importance of laying a solid foundation for a building. The building could be a factory, or it could be a retail store where customers should be able to locate it. The building could be as simple as a five-room office or as large as a skyscraper—and these different buildings have different needs. In a similar fashion, planning your DNS namespace is a task that should be customized to the needs of your business. Planning a DNS namespace involves examining your existing network environment to see if there are any factors that could affect the DNS design or performance. You must also consider the need for Internet access as well as multiple namespace considerations. Then you can design a namespace that fits your needs. DNS name resolution is a vital component in the Windows Server 2003 network infrastructure. Without proper name resolution, users cannot find the network resources they need. The tasks involved include identifying the DNS namespace to be registered for use on the Internet. If you don’t register the name on the Internet, you should still choose a unique name. Then you create the DNS namespace with Active Directory in mind, and make sure that the namespace that resides on the Internet does not conflict with the internal namespace. Use different internal and external namespaces. For instance, you could use a namespace such as microsoft.com as the name by which people outside of the network reach the company. For internal use, you could use a unique namespace such as microsoft.net or a subdomain of the external name such as corp.microsoft.com. If you already have an existing DNS namespace, using a subdomain to distinguish internal network resources is easy. You can assign different departments, sites, or organizations to different subdomains such as marketing.microsoft.com and engineering.microsoft.com.
Planning a DNS Namespace
385
Make sure that internal servers contain name server (NS) records for only those resources that are meant for internal use, and vice versa. You should not overlap internal and external namespaces, because the usual result is that computers receive incorrect IP addresses from DNS and can’t find the resources they need. Your namespace needs will vary depending on how you plan to actually use DNS. For instance:
Will the namespace only be for internal use? If so, you can implement your own DNS root, use any domain name you want, and even use illegal characters in the domain name.
Will the namespace be used on the Internet? If this is the case now, or if there is any possibility that this will be the case in the future, then you should register a unique domain name of your own by using the Internet root servers. This means that you must ensure that the name uses only legal characters.
Are you using or do you plan to use Active Directory? This will affect the storage of zone data, replication, security, and the types of servers you will configure.
In the following sections, you will learn about domain names and options for planning a DNS namespace.
DNS Namespace Options When selecting a DNS namespace, you can use an existing namespace, a delegated namespace such as a subdomain, or a new, unique namespace (such as microsoft.net instead of microsoft.com).
Be forewarned that configuring hosts in separate DNS namespaces so that they can locate each other is a complicated task that requires separate devices such as proxy servers.
You can choose one of the following options when you plan your internal namespace:
Use the existing external namespace as the internal namespace (for example, acme.com for both external and internal use).
Use a unique internal namespace that is different from the existing external DNS namespace (for example, acme.com for external use and acme.net for internal use).
Use a delegated domain of the existing external namespace as the internal namespace (for example, acme.com for external use and corp.acme.com for internal use).
Use a DNS child domain to represent the organization for the root of Active Directory instead of using the registered DNS domain name. This method enables you to isolate all Active Directory data in its domain or domain tree.
The option you choose will depend on your business requirements and the existing DNS environment. Using a single DNS domain name for both the external and the internal namespace makes it necessary to ensure that the internal namespace is not accessible from the Internet. If you use an existing namespace, users can access a single domain name when they access resources both internally and externally. Additional administration is required to ensure that appropriate records are stored on internal and external DNS servers.
386
Chapter 8
Planning the Domain Name Service (DNS)
Using separate public and private namespaces has the following benefits:
Resources are easy to manage and secure.
Existing DNS zones and DNS topology can remain unchanged.
Existing DNS server content does not need to be replicated to the DNS servers for the internal namespace.
Internal resources are not accessible from the Internet, because the internal namespace is not exposed.
Using a delegated namespace resembles creating separate public and private namespaces. However, in this case you are creating a single subdomain within the namespace in which the DNS servers for the namespace will reside, rather than dividing the namespace into public and private portions. In this model, you would enable internal clients to resolve both internal and external DNS namespaces, but deny access to the internal namespace to external clients. A separate DNS server or servers is required for the delegated internal domain. This method has minimal impact on the existing namespace and requires minimal administrative effort.
Make sure that the name you use for your internal namespace is a name that you can and will register with a registrar. You also want to avoid a situation where two companies will merge and use the same name for their Active Directory namespace.
Planning a DNS Namespace for a Windows NT Server Migration As the network administrator of Contoso, Ltd., an auto parts manufacturer, you are responsible for planning the DNS namespace. The company is planning a migration from NT Server to Windows Server 2003. The company uses WINS for name resolution and has no DNS servers at present. Contoso wants to host its website, www.contoso.com, internally after the migration. Active Directory will be implemented after the migration is completed. Clients need access to the Internet. How will you plan the DNS namespace to meet current and future business needs? In this scenario, you would retain the existing external namespace and host it on an externally accessible DNS server. A separate internal DNS server will service the internal namespace. The DNS servers communicate with each other to resolve external names for internal clients, but they do not resolve internal names for Internet clients. You would brainstorm on possible names for the internal namespace, such as contosocorp.com or contoso.net, that could be used for Active Directory. You would check the availability of these names, and then present the available namespace candidates to the Contoso decision makers and get buy off on the final name, which you will then register.
Planning DNS Zones
387
Planning DNS Zones Your DNS strategy needs to include a plan for DNS zones and zone configurations. This involves determining zone requirements, identifying zone types and security requirements, and configuring zones and zone forwarding. The zone type you choose will depend on whether or not you are running Active Directory and whether the zone will be integrated with Active Directory. If you are not running Active Directory, you will need to determine where the primary server and any secondary servers should be placed.
We examined the different zone types in Chapter 4, so you should be familiar with them by now.
Determining zone security requirements involves choosing a method of secured dynamic updates: in Active Directory, dynamic updates from DNS, or dynamic updates from DNS clients. Next, you will need to determine whether to store the zone data in an Active Directory– Integrated zone, in a traditional zone, or in a combination of the two. Forwarding comes into play when a request needs to be resolved on behalf of a client, but the name server with the information resides in a different network. In the following sections, you will learn how to plan DNS zones.
Selecting the Appropriate Zone Type DNS offers different zone types that are suitable for different scenarios. Each zone type solves a specific requirement, so the DNS zone type you choose will influence where you locate DNS servers. Three zone types are used with the standard DNS zones that are stored on disk. These are primary, secondary, and stub zones. But before we discuss them, you should understand the standard zone file. Standard zone files, also called traditional DNS zone files, are stored as text files on the server’s hard drive. To use standard zone files, you create a zone on a DNS server that then becomes the primary zone server where all updates occur. These updates may include things like resource record additions or deletions. You can use secondary zone servers to provide load balancing and a certain degree of fault tolerance by pointing them to the primary zone server to get a copy of the zone file. With primary zones, the default for a newly created zone, the server has a read/write copy of the zone information and acts as the point of update for the zone. The server periodically replicates its zone file to the secondary zone server to ensure that the secondary zone server’s copy of the file is current. At first the server transfers a complete copy of the zone file. Later transfers consist of changes only. The primary zone server can administer zone information separately. Secondary zones have a complete, local, read-only copy of the zone information. They are used to improve availability and performance at local and remote locations. The secondary zone
388
Chapter 8
Planning the Domain Name Service (DNS)
can be placed in screened subnets to be accessed by Internet users. Secondary zone servers continue to respond to DNS queries, so they provide only limited fault tolerance. Furthermore, they cannot perform updates because they have only a read-only copy of the zone file. Windows Server 2003 DNS supports incremental zone transfers (IXFR), which means that the primary zone server sends only changes since the last replication. A stub zone functions like dynamic delegation. The stub zone server will periodically query the target name servers for updates. This is used to keep the DNS server that hosts the parent zone aware of its child zone for more efficient name resolution. The DNS server that hosts both the parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone by regularly updating a stub zone for its child zone. Stub zones keep delegated zone information current as well as simplify DNS administration.
How Stub Zones Work Stub zones are used to enable a DNS server to perform recursion by using a list of target name servers, instead of querying a root server for the DNS namespace. By using stub zones you can distribute a list of the authoritative DNS servers for a zone instead of using secondary zones. Stub zones and secondary zones serve different purposes, as stub zones do not provide redundancy and load sharing. Also, a DNS server configured with a stub zone is not authoritative for that zone. The stub zone only identifies the DNS servers that are authoritative for the zone.
Selecting the Zone Data Location Depending on whether or not you are running Active Directory, you need to identify where the DNS zone files will be located. You can store DNS data by any of three methods: in traditional DNS zones, in Active Directory–Integrated zones, or in a combination of both.
Be careful not to unintentionally create root servers. The Dcpromo Wizard can create root servers, which can unintentionally allow internal clients to reach external clients or parent domains. If the “.” zone exists, it means that a root server has been created and might need to be removed for proper name resolution.
Traditional DNS Zones Traditional DNS zones store the zone information in a file on a computer running Windows Server 2003 and DNS. Traditional DNS zones have the following characteristics:
They utilize a single master model for storing and replicating zone information. Primary zones are the only zone types that have a read/write copy of the zone information. There can be only one primary zone for each namespace. Read-only copies of the zone information can, however, be replicated to any number of secondary DNS servers.
Planning DNS Zones
389
They replicate in two ways: incrementally or by transferring the complete zone contents.
They function exactly the same way as BIND-based DNS servers.
Choose this zone type when you have an existing DNS infrastructure that does not support Active Directory, such as a BIND-based DNS infrastructure hosted on Unix servers.
Active Directory–Integrated Zones Active Directory–Integrated zones store DNS zone information within Active Directory. These zones have the following characteristics:
They utilize a multimaster model of read/write copies of the zone information. You can make updates to the original zone or to replicated copies. Fault tolerance is possible, because you can still perform updates to the DNS zone information if a DNS server fails.
They are replicated by Active Directory.
They are required for secured, dynamically updated DNS zones. You can also set permissions for the parties (users, groups, or computers) that can update the DNS zone information, adding an additional layer of security.
They enable the administrator to control the scope of replication. For example, you can replicate DNS data to a DNS server within a forest, domain, or specific domain controllers, as well as traditional secondary zones outside the domain.
They appear and are treated as a traditional primary zone by BIND-based DNS servers or for that matter any DNS server on the Internet.
Choose this zone type when you want to integrate DNS within an existing AD structure and have a single point of support for both. Use Active Directory– Integrated zones if your DNS strategy includes dynamic updates to DNS. Traditional DNS zones are not multimaster; therefore, if the DNS server hosting a primary zone fails, dynamic updates cannot occur.
Securing Zones Securing DNS access from private and public networks is an important goal that can be accomplished through several methods. The security measures you choose will depend on how you have planned your zones. Later in the chapter, in the section titled “Securing DNS,” we’ll discuss the three levels of security for a DNS infrastructure. In this section, we’ll discuss methods of securing DNS zones through dynamic updates and zone permissions.
Choosing a Method for Dynamic Updates Because clients and servers can perform dynamic updates themselves, securing the method of dynamic updates is important. These methods include secured dynamic updates in Active Directory, dynamic DNS updates from DHCP, and dynamic updates from DNS clients.
Chapter 8
390
Planning the Domain Name Service (DNS)
Secured Dynamic Updates in Active Directory Active Directory–Integrated zones can use the Active Directory security features to provide secured dynamic updates (configured as the Secure Only option in DNS). The DNS console offers access control list (ACL) editing features that can be used to add and remove users, groups, and computers from the ACL for an entire zone or for an individual resource record. Permissions to update the DNS zone are configured within Active Directory. Computers must be in the Computers folder to take advantage of dynamic updates. Dynamic DNS updates from DHCP servers can be very useful in scenarios such as the following:
The DNS client operating system is older than Windows 2000.
You want to protect against the security risks of unauthorized computers impersonating authorized computers. These risks could be introduced by allowing individual DNS clients to update DNS entries.
The administrative effort it would take to assign permissions for each user, group, and computer that needs to update its respective DNS entry would be far too much effort.
Dynamic Updates from DNS Clients Newer DNS clients running Windows 2000, XP Professional, or Server 2003 can directly update DNS automatically by themselves. This can be an appropriate solution in the following situations:
When the client computer has a manually assigned static IP address.
When the amount of administrative effort needed to assign the appropriate permissions to enable the client to update its own DNS entries is manageable.
When no potential security risks are introduced by allowing individual DNS clients to update their own DNS entries. By default, dynamic updates are not allowed. This setting prevents an attacker from updating DNS zones and records, so it is the most secure option. The best solution is to store DNS zones in Active Directory and use the Secure Only dynamic update feature to enable computers to securely update DNS data.
Default Zone Permissions Active Directory stores a discretionary access control list (DACL) on the DNS zones it stores. A DACL is the part of an object’s security descriptor that grants or denies permission for access of the object to specific users and groups. You can thereby control the permissions for the Active Directory users and groups that may control the DNS zones. Table 8.1 lists the default group and user permissions for DNS zones stored in Active Directory. TABLE 8.1
Default Permissions for DNS Zones
Group/User
Permissions
Administrators
Read, Write, Create All Child objects, Special Permissions
System
Full Control, Read, Write, Create All Child objects, Delete Child objects
Planning DNS Zones
TABLE 8.1
391
Default Permissions for DNS Zones
Group/User
Permissions
Authenticated Users
Create All Child objects
Everyone
Read, Special Permissions
DnsAdmins
Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
Domain Admins
Full Control, Read, Write, Create All Child objects, Delete Child objects
Enterprise Admins
Full Control, Read, Write, Create All Child objects, Delete Child objects
Enterprise Domain Controllers
Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
Creator Owner
Special Permissions
Pre–Windows 2000 Compatible Access
Special Permissions
Planning a Strategy for DNS Zones As the systems engineer for Contoso, you have decided on a namespace strategy (the Active Directory root and internal namespace will be contoso.net). You are now turning your attention to planning the zones. Contoso is about to open a new office for the customer service call center. This office will have a redundant T-1 link back to the corporate offices. There are going to be two domain controllers at the main office, and you have the budget to add a domain controller to the call center location. You must consider security and network traffic requirements. What kind of zone strategy should you create for contoso.net? In this scenario, you should create an Active Directory–Integrated zone on the corporate network’s DNS servers. This zone will replicate to all other DNS servers in the domain, including the call center, using a multimaster model. You should also make the domain controller in the call center a DNS server. Then you should specify Secure Only updates.
392
Chapter 8
Planning the Domain Name Service (DNS)
The built-in security features of Active Directory enable you to assign permissions and delegate control of the DNS zones. The DNS data is replicated along with the existing Active Directory replication. Local client queries can all be locally handled so that no unnecessary traffic is created across the WAN. Another feature of Active Directory–Integrated zones is that zone transfers are encrypted, and in this case they are secured going across the WAN link.
Integrating DNS and WINS In networks that use both DNS and WINS for name resolution, you can use WINS servers to look up names not resolved by the DNS servers. This is accomplished by sending a request that is unresolvable in the DNS namespace to the WINS server, which then checks its NetBIOS namespace. You can do this by taking a fully qualified domain name such as mail.microsft.com and dropping off microsoft.com and then forwarding mail to the WINS server. By allowing DNS clients to resolve host names found in the WINS service, you can eliminate the necessity of creating DNS zone entries for every computer on the network. Forwarding for these queries can also be set on a zone-by-zone basis. To integrate DNS and WINS, there are two special resource record types: the WINS and WINS-R records. In the following sections, we’ll look at these records in turn, and then review considerations and recommendations for WINS integration.
WINS Resource Records In a heterogeneous environment, you might have hosts such as Unix computers that are unable to query and register with WINS themselves. You might also have resources on hosts such as Windows NT 4 or Windows 95/98 that can only dynamically register NetBIOS names with WINS and cannot dynamically register with DNS. With WINS integration, the UNIX hosts could resolve the Windows hosts names through DNS. The WINS resource record helps to resolve the unresolved DNS queries. It does this by listing the WINS servers to which a name query can be sent.
The WINS record applies only to the topmost level of a zone and does not apply to subdomains within the zone.
The WINS resource record follows a specific syntax as follows: owner class WINS [LOCAL] [Lookup_timeout] [Cache_timeout] wins_server_ip
Following is an example of a WINS resource record (the zone root is assumed to be the current origin): @ IN WINS 10.0.0.12 @ IN WINS LOCAL L1 C10 10.10.10.12 10.10.10.13 10.10.10.14
Planning DNS Zones
393
Table 8.2 describes the various fields that are used with the WINS resource record. TABLE 8.2
WINS Resource Record Fields
Field
Description
Owner
Indicates the owner domain for this record. This field should always be set to @ to indicate that the current domain is the same as the zone origin.
Class
Indicates the class for this record. This field should always be set to “IN” because the Internet class is the only supported class for DNS servers running Windows Server 2003.
LOCAL
When used, indicates that the WINS resource record is only to be used locally at the DNS server and is not to be included during zone replication with other DNS servers. This field corresponds to the Do Not Replicate This Record checkbox that is selected or cleared during the process of configuring WINS lookup at the DNS console. If the checkbox was cleared, this field will not be included when the record is written to the zone.
lookup_timeout
This is the time-out value that is applied for this record.
Cache_timeout
This is the cache time-out value that is applied for this record.
Wins_ip_addresses
This is used to specify one or more IP addresses of WINS servers. At least one IP address of a valid WINS server is required.
WINS-R Resource Records The WINS-R resource record provides the same functionality, literally in reverse. It is used in a reverse lookup zone for reverse queries that were not found in the DNS zone. DNS can’t send a reverse name lookup to WINS because the WINS database is not indexed by IP. Instead, DNS queries WINS in a roundabout way. DNS sends a node adapter status request directly to the IP address, so that it can retrieve the NetBIOS name. Then it appends the DNS domain name to the NetBIOS name, and it forwards the FQDN to the requesting client. To use the WINS-R resource record, you therefore have to specify the parent domain so that it can be appended to the NetBIOS computer name. The other fields used have the same functionality as their compatriots in the WINS forward lookup record. This record also has a specific syntax, as follows: owner class WINS [LOCAL] [Lookup_timeout] [Cache_timeout] Domain_to_append
Here’s an example (once again, the zone root is assumed to be the current origin): @ IN WINS-R LOCAL L1 C10 sample.microsoft.com. @ IN WINS-R wins.sample.microsoft.com.
394
Chapter 8
Planning the Domain Name Service (DNS)
WINS Integration Considerations WINS integration can best be accomplished by adhering to the following recommendations:
Designate a subdomain within the DNS namespace that will be used as a placeholder for WINS names. This subdomain should contain no entries except for the WINS and WINS-R resource records. If you are using separate private and public namespaces, this subdomain belongs under the private namespace.
Unresolved DNS queries should be forwarded to the delegated subdomain as follows:
For any domain names that are within the organization’s namespace, you can specify that the DNS queries be forwarded to a delegated subdomain for WINS first if you want to resolve names with WINS prior to checking other domains.
Conversely, you can specify that the DNS queries be forwarded to a delegated subdomain for WINS last if you want to attempt to resolve names by searching other domains prior to resolving them within WINS. Enable WINS resolution on a zone and specify the WINS server in the zone configuration. You can specify more than one WINS server to be used for unresolved DNS queries. You can even specify the order in which to search the servers by ordering the IP addresses. Multiple WINS servers are recommended to improve the availability of your DNS solution.
If multiple WINS servers share the WINS database, you can create unique DNS zones for each of the WINS servers.
WINS Integration Examples You work for a multinational European company that has a WINS server with records for only Amsterdam and has another WINS server with records for only London. If you create separate DNS zones for Amsterdam and London, you can also create different subdomain names for the Amsterdam and London WINS servers. If desired, you can create a single DNS zone listing both WINS servers so that the WINS resolution takes place within a single subdomain name.
Planning DNS Zone Replication and Delegation After planning a DNS namespace and zone requirements, it’s time to plan other aspects of DNS zones. Some important things that you need to consider include identifying server configurations, zone delegation, and fault-tolerance requirements. You will need to determine if a zone should be delegated to improve performance, as well as identify fault-tolerance requirements.
Planning DNS Zone Replication and Delegation
395
Additional secondary zones can be created when you want to introduce redundancy and load balancing. You can choose to delegate management for one or more zones in order to extend the namespace, balance the load between several servers, and authorize individuals or groups to manage zones. The important tasks that you need to complete in planning DNS zone replication and delegation are to create secondary zones where necessary, design zone transfers and replication, secure zone transfers, and delegate zones. These subjects will be covered in the following sections.
Creating Secondary Zones Secondary zones can increase availability and fault tolerance. Different environments have different requirements. The following guidelines and best practices will help you determine the need for and placement of secondary zones.
Add additional DNS servers to provide zone redundancy. This enables DNS name resolution in the zone to continue if a primary server for the zone stops responding. As you add servers that are authoritative for a given zone, the likelihood that queries will be unanswered for resources in that zone is reduced.
Add DNS servers to reduce network traffic. You can benefit from adding a DNS server to the remote side of a low-bandwidth WAN link to make traffic more efficient and eliminate unnecessary traffic. In general, locate servers as close as possible to the client populations they serve.
Add secondary servers to reduce the load on a primary server. Secondary servers should be used to service queries from only local clients and not clients throughout the network.
When you use secondary servers, you will need to plan for secure zone replication and zone transfers. Make sure that these processes only take place with the hosts that you intend.
Zone Transfers and Replication Maintaining the availability of zones is a critical service provided by the DNS infrastructure. You have seen that you should ensure availability and fault tolerance by using multiple DNS servers. The replication methodology depends on whether or not you use Active Directory. If you use Active Directory, you must use zone replication. If you use the traditional DNS zone structure, you must use zone transfers. Implementing secure zone transfers will depend on your replication methodology and requirements. We’ll look at these methods next, as well as how to improve performance for zone replication.
Zone Transfers A zone transfer is a pull operation that begins with a secondary server within a zone. The secondary server requests a transfer of zone information from its configured master servers, which can be any other DNS server that loads the zone. Possible master servers include the primary server for the zone or another secondary server. A master server can reply with a partial transfer or a full transfer of the zone information.
396
Chapter 8
Planning the Domain Name Service (DNS)
Incremental zone transfers (IXFRs) are now supported in Windows 2000 Server and higher. (Older implementations of DNS required a full transfer of the entire zone database just to receive updates.) Just like an incremental backup, an incremental zone transfer enables the secondary server to pull just the changes it needs in order to synchronize its copy of the zone data with its configured source. Zone transfers are completed much more quickly and with far less network traffic generated.
Windows NT 4 does not support incremental zone transfers. Incremental zone transfers must be supported on both ends—by the server that is acting as the source for a zone and also by any servers that pull the zone changes from that source.
Active Directory Replication Active Directory replication, the process of synchronizing the data in the Active Directory database across all Active Directory servers, is more advantageous than zone transfers, because it uses a multimaster replication model. This means that multiple masters can update the zone. A master is any domain controller running Active Directory–Integrated DNS. Any of the domain controllers for the domain can modify the zone and replicate changes to the other domain controllers. This is better than standard DNS replication, in which only the primary server for a zone can modify the zone. Unlike DNS full zone transfers, in which the entire zone is propagated, only relevant changes are propagated in Active Directory replication. Unlike incremental zone transfers, in which all changes made since the last change are propagated, only the final result of a series of changes to a record will be sent in Active Directory replication.
Within Active Directory, DNS zones are stored in the domain or application directory partitions.
Improving Performance for Replication Traffic Network administrators are always looking for ways to reduce network traffic, make traffic more efficient, and improve data transmission rates. Zone replication will definitely have its impact on heavily used network segments. You can improve performance through the following methods:
By setting the replication schedule for secondary zones so that replication only occurs during off-peak hours
By using fast zone transfers, which compress the zone replication data
By using incremental zone replication
Windows NT 4 DNS does not perform incremental zone transfers. BIND version 8.2.1 or later is required to support incremental zone transfers. Older versions of BIND also lack support for fast zone transfers.
Planning DNS Zone Replication and Delegation
397
Securing Zone Transfers Whether you use zone transfers or Active Directory replication to perform updates, you will need to secure the zone replication traffic. This can be accomplished by many different methods, which include:
Restricting zone transfers to only authorized IP addresses
Implementing IPSec and VPN tunnels to encrypt all zone replication traffic transmitted across public networks
Using Active Directory–Integrated zones to provide encryption and authentication services.
Windows Server 2003 provides a secure configuration for DNS by default. By default the Zone Transfers tab is not checked to allow any zone transfers. When you check it, it defaults to allowing zone transfers “To Any Server.” You can and should increase the level of security by changing the setting to “Only To Servers On The Name Servers Tab” to allow zone transfers only to specified IP addresses. The security administrator will still be responsible for protecting against IP spoofing so that a malicious party cannot impersonate one of the authorized IP addresses.
If you change this setting so that you allow zone transfers to any server, you will expose the DNS data to an attacker who is footprinting your network.
DNS zone replication can occur across the Internet and other public networks. When doing so, it is imperative that you protect the names and IP addresses being replicated over such inherently unsecure networks against unauthorized access from malicious parties. Methods of protecting replication traffic include using IPSec, VPN tunnels, and/or Active Directory–Integrated zones. You must encrypt all replication traffic sent over public networks to ensure security. We recommend encrypting replication traffic by using IPSec or VPN tunnels, using the strongest level of encryption and VPN tunnel authentication. Active Directory–Integrated zones provide inherent security by encrypting all replication traffic between DNS servers. In addition, all DNS servers that have Active Directory–Integrated zones must be registered with Active Directory.
Delegating Zones Zone delegation provides a way to assign responsibility for a part of a DNS namespace to another organization, workgroup, or department. Delegation involves assigning authority over portions of a DNS namespace to other zones. The NS record is used to specify a delegated zone and the DNS name of the server that is authoritative for that zone. You might choose to delegate zones for a number of reasons, including:
You want to add several subdomains so that you can extend the namespace (for example, if you need to support a new branch or site within the organization).
You want to delegate administration of a DNS domain to different organizations or departments within your organization.
398
Chapter 8
Planning the Domain Name Service (DNS)
You want to enhance performance and add fault-tolerance by using multiple name servers to distribute the load of DNS services.
Once you have created the DNS zones, you may benefit from delegating zones. Windows Server 2003 DNS servers measure round-trip intervals for name resolution queries over a period of time for every DNS server. The DNS servers develop intelligence and can find the closest DNS server. This is especially helpful in cases when multiple name server records exist for a delegated zone, and those records point to a number of available DNS servers. The NS records identify DNS servers for each zone, and they appear in all forward and reverse lookup zones. This means that if a DNS server needs to resolve a name in a delegated zone, it will simply reference the NS records for DNS servers in the target zone. Every time you create a new zone, you need to have delegation records in other zones that point back to the authoritative DNS servers for the new zone. You need to do this so that you can transfer authority from those zones and correctly refer to other DNS servers that are authoritative for the new zone.
Zone delegations are checked first before forwarders. However, it is possible to configure a forwarders list that may override the standard behavior of zone referrals, assuming that your zone delegations are correctly configured.
Planning Zone Replication and Delegation for a Newly Acquired Company As the systems engineer for Contoso, you have created a namespace and zone strategy. Now you are ready to proceed to the next phase of your implementation. You need to make a plan for zone replication and delegation. Senior management advises you that Contoso has just acquired Fabrikam, an auto parts invention factory. Management may decide that Fabrikam will take on the Contoso name, but this won’t happen for a while. You need to figure out a technology strategy to support the acquisition of Fabrikam. Fabrikam has a Unix-based network infrastructure, and it uses five BIND version 8.3.3 DNS servers. You need to enable the two companies to share data and eventually merge the data infrastructures. You also need to integrate Fabrikam’s DNS with Contoso’s DNS infrastructure in such a way that resources can be shared securely between the two companies. You want to place a Windows Server 2003 domain controller running DNS on the Fabrikam network. However, you also want to maintain the existing DNS infrastructure. A large number of file shares will be on the Windows Server 2003 computer, and client/server traffic between the two companies will steadily increase. Fabrikam wants to reduce the DNS load on the Windows Server 2003 by utilizing the existing BIND servers. How can you integrate the DNS infrastructures of the two companies to meet these requirements?
Planning DNS Caching and Forwarding
399
First, you can create secondary zones on the BIND servers. This method will allow each BINDbased DNS server to resolve names in the Contoso zone, thereby reducing the load on the Fabrikam local Windows Server 2003 server. Next, you can specify the IP addresses of the BIND secondary servers to allow them to perform zone transfers with the Fabrikam Windows Server 2003 DNS server. This method ensures security for zone transfers. To enable Fabrikam to administer its own zone information, you can create a Fabrikam subdomain within the Contoso zone and delegate the domain to the DNS servers on the Fabrikam side. This is a good method for enabling Fabrikam to autonomously administer its DNS information.
Planning DNS Caching and Forwarding DNS caching and forwarding support different needs and target objectives. Four types of servers can be configured, depending on your business and technical objectives:
Caching-only servers
Stub zones
Conditional forwarders
Forward-only servers
In the following sections, you will learn the differences between caching-only servers, stub zones, conditional forwarders, and forward-only servers. You will also learn the situations in which you would choose each type of server.
Planning Caching-Only Servers Caching-only servers resolve names on behalf of clients and cache the results. The cache contains the most frequently requested names and their IP addresses, so that the information is available to speed up subsequent queries. Caching-only servers are not authoritative for a zone. They also do not store standard primary or standard secondary zones. They do, however, help to reduce WAN traffic because they do not generate zone transfer traffic, and because cached queries reduce the amount of name resolution traffic that needs to cross the WAN.
Use caching-only servers when you have a remote office with a limited bandwidth connection to corporate headquarters.
Assume that you have a remote office that needs to resolve queries for names at the corporate office, and that the connection to corporate headquarters has low available bandwidth. You can configure a caching-only server at the remote office to send recursive queries to a DNS server at the corporate office. The DNS server at corporate headquarters, which has more bandwidth available for intranet and Internet connections, assumes the responsibility for resolving the query.
400
Chapter 8
Planning the Domain Name Service (DNS)
Planning Stub Zones The purpose of a stub zone is to keep a DNS server that hosts a parent zone aware of the authoritative DNS servers for its child zone. This makes DNS name resolution more efficient. When redundancy and load balancing are not required or have already been provided through other means, stub zones can be used instead of secondary zones to distribute a list of the authoritative DNS servers for a zone. A stub zone contains the following information:
The IP address of one or more master servers that can update the stub zone.
One or more DNS servers that are authoritative for the child zone can serve as master servers for a stub zone. The master server is usually the DNS server that hosts the primary zone for the delegated domain name.
Resource records for the delegated zone, including SOA, NS, and glue A resource records.
The start of authority (SOA) resource record indicates the starting point or original point of authority for information stored in a zone. The SOA record is the first resource record that is created when you add a zone. Other computers use the parameters in this record to determine how long the information for the zone will be used and how often updates will be required.
In the context of zones, name server (NS) resource records designate the DNS domain names for authoritative DNS servers for the zone.
The glue address (glue A) resource record provides the address of the host specified in the NS record. A delegation resource record that is used to locate the authoritative DNS servers for a delegated zone. These records “glue” zones together and provide an effective path for delegation and referral that other DNS servers can follow in the process of resolving a name.
Use stub zones when you want a DNS server hosting a parent zone to remain aware of the authoritative DNS servers for one of its child zones. The stub zone keeps the server updated on the list of new or additional DNS servers authoritative for the child zone and also helps to resolve names from different namespaces.
Stub zones are useful when you want a DNS server hosting a parent zone to stay updated with the name servers that are authoritative for its delegated child zones. Make sure you understand the behavior of a stub zone. A DNS server hosting a stub zone in one network will reply to queries for names in the other network with only a list of all the authoritative DNS servers for that zone. It will not respond with the specific DNS servers that are designed to handle the name resolution traffic for that zone.
Planning Conditional Forwarders A conditional forwarder will forward DNS queries for external DNS names to DNS servers outside of its own network. This type of DNS server forwards DNS queries based on the domain name in the query. You could, for example, specify that a DNS server will forward all queries for names that end in acme.com to the IP address of a DNS server or servers.
Planning DNS Caching and Forwarding
401
Using conditional forwarding, you would configure the domain names for which the DNS server will forward queries and configure one or more DNS server IP addresses for each domain name you specify. Conditional forwarders behave this way: 1.
A DNS server first attempts to resolve received queries by using its own local data: the primary and secondary zones and cache.
2.
The server will forward an unresolved query to the DNS server designated as a forwarder.
3.
The server sends a recursive query to the forwarder, as opposed to the iterative query used in standard name resolution without a forwarder.
4.
The first DNS server waits briefly for the forwarder to reply with an answer. Then it will contact the DNS servers specified in its root hints.
Use conditional forwarding when DNS clients in separate networks resolve each others’ names without having to query a DNS server on the Internet.
When would you use conditional forwarders? You may have a scenario in which clients in different networks need to resolve each other’s names. In this situation, you will most likely want to enable name resolution without relying on the DNS servers sending queries to root hints servers on the Internet. What you should do, then, is create a direct method for the DNS servers in both networks to contact each other for name resolution. In each network, the DNS servers should be configured to forward queries for names in the other network to a DNS server or servers that can resolve the queries for names in that network. That server or servers will eventually build a sizeable cache, and this will decrease the amount of recursion. Stub Zones versus Conditional Forwarders Both conditional forwarders and stub zones allow a DNS server to respond to a query by forwarding to a different DNS server (conditional forwarders) or by providing a referral for a different DNS server (stub zones). However, they are used to accomplish very different objectives. Conditional forwarding tells the DNS server to forward a received query to a DNS server depending on the DNS name contained in the query. Stub zones keep the DNS server hosting a parent zone aware of all DNS servers that are authoritative for a child zone. You would not use a conditional forwarder to do this, because every time the authoritative DNS servers for the child zone changed, you would have to manually configure the conditional forwarder setting on the DNS server hosting the parent zone with the new information. This would be a cumbersome and inefficient solution.
402
Chapter 8
Planning the Domain Name Service (DNS)
Planning Forward-Only Servers A DNS server that is configured to use forwarders cannot always resolve a query, either through its local information or by using its configured forwarders. Under normal circumstances, the server then uses standard recursion to attempt to resolve the query. However, there is another way to resolve requests in this instance. If you configure a DNS server to not use recursion when forwarders fail, the server fails the query. This type of server is known as a forward-only server. A forward-only server builds up a cache and uses it in its attempts to resolve domain names. A nonrecursive DNS server is different from a forward-only DNS server. It won’t build up a cache, nor will it perform recursion if the query fails.
The different types of DNS servers that use forwarders will all attempt to resolve the query using their authoritative data before using their forwarders.
You can disable recursion on the entire DNS server, which will prevent you from using forwarders on that server, or you can disable recursion on a per–domain name basis. Forwarders are best used to manage the DNS traffic between your network and the Internet. You can configure the firewall to permit only one DNS server to communicate with the Internet. You can then configure the other DNS servers to forward any unresolved queries to the first DNS server. The Internet-capable DNS server can then query its configured root hints servers on the Internet to attempt to resolve failed queries.
Use forwarders to manage DNS traffic between the local network and the Internet.
Planning DNS Server Resources When designing a DNS infrastructure, make sure that you remember to plan for the server resources. This involves several considerations:
Determine the server requirements. How many servers do you need? What system resources do they require? For instance, one of the most critical system components for a DNS server is its RAM.
Determine how many servers you need and where to place them. Your choices will be as unique as your network topology and business structure. Factors that will affect your decisions include whether or not you are running Active Directory and the speed of interoffice connections.
Determine the level of security you will implement based on your specified security objectives.
In the following sections, we’ll discuss all of these factors to consider in planning DNS server resources.
Planning DNS Server Resources
403
Planning General DNS Server Requirements To plan DNS server resources, start with the server requirements. Determine the following factors:
Hardware requirements for new and existing DNS servers
How many servers you need
Whether the server will be a domain controller or a member server
Which servers will host primary zones, and which will host secondary zones
Where you will place the servers on the network to provide for the most efficient traffic, including replication traffic
Whether you need to plan support for a heterogeneous deployment, including interoperability with BIND-based DNS servers Many of these factors have been answered elsewhere in the chapter.
Planning for Server Capacity Server capacity planning involves many factors involving the overall network, as well as individual servers. Identify the number of client queries that a given DNS server will service. Plan the size of each zone the server will service based on the size of the actual zone file and the number of resource records in the zone. Also identify the number of zones the server will host. The following sections discuss planning for hardware requirements, DNS server placement, and the number of servers.
Planning for Hardware Requirements One of the best investments you can make in your DNS server is to provide it with plenty of RAM. The DNS server service has to load all configured zones into memory. Therefore, if a server has to load many zones, and especially if there are frequent dynamic updates of client information, you should throw memory at the problem. A typical DNS server uses memory for each zone or resource record. Resource records consume memory at the average rate of 100 bytes each, so a zone with 1000 resource records needs about 100KB of memory.
You can use the DNS-related counters in the Windows Server 2003 monitoring tools to baseline DNS server performance and determine needs.
Planning DNS Server Placement Usually, you will place a DNS server on each subnet. You want the servers to be close to the users who will be serviced by them. Make sure that clients can access at least one other DNS server in case the first DNS server fails to respond. This is especially important when some of the DNS server’s clients are on remote subnets. You also want to plan for availability and balance the load of client requests across multiple servers. In a small LAN on a single subnet, you could configure a single DNS server to simulate both the primary and secondary servers for a zone. When you have reliable high-speed links, you
404
Chapter 8
Planning the Domain Name Service (DNS)
might be able to get away with one DNS server for a larger network area spanning multiple subnets. Conversely, if you have a single subnet with a large number of clients, the best solution may be to add a redundant DNS server to the subnet so that clients have another option for name resolution if the server stops responding.
Planning the Number of Servers The number of servers you need will be affected by zone transfers and DNS query traffic, especially across slower links. A well-planned DNS infrastructure will help reduce broadcast traffic between local subnets. Nonetheless, traffic will be generated between servers and clients. When implementing DNS in a network that has a complex routing topology, you especially need to pay attention to how traffic is generated. Evaluate how zone transfers across slow links will affect other network traffic. Incremental zone transfers and caching can help reduce traffic. However, if you have short DHCP leases, they will result in more frequent dynamic updates in DNS and thereby increase traffic. In situations where you need to connect a remote office across a WAN link, a good solution is to set up a caching-only DNS server at remote locations. Figure out how much fault tolerance you need for your network. Usually, you will use at least two DNS servers for each zone for fault tolerance. DNS was actually designed to use two servers for each zone, one as the primary server and the other as a backup or secondary server.
Securing DNS Securing your DNS infrastructure is critically important in your overall DNS implementation plan. A poorly designed DNS implementation can leave your network open to a variety of attacks and is a serious compromise to your network’s security. DNS has three levels of security:
Low-level security
Medium-level security
High-level security
In the following sections, we’ll discuss the features of each level of security so that you can make your organization’s DNS infrastructure more secure.
Low-Level Security Low-level security simply describes a standard DNS deployment with no configured security precautions. The only case in which you would use this level is when you have absolutely no reason to be concerned for the security of the DNS information. For instance, you may choose this level of security (or nonsecurity) in a private network that has no connection to the Internet and where there is no threat of someone compromising the DNS data. Characteristics of this level of security include the following:
The DNS data is fully exposed, so this configuration is not recommended if you have Internet connectivity.
Every DNS server is configured with root hints pointing to the root servers for the Internet.
UDP and TCP ports 53 are open on the network firewall for both source and destination addresses.
Planning DNS Server Resources
All DNS zones can have dynamic updates.
Cache pollution prevention is disabled.
Every DNS server in the network performs standard DNS resolution.
Zone transfers are permitted to and from all servers.
Multihomed DNS servers listen on all of their IP addresses.
405
Medium-Level Security Medium-level security uses DNS security features, but not the advanced security that is available when you run DNS servers on domain controllers and use Active Directory–Integrated zones. Characteristics of this level of security include the following:
The DNS data has limited exposure to the Internet.
Internal servers communicate with external servers through the firewall with a limited list of source and destination addresses allowed. The external DNS servers in front of the firewall are configured with root hints pointing to Internet root servers.
Resolution of Internet names is accomplished through proxy servers and gateways.
DNS servers only allow zone transfers to servers that are listed in the Zone Transfers tab of their zones.
Every DNS server is configured to use forwarders to point to specific internal DNS servers.
Dynamic updates are not allowed for any zones.
Cache pollution prevention is enabled.
DNS servers listen only on specified IP addresses.
High-Level Security High-level security uses all of the DNS security features of medium-level security, and adds the advanced security that is available when you run DNS servers on domain controllers and use Active Directory–Integrated zones. In this configuration, there is no DNS communication at all with the Internet. If Internet connectivity isn’t a requirement, we recommend using this configuration. Characteristics of this level of security include the following:
There is no Internet communication with the internal DNS servers.
You use an internal DNS root and namespace in which all authority for zones is internal.
Internal servers are configured with root hints that point to the internal DNS servers that host the root zone for the internal namespace.
Forwarding servers forward only to internal DNS servers.
All zone transfers are limited to only specified IP addresses on every server.
Zones are configured for secure dynamic updates except the top-level and root zones, which do not allow any dynamic updates.
Cache pollution prevention is enabled.
DNS servers only run on domain controllers, with a DACL configured to control administrative access to the DNS Server service.
406
Chapter 8
Planning the Domain Name Service (DNS)
All zones are Active Directory–Integrated, with a DACL configured so that only certain people have access to create, delete, or modify DNS data.
DNS servers listen only on specified IP addresses.
Securing the DNS Infrastructure DNS services are up and running for Contoso. Now your attention turns to security. You realize that all of the DNS servers on the network are vulnerable to attack because the firewall allows DNS traffic to and from all of the DNS servers. You cannot accept the security risk of direct Internet communication with the DNS servers, and you must make some immediate changes. You want to limit outbound DNS traffic so that it originates from a single DNS server on the network. This traffic should only come from the intranet DNS servers to the outbound DNS server. How can you implement the desired changes? What should you do to make it so? You should configure medium-level security in this scenario, because Contoso needs the ability to communicate with Internet servers. Configure the DNS servers on the intranet as forwardonly servers. Queries that are authoritative for their own zone data will be answered, and all other queries will be forwarded to the outbound DNS server. If the forwarder fails, recursive query will not be attempted. As time goes by, the intranet servers will build up a cache, and this will help to reduce the amount of traffic sent through the firewall to answer a query.
Summary In this chapter, you learned:
What the Domain Naming Service (DNS) is and how it works. DNS is a hierarchical, distributed database that provides computer-name-to-IP-address mappings. DNS provides name registration and resolution services similar to those provided by WINS.
How to plan a DNS namespace. Choices include using the same namespace for internal and external name resolution, using a delegated namespace such as a subdomain name for external versus internal traffic, and using a child domain for internal traffic.
How to plan DNS zones. Considerations include the zone type, the location for zone data, zone security, and WINS integration.
How to plan DNS zone replication and delegation. This may involve creating secondary zones, configuring zone transfers and Active Directory replication, securing the zone transfers, and delegating zone transfers.
How to plan DNS forwarding. Possibilities for servers include caching-only servers, stub zones, conditional forwarders, and forwarding-only servers.
How to plan resources for DNS servers. Considerations include planning for server capacity and securing DNS.
Key Terms
407
Exam Essentials Understand how DNS works. DNS is a distributed, hierarchical database that resolves host names to IP addresses. DNS has a variety of concepts with which you should be familiar. For example, you must know the different server and resource record types used in DNS. You must also know how the concepts of zones and forwarding fit into the big picture. Be able to plan a DNS namespace. The namespace decisions you make will depend on your business and technical requirements. Know how to plan for internal and external namespaces as well as how and when to use delegated subdomains. Be able to plan a DNS zoning strategy. Choose primary, secondary, and stub zones to meet different objectives. Understand the differences between traditional and Active Directory– Integrated DNS zones. Secure the zones by choosing the appropriate method of dynamic updates and by configuring DACLs on the DNS zones. Integrate DNS and WINS. Create a plan for DNS forwarding. Choose between caching-only servers, stub zones, conditional forwarders, and forward-only servers to meet different business and technical requirements. Plan the server resources for DNS. Plan hardware requirements, server placement, and server number based on the organization’s requirements. Choose between low-level, medium-level, and high-level security configurations.
Key Terms Before you take the exam, be certain you are familiar with the following terms: Active Directory replication
medium-level security
caching-only servers
multimaster replication model
conditional forwarder
nonrecursive DNS server
delegated namespace
primary zones
delegation resource record
secondary zones
discretionary access control list (DACL)
secured dynamic updates
DNS namespace
standard zone files
forward-only server
stub zone
full zone transfers
traditional DNS zones
glue address (glue A) resource record
WINS resource record
high-level security
WINS-R resource record
incremental zone transfers (IXFRs)
zone delegation
low-level security
408
Chapter 8
Planning the Domain Name Service (DNS)
Review Questions 1.
You are the network administrator for your company. The network is running Active Directory in Native mode. All servers are Windows Server 2003, and all clients are XP Professional. All of the client machines are configured to use the server named DNS1 for name resolution. Recently, users of the client computers have been complaining that they cannot access resources on the Internet, but they are still able to access all of the resources in the local domain. Identify the most likely cause of the problem. A. The name server is configured as a root server. B. The server does not support dynamic updates. C. The server’s root hints file is not configured or updated. D. The name server has only one network card.
2.
You are the network administrator for your company, Contoso, Ltd. The network is running Active Directory in Native mode. All servers are Windows Server 2003, and all clients are Windows XP Professional. The company has recently acquired a former competitor, Fabrikam, and you are charged with planning zone replication and delegation for the newly acquired company. Fabrikam’s network infrastructure is Unix-based and has four BIND version 8.3.2 servers. You have added a Windows Server 2003 domain controller running DNS on Fabrikam’s network. You want to enable resource sharing and name resolution between the two companies using the existing infrastructure and using the least possible administrative effort. In the future, the namespaces could be combined, so you want a plan that offers flexibility for the future. What type of zones should you implement on the BIND-based DNS servers, and how should you configure zone transfers and/or forwarding? A. Create primary zones on the BIND-based DNS servers and forward them to the DNS
servers that are authoritative for the main corporate namespace at Contoso. B. Create secondary zones on the BIND-based DNS servers and configure them to perform
zone transfers with the Windows Server 2003 DNS server on the Fabrikam local network. C. Create primary zones on the BIND-based DNS servers and configure them to perform
zone transfers with the Windows Server 2003 DNS server on the Fabrikam local network. D. Create secondary zones on the BIND-based DNS servers and forward them to the DNS
servers that are authoritative for the main corporate namespace at Contoso.
Review Questions
3.
409
You are the network administrator for your company. The network is running Active Directory in Mixed mode. Thirty servers are Windows Server 2003, and the remaining twelve servers are Windows NT Server. All clients are Windows XP Professional. The network also has multiple DNS, WINS, and DHCP servers running exclusively on Windows Server 2003. Zones are configured to allow Secure Only updates. The XP clients are configured to use secure dynamic updates in Active Directory. The NT Server computers are configured to use dynamic DNS updates via DHCP. You intended for this to relieve the necessity of manually configuring permissions to enable the Windows NT Server computers to update its own DNS entries. Windows XP and Windows Server 2003 computers are able to update their own DNS entries. Despite your efforts, however, dynamic updates to the DNS entries are not working for the Windows NT Server computers. What should you do? A. Upgrade the Windows NT Server computers to Windows 2000 Server or higher. Enable
secure dynamic updates on these computers. B. Enable secure dynamic updates on the Windows NT Server computers. C. Add the DHCP server computers to the DnsUpdateProxy group. D. On the DNS server, specify the DHCP server as the only computer that is authorized to
update the DNS entries. 4.
You administer the network shown in the following diagram. The London location contains the main company headquarters and is where you spend most of your time. You are solely responsible for the DNS needs of your network, which consists of a single domain. Select and place the appropriate zone types in the different office locations. Note that some options might be used more than once and some options might not be used at all. Primary DNS Zone Secondary DNS Zone Stub Zone
London T3 Dial-up Paris T3 Casablanca
Rome
410
5.
Chapter 8
Planning the Domain Name Service (DNS)
You administer the network shown in the following diagram and you are responsible for the company’s DNS solution. You primarily work out of the London office, with occasional visits to the remote sites. Your company recently received a considerable amount of funding from a private investor, some of which you used to upgrade the network. You upgraded all of the WAN links to T3 lines, and upgraded all of your machines to Windows Server 2003 and XP Professional computers in an Active Directory configuration. Each location sports its own domain controller. Select and place the appropriate DNS server types that you should configure at each location. ADI Zone Primary DNS Zone Secondary DNS Zone
London T3
Stub Zone
T3 Paris T3 Casablanca
6.
Rome
You administer a large network with a very complex DNS infrastructure consisting of several DNS servers and a root server. The root server needs to be shut down for hardware maintenance. How will this affect the network? A. The DNS servers will not be able to support dynamic updates. B. The DNS servers will not be able to answer any queries. C. The DNS servers will be able to answer recursive queries but not simple queries. D. The DNS servers will be able to answer simple queries but not recursive queries.
7.
You were recently hired to administer the DNS solution for your company’s network. You are responsible for a primary DNS server at the main office and several secondary servers at remote locations. When you came on board, you noticed that zone transfers were configured for incremental zone transfers. Why would this be? A. The links between offices are probably slow, so DNS zone transfer traffic is minimized. B. DNS zone transfer traffic increases but the processing burden on the slow computers at
the remote sites is minimized. C. The number of zones increases so that you don’t have to transfer as much data for
each zone. D. The number of zones is limited, reducing the number of zones required for transfers.
Review Questions
8.
411
You are an employee of a small ISP and you’ve been tasked with testing the beta version of Exchange Server 2003. You set up two small networks. Each network consists of a Windows Server 2003 machine running as a Domain Controller and a DNS server, and a separate server running the beta version of Exchange Server 2003. After you set up the machines, you send a test message from one network to the other, and the message is not delivered properly. You are sure that the Exchange servers are configured properly. What must you do to ensure that mail is delivered successfully? A. In each DNS database, add a PTR record that points to the name of the local
Exchange server. B. In each DNS database, add a PTR record that points to the name of the remote
Exchange server. C. In each DNS database, add an MX record that points to the name of the local
Exchange server. D. In each DNS database, add an MX record that points to the name of the remote
Exchange server. 9.
You are an administrator for a medium sized company, and you are responsible for the network’s DNS configuration. The network uses Active Directory for administration. You add two DNS servers to the network in order to maintain redundancy. You need to ensure that dynamic updates are not disrupted if one of the DNS servers fails. What is the best solution? A. Enable netmask ordering on each DNS server. B. Configure a standard primary zone on each DNS server. C. Configure one of the DNS servers as a root name server. D. Use Active Directory–Integrated zones on each DNS server.
10. Your network is shown in the following diagram. You need to implement a DNS solution for the company. The London location contains the main company office and you spend most of your time there. You decide to set up a primary DNS server in London, and secondary servers at all other locations. Users in Casablanca complain that their line is almost always in use and they are having difficulty performing normal file transfers and resource access across their link. What should you do? A. Install a root server at Casablanca. B. Install a root server at London. C. Install a caching-only server at Casablanca. D. Install a caching-only server at London.
412
Chapter 8
Planning the Domain Name Service (DNS)
11. You administer a network consisting of several Windows Server 2003 machines and about 1000 Windows XP Professional machines. Your IP solution includes a DHCP server administering addresses to all of the workstations, and the servers are all configured manually. Now you need to configure DNS before promoting the first domain controller. You start up the DNS service, then start 10 workstations to test the configuration. The workstations can connect to each other by address but not by name. What should you do next? A. Make sure that all of the clients have address reservations in the DHCP server. B. Convert all of the workstations to static addressing. You cannot mix dynamic and static
IP addresses in the same network. C. Give the users permissions to the DNS server so they can keep their records updated
properly. D. Enable Dynamic DNS. 12. You administer a very large network that is grossly underfunded. The network includes a Windows Server 2003 machine that acts as a Domain Controller, DNS server, and RRAS server for 3000 clients. Fortunately, the DNS records rarely change, so what should you do to minimize DNS traffic and help free some of the burden on the server? A. Decrease the TTL for the workstation resource records. B. Increase the TTL for the workstation resource records. C. Manually flush the DNS cache for each machine once per day. D. Manually flush the DNS cache for each machine once per hour. 13. You work at a branch office and manage its DNS server. The DNS server is configured to forward any queries it can’t resolve to a root server at the company headquarters. Now, your DNS server returns iterative queries properly, but recursive queries always fail. What diagnostic steps should you take? (Choose all that apply.) A. Check to make sure forwarding is set on your DNS server. B. Check to make sure the forwarder is listed by IP address. C. Flush the cache of the client to remove bad mappings. D. Ping the DNS server at Corporate by IP. E. Verify that you have your pointer records configured properly. F. Force a zone transfer to update the records to the corporate DNS server. 14. You administer a small network that is connected to the Internet. The network includes a local DNS server that must resolve local queries, but nothing else. You want to use an external DNS server for Internet queries. What are some of the steps you must take to meet these requirements? (Choose all that apply.) A. Specify the local DNS server in the network configuration of the client machines. B. Specify the remote DNS server in the network configuration of the client machines. C. Turn on forwarding on the local DNS server. D. Turn off forwarding on the local DNS server. E. Configure the local DNS server as a root server and leave out root hints for the top-level
domains.
Review Questions
413
15. You are the network administrator for your company. The network runs Active Directory in Native mode. All servers are Windows Server 2003, and all clients are Windows XP. You have created a DNS namespace, configured zones and designed a replication strategy. Now you must create a plan for DNS caching and forwarding. You need a solution that will enable you to manage the DNS traffic between your local network and the Internet. Which server type should you configure? A. Caching-only server B. Stub zone C. Conditional forwarder D. Forward-only server E. Nonrecursive server
414
Chapter 8
Planning the Domain Name Service (DNS)
Answers to Review Questions 1.
C. When a DNS server processes a recursive query that cannot be resolved from local zone files, the query must be escalated to a forwarder or a root DNS server. Each standards-based implementation of DNS includes a cache file (or root server hints) that contains entries for root servers of the Internet domains.
2.
B. In this scenario, the best solution is to create secondary zones on the BIND-based DNS servers and configure them to perform zone transfers with the Windows Server 2003 DNS server on the Fabrikam local network. This method will allow each BIND-based DNS server to resolve names in the Contoso zone, thereby reducing the load on the Fabrikam local Windows Server 2003 server. The next logical step to take is to specify the IP addresses of the BIND secondary servers to allow them to perform zone transfers with the Fabrikam Windows Server 2003 DNS server. This method ensures security for zone transfers. To enable Fabrikam to administer its own zone information, you can create a Fabrikam subdomain within the Contoso zone and delegate the domain to the DNS servers on the Fabrikam side. This is a good method for enabling Fabrikam to autonomously administer its DNS information.
3.
C. In networks with multiple Windows Server 2003 DHCP servers and zones configured to allow secure only updates, you must use Active Directory Users and Computers to add the DHCP server computers to the built-in group DnsUpdateProxy Group. This grants the secure rights required so that your DHCP servers will perform updates by proxy for any DHCP clients. Upgrading the NT computers would work, but that option was not mentioned in the scenario.
4.
The primary zone is authoritative for the domain, meaning that DNS configuration changes can only be made on that DNS server, so it makes sense to put this server at the London location where you spend most of your time. The Paris and Rome offices sport fast lines that can realistically support significant zone transfers. The Casablanca site would struggle with zone transfers, so it makes sense to add a stub zone to that location that points to the primary server in London. This means that the users in Casablanca must query the primary server for every DNS name, but that’s preferable to transferring a large zone file across a dial-up connection.
Primary DNS Zone London T3
Secondary DNS Zone
Dial-up Paris Stub Zone Casablanca
T3
Secondary DNS Zone Rome
Answers to Review Questions
5.
415
In this case, it makes the most sense to use ADI zone at each location. All four sites have fast lines and domain controllers that will be replicating between each other anyway, so you might as well include the DNS information in the replication regimen. ADI zones offer other advantages, such as increased security and delegation, so there’s really no reason not to use them in this case.
ADI Zone London T3
ADI Zone
T3 Paris ADI Zone Casablanca
T3
ADI Zone Rome
6.
D. When a DNS server processes a recursive query and a query cannot be resolved from local zone files, the query must be escalated to a root DNS server. Each standards-based implementation of DNS includes a cache file, also called a root server hints file, that contains entries for root servers of the Internet domains. If the cache file is damaged or removed, recursive queries to the Internet root will fail.
7.
A. Incremental zone transfers limit the traffic generated by DNS zone transfer records because only the changes are replicated across the network. With a regular zone transfer, the entire record is transferred whenever any item is updated.
8.
C. MX records are used to deliver SMTP traffic to the appropriate local e-mail server. You don’t add a record that points to the remote server, because if that were the case then production ISP DNS servers would need records pointing to every remote mail server in the world! PTR records are used for reverse lookup, so they wouldn’t help you in this situation.
9.
D. Active Directory–Integrated zones are used to store and replicate DNS zone information in all of the domain controllers. Because of this, dynamic updates can be made to any DNS server, including those on remote subnets. You also need to make sure that all clients on all subnets have the addresses of all of the DNS servers. With a standard primary zone, only the DNS server that hosts that zone can receive the client’s dynamic updates. Forwarding refers to sending recursive queries to external DNS servers, and round robin is not related to dynamic updates.
10. C. The result of putting a DNS caching-only server across the slow link will be that most DNS name resolution can occur locally and the requests crossing the links will be lowered, minimizing traffic. DNS cache servers store the queries that they have resolved for future use by other clients. They have the advantage of not having zone files, so they do not participate in zone transfers that consume network bandwidth.
416
Chapter 8
Planning the Domain Name Service (DNS)
11. D. Dynamic DNS (DDNS) is the integration of DHCP and DNS. As the addresses are delivered to the client, the mappings are updated in the DNS server. There are two basic methods for DDNS: One is that the clients make the modification, and the other is the DHCP server makes the modification for the client. The latter is considered the best practice because the DHCP server is considered more secure. 12. B. The TTL determines how long to keep a resource record in the DNS cache before it’s flushed. A lower TTL means that the resource record will be flushed more often and is useful when DNS data changes frequently. The downside is that it creates more network traffic, so increasing the TTL can relieve an overburdened DNS server. 13. A, B, D. If the DNS server can resolve local requests, it is likely that it is functioning properly. Before you start spending a lot of time working on your side of the DNS system, it is a good idea to verify that the DNS server to which you are forwarding requests can resolve recursive queries. 14. A, B, D, E. If you configure the server as a root server and leave forwarding off, the server will either answer a query (for addresses it knows) or return a failure (for addresses it doesn't). You must configure the clients with the IP addresses of both DNS servers so that if they receive a failure notice from the local server, they can switch out to the remote DNS server. 15. D. Use forwarders to manage DNS traffic between the local network and the Internet. A DNS server that is configured to use forwarders cannot always resolve a query, either through its local information or by using its configured forwarders. Under normal circumstances, the server then uses standard recursion to attempt to resolve the query. However, there is another way to resolve requests in this instance. If you configure a DNS server to not use recursion when forwarders fail, the server fails the query. This type of server is known as a forward-only server. A forward-only server builds up a cache and uses it in its attempts to resolve domain names. A nonrecursive DNS server is different from a forward-only DNS server. It won’t build up a cache, nor will it perform recursion if the query fails. The different types of DNS servers that use forwarders will all attempt to resolve the query using their authoritative data before using their forwarders.
Chapter
9
Planning, Implementing, and Maintaining Server Availability MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan services for high availability.
Plan a high availability solution that uses clustering services.
Plan a high availability solution that uses Network Load Balancing.
Most organizations run mission-critical business applications (such as corporate e-mail and databases) that require a high degree of availability. The system engineer’s goal is to maximize the availability and scalability of network servers. High availability ensures minimal downtime, while scalability ensures that systems can grow to meet increasing demands. Downtime is bad for business because it results in lost productivity and can also result in lost faith from customers and business partners. Increasing availability is one area where IT solutions can have a direct impact on the bottom line. Both availability and scalability can be increased by using fault-tolerant hardware solutions and, in general, by using best practices in your network infrastructure planning. Windows Server 2003 also offers two types of clustering technologies to help you meet your availability and scalability goals. Server clustering is a solution that increases availability, and Network Load Balancing (NLB) is a special type of clustering that increases scalability. A cluster is simply a group of independent computers that work together to provide a common set of services. If one computer in the cluster fails, the others take over so that there is no loss of service. In this chapter, we’ll cover the essential factors in planning an availability and scalability solution. We’ll begin with an evaluation of these solutions, discuss planning server clusters and NLB, discuss monitoring NLB, and cover the techniques for recovering from cluster node failure.
Evaluating Availability and Scalability Solutions Clustering technologies can be combined depending on the needs of the company. You should be familiar with two types of clustering technologies: Server Clusters Server clusters provide high availability for more complex, stateful applications and services. Stateful applications (such as SQL Server) have data that is constantly being updated. Other examples of stateful applications include back-end databases, messaging, and file and print services. Server clusters are used to enable resources to be dynamically relocated in the event of a failure. This process is transparent to the client.
Server clusters run only on Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition. They can contain up to eight nodes.
Evaluating Availability and Scalability Solutions
419
In server clusters, individual computers called nodes share access to data. Nodes can be either active or passive, depending on the operating mode (active or passive) and how failover is configured in the cluster. Each node is attached to one or more cluster storage devices, which allow different servers to share the same data. This means that increasing the number of nodes in a server cluster will proportionally increase the availability of the services and applications running on that server cluster. This is because spreading the workload over a greater number of nodes allows each node to run at a lower capacity. In addition, a failover is less likely to result in a decline in performance, because more servers are available to accept the workload of the failed node and because the servers involved will be running at lower capacity. Network Load Balancing Network Load Balancing (NLB) clusters are groups of identical, typically cloned computers that can operate independently. All of the nodes in an NLB cluster are active. You can use NLB for applications that are stateless or can otherwise be cloned with no decline in performance. Stateful applications such as Exchange Server or SQL Server are frequently updated, making them difficult to clone and therefore not acceptable for hosting on NLB clusters.
NLB is supported on all editions of Windows Server 2003. Up to 32 nodes are supported on all editions.
NLB is designed for stateless applications, such as front-end Web servers, FTP servers, and VPNs. Stateless applications treat each client request as an independent operation. This type of application can independently load-balance each client request. Stateless applications often have read-only data or data that changes infrequently. Groups of clustered computers can be used to load-balance traffic requests. You can scale out NLB clusters by adding additional servers as demand on the cluster increases. The applications are usually cloned, so that multiple instances of the same code run against the same dataset. Table 9.1 compares the number of nodes supported in both server clustering and NLB. TABLE 9.1
Windows Server 2003 Support for Clustering
Operating System Edition
Server Clusters
Network Load Balancing
Windows Server 2003, Web Edition
N/A
32
Windows Server 2003, Standard Edition
N/A
32
Windows Server 2003, Enterprise Edition
8
32
Windows Server 2003, Datacenter Edition
8
32
420
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Component Load Balancing (CLB) is a third type of clustering that addresses the unique scalability and availability needs of middle-tier business applications that use the COM+ programming model. CLB is a feature of Microsoft Application Center 2000 and is not covered on the exam or in this book.
Sometimes it’s appropriate to run all three types of clustering. For example, assume that a business runs an e-commerce Web site, in which the front-end Web servers are configured in NLB clusters that receive client requests. Middletier applications, such as Microsoft’s BizTalk Server, use CLB clusters running on Windows Application Center 2000. The applications integrate with SQL database servers on the back-end. The SQL servers are configured in a server cluster.
Availability is the ability to provide end users with access to a service for a high percentage of time while reducing unscheduled outages. Availability can be expressed as: Percentage of availability = (total time – downtime)/total time Different applications will have different availability needs. Print servers usually don’t require 24/7 availability; however, an e-commerce site cannot afford any downtime, because a company would lose sales and might also lose the faith of its customers. If you strive to achieve 99.9 percent availability, then this allows you 8 hours and 45 minutes of downtime per year. Reliability is related to availability, and it describes the time between failures, expressed as: Mean time between failures (MTBF) = (total elapsed time – sum of downtime)/number of failures Fault tolerance increases the reliability of a system. It describes the ability of a system to continue functioning when part of the system fails. This is achieved by designing the system with a high degree of hardware redundancy. In the following sections, you’ll be introduced to concepts of server clustering. You’ll also learn how to evaluate clustering solutions. We’ll start by identifying the potential threats to availability.
Identifying Threats to High Availability The idea behind high availability is to make sure that no single point of failure can render a server or network unavailable. To ensure availability, you must guard against several types of failures, including: Application or Service Failures When an application or service fails, you can have another instance of the application or service running on another server in order to provide continual service to end users. Hardware and System Failures A Redundant Array of Inexpensive Disks (RAID) is one of the most common ways to protect against storage device failures. Third-party solutions for hardware redundancy should be implemented. Hot-swapping components (such as hard disks and memory) will enable you to replace failed devices and other hardware without affecting system uptime.
Evaluating Availability and Scalability Solutions
421
RAID-5 describes disk striping with parity. RAID-1 describes disk mirroring.
Most enterprise server platforms provide internal hardware redundancy through redundant power supplies, fans, and other hardware components. Hot-swappable components ensure that failed hardware can be replaced without system downtime. Network Connectivity and Site Failures Site failures are caused by events such as natural disasters, power outages, and connectivity outages. Your network topology should provide redundant links and hardware, such as routers and cabling, so that connectivity is ensured in a failure scenario. In such events, mission-critical applications can be deployed across geographically dispersed sites. Data centers are frequently deployed in this way.
Sites can be active-active (where all sites carry some of the load) or active-passive (where one or more sites are on standby).
Evaluating Scalability Methods Scalability describes the ability of a network service or application to grow to meet increasing demands. In the context of clustering, scalability describes the ability to incrementally add systems to an existing cluster when the overall load of the cluster exceeds the cluster’s capabilities. The two types of scalability are listed here: Scaling Up Scaling up involves adding redundant or more robust system resources (such as processors, RAM, disks, and network adapters). Scaling Out Scaling out involves adding servers to meet demand. Both methods help you to improve application and server response time.
Evaluating Clustering Technologies As stated above, a cluster consists of two or more computers working together to provide higher availability, reliability, and scalability than can be obtained by using a single system. The failover process ensures the continuous availability of applications and data. Failover automatically redirects and redistributes the workload of the failed server. Server clusters do have limitations, including:
They are designed to keep applications available, rather than keeping data available. Cluster technology does not protect against failures caused by viruses or software errors.
Applications and services must be compatible with the Cluster Service (the service that runs server clusters) in order to respond appropriately to a failure.
Administrators must be able to configure where an application stores its data on the server cluster.
422
Chapter 9
Planning, Implementing, and Maintaining Server Availability
The clustered application or service must allow clients that are accessing it to reconnect to the cluster virtual server after a failure has occurred and a new cluster node has taken over the application.
Services and applications must be TCP/IP based.
The File Replication Service (FRS) isn’t supported.
Third-party tools are required if you want to use dynamic disks on shared cluster storage.
For more information about using dynamic disks on shared cluster storage, see Microsoft Knowledge Base article 237853, “Dynamic Disk Configuration Unavailable for Server Cluster Disk Resources.”
Both clustering and fault-tolerant hardware protect your system from failures of components and are frequently used together. Clusters can also be used to maintain availability during an upgrade, service pack installation, or hotfix without taking a cluster offline.
Planning Server Clusters As you’ve seen, server clusters ensure the availability of network services and applications in the event of any type of system downtime. This includes both unexpected failures and planned maintenance. Each organization has different availability needs. Applications or services that will be hosted on a server cluster will also have requirements that you’ll have to consider. In Windows Server 2003, clusters require:
Two or more computers
Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition
Hardware that is listed in the Windows Server Catalog
Consistent hardware architecture. (You cannot use x86-based and Itanium architecture– based computers in the same server cluster.) Two or more network cards are required for each node.
An ideal configuration puts the clustered computers on their own private network. Private network traffic is limited to traffic related to intra-cluster communication and configuration. This method uses one network adapter to connect a node to the other nodes in the cluster on a private network. The second adapter connects the cluster to both an external network, such as the corporate intranet, and the private network.
Server clusters now support the Kerberos version 5 authentication protocol. Windows Server 2003 also adds remote management functionality to the server cluster.
Planning Server Clusters
423
The Cluster Service is supported on 64-bit versions of Server 2003. You cannot, however, use GUID partition table (GPT) disks for shared cluster storage. A GPT disk is an Itanium-based disk partition style in the 64-bit versions of Windows Server 2003. For these versions, you must partition cluster disks on a shared bus as master boot record (MBR) disks and not as GPT disks.
In the following sections, you’ll learn the terminology relevant to server clusters. We’ll cover what you need to know to consider business and application requirements and application deployment, how to choose a cluster model, how to plan multisite clusters and what to consider for networking the cluster.
Understanding the Terminology You need to know several terms in order to understand how to plan a server cluster deployment, so we’ll tackle those terms now:
A node, also known as a cluster host, is an individual computer that is a member of a server cluster. Windows Server 2003 supports up to eight nodes in a server cluster.
A resource is any physical or logical entity that is capable of being managed by a cluster, brought online, taken offline, and moved between nodes. At any point in time, a resource can be owned only by a single node.
A resource group is a collection of one or more resources that can be started and stopped as an indivisible unit and independently from other groups. Resource groups are hosted on only one node and are moved to a different node in a failover scenario. Resources can have dependencies, just like services in Windows Server 2003.
A virtual server is a collection of services that appear to clients as a physical Windowsbased server but are not associated with a specific server. A virtual server is typically a resource group that contains all of the resources needed to run a particular application and can be failed over like any other resource group. All virtual servers must include a Network Name resource and an IP Address resource.
Failover describes the process of taking resource groups offline on one node and bringing them back online on another node. The order of processes is important because of resource dependencies. Resources upon which other resources are dependent are brought online before or taken offline after the resources that are dependent on them.
Failback describes the process of relocating resources back to their original node after the failed node (which had previously failed) rejoins the cluster and comes back online.
The quorum resource (also called the quorum disk) is a disk that stores the configuration data and all of the changes that have been applied to the cluster database. This data is needed to recover the cluster in the event of failure. The quorum resource is generally accessible to other cluster resources so that each cluster node has access to the most recent database changes. By default, each cluster has only one quorum resource.
In majority node set clusters, the quorum data is stored on each node. This model is used for geographically dispersed clusters.
424
Chapter 9
Planning, Implementing, and Maintaining Server Availability
A Storage Area Network (SAN) is a set of interconnected storage devices (for instance, disks and tapes) and servers that are connected to a common data transfer infrastructure to provide a pool of storage with multiple server access.
Analyzing Business and Application Requirements A company’s high availability needs depend on a few different factors, such as the length of acceptable downtime, contractual obligations with business partners (for instance, a Quality of Service or QoS agreement), and the need to prevent lost sales and lost employee productivity resulting from system downtime. Start by answering questions such as the following:
How much downtime can you allow for a given application?
How many total node failures does the cluster need to protect against?
How many users depend on a particular application?
If multiple applications will be running on the server cluster, which ones (if any) take priority? This may become critical if more than one node fails and the remaining ones do not have the capacity to take on the entire workload. After evaluating business needs, you need to make sure your application can run on a server cluster. Good candidates for clustering share the following characteristics:
The application is IP-based.
The application attempts to recover from network failures, such as reconnecting user sessions.
You can configure where application data is stored.
You need to have a good understanding of an application’s needs and behavior. Make sure you know where application data is stored and whether or not the application can be upgraded while the cluster is online. Also make sure that you can anticipate how the application will behave during failover. Keep in mind that not all applications will react to cluster events. An application must be cluster-aware (meaning that it can communicate with the Cluster API). Otherwise, it will not receive the necessary status and notification information from the cluster. Most older applications are not cluster-aware; however, they can still run in a server cluster and even failover. Such applications are capable of only rudimentary failure detection and cannot interact with the cluster, so they would not be as highly available as cluster-aware applications.
Make sure that you contact the software vendor or consult the software documentation to verify that an application can be run in a clustered configuration. This will determine how you install the application, as well as how you upgrade the application after installing it in the cluster.
If you install Exchange 2000 Server or Exchange Server 2003 on a server cluster, the log files and database in each storage group must be on the cluster’s shared disk. Otherwise, the log files and the storage group databases cannot failover to another node if the virtual server goes offline.
Planning Server Clusters
425
Make sure to test a server cluster before deploying it in a production environment. You need the certainty that your failover policies actually work, and that there is enough capacity available to allow for failover of resources.
Evaluating Application Deployment Considerations Applications can be deployed through one of two methods (the method you choose depends entirely on the application itself): Single-Instance Applications With single-instance applications, only one application instance is running on the cluster at any time, and the application typically has data sets that cannot be partitioned across multiple nodes. The Dynamic Host Configuration Protocol (DHCP) service is an example of a single-instance application. The set of leased IP addresses that the application provides is small, but they would be complicated to replicate across a cluster. Therefore, the DHCP instance exists as a single instance, and high availability is provided by failing over the instance to another node in the cluster. Multiple-Instance Applications With a multiple-instance application, either multiple instances of the same code, or different pieces of code that cooperate to provide a single service, can run on a cluster. In both cases, the client or end user sees only one partition of an application. Applications can be either cloned or partitioned to create multiple instances in a cluster. Multiple-instance applications can be cloned or partitioned. Cloned applications work best in NLB clusters of stateful applications, where they can run against the same, relatively static dataset. Figure 9.1 shows an example of a cloned application. FIGURE 9.1
A cloned application
Application Instance
Application Instance
Node A
Application Instance
Node B
Application Instance Node C
Node D
Partitioned applications work well for server clusters of stateless applications that have frequent updates to memory. An example is a database, where records A through M can reside on one partition, and N through Z can reside on another partition. Other types of applications can partition the functionality rather than the actual data. For instance, billing inquiries could be directed to a separate billing node, which has sole access to the billing database. Catalog inquiries could be directed to a separate catalog node, which has sole access to the catalog database. This example would provide scalability, but not availability because there is no option for failover. Figure 9.2 shows an example of a partitioned application. In all of these deployment types, client requests are transparently split across the instances. You could host one or several single-instance applications, and you could host one or several multiple-instance applications in your server cluster. Additional considerations for application deployment include planning storage methods, server capacity, and failover policies. We’ll discuss each in turn in the following sections.
426
Chapter 9
FIGURE 9.2
Planning, Implementing, and Maintaining Server Availability
A partitioned application
Example 1
Catalog A–M Records
Catalog N–Z Records
Example 2
Billing
Catalog
Accounting
Determining Storage Methods In a cluster, two types of information must be stored:
The application information, which will be shared between nodes
The cluster configuration data
Most Windows Server 2003 clusters use either parallel SCSI or Fibre Channel. The only supported storage interconnect technology supported for clusters greater than two nodes is switched Fibre Channel fabric (FC-SW).
SCSI is supported only on 32-bit versions of Windows Server 2003, Enterprise Edition.
You need a dedicated disk to use for the quorum resource, which stores the cluster configuration data. The disk must be a minimum of 50MB and ideally should have 500MB or more of space. You should use hardware RAID to provide fault tolerance. Ideally—and especially in deployments of greater than two nodes—you should use a SAN for data storage so that you have the optimal level of fault tolerance. Many third-party vendors (such as Network Appliance, IBM, EMC, and Hewlett-Packard) provide SAN solutions, including the actual hardware as well as software management tools.
The Mountvol utility can be used to configure a server cluster in a SAN. It provides a means of creating volume mount points and linking volumes without requiring a drive letter.
In a SAN deployment, you can use either zoning or LUN masking to isolate and protect server cluster data. Zoning allows you to create clouds, or storage entities, in order to control host access to storage devices as well as to control traffic flow within the SAN. Zoning is implemented
Planning Server Clusters
427
at the hardware level and also provides security for SANs. Figure 9.3 demonstrates how zoning works. FIGURE 9.3
Zoning is used to control access to devices in a SAN.
SC1
SC2
Switch
Node A
Node B
Node C
This is a logical diagram of two SAN zones, each with their own controller. In this example, Node C can access data only from SC2 and not from SC1. Traffic between ports would be routed to only the segments of the fabric that are in the same zone. LUN masking refers to logical disks implemented at the controller level to provide access control. The controller enforces access policies for specific devices. This allows for zoning at the port level, so it is a more granular level of security than zoning. Figure 9.4 shows a sample deployment where Zones A and B overlap, and the storage controller resides in both zones. The LUNs on Cluster A can be shared with or masked (that is, hidden) from Cluster B. FIGURE 9.4 zones.
LUN masking is used to control access to devices in a SAN with overlapping
SCA
Cluster A
Cluster B
Switch Zone A
Zone B
428
Chapter 9
Planning, Implementing, and Maintaining Server Availability
If you deploy clustering in a SAN, keep in mind the following requirements and recommendations:
Host bus adapters (HBAs) are interface cards that connect a cluster node to a SAN, just as a network adapter connects a server to a LAN. For best results, use matching HBAs throughout the SAN. You would use multiple HBAs so that the host sees multiple paths to the same disks, and you must load the multipath driver so that the I/O subsystem can see the devices correctly. Otherwise, the second device will be disabled because the OS thinks they are two disks with the same signature.
Each cluster on a SAN must be deployed in its own zone so that you can separate the cluster traffic from traffic coming from other clusters or nonclustered computers.
All device drivers in a cluster, including storage and HBA drivers, must share the same software version.
To avoid data corruption, never allow multiple nodes access to the same storage devices unless they are in the same cluster.
When using hardware snapshots with cloned disks, it is critical that only one disk with a given disk signature be exposed to the server cluster at one time. Otherwise, using multiple disks with the same disk signature can degrade performance. It could also result in data corruption if you expose a hardware snapshot to a node on the cluster.
Planning Server Capacity You need to answer some important questions before you can deploy the clustered application:
What is the number of servers you can use in the cluster?
How much capacity does each server have?
What is the acceptable level of performance in the event of a failover, and for how long can you tolerate this level of service?
From how many separate node failures should the cluster be able to recover?
The workload of a server both before and after failover is closely tied to your server resource planning. The way your application adapts to the server cluster depends on how much of the server resources it consumes. The consumption of server resources affects the number of servers you need to ensure high availability for the application, in addition to how many servers are required to pick up the workload for a given node in the event of a failover.
To best allow for future growth and increased capacity needs, try increasing your initial estimates for server capacity by 30 percent (to give you a buffer for unforeseen capacity needs), and then add a little more for future growth.
Planning Server Clusters
429
For example, imagine that you have a two-node cluster, consisting of Node A and Node B. If Node A fails over, Node B must continue processing its own jobs in addition to processing the jobs that failed from Node A. This means that prior to failover, both nodes can operate at a maximum of 50 percent capacity. After failover, Node B operates at 100 percent capacity. When any server operates under maximum capacity, performance is severely reduced. However, reduced performance is better than losing all of Node A’s workload. If you add a third node to the above example and all three nodes operate at 50 percent, the two remaining nodes can divide the workload of a failed node. If Node A fails over, Node B and Node C assume Node A’s work and operate at 75 percent capacity, which provides better application performance than a single server operating at 100 percent capacity (which is referred to as bottlenecked). However, if two nodes in this cluster were to failover, the remaining node would not be able to take on the entire cluster’s workload. As previously mentioned, Windows Server 2003 (Datacenter and Enterprise editions) supports up to eight nodes in a cluster. With additional nodes, you have more options for distributing the workload in a cluster. The following illustrations of a simple four-node cluster demonstrate how server load can be balanced across nodes. These examples also demonstrate the relationship between hardware resources, fault tolerance, and availability. Figure 9.5 shows a cluster in which all four nodes are operational, each running at 25 percent capacity. FIGURE 9.5
A four-node cluster
Node A 25%
Node B 25%
Node C 25%
Node D 25%
Figure 9.6 shows what happens after one of the nodes fails. The remaining three nodes each receive a share of the failed node’s work. FIGURE 9.6
A four-node cluster with one failed node
Node A 33%
Node B 0%
Node C 33%
Node D 33%
Figure 9.7 shows what happens after two nodes fail. The remaining two nodes are each operating at 50 percent capacity.
430
Chapter 9
FIGURE 9.7
Planning, Implementing, and Maintaining Server Availability
A four-node cluster with two failed nodes
Node A 50%
Node B 0%
Node C 50%
Node D 0%
Figure 9.8 shows what happens after three nodes fail. The remaining node has barely enough capacity to take over the clusters’ entire workload. However, application performance will be seriously compromised now that the server is operating at 100 percent capacity. FIGURE 9.8
A four-node cluster with three failed nodes
Node A 0%
Node B 0%
Node C 100%
Node D 0%
Planning Failover Policies When there is a failure in a simple two-node cluster, the failover process is simple—redirect the resources of the failed node to the surviving node. When you have three or more nodes in a cluster, you can configure failover policies to control the behavior of the cluster. You can choose different solutions, such as:
The number of nodes available for failover
The specific resources to be failed over, and the nodes to which the resources will be redirected
How the application load will be distributed or partitioned
How resource groups will be configured
One of the biggest decisions you’ll make is in determining a balance between availability and cost. For instance, you can use a dedicated standby server for each active node in a cluster— but this will double the cost of the hardware investment. The hardware used must be almost identical, because any latency between the cluster updates can queue to the point that the entire cluster fails. In the following sections, we’ll cover the different types of failover policies you can configure.
Planning Server Clusters
431
N+I Configuration In the N+I configuration, there are active nodes and standby nodes. N nodes are hosting applications and I (idle) nodes are on standby. This is the most common type of failover policy. For the highest level of availability, you could have a standby server for each active node, but this would double the investment in hardware. The benefit of N+I configurations is that they are scalable and can gracefully handle multiple failures. Figure 9.9 shows an example of a simple 3+3 N+I configuration. This example would allow an application to keep running with no decrease in performance, because the application will failover to a node that is 100 percent available and that is not already in use. FIGURE 9.9
N+I Configuration
Application
Application
Application
Node A
Node B
Node C
Idle
Idle
Idle
Node D
Node E
Node F
Standby Server Configuration A standby server configuration is a type of N+I that ensures a certain performance level and response time after failover. Figure 9.10 shows a three-node version of this type of failover policy.
Planning an N+I Server Cluster for Exchange 2003 Server You are the network administrator for a large organization. You need to come up with a high availability solution for the organization’s messaging services. The company uses Exchange 2003 Server for e-mail. Exchange Server 2003 is well-suited for an N+I server cluster deployment. Exchange 2003 supports both Active/Active clustering and Active/passive (N+I) clustering. You decide to implement a four-node cluster in a 3+1 configuration, with three active nodes and one node on standby. Although only one node failure can be supported in this configuration, this cluster enables failover to a node that has 100 percent available resources. This is a good approach, because Exchange Server is a resource-intensive application.
432
Chapter 9
FIGURE 9.10
Planning, Implementing, and Maintaining Server Availability
Standby server configuration Idle
App1
App2 Node A
Node B
Node C
Can only host one application in the event of a failure
Standby servers are a good choice for resource-intensive applications, because applications are hosted on separate servers. In the example, App1 and App2 need to run on separate servers, because one server would not have enough capacity to run both applications. Assume that Node A fails. App1 would be relocated to Node B, keeping the applications hosted on separate nodes. Planning server capacity for this failover policy is easy. Spare servers need to have enough capacity to take on the workload of the largest node, and each active node needs enough capacity for the application it will host. A disadvantage of the standby server is that it introduces a single point of failure. For example, assume that both Node A and Node B fail. There is nowhere else for App1 to go, so the application can’t be relocated. Node C doesn’t have the resources to run both applications at the same time. To resolve this problem, you can combine up to eight nodes so that you avoid having a single point of failure.
Failover Pairs Configuration A failover pairs configuration is usually used with four or more nodes. These configurations set up pairs of nodes so that each application can failover between two nodes. Figure 9.11 shows an example using a four-node cluster. Failover pairs improve upon standby servers, because they allow a different failover node to be dynamically assigned. They tend to work well for databases and other resource-intensive applications. FIGURE 9.11
Failover pairs configuration Pair
Pair
Failover
Failover
App1
App2 Node A
Node B
Node C
Node D
Planning Server Clusters
433
The disadvantage with failover pairs is that as little as 50 percent of the cluster resources will be used at a given moment. Also, when you have multiple failures you may have to manually failback the cluster resources when you bring the nodes back online.
Random and Customized Failover Policies Windows Server 2003 has the ability to randomly failover an application to a new location. This is a good solution when you have multiple application instances running in a two or three node cluster and when each node has enough capacity to host several of these application instances at once. With clusters of four or more nodes, there are too many possible failure scenarios that could result in unequal workload distribution, so random failover policies would not be a good solution. Benefits of random failover policies include the ability to handle multiple failures and the ability to load balance applications. Disadvantages of random failover policies include the inability to predict where applications will failover or the performance of the applications after failover.
When the node hosting a resource group fails, the Cluster Service will randomly assign the failover target for a resource group when the group has an empty preferred owners list.
With large and complex server clusters, you may want to exert stronger control over failover by configuring customized policies. This enables you to target specific applications to specific nodes when there is a failure. This gives you full control and makes it easy to plan capacity. Customized failover policies work with a feature known as group affinity. Group affinity describes a dependency between groups that determines the groups’ relative location in the server cluster. Some resource groups can be hosted anywhere on the cluster because they have no specific configuration requirements or hardware needs. In some circumstances, however, the location of one group can affect the location of other groups. Groups can have strong or weak affinity. Groups with strong affinity are located together on the same node, if possible. Groups can also be configured with strong or weak anti-affinity. With strong anti-affinity, groups will be kept apart if at all possible. Running more than one instance of Exchange on the same node is not recommended, so Exchange virtual servers are a good example of groups that use anti-affinity. A disadvantage of customized failover policies is that they are difficult to configure for multiple applications, because accounting for all the possible combinations of application and server failures in the event of multiple failures is difficult.
Determining the Cluster Model After determining failover policies, you should next consider the type of cluster model you will use. A cluster model describes how the quorum resource is accessed in a server cluster. This method is important because the entire point of a cluster is to have several physical servers that act as a single virtual server, and therefore every server must share the same understanding of the cluster’s configuration.
434
Chapter 9
Planning, Implementing, and Maintaining Server Availability
The quorum resource has a critical role to play because it enables the nodes in a cluster to keep their databases in sync. After a failed node comes back online, the other nodes will update the failed node’s copy of the cluster database.
The cluster database is part of the Windows Server 2003 Registry on each cluster node.
The quorum resource can be owned by only a single node at any given moment in time. A node has to have control of the quorum resource before it can form a cluster. A node cannot join or stay in a cluster unless it can communicate with the node that has ownership of the quorum resource. Servers in a cluster negotiate with each other for ownership of the quorum resource. Clustered servers try to avoid split-brain scenarios. A split-brain happens when some of the nodes fail and the cluster loses quorum. Nodes lose communication with one another. The result is that each partition thinks it’s the only instance of the cluster, which will ultimately cause data corruption. A quorum ensures that only the partition that owns the quorum resource will survive a splitbrain scenario. All other partitions of the cluster, which have “lost quorum,” will not survive, and Cluster Service is terminated on those nodes. The actual cluster configuration data is stored within the quorum log file, which contains configuration details about the servers and resources in the cluster. The log file also identifies the state (online or offline) of resources. This file acts as the definitive version of the cluster configuration, and will ordinarily be located on a shared disk that all nodes in the cluster can access. A quorum resource must be located on an NTFS file system. You choose the type of quorum resource based on your cluster model, and there are three types of cluster models you can use:
Local quorum cluster
Single quorum device cluster
Majority node set cluster A local quorum cluster has only one node and is usually used for testing.
You might also use a local quorum cluster to host file shares for home directories.
The single quorum device cluster, also known as the standard quorum model, is the most common cluster model. Figure 9.12 shows how the cluster configuration data is stored on a single device connected to all nodes in the cluster.
Planning Server Clusters
FIGURE 9.12
435
A single quorum device cluster
Network
Cluster
Node A
Node B
Quorum
Node C
Data 1
Node D
Data 2
Windows Server 2003 introduced a new type of cluster model, the majority node set cluster (also called a majority node set quorum), which is commonly used in geographically dispersed clusters. In this model, every node maintains its own copy of the cluster configuration data. The quorum resource maintains the consistency of this data on all nodes. With a majority node set cluster, you can take a quorum disk offline without interfering with the cluster operation. Unlike single quorum device clusters, which can survive with a single node, majority node set clusters require that a majority of the cluster nodes survive a failure or the server cluster stops working. Figure 9.13 shows an example of the majority node set cluster. FIGURE 9.13
A majority node set cluster
Network
Cluster
Node A
Node B
Quorum
Node C
Quorum
Node D
Quorum
Quorum
436
Chapter 9
Planning, Implementing, and Maintaining Server Availability
You would use majority node set clusters when you have a customized configuration in which you need to ensure strong consistency and in which you are not using shared disks. We’ve already discussed multisite clusters. Another example is for file replication of relatively static data.
Planning Multisite Clusters Multisite clusters are used to provide fault tolerance to protect against a single site failure. The nodes in one site can directly access the storage in that site without any dependencies on the other site.
Windows Server 2003 supports just two sites for multisite clusters, and requires third-party tools to replicate the application data between sites.
Figure 9.14 shows a simple two-site configuration for a geographically dispersed server cluster. FIGURE 9.14
A geographically dispersed server cluster
Network
Site 1
Node A
Site 2
Node B SCA
Node C
Node D
SCB
Disk A
Disk C
Disk B
Disk D
Notice how Nodes A and B are both connected to a local storage array hosted by Storage Controller A, and Nodes C and Node D are connected to a different local storage array on Storage Controller B. Mirroring is used to make the disks in the storage array appear as a single logical device that can failover between Nodes A, B, C, and D.
Planning Server Clusters
437
Mirroring can be implemented either at the controller level or at the host level.
There are three critical requirements for a multisite cluster. First, both sites need a separate copy of the data. If data is read-only, then it can simply be cloned, with a single instance running at each site. If data will change, then you must consider how replication will occur between sites. Second, the application must be restarted at a site when there is a failure at the other site. Third, you must ensure that all hardware is supported, and you will most likely need some third-party software to make the multisite cluster work. All nodes have to be located on the same subnet. This is a network requirement of all server clusters and is especially important for multisite clusters. Clusters are usually located on a private network connected to the public network. You can create VLANs so that the public and private network connections appear as a single LAN even though the nodes are on different physical networks. Make sure that there is not a single point of failure at the network level. Each VLAN should fail independently of any of the other cluster networks.
Make sure that the roundtrip communication latency between any two nodes does not exceed 500 milliseconds, otherwise the Cluster Service will assume that a node has failed.
There are three levels at which data can be replicated between sites:
Replication at the block level, which is known as disk-device-level replication or mirroring and is handled by the storage controllers or by mirroring the software.
Replication at the file-system level
Replication at the application level In the following sections, we will discuss different methods for data replication.
Synchronous versus Asynchronous Replication There are two types of data replication: synchronous replication and asynchronous replication. Synchronous replication occurs when an operation is not considered to be complete until the change has made it to the other site. A change is made on one node at one site, but the operation is not completed until the change is made on the other site. Assume that you have a multisite cluster, and that you are using synchronous block-level replication. In such a scenario, an application at Site 2 could write a block of data to a local resource that is mirrored to Site 1. Until the change has been made to the disk at Site 1, the I/O operation will not be completed. Application performance can be much slower for synchronous replication because of the latency between the time an operation is executed and when it is completed. Asynchronous replication occurs when a write operation is performed at Site 2 and considered completed before the change is also written to disk at Site 1. The I/O operation is complete the moment the write to the local disk is completed. With asynchronous replication, data can therefore be out of sync between the sites at any given moment in time.
438
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Make sure that the vendor for your replication solution preserves the order of operations, because some vendors do not do this. In Windows Server 2003, ensuring that the order of I/O operations is preserved is critical for multisite clusters using asynchronous replication. This method ensures crash consistency between sites rather than applying I/O operations in an arbitrary order that can cause the application to think that the replicated data is corrupt. Third-party vendors also provide a variety of solutions for mirroring and replication. These solutions always involve a disk for which there is a master copy, which is written to first, and at least one secondary copy to which changes are then propagated. Master disks can be located at either site. If the master, or primary, disk fails, it is demoted to a secondary and a secondary disk is promoted to the master.
Majority Node Set Quorum Majority node set quorum clusters are the most common cluster model for multisite clusters. This method stores the quorum on the local hard disk of each node. Failover is much more complex in a multisite cluster than it is in a single-site cluster. In addition, a split-brain scenario is much more likely to happen in a multisite cluster. With a loss of communication between two sites, the cluster nodes don’t know whether the other site is still alive and the communication link is down, or whether the other site is dead. A single-quorum resource in the cluster needs to serve as the tiebreaker in order to avoid split-brain scenarios. As in a single-site, single-quorum cluster, one of the partitions needs to take control of the quorum resource. Unlike a single-site, single-quorum cluster, however, a server cluster configured as a majority node set quorum can only start or continue running if a majority of the nodes are operational, and if all of those nodes can still communicate with each other. This requirement means that you need to carefully plan the number of nodes in the server cluster.
Single Quorum You can use a single quorum disk resource in a multisite cluster by using a method such as disk mirroring to replicate the quorum across sites. You cannot, however, use asynchronous replication for the quorum data because this method could result in data corruption during the replication.
Networking the Cluster In server clusters, a network can perform one of the following roles:
The private network role is used for internal cluster communication.
The public network role enables clients to access clustered applications and services.
A mixed network role combines the functionality of the private and public networks.
No role (otherwise known as disabling the network for cluster use).
Anticipating the cluster-related network traffic will be helpful to the planning process. With single quorum device clusters, there is no need for the Cluster Service to use the network for internal traffic. You may, however, need to plan for other traffic related to the cluster. For instance, traffic may need to pass the network in both directions to reach a domain controller for authentication.
Planning Server Clusters
439
You should use identical network adapters on all nodes within a cluster network. This means using the same make, model, and firmware version. As for throughput, the public network can require 10Mbps to 100Mbps of throughput, although the private network can require 400Mbps to 1Gbps of throughput.
QLogic’s new HBA system is 2Gbps.
Considerations for networking clusters include ensuring network availability and establishing domain controller access.
Ensuring Network Availability A good design for the cluster network will ensure network availability. Avoid having a single point of failure by configuring two or more cluster networks for internal cluster communication. In fact, Windows Server 2003 does not even support a server cluster with nodes that are connected by just one network. Make sure that each cluster network fails independently of other cluster networks. This means you must use different hardware components for any two networks. With multihomed nodes, the adapters must also reside on separate subnets. The Cluster Service can only see one network adapter per node per subnet, so don’t connect multiple adapters on a single multihomed node to the same network. You can team network adapters (meaning to group them together on multiple ports to a single physical network segment) in order to provide fault tolerance. In fact, this is the single best method to provide fault tolerance to your cluster network. However, teaming network adapters is supported only on networks that aren’t dedicated to internal cluster traffic. For those networks that are dedicated to intra-cluster traffic, there are other ways to provide redundancy, such as by adding a second private network dedicated to the internal cluster traffic.
If you have a communication problem on a cluster network on which you have teamed network adapters, try disabling teaming to see if that resolves the problem.
Establishing Domain Controller Access The Cluster Service account must be validated in the local domain, or the Cluster Service will not start. You must therefore make sure that every node can locate a domain controller. Clustered applications (for example, Exchange Server and SQL Server) may also require account validation. There are three ways in which you could provide domain controller access:
Install cluster nodes as member servers in a Windows Server 2003 domain. Make sure they have a fast, dependable connection to a domain controller.
440
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Put a domain controller within the server cluster if you can’t otherwise provide fast and reliable access.
Install the cluster nodes themselves as domain controllers.
You really want to avoid installing the cluster nodes as domain controllers. A node could be busy functioning as a domain controller, and this could prevent the Cluster Service from accessing the quorum. The Cluster Service might interpret this as a resource failure and initiate a failover. In addition, running too many services takes system resources away from clustered applications. However, if you must configure the cluster nodes as domain controllers, consider the following important points:
At least two nodes in a cluster must be configured as domain controllers, so that you can have failover assurance for the domain controller services.
You have to first run dcpromo to promote a server to a domain controller before adding the node to a cluster.
An idle domain controller also running the Cluster Service can use between 130MB and 140MB of RAM. If replication is required, replication traffic can saturate bandwidth and degrade overall performance.
Cluster nodes that are the only domain controllers need to also be global catalog and DNS servers. The DNS servers must support dynamic updates.
If you redistribute the single-master operation roles among the nodes, and a node fails over, the single-master operation roles that the failed node was providing will be unavailable. (By default, the first domain controller takes on the single-master operation roles in a Windows Server 2003 domain.)
Be very, very careful if you have to demote a domain controller that also happens to be a cluster node, because this action changes the security settings and causes certain domain accounts and groups to revert back to the default built-in accounts and groups. For example, the SID for the Domain Admins group will change to the local Administrators group. This can create problems validating the Cluster Service.
Be cautious when applying global policy settings to a domain controller; these settings could interfere with the cluster role.
Planning Network Load Balancing NLB is a special type of server clustering that provides availability and scalability for TCP- and UDP-based applications by distributing application load across multiple servers. NLB is frequently implemented to load balance Web applications. For instance, server farms of IIS servers can be created to balance the load of client requests as well as to provide fault tolerance. Unlike standard server clusters, NLB works on all editions of Windows Server 2003.
Planning Network Load Balancing
441
NLB and Round Robin DNS You are the network administrator for Contoso. The company is going to expand its Internet presence and will deploy a new high-volume Web site for e-commerce running on IIS 6. You need to determine how to make this happen. Remember that NLB offers scalability through one of two methods. You could scale out applications within a single cluster, or you can scale out by using multiple clusters. In the case of multiple clusters, you would then distribute the client traffic across the multiple NLB clusters in the Web farm by using round robin DNS. You build a test lab and determine that your current network infrastructure can support up to seven clustered hosts on each VLAN. Client traffic is expected to be very heavy, so you want to reserve 45 total cluster hosts to handle the traffic. This means you’ll need to scale out to seven clusters. The Web farm is listed in DNS as www.contoso.com. The DNS zone for contoso.com contains multiple entries for www.contoso.com, with each entry pointing to an NLB cluster in the Web farm. In this system, round robin DNS distributes client traffic among the separate clusters, and NLB then distributes client traffic within the clusters. With this solution, you can take individual cluster hosts offline, but you need to make sure that you do not take entire clusters offline, because round robin DNS will continue directing traffic to those clusters and clients will experience service interruptions.
With NLB, each node runs a separate instance of the application. NLB transparently distributes client requests across the various cluster hosts. NLB can also work together with round robin DNS to distribute client traffic across multiple clusters. Clients access the cluster through one or more virtual IP addresses. The cluster appears to clients as a single server. The most important distinction between planning server clusters and planning NLB is that NLB is intended for stateless applications such as Web applications and VPNs. NLB provides fault tolerance through redundant cluster hosts that provide the same applications and services. You should also include application-level monitoring, for instance with Microsoft’s Application Center 2000. To provide a complete high-availability solution, you should include the following components in addition to NLB:
Use fault-tolerant hardware, such as redundant and hot-swappable components.
442
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Ensure that the network infrastructure itself is fault tolerant.
Use only signed device drivers and software within the cluster.
Employ application-level monitoring for clustered applications. We’ll discuss monitoring and remotely administering NLB next.
Monitoring NLB NLB can be monitored by using the Network Load Balancing Manager, as shown in Figure 9.15. You open the NLB Manager from the Start menu by choosing Start Administrative Tools Network Load Balancing Manager. FIGURE 9.15
The Network Load Balancing Manager
By right-clicking the server, you can access its Properties dialog from the context menu (see Figure 9.16). You can configure host parameters, cluster parameters, cluster IP addresses, and port rules using the various tabs of the Properties dialog box. Notice that you can configure properties at the cluster level or at the individual node level. By right-clicking the cluster, you can access its Properties dialog from the context menu (see Figure 9.17). You can configure cluster parameters, cluster IP addresses, and port rules using the various tabs of the Properties dialog box.
Planning Network Load Balancing
FIGURE 9.16
An NLB Cluster Node’s Properties page
FIGURE 9.17
An NLB Cluster’s Properties page
443
The first tab shown is the Cluster Parameters tab. On this tab, you can set the IP address and subnet mask for the cluster as well as the full Internet name in the format cluster.domain.com. You can also set either Unicast or Multicast mode. Notice that this tab is where you enable the checkbox to Allow Remote Control.
444
Chapter 9
Planning, Implementing, and Maintaining Server Availability
The Cluster IP Addresses tab, shown in Figure 9.18, is simply where you would add the IP addresses of additional nodes in the cluster. The Port Rules tab, shown in Figure 9.19, is where you can define port rules to direct TCP and UDP traffic. A single default rule is shown, and you can edit or add rules as needed. FIGURE 9.18
The Cluster IP Addresses tab
FIGURE 9.19
The Port Rules tab
Planning Network Load Balancing
445
Figure 9.20 displays the Add/Edit Port Rule dialog box, reached by clicking either the Add or Edit button. You can choose to apply the rule to a single IP address within the cluster or to all addresses in the cluster. You can specify a port range (the default includes all 65,536 ports, from 0 to 65,535). You can choose to apply the port rule to TCP, UDP, or both types of traffic. FIGURE 9.20
The Add/Edit Port Rule dialog box
The radio buttons in the Filtering Mode section allow you to choose three options:
Multiple Host Filtering specifies that multiple hosts in the cluster handle network traffic for the port rule. This filter mode provides scalable performance in addition to fault tolerance, because you can distribute the network load among the hosts. You can do this equally, or you can indicate that each host should handle a specific load weight.
Single Host Filtering specifies that network traffic for the rule will be handled by a single cluster host according to the specified handling priority. This mode provides port-specific fault tolerance but not scalable performance.
Disabling specifies that the port range blocks all traffic to the specified ports and is used to increase security.
Selecting Multiple Host filtering enables you to specify one of the Affinity options: None, Single, or Class-C. Affinity describes how the cluster handles multiple connections from the same client. These options should be chosen as follows:
Use None (disable affinity) when you want multiple connections from the same client to be able to be handled by any of the nodes in the cluster. This option maximizes scaled performance and provides the most effective load balancing. Use this option with the TCP option and not with the UDP or Both options.
446
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Use Single (the default) to direct connections from the same client to the same cluster host. You need to use this option for applications that maintain session state, such as server cookies.
Use Class-C to direct requests from a Class-C address range to the same cluster host. This option is used when you have multiple proxy servers in use at a client site, making it look as though the client requests are coming from multiple computers. Class C affinity can also be used for applications that maintain session state, such as server cookies; however, you should use Single affinity to maximize scaled performance unless you need the capabilities of Class C.
Administering NLB Remotely You can remotely administer an NLB cluster by using either the Network Load Balancing Manager or by calling nlb.exe from the command line. The Network Load Balancing Manager is the preferred tool for remote administration.
Enabling the remote control option so that you can use nlb.exe for remote administration of NLB introduces a number of security risks and is not advisable.
Other types of remote administration tools such as Windows Management Instrumentation (WMI) can also be used. Terminal Services is not an effective means of administering a node within an NLB cluster because the incoming connection request would simply be assigned to the next available node in the cluster.
Recovering from Cluster Node Failure Performing regular backups of a server cluster is critical to ensure availability. The following sections describe the type of data you’ll need to back up as well as the steps you’ll take in different cluster failure scenarios using the Windows Backup and Recovery Wizard and Automated System Recovery (ASR) to restore data.
Backup Operators do not by default have the necessary rights to create an ASR backup on a cluster node. To grant the group permission to perform this task, add the group to the security descriptor for the Cluster Service by using Cluster Administrator or cluster.exe.
Backing Up Cluster Data A server cluster requires four critical groups of data to operate: Cluster Disk Signatures and Partitions You can back up the cluster disk signatures and partitions using Automated System Recovery in the Backup Wizard. Do this before you back up the
Recovering from Cluster Node Failure
447
actual data on the server cluster nodes. This is needed to restore the signature of the quorum disk. For example, you may later experience a complete system failure, and the signature of the quorum disk may have changed since the last backup. Cluster Quorum Data When you back up data on a server cluster node, you should also back up the cluster quorum data. The cluster quorum contains the current cluster configuration, Registry information, and the cluster recovery log. You can back up this data by using the Backup Wizard to perform a System State data backup from any node on which the Cluster Service is running. Data on the Cluster Disks To back up all cluster disks owned by a node, perform a full backup from that node. You cannot back up a cluster disk on a remote computer, only on a local node. Data on the Individual Cluster Nodes You don’t need to back up the quorum on all nodes; you can back up the cluster quorum disk on just one node. A System State Data backup automatically backs up the quorum data as long as the Cluster Service is running. You’ll want to make sure to back up application data as well.
Recovering from Cluster Failure You might encounter several different failure scenarios that will require you to restore the cluster. The steps you must take are determined by the type of failure experienced. If the cluster just isn’t functioning as it should after a configuration change, you can simply roll back the cluster to an earlier configuration by using Windows Backup. In the following sections, you’ll learn how to recover from many different types of cluster node failure.
Cluster Disk Data Loss If you’ve lost files and folders on one of your cluster disks, but not on the disk containing the cluster quorum, you can use the Windows Backup and Recovery Wizard to restore that data. You must restore the cluster disk data from the node that owns the cluster disk.
Cluster Quorum Corruption In the case of corrupted files on the quorum disk, or a failed quorum disk, the cluster nodes will be able to boot, but the Cluster Service will fail to start because the quorum resource cannot come online. You must follow the steps in the appropriate scenario listed below to recover. If you’ve recovered from quorum corruption by creating a new quorum log, some resources may fail to come online and the configuration data may be out of sync. This means you’ll have to restore the matching checkpoints before the quorum resource can come back online. One way you can do this is by restoring the cluster quorum as described in the following scenarios.
Cluster Disk Corruption or Failure If a cluster disk cannot come online, you can run the chkntfs command to determine if the disk is corrupted.
448
Chapter 9
Planning, Implementing, and Maintaining Server Availability
The Windows Server 2003 Resource Kit contains utilities that will enable you to restore a corrupted cluster disk without any downtime. Otherwise, you can simply use Windows Backup to restore the cluster disk, but this procedure will have to be performed offline. If you have an ASR backup for the node, use the confdisk utility from the Windows Server 2003 Resource Kit, along with Windows Backup, to restore the data on the cluster disk.
If you use the confdisk utility to restore your cluster disks, the checkpoints may not match.
If you do not have an ASR backup for the node, use the Cluster Recovery utility from the Windows Server 2003 Resource Kit and start the Cluster Service with the /fixquorum startup parameter. After the restored node comes back online, restart the Cluster Service on the remaining nodes. In a cluster quorum disk failure, the cluster nodes can boot up, but the Cluster Service fails to start because the quorum resource cannot come online. Entries in the Event Log indicate hardware failures. To recover from this failure, you would use the same tools and methods as for a cluster disk failure. As an alternative, you can create a new quorum on another node, restart the cluster using the /fixquorum Cluster Service startup parameter, and switch to the new quorum resource.
Single Cluster Node Corruption or Failure If a node cannot join the cluster and the Event Log indicates that the cluster database on the local node is corrupted, you can perform a System State data restore on that node to replace the local cluster database. As an alternative, copy the latest checkpoint file (named CHK###.TMP) from the quorum disk to the Windows\Cluster directory. Next, rename the file as clusdb, and finally, restart the Cluster Service on that node. If the node failure is due to system disk or other hardware failure, follow these steps to rebuild the node and rejoin the cluster: 1.
Move all cluster resource groups to other nodes.
2.
Replace the failed hardware.
3.
Perform an ASR restore on the failed node.
4.
Restore the files or application data for that node.
5.
For each cluster group and resource, verify that the newly recovered node appears as a possible owner in Cluster Administrator. Then move a resource group to the newly recovered node and verify that the move is successful.
In the event that you do not have an ASR backup of the node, you would evict the node and then add a new node to the cluster.
Majority Node Set Cluster Failure The majority node set cluster model does not use cluster disks. Instead, the cluster database is stored locally on each node rather than on a cluster disk central to all nodes. To restore the data for individual nodes, simply use the backup set for the node. The Cluster Service
Recovering from Cluster Node Failure
449
will automatically replicate the latest version of the cluster database to all other nodes in the cluster. If you need to restore an older version of the cluster database, follow these steps: 1.
Stop the Cluster Service on all nodes of the cluster.
2.
Delete the local copies of the database on those nodes. This includes all the files under the \MSCS\ folder.
3.
Restore the cluster database to just one node and restart the Cluster Service on every node.
The Cluster Service will automatically replicate the restored version of the cluster database to all other nodes. A split-brain occurs when some of the nodes fail and the cluster loses quorum. In this instance, you can force the remaining nodes to form a quorum and restart the cluster.
If the cluster database is not backed up or the database files are corrupt, you can create new cluster database files on a node by starting the Cluster Service on that node with the /resetquorumlog parameter. Then simply restart the remaining nodes.
Complete Cluster Failure Even in the unlikely event that all nodes fail in a cluster and the quorum disk cannot be repaired, you can still recover the cluster. None of the nodes will be able to boot, so you must follow these steps to recover: 1.
Use Automated System Recovery on each node in the original cluster to restore the disk signatures and the partition layout of the cluster disks (quorum and nonquorum).
2.
Re-create the original cluster, join all nodes to the cluster, and re-create the original cluster group.
3.
Using the Backup and Recovery Wizard, restore the cluster quorum on all nodes.
4.
Install cluster applications on each cluster node and re-create the cluster resources using the same names as before.
5.
Restore your application data from backup data sets.
If you do not have an ASR backup of each node, you cannot restore the cluster. Instead, you must re-create your cluster from scratch.
450
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Summary In this chapter, you learned:
The uses of server clusters and Network Load Balancing (NLB). Server clusters are used to increase availability. NLB clusters are used to increase scalability.
How to evaluate clustering technologies. The technology you choose depends largely on the applications to be hosted.
How to plan a server clustering deployment. Important considerations include the type of failover policies, cluster model, and quorum type you will implement in your server cluster.
How to plan an NLB deployment. You must understand how to plan the default port rules and how to plan unicast or multicast methods of balancing incoming client requests.
How to monitor NLB clusters, which you accomplish by using the Network Load Balancing Monitor MMC snap-in or the WLBS cluster control utility.
How to recover from a cluster node failure. Recovery tools include Windows Backup, ASR, the chkntfs and confdisk Resource Kit utilities, and the /fixquorum and /resetquorum startup parameters for the Cluster Service.
Exam Essentials Understand the different purposes for server clusters and NLB clusters. Server clusters are used to increase the availability of services and stateful applications such as back-end database and messaging applications. NLB clusters are a special type of clustering technology and are used to increase scalability of services and stateless applications such as front-end Web servers. Know the key considerations in planning a clustering solution. Key considerations include the type of application to be hosted and the levels of availability and reliability and scalability required. Plan a server clustering deployment. Plan a server cluster using given business and availability requirements. Choose failover policies, the cluster model, and quorum type. Plan an NLB deployment. Understand the behavior of the default port rules and when to create a custom port rule. Know whether to balance incoming client traffic using the unicast or the multicast method. Know what tools and services are available to monitor NLB clusters. NLB clusters can be monitored using the Network Load Balancing Monitor MMC snap-in or the WLBS cluster control utility.
Key Terms
451
Be able to recover from a cluster node failure. Know the types of data to back up for clusters. Know how to recover from various types of cluster node failures by using Windows Backup and Restore Wizard and ASR. Know when to use the chkntfs and confdisk utilities and when to use the /fixquorum or /resetquorum startup parameters for the Cluster Service.
Key Terms Before you take the exam, be certain you are familiar with the following terms: affinity
node
asynchronous replication
partitioned applications
availability
quorum resource
cloned applications
reliability
cluster
resource
cluster host
resource group
Cluster Service
scaling out
cluster-aware
scaling up
failback
server clusters
failover
single quorum device cluster
failover pairs configuration
single-instance applications
fault tolerance
split-brain
group affinity
standby server configuration
local quorum cluster
stateful applications
majority node set cluster
stateless applications
majority node set clusters
Storage Area Network (SAN)
multiple-instance application
synchronous replication
N+I configuration
virtual server
Network Load Balancing (NLB) clusters
452
Chapter 9
Planning, Implementing, and Maintaining Server Availability
Review Questions 1.
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution for the Web application server farm to provide higher availability and complete fault tolerance, including recoverability of data. Additionally, you must ensure a strong level of client response time even in the event of a single node failure in order to meet your Quality of Service (QoS) agreement with your business partner. Money is no object; however, you want to spend the least amount necessary to accomplish your objectives. Which of the following options should you implement? A. Use a four-node server cluster in an N+I configuration with hardware-based
RAID-0. B. Use a two-node server cluster in an N+I configuration with hardware-based
RAID-5. C. Use a four-node NLB cluster with hardware-based RAID-5. D. Use a four-node NLB cluster in an N+I configuration. 2.
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution for the Web application server farm to provide high availability and scalability for the e-Commerce operations of the company’s Web site. Additionally, you must ensure that incoming client requests are evenly distributed among available nodes in a way that is transparent to end users. You also want to use existing infrastructure services to accomplish your objective. Which of the following features of DNS will help you to accomplish your objective? A. Stub zones with conditional forwarding B. Zone transfers with LUN masking C. Round robin DNS D. LUN masking with stub zones
Review Questions
3.
453
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution for the SQL Server database application server farm to provide high availability for the order processing operations of the company’s e-Commerce Web site. Additionally, you must ensure that the incoming client requests for data are evenly distributed among available nodes in a way that is transparent to end users. You want to configure the disks to allow for fast data access and data recoverability. You want to use the lowest-cost solution that will enable you to meet your objectives as well as provide for future scalability. Which of the following options should you implement? A. Install Windows Server 2003, Standard Edition and configure a two-node server cluster.
Configure the application to store configuration and user data on a hardware-based RAID-5 array. B. Install Windows Server 2003, Enterprise Edition and configure a four-node server cluster.
Configure the application to store configuration and user data on a hardware-based RAID-5 array. C. Install Windows Server 2003, Web Edition and configure a four-node server cluster.
Configure the application to store configuration and user data on a hardware-based RAID-5 array. D. Install Windows Server 2003, Standard Edition and configure a four-node NLB cluster.
Configure the application to store configuration and user data on a hardware-based RAID-5 array. E. Install Windows Server 2003, Enterprise Edition and configure a four-node NLB cluster.
Configure the application to store configuration and user data on a hardware-based RAID-5 array. F. Install Windows Server 2003, Web Edition and configure a two-node NLB cluster.
Configure the application to store configuration and user data on a hardware-based RAID-5 array. 4.
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution to implement high availability for the back-end database application that your company uses. The application is a proprietary accounting application from a thirdparty vendor. You must choose the appropriate server cluster configuration. Which of the following server cluster configurations is not supported in Windows Server 2003? A. Two-node server clusters on Enterprise Edition B. Four-node server clusters on the 64-bit version of Datacenter Edition C. Four-node server clusters on the 32-bit version of Datacenter Edition D. Two-node server clusters on the 32-bit version of Enterprise Edition
454
5.
Chapter 9
Planning, Implementing, and Maintaining Server Availability
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003, and all clients are Windows XP. You must plan a solution to implement high availability for the back-end database application that your company uses. The application is a proprietary accounting application from a thirdparty vendor. You must choose the appropriate server cluster configuration. Which of the following options describe benefits of the N+I configuration for a server cluster? Choose two. A. Achieves the highest level of availability of all failover policies. B. Optimizes the hardware investment. C. Good for handling multiple failures. D. Each node is guaranteed an idle failover node.
6.
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution to implement high availability for a back-end database application used for order processing. You decide to implement a four-node server cluster. Because of severe budgetary restrictions, you are forced to use two existing domain controllers as part of the solution. Which of the following options describes a recommended configuration for this deployment? (Choose all that apply.) A. Ensure that a minimum of 128MB of RAM is on the nondedicated servers. B. The servers must also be global catalog servers. C. You must configure all four servers as domain controllers in order to have failover
assurance for the domain controller services. D. You must promote a cluster node to a domain controller by using the Active Directory
Installation Wizard before you create a cluster on that node or add it to an existing cluster. E. You can easily demote the domain controllers when the budget permits you to buy new,
dedicated servers. 7.
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution to implement high availability for the messaging application servers. You need to ensure that you design the cluster network appropriately. Which of the following options describes a configuration recommendation for the cluster network? A. You can configure multihoming nodes as long as the adapters reside on the same subnet. B. Teaming network adapters on all cluster networks concurrently will provide fault
tolerance and load balancing. C. You should design each cluster network so that it fails independently of other cluster
networks. D. Windows Server 2003 does not support grouping network adapters on multiple ports
to a single physical segment to provide fault tolerance to your cluster network.
Review Questions
8.
455
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You must plan a solution to implement high availability for the database application servers, which are located at two sites. You need to ensure that you design the cluster network appropriately. You are choosing between the synchronous and asynchronous methods of replication. Which of the following options describes a configuration recommendation for replication? A. Geographically dispersed server clusters must never use asynchronous replication
unless the order of I/O operations is preserved. B. For every disk, there are two master copies in asynchronous replication. C. In synchronous replication, I/O operations are completed immediately. D. With asynchronous replication, the data at one site can never be out of date with respect
to the other site at any point in time. 9.
You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You need to plan a strategy for remote administration of your NLB cluster using the least amount of administrative effort. The security administrator advises you that you must plan the securest possible remote administration strategy that provides the least amount of privilege necessary to accomplish all of the server administration tasks. She further advises you that it is not acceptable to introduce any new security risks such as a Denial of Service (DoS) attack on the clustered computers. Which of the following options should you implement? A. Use a scripted solution with Windows Management Instrumentation (WMI) to call the
nlb.exe program. Monitor the servers only from a Windows Server 2003 computer. B. Enable the remote control option on all nodes in the cluster. Use the Network Load
Balancing Manager to call the nlb.exe program. C. Enable the remote control option on only the primary node in the cluster. Use the
Network Load Balancing Manager to call the nlb.exe program. D. Use the Network Load Balancing Manager to remotely monitor the clustered servers. 10. You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You are planning the recovery strategy for your server farm of SQL Server 2003 computers. The SQL Server computers are configured in a four-node server cluster. Your current backup plan includes a System State data backup for all servers, including the clustered computers. Choose three of the following options to ensure that all of the data is backed up on the SQL Server 2003 computers. Each option represents a partial solution. A. The disk signatures and partitions of the cluster disks B. The cluster quorum data C. The data on the cluster disks D. The data on the individual cluster nodes
456
Chapter 9
Planning, Implementing, and Maintaining Server Availability
11. You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You have a server farm of Exchange Server 2003 computers configured in a four-node server cluster. Performance has suddenly degraded, and you confirm that one of the cluster disks cannot come online. Which of the following steps should you take first to attempt to resolve this problem? A. Use the confdisk utility to restore your cluster disks. B. Use the Cluster Recovery utility from the Windows Resource Kit and start the Cluster
Service with the /fixquorum startup parameter. C. Create a new quorum on another node, restart the cluster using the /fixquorum Cluster
Service startup parameter, and switch to the new quorum resource. D. Create a new quorum on another node, restart the cluster using the /resetquorum Cluster
Service startup parameter, and switch to the new quorum resource. E. Run the chkntfs command to determine if the disk is corrupted. 12. You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You have a server farm of SQL Server 2003 computers configured in a majority node set cluster. A split-brain occurs, and the cluster loses quorum. The Event Log indicates that the cluster database on the local node is corrupted. List the two steps you must take in the order in which you must take them in order to resolve this problem. Each step represents a partial solution. Force the remaining nodes to form a quorum and restart the cluster. Restore the cluster database to just one node. Restore the cluster database to all nodes. Replicate the restored version of the cluster database to all other nodes. Start the Cluster Service on that node with the /resetquorumlog parameter to create new cluster database log files. Start the Cluster Service on all nodes with the /resetquorumlog parameter to create new cluster database log files. Start the Cluster Service on that node with the /fixquorumlog parameter to create new cluster database log files. Start the Cluster Service on all nodes with the /fixquorumlog parameter to create new cluster database log files. Stop the Cluster Service on all nodes of the cluster. Restart the remaining nodes. Delete the local copies of the database on those nodes.
Review Questions
457
13. You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You have a server farm of SQL Server 2003 computers configured in a four-node server cluster. Performance has suddenly degraded, and you confirm that one of the cluster disks cannot come online. Further troubleshooting indicates that the problem is due to a disk controller failure. You do not have an ASR backup of the node. List the two steps you must take in the order in which you must take them to resolve this problem. Each step represents a partial solution. A. Run the chkntfs command to determine if the disk is corrupted. B. Create a new quorum on another node, restart the cluster using the /fixquorum Cluster
Service startup parameter, and switch to the new quorum resource. C. Create a new quorum on another node, restart the cluster using the /resetquorum Cluster
Service startup parameter, and switch to the new quorum resource. D. Evict the node. E. Use the confdisk utility to restore your cluster disks. F. Use the Cluster Recovery utility from the Windows Resource Kit and start the Cluster
Service with the /fixquorum startup parameter. G. Add a new node to the cluster. 14. You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You have a server farm of Exchange Server 2003 computers configured in a four-node server cluster. One of the nodes cannot join the cluster. You isolate the problem to a system board failure on the local node. You have an ASR backup of the node. Indicate the five steps you must take in the order you must take them to recover from this problem. Each step presents a portion of the solution. Perform an ASR restore on the failed node. Perform a System State Data restore on the failed node to replace the local cluster database. Replace the failed hardware. Evict the node on which the failure occurred. Rename the checkpoint file to clusdb. Move a resource group to the newly recovered node and verify that the move is successful. Move all cluster resource groups to other nodes. Restart the cluster service on that node. Add a new node to the cluster. Copy the latest checkpoint file from the system quorum disk to the Windows\Cluster directory. For each cluster group and resource, verify that the newly recovered node appears as a possible owner in Cluster Administrator. Restore the files or application data for that node.
458
Chapter 9
Planning, Implementing, and Maintaining Server Availability
15. You are the system administrator for your company. The company runs Active Directory in Native mode. All servers are Windows Server 2003 and all clients are Windows XP. You have a server farm of Exchange Server 2003 computers configured in a four-node server cluster. One of the nodes cannot join the cluster. The Event Log indicates that the cluster database on the local node is corrupted. You have an ASR backup of the node. You need to recover this node as quickly as possible. Indicate the three steps you must take in the order you must take them to recover from this problem. Each step presents a portion of the solution. Perform an ASR restore on the failed node. Perform a system state restore on the failed node to replace the local cluster database. Replace the failed hardware. Evict the node on which the failure occurred. Rename the checkpoint file to clusdb. Move a resource group to the newly recovered node, and verify that the move is successful. Move all cluster resource groups to other nodes. Restart the Cluster Service on that node. Add a new node to the cluster. Copy the latest checkpoint file from the system quorum disk to the Windows\Cluster directory. For each cluster group and resource, verify that the newly recovered node appears as a possible owner in Cluster Administrator. Restore the files or application data for that node.
Answers to Review Questions
459
Answers to Review Questions 1.
C. NLB clusters are designed for stateless applications, such as Web application servers, and provide greater scalability and availability, but they do not provide fault tolerance for data. For this reason, you should implement a four-node NLB cluster with hardware-based RAID-5. Options A and B are incorrect because server clusters are designed for stateful applications such as back-end database and messaging applications. Option D is wrong because it does not provide for the recoverability of data. For this you need a separate solution, ideally hardware-based RAID-5.
2.
C. Round robin DNS is the feature of DNS that distributes client traffic to the clusters, and then NLB distributes client traffic within the cluster. LUN masking is a method used to configure server clusters to allow for port-level zoning. It uses logical disks implemented at the controller level to provide access control. Stub zones, conditional forwarding, and zone transfers are all features of DNS, but they are not related to distributing incoming client traffic within an NLB cluster.
3.
B. Stateful applications such as back-end database server applications are good candidates for server clustering. Server clusters are only supported on 32-bit versions of the Enterprise and Datacenter Editions of Windows Server 2003. NLB is used for stateless applications such as Web application servers.
4.
B. Windows Server 2003 supports up to eight nodes in a server cluster on the 32-bit versions of Enterprise and Datacenter Editions.
5.
A, C. Benefits of the N+I configuration include providing the highest level of availability of all failover policies, and providing good failover for handling multiple failures.
6.
B, D. Ideally, you should not run domain controller services within a cluster of database application servers. However, if you cannot use fully dedicated servers, you must promote a cluster node to a domain controller by using the Active Directory Installation Wizard before you create a cluster on that node or add it to an existing cluster.
7.
C. Best practices for designing cluster networks include designing each cluster network so that it fails independently of other cluster networks.
8.
A. Geographically dispersed server clusters must never use asynchronous replication unless the order of I/O operations is preserved. If this order is not preserved, the data that is replicated to the second site can appear corrupt to the application and be totally unusable.
9.
D. The Network Load Balancing Manager is the best solution for remote administration of an NLB cluster. Other potential options include WMI or the nlb.exe program. However, the nlb.exe program requires that you enable the remote control option and introduces security risks such as data tampering, denial of service (DoS), and information disclosure.
10. A, C, D. A System State data backup includes the cluster quorum data. In order to ensure that all data is backed up, you must add the following to the backup plan: the disk signatures and partitions of the cluster disks, the data on the cluster disks, and the data on the individual cluster nodes.
460
Chapter 9
Planning, Implementing, and Maintaining Server Availability
11. E. The first step you should take when a cluster disk cannot come online is to run the chkntfs command to determine if the disk is corrupted. 12. Start the Cluster Service on that node with the /resetquorumlog parameter to create new cluster database log files. Restart the remaining nodes. A split-brain occurs when some of the nodes fail and the cluster loses quorum. In this instance, you can force the remaining nodes to form a quorum and restart the cluster. If there is no backup of the cluster database or the database files are corrupt, you can create new cluster database files on a node by starting the Cluster Service on that node with the /resetquorumlog parameter. Then simply restart the remaining nodes. 13. D, G. In the event that a node cannot join the cluster due to a hardware failure, and you do not have an ASR backup of the node, you would evict the node and then add a new node to the cluster. 14. Move all cluster resource groups to other nodes. Replace the failed hardware. Perform an ASR restore on the failed node. Restore the files or application data for that node. For each cluster group and resource, verify that the newly recovered node appears as a possible owner in Cluster Administrator, then move a resource group to the newly recovered node and verify that the move is successful. Because the problem has been isolated to a hardware failure, you would follow these steps to recover: First, move all cluster resource groups to other nodes. Next, replace the failed hardware. Perform an ASR restore on the failed node. Restore the files or application data for that node. Finally, for each cluster group and resource, verify that the newly recovered node appears as a possible owner in Cluster Administrator, and then move a resource group to the newly recovered node and verify that the move is successful. If you did not have an ASR backup of the node, you would evict the node and then add a new node to the cluster. 15. Copy the latest checkpoint file from the system quorum disk to the Windows\Cluster directory. Rename the checkpoint file to clusdb. Restart the Cluster Service on that node. If a node cannot join the cluster and the Event Log indicates that the cluster database on the local node is corrupted, you can copy the latest checkpoint file (named CHKxxx.TMP) from the quorum disk to the Windows\Cluster directory. Next, rename the file as clusdb, and finally, restart the Cluster Service on that node. As an alternative, you could perform a System State Data restore on that node to replace the local cluster database. However, in this situation, you need to recover as quickly as possible, so the first option is preferable.
Chapter
10
Planning Network Security MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan security for data transmission.
Secure data transmission between client computers to meet security requirements.
Secure data transmission by using IPSec.
Plan secure network administration methods.
Create a plan to offer Remote Assistance to client computers.
Plan for remote administration by using Terminal Services.
Plan a backup and recovery strategy.
Identify appropriate backup types. Methods include full, incremental, and differential.
Plan a backup strategy that uses volume shadow copy.
Plan system recovery that uses Automated System Recovery (ASR).
With the need for connectivity expanding beyond the network to encompass a variety of remote users, the potential for security compromises is increasing. Today’s networks face a number of security threats just as they face the ever-increasing need for connectivity. A critical part of your role involves planning secure network access. You can provide IP-level security to defend against network attack and protect IP packets by using IPSec policies. IPSec provides data encryption, mutual authentication, packet filtering, and data integrity. Windows Server 2003 has introduced several new tools for planning, managing, and troubleshooting IPSec. You can implement IP protocol security through the IP Security Policy Management snap-in or through the Group Policy under Computer Configuration Windows Settings Security Settings IP Security Policies on the local machine or within Active Directory. IPSec policies can be monitored through the IP Security Monitor snap-in, and you can determine how the IPSec effective policy is affecting a local machine via the Resultant Set of Policy (RSoP) snap-in. In this chapter, we'll also cover remote administration. Remote administration functionality has improved as the Windows server operating systems evolved, making it easier for an administrator to keep tabs on his network even from his own desktop. Windows Server 2003 now offers two new remote administration features: Remote Desktop and Remote Assistance. Remote Desktop is used to administer both server and client computers, and it enables you to take remote control of a remote computer. Remote Assistance is a type of help desk tool that offers a means for end users to request assistance from an expert user. In this chapter, we’ll round out our coverage of planning a network infrastructure in Windows Server 2003 by exploring the techniques and best practices for IPSec policy management and remote administration.
We covered backup and recovery in Chapter 3, “System Recovery and Web Services.” Please review that chapter for more information on the objectives related to those topics.
Evaluating IP Security The original specifications for the IP protocol made no provisions for protocol security. As the Internet expanded, it became clear that robust authentication and privacy protection were
Evaluating IP Security
463
essential needs. As the installed base of IP-capable devices grew, so too did the complexity of devising a security protocol that would interoperate with those devices. The Internet Engineering Task Force (IETF) devised a solution, and the result was the Internet Protocol Security Extensions (IPSec). In the late 1990s, vendors began releasing products that applied the IP Security Extensions to IPv4, version 4 of the IP specification and the current version of IP for most TCP/IP networks. Internet Protocol security (IPSec) is a framework of open standards for ensuring private, secure communications over IP networks, through the use of cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. Like TCP/IP, IPSec is vendor-neutral. Microsoft considers IPSec to be the long-term direction for secure networking.
Major vendors, including Microsoft, Cisco, Nortel, and RSA Security, are shipping IPSec products. However, the standard itself is in transition, so if you are considering implementing IPSec in a mixed-vendor network, you must ensure that all devices can communicate with each other.
IPSec provides services that are similar to Secure Sockets Layer (SSL), but far more powerful. IPSec operates at the network layer as a set of extensions to the basic Internet Protocol (IP). This enables protocol security to extend to all protocols in the IP suite and to be completely transparent to applications. Any IP protocol can be used over IPSec. You can create encrypted tunnels (VPNs) or just encrypt traffic between computers. IPSec scales gracefully to meet the needs of networks of all sizes. IPSec is based on an end-to-end security model that establishes trust and security from a source to a destination IP address. What this means is that only the sending and receiving computers need to know anything about the traffic being secured. They assume that the data is being transmitted over an unsecure medium, and each handles security at its own end. Other computers that would only route the data don’t even have to support IPSec, assuming that there is no firewall-type packet filtering or NAT happening between the two computers. Secure end-toend links are provided for private network users within or across the enterprise boundary. Enterprise scenarios in which IPSec can now be deployed, therefore, include:
Client/server and peer-to-peer LANs
Router to router and gateway to gateway across a WAN
Remote access, including dial-up and VPN clients
An IPSec client is the computer that attempts to establish a connection to another machine, and an IPSec server is the target of that connection. Any Windows 2000, XP, or Windows Server 2003 computer may be an IPSec client or server. IPSec provides two crucial services: a method for computers to decide if they trust each other (authentication) and a method to keep network data private (encryption).
IKE is discussed in RFC 2409. Refer to RFC 1825 for additional information on IPSec.
464
Chapter 10
Planning Network Security
Windows Server 2003 implements IPSec as policy-based security through Group Policy. You can set policies that configure individual computers, groups of computers within an organizational unit or domain, or all Windows 2000, XP, or Server 2003 computers on your network. IPSec policies are applied either to the local computer or within Active Directory to objects such as computers, domains, sites, and OUs. You create policies through a combination of rules, actions, and filters. Rules govern how and when an IPSec policy applies to communication. Through rules, you can secure communications based on the source, destination, and type of IP traffic. This is known as IP packet filtering. IPSec can be used in one of two modes:
Transport mode is the default mode and uses IPSec for end-to-end communications to encrypt or authenticate a direct connection between two computers. Network traffic is protected before it leaves the originating machine, and it remains secured until it is decrypted by the receiving machine. Transport mode encrypts only the payload. Typical IP payloads include TCP segments, UDP messages, and ICMP messages.
Tunnel mode encrypts traffic that passes through a tunnel established by L2TP. Tunnel mode encrypts the entire IP packet (both the header and the payload).
In the following sections, we will look at the fundamentals of IPSec, how to use IPSec, and how to plan an IPSec Deployment.
In this chapter, and on the exam, assume that the phrase “IPSec Tunnel mode” refers to the use of IPSec for tunneling, not for VPN traffic. L2TP usually refers to “L2TP/IPSec.”
IPSec Fundamentals IPSec has two goals. First, it defends against network attacks by providing packet filtering and secure authentication to enforce trusted communication. Second, it protects IP packets by providing data encryption. IPSec accomplishes its goals through a combination of cryptography-based protection services, security protocols, and dynamic key management. It can even be used to block receipt or transmission of specific traffic types. IPSec can be used to achieve data security by the following means:
Data encryption
Data integrity
Mutual authentication
Packet filtering Next you’ll see how IPSec provides protection through authentication and encryption.
Authentication Authentication protects your network, and the data it carries, from tampering. This tampering might take the form of a malicious attacker sitting between a client and a
Evaluating IP Security
465
server, altering the contents of packets (the so-called “man in the middle” attack), or it might take the form of an attacker joining your network and impersonating either a client or a server. IPSec uses an authentication header (AH) to digitally sign the entire contents of each packet. This signature provides three separate benefits: Protection against Replay Attacks If an attacker can capture packets, save them until a later time, and send them again. They can impersonate a computer after that computer is no longer on the network. This is called a replay attack. IPSec’s authentication mechanism prevents replay attacks by including the sender’s signature on all packets. Protection against Tampering Tampering is a form of attack that involves altering data in transit. IPSec’s signatures provide data integrity, meaning that interlopers can’t selectively change parts of packets to alter their meaning. Protection against Spoofing Spoofing is a form of attack in which an attacker assumes the identity of another computer. Authentication refers to the process of a client or server verifying another machine’s identity. IPSec authentication headers provide authentication because each end of a connection can verify the other’s identity. Encryption Authentication protects your data against tampering, but it doesn’t do anything to keep people from seeing it. For that, you need encryption, which actually obscures the payload (data) contents so that a man in the middle can’t read the traffic as it goes by. To accomplish this, IPSec provides the Encapsulating Security Payload (ESP). ESP is used to encrypt the entire payload of an IPSec packet, rendering it undecipherable by anyone other than the intended recipient. ESP only provides confidentiality, but it can be combined with AH to gain maximum security. The following sections cover IPSec in Windows Server 2003, IPSec protocols, security methods, IPSec policy components, and the default policies used in IPSec.
IPSec in Windows Server 2003 The IPSec implementation in Windows Server 2003 involves a large number of changes to the TCP/IP stack. Microsoft’s IPSec implementation is actually licensed from, and was written by, Cisco, and therefore it guarantees good compatibility with other standards-based IPSec clients. In the following sections, we’ll introduce new features of IPSec in Windows Server 2003, including new management consoles, Group Policy, RSoP, support for L2TP/IPSec, NAT support, certificate to account mapping, default traffic exemptions, and command-line management with netsh.
Configuring IPSec with the New Management Consoles In Windows Server 2003, IPSec policies are configured using the IP Security Policy Management MMC snap-in and monitored using the IP Security Monitor MMC snap-in. IPSecmon is no longer used to manage IP security. You’ll learn how to use the management consoles later in this chapter. The IP Security Policy Management MMC snap-in is covered in the section titled “Implementing IPSec.”
466
Chapter 10
Planning Network Security
Applying IPSec through Group Policy Windows Server 2003 has some other features that make IPSec more useful. In a large network of heterogeneous computers, computers can automatically take advantage of IPSec if both parties to a communication session support IPSec. You also want to ensure that the security settings you want are applied to all IPSec-capable machines. With Windows NT, and with most other operating systems, that could require hand-configuring each IPSec computer to use the settings you want. Windows Server 2003 enables you to streamline this configuration process by using Group Policy. First, you specify the IPSec settings you want to use on your network. Then, each Windows 2000, XP, or Server 2003 computer runs a service called the IPSec Policy Agent. When the system starts, the Policy Agent connects to an Active Directory server, fetches the IPSec policy, and then passes it to the IPSec code.
You will learn more about the IPSec Policy Agent later in this chapter in the section titled “Deploying IPSec Policies.”
Using the Resultant Set of Policy (RSoP) The Resultant Set of Policy tool (also known as RSoP) is a new feature of Group Policy, and it enables you to accomplish two very important tasks:
To view the results of a set of policies before you actually apply them
To view the current policy set in effect on a remote computer
This new policy analyzer enables an administrator to forecast the effective result of multiple policies before deploying them throughout the network. This functionality will enable you to quickly and effectively implement policies that ensure secure data transmission without preventing communication from occurring.
L2TP and NAT Support You can now use Layer Two Tunneling Protocol over IPSec (L2TP/IPSec), which enables you to implement an IPSec-based VPN, or you can allow an IPSec connection to pass through a NAT, which benefits you if you want to use IPSec-protected applications across a NAT interface. Windows Server 2003 supports L2TP/IPSec for the highest possible protocol security. Clients that support 128-bit encryption keys can use L2TP/IPSec. You should set a standard for your remote users to encrypt data with the highest level of data encryption possible. Windows XP and the Windows Server 2003 family support 128-bit encryption keys. Older clients (such as Windows 98 with the latest service pack) can also handle L2TP/IPSec. IPSec ESP packets can now pass through NATs that allow UDP traffic. IPSec over NAT functionality is a great new feature that allows the following deployment options:
L2TP/IPSec VPN clients that are behind NATs can now use IPSec ESP transport mode to establish IPSec-secured communications over the Internet.
RRAS servers can establish gateway-to-gateway IPSec tunnels when one of the RRAS servers is behind a NAT.
Clients and servers can send IPSec-secured TCP and UDP packets to other clients or servers using IPSec ESP transport mode when one or both computers are behind a NAT.
Evaluating IP Security
467
Certificate-to-Account Mapping When you enable certificate-to-account mapping in IPSec, IKE maps a computer certificate to a computer account in Active Directory. If you use either Kerberos or certificate authentication, you can allow or deny the following computers access to a Windows Server 2003 server:
Computers that are members of a specific domain.
Computers with a certificate from a specific issuing certification authority.
A specific computer or groups of computers. In this case, you restrict access by configuring Group Policy security settings and assigning either the “Access this computer from the network” or the “Deny access to this computer from the network” user right to a computer or group of computers.
Default Traffic Exemptions Security is dramatically improved in Windows Server 2003 because only IKE traffic, which is required for establishing secure communication, is exempted from IPSec filtering. You can set specific filters for broadcast and multicast traffic. IPSec does not negotiate security associations (SAs) for broadcast or multicast traffic.
Command-Line Management with netsh The netsh command has a new context: the netsh IPSec context, which replaces the Ipsecpol.exe tool from the Windows 2000 Server Resource Kit. This enables you to script and automate IPSec configuration. There are many commands available that you can use to configure IPSec. Two of the security features you can configure for greatly increased security are computer startup security and persistent policy. IPSec now provides stateful filtering of network traffic during system startup to limit traffic to DHCP traffic, outbound traffic initiated by the computer, and responses to that traffic. You can exempt other traffic types from this filtering. You can also use netsh to create and apply a persistent policy that the IPSec Policy Agent will apply to the computer before any local or Active Directory–based policies. A persistent policy remains in effect regardless of whether other policies are applied. This enables you to secure a computer in the event that another policy cannot be applied.
IPSec Protocols IPSec appears to be a single protocol, but it’s actually implemented using three different protocols plus a number of Windows Server 2003 drivers and services, all of which will be discussed in the following sections.
Local or Active Directory–based policies add to the persistent policy (if configured). If there is a conflict between a persistent policy and either a domain or a local policy, the persistent policy will prevail.
468
Chapter 10
Planning Network Security
ISAKMP The Internet Security Agreement/Key Management Protocol (ISAKMP) provides a way for two computers to agree on security settings and exchange a security key that they can use to communicate securely. Information is secured with a combination of an algorithm and a key. Internet Key Exchange (IKE) services dynamically exchange and manage keys between computers. IKE also dynamically negotiates a common set of security settings, so it is not necessary for both parties to have identical IPSec policies defined. Dynamic rekeying during exchanges over unsecured session pipes blocks most impersonation and interception attacks. A security association (SA) provides all the information needed for two computers to communicate securely. The SA contains a policy agreement that controls which algorithms and key lengths the two machines will use (for instance, it can say use 128-bit RC5 and SHA-1), plus the actual security keys used to securely exchange information. Think of this agreement like a contract: It specifies what each party is and is not willing to do as part of the agreement. This process has two steps. First, the two computers use the ISAKMP to establish a security agreement. This is called the ISAKMP SA. To establish the ISAKMP SA, the two computers must agree on the following three things:
Which encryption algorithm (DES, triple DES, 40-bit DES, or none) they’ll use
Which algorithm they’ll use for verifying message integrity (MD5 or SHA-1)
How connections will be authenticated: using a public-key certificate, a shared secret key, or Kerberos
Once the ISAKMP SA is in place, the two machines can use the Oakley protocol to securely agree on a shared master key. This key, called the ISAKMP master key, is used along with the algorithms negotiated in the ISAKMP SA to establish a secure connection. After the secure connection is brought up, the two machines start another round of negotiations. These negotiations cover the following:
Whether the Authentication Header protocol will be used for this connection
Whether the Encapsulating Security Payload protocol will be used for this connection
Which encryption algorithm will be used for the ESP protocol
Which authentication protocol will be used for the AH protocol
After these negotiations are finished, the two machines end up with two new SAs: one for inbound traffic and another for outbound traffic. These SAs are called IPSec SAs to distinguish them from the ISAKMP SA. At this point, Oakley is used again to generate a new set of session keys. The master ISAKMP key is used whenever new SAs are negotiated; once the SA negotiation finishes, though, the communications using that SA are protected using the SA-specific keys.
The Authentication Header (AH) The AH protocol provides data integrity and authentication, but how? The answer lies in how the IPSec packet is actually constructed. Figure 10.1 shows a sample AH packet (note that this example shows a TCP packet, but AH works the same way for UDP).
Evaluating IP Security
FIGURE 10.1
469
An AH packet
IP
AH
TCP
GET /index.html
signature
Two features lend AH its security. The first security feature is that the packet signature (which is contained in the AH itself) is computed on the entire packet: payload and headers. That means that an attacker can’t modify any part of the packet, including the IP or TCP/UDP header. The second security booster is that the AH is placed between the IP header and the TCP or UDP header; this adds further tamper-proofing.
The Encapsulating Security Payload (ESP) The ESP protocol is designed to deliver message confidentiality. Take a look at a sample ESP packet, shown in Figure 10.2, to see how it accomplishes this. FIGURE 10.2
An ESP packet
signature IP
ESP header
application data
ESP trailer
ESP auth
encryption
The first thing you’ll probably notice is that this packet is more complex in construction than the AH packet, because ESP alone provides authentication, replay-proofing, and integrity checking. It does so by adding three separate components: an ESP header, an ESP trailer, and an ESP authentication block. Each of these components contains some of the data needed to provide the necessary authentication and integrity checking. To prevent tampering, an ESP client must sign the ESP header, application data, and ESP trailer into one unit; of course, ESP is used to encrypt the application data and the ESP trailer to provide confidentiality. The combination of this overlapping signature and encryption operation provides good security.
Security Methods Each IPSec connection uses a security method, which is a prespecified encryption algorithm with a negotiated key length and key lifetime. You can use one of the two predefined security methods (High or Medium), or you can create your own by specifying which security protocols (AH or ESP), encryption algorithms, and key lifetimes you want to use for a particular connection. When your computer is negotiating with a remote IPSec peer, the ISAKMP service works its way down the list of methods you’ve specified and attempts to use the most secure method first. The first method on which both ends agree is used. Windows Server 2003 supports the DES and 3DES encryption algorithms. 3DES is more secure than DES because it encrypts each block of data three times with three different keys.
470
Chapter 10
Planning Network Security
IPSec Policy Components An IPSec policy is a set of one or more rules that determine IPSec behavior. There is no method for specifying the order in which to apply rules in a policy. The IPSec driver automatically orders rules based on the most-specific to least-specific filter list. For example, a rule containing a filter list specifying individual IP addresses and ports would be applied before a rule containing a filter list that specified all addresses on a subnet. Each rule contains filters and other configurable settings, which will be discussed in the following sections.
Make sure that you understand the purpose and function of the different IPSec policy components. Understand what happens when you configure filter lists and filter actions, and how they will behave in different scenarios.
IP Filter List A security filter ties security protocols to a particular network address. The filter contains the source and destination addresses involved (either for specific hosts or networks, using a netmask), the protocol used, and the source and destination ports allowed for TCP and UDP traffic. For example, you can define a filter that specifies exactly what kind of IPSec negotiations you’re willing to allow when a computer in your domain contacts a computer in the microsoft.com domain. As you might remember from our earlier discussion, IPSec connections have two sides: inbound and outbound. That means that for each connection you need to have two filters: one inbound and one outbound. The inbound filter is applied when a remote computer requests security on a connection, and the outbound filter is applied before sending traffic to a remote machine. Let’s say that you want to create a rule to allow any computer in the globalitcertification.com domain to use IPSec when talking to any computer in the microsoft.com domain. For this to work, you need the following four filters:
A filter for the globalitcertification.com domain for outbound packets with a source of *.globalitcertification.com and a destination of *.microsoft.com. (Yes, you can use DNS names and wildcards in filters.)
A filter for the globalitcertification.com domain for inbound packets, this time with a source of *.microsoft.com and a destination of *.globalitcertification.com.
An inbound filter in the microsoft.com domain that specifies a source of *.globalitcertification.com and a destination of *.microsoft.com.
An outbound filter in the microsoft.com domain that specifies a source of *.microsoft .com and a destination of *.globalitcertification.com.
If any of these filters are missing or misconfigured, the IPSec negotiation process will fail and IPSec won’t be used. If they’re all there, though, when you try to establish an FTP connection from delta.globalitcertification.com to exchange.microsoft.com, the outbound filter on your domain will fire, and it will trigger IPSec to request a security negotiation with Microsoft’s machine. Assuming everything goes well and that the filters are okay, you’ll end up with two IPSec SAs on your machine, and the connection will be secured.
Evaluating IP Security
471
You normally group filters into filter lists for ease of management. Because you can stuff any number of individual filters into a filter list, you can easily build rules that enforce complicated behavior, then distribute those rules throughout your network as necessary. For each rule, a single filter list is selected that contains one or more predefined packet filters that describe the type of traffic to which the configured filter action for the rule is applied.
Filter Action Filters specify a source and destination, but they also need to specify what action should take place when the criteria specified in the filter match. A filter action specifies how traffic matching the filter will be handled (i.e., dropped, encrypted, etc.). You can use the following actions in each filter:
The Permit action tells the IPSec filter to take no action. It neither accepts nor rejects the connection based on security rules, meaning that it adds zero security. This action is sometimes called the passthrough action, since it allows traffic to pass through without modification. In general, you’ll use it for applications like WINS servers, where there’s no securitysensitive data involved.
The Block action causes the filter to reject communications from the remote system. This prevents the remote system from making any type of connection, with or without IPSec.
The Accept Unsecured and Allow Unsecured actions allow you to interoperate with computers that don’t speak IPSec. The Accept Unsecured Communication, But Always Respond Using IPsec policy says that it’s okay to accept unsecured connections but that your machines will always ask for an IPSec connection before accepting the unsecured request. This policy allows you to handle both unsecured and secured traffic, with a preference for IPSec when it’s available. The Allow Unsecured Communication With Non-IPsec Aware Computers action allows your machines to accept unsecure connections without attempting to use IPSec; as such, we recommend that you not use it in favor of the “Accept unsecured” action.
The Use These Security Settings option lets you specify which security methods you want used on connections that trigger this filter. This option allows you to specify custom settings for either individual computers or remote networks.
The filter action rule should be examined to ensure that the cryptographic, hashing, and session key regeneration settings are suitable for a company’s needs.
The upcoming section “Managing Rules with the Rules Tab” discusses when to use, or not use, each of these actions.
Authentication Methods IPSec supports three separate authentication methods: Kerberos version 5, certificates, and preshared keys. Since the first thing an IPSec client and server want to do is authenticate to each other, they need some way to agree on a set of credentials to use. The Windows Server 2003 version of IPSec supports three different authentication methods, which are used only during the initial authentication phase of building the SAs, not to generate encryption keys. We will look at each of these in the following sections.
472
Chapter 10
Planning Network Security
KERBEROS V5
Kerberos v5 is the default authentication method used by Windows 2000, XP, and Server 2003 clients and servers. It’s also the default authentication method for Active Directory. Kerberos replaces the older and less secure NT LAN Manager authentication scheme. Kerberos is a widely supported open standard that offers good security and a great deal of flexibility. Many third-party IPSec products include Kerberos support. Note that only Windows 2000 and Server 2003 domain controllers support Kerberos authentication. Windows 2000 and Server 2003 member servers and NT 4 servers do not. However, if the member server is part of an Active Directory domain, an authentication request is forwarded to a domain controller (DC) and the DC will use Kerberos first to authenticate. Supported clients include Windows 2000, Windows XP Professional, and Windows Server 2003 clients that are members of the same or trusted Active Directory domains. Kerberos engages in mutual authentication (also known as dual verification) to verify both the identity of the user and of network services. Tickets are granted for accessing network services. The process is transparent to the user except when entering a password or smart card credentials. When a Windows Server 2003 is installed as a domain controller, it automatically becomes a Key Distribution Center (KDC). The KDC is responsible for holding all of the client passwords and account information. Kerberos services are also installed on each Windows Server 2003 client and server. The Kerberos v5 authentication process works as follows: 1.
The client authenticates to the KDC using a password or smart card.
2.
The KDC issues the client a ticket-granting ticket (TGT). The client can use the TGT to access the ticket-granting service (TGS), which allows the user to authenticate to services within the domain.
3.
The TGS issues a service ticket to the clients.
4.
The client presents the service ticket to the requested network service. This service ticket authenticates the user to the service and the service to the user, for mutual authentication.
Clients use a DNS lookup to locate the nearest DC, which then becomes the preferred KDC during the user’s logon session.
Kerberos v5 is not supported on Windows XP Home clients or on any clients that are not members of an Active Directory domain.
PUBLIC KEY CERTIFICATES
A public key infrastructure (PKI) provides certificate-based authentication of computers and resolves many security problems by presenting security credentials without compromising them in the process. Public key certificates are like digital passports. They are used to verify the identities of nonWindows computers, standalone computers, computers that do not belong to a trusted domain, and computers that do not support Kerberos v5. Public key certificates can be used in situations including Internet access, remote access to corporate resources, extranets, and with computers that do not run Kerberos v5.
Evaluating IP Security
473
At least one trusted certification authority and associated certificate must be configured. Windows 2000, XP, and Windows Server 2003 support X.509 version 3 certificates, including computer certificates generated by commercial certification authorities. When you use certificate-based authentication, each end of the connection can use the other’s public certificate to verify a digitally signed message. This provides great security, with some added overhead and infrastructure requirements. As you add machines to a domain in Windows Server 2003, they’re automatically issued machine certificates that can be used for authentication. If you want to allow users and computers from other domains or organizations to connect to your IPSec machines, you’ll need to explore certificate solutions that allow cross-organization certification. Certificates enable secure communication with computers that do not belong to a trusted Windows 2000 Server or Windows Server 2003 domain and with non-Windows computers, and they support restricting access to a smaller group of computers than can be accomplished with domain authentication. PRESHARED KEYS
Preshared keys are essentially reusable passwords. The preshared key itself is just a word, code, or phrase that functions as a secret key that both computers share for authentication purposes. The two machines agree to use this key to establish a trust, but they don’t send the plain-text phrase over the network. This method is the simplest to use and must be manually configured. During security negotiation, information is encrypted by using a session key, which is created using a Diffie-Hellman algorithm and the shared, secret key. The same key decrypts the information on the other end. Inside the packet is a hash of the preshared key, and IPSec peers can authenticate each other’s packets by decrypting and verifying the hash. Packets that fail authentication are discarded. Preshared keys are a relatively weak authentication method because the unencrypted key is stored in Active Directory in readable hexadecimal format. It is stored in plain text in the Registry as well. Anyone who can see the key can impersonate the computer. In addition, a weaker form of encryption is produced compared to the other two methods. Microsoft recommends against using it in production. Preshared key authentication is provided for interoperability and adherence to IPSec standards. You should use preshared keys only for testing purposes and use either Kerberos or certificates in production. However, you may need to use this mode to support a third-party IPSec product that doesn’t yet support certificate or Kerberos authentication.
Only one authentication method can be configured between two computers. If there are multiple rules that apply to the same set of computers, make sure that the authentication method is configured identically in all rules so that the pair can use the same method.
Be certain to know which authentication method to use to meet different technical scenarios and objectives.
474
Chapter 10
Planning Network Security
Tunnel Endpoint The tunnel endpoint specifies whether the traffic is tunneled and, if so, the IP address of the tunnel (destination) endpoint.
Connection Type The connection type specifies whether the rule applies to LAN connections, dial-up connections, or both.
Default Policies Windows XP and Windows Server 2003 include three default IPSec policies. These policies are intended to serve as examples and are not intended for operational use without modification. You should create new, custom policies for operational use. (In fact, you’ll have to create your own policies for things like DHCP and remote access servers.) The default policies allow a computer to receive unsecured traffic and are intended for use on intranets in Active Directory domains. There are three default policies:
The Client (Respond Only) policy enables the Windows 2000, XP, or Server 2003 computer on which it is active to respond to requests for secured communications.
The Server (Request Security) policy provides the best balance between security and interoperability. Computers using this policy always request secure communication on outbound requests, but allow unsecured communication with non-IPSec-aware computers.
The Secure Server (Require Security) policy mandates secure IP communications. Only the initial inbound communication request is allowed to be unsecured. In this case, DNS, WINS, Web requests, and all other IP traffic must be secured with IPSec or it will be blocked. This policy is meant for computers on an intranet that require highly secure communications.
Understanding the behavioral differences between the three default policies is extremely important, both for the exam and in real world implementations of IPSec.
The Client (Respond Only) policy has a single rule. This rule is the same as the third rule used in the other two policies. The rule enables a computer to respond to requests for secured communications. The Server (Request Security) policy has three rules. The first rule requests security for all traffic, the second rule permits ICMP traffic, and the third rule responds to requests for security from other computers. The Secure Server (Require Security) policy also has three rules. The first rule requires security for all traffic, the second rule permits ICMP traffic, and the third rule responds to requests for security from other computers. Settings for rules in each of the three default policies are discussed in more detail in the following sections.
Evaluating IP Security
475
Client (Respond Only) The Client (Respond Only) policy has the following settings: FIRST RULE (DEFAULT RESPONSE RULE)
This is the default response rule, which can be used for all policies. The rule is activated by default for all policies and can be deactivated but not deleted. IP Filter List: Indicates that the filter list is not configured, but that filters are automatically negotiated during the IKE negotiation exchange. Filter Action: Default Response The Negotiate Security filter action will be used. Authentication: Kerberos Tunnel Setting: None
Server (Request Security) The Server (Request Security) policy has the following settings: FIRST RULE
IP Filter List: All IP Traffic Filter Action: Request Security (Optional) Authentication: Kerberos Tunnel Setting: None Connection Type: All SECOND RULE
IP Filter List: All ICMP Traffic Filter Action: Permit Authentication: N/A Tunnel Setting: None Connection Type: All THIRD RULE
IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All
476
Chapter 10
Planning Network Security
Secure Server (Require Security) The Secure Server (Require Security) policy has the following settings: FIRST RULE
IP Filter List: All IP Traffic Filter Action: Require Security Authentication: Kerberos Tunnel Setting: None Connection Type: All SECOND RULE
IP Filter List: All ICMP Traffic Filter Action: Permit Authentication: None Tunnel Setting: None Connection Type: All THIRD RULE
IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All The best procedure is to start with the default policies, compare them to your organization’s needs, and adjust the policy settings to meet your specific needs. For example, you may want to use the default policy Secure Server (Require Security) because it requires all outgoing communications to be secured. However, this policy could actually leave you open to a DoS attack. How? The computer will continue to try to negotiate security with all incoming traffic it receives.
To protect against a DoS attack while using the default policy Secure Server (Require Security), you could clear the checkbox Accept Unsecured Communication But Always Respond Using IPSec on the Filter Action, Security Methods page on the server, and configure the clients to initiate security with the server rather than use the default response rule.
You assign policies to computers in a number of ways. The easiest way is to store the policy in Active Directory and let the IPSec Policy Agent take care of applying it to the applicable machines. Once an IPSec policy is assigned to a computer through Active Directory, it remains assigned—even after the computer leaves the site, domain, or organizational unit (OU) that gave it the original policy—until another policy is provided. You can also assign policies directly to individual machines. In either case, you can manually unassign policies when you no longer want a policy in place on a specific machine.
Evaluating IP Security
477
You must be able to determine which policy to choose for computers in different roles, as well as on which computers you will apply a given default or custom policy within an Active Directory hierarchy.
IPSec in Practice Let’s see how the process actually works in practice. As an example, a computer named NYCCLIENT2 will establish a connection to a file server named NYCSERVER1. NYCCLIENT2 and NYCSERVER1 are both members of the same Windows Server 2003 domain, so they can use the Windows Server 2003 default of Kerberos authentication. Keep in mind that this entire process is utterly transparent to users on both machines, as well as applications and even most intervening routers and network devices. When NYCCLIENT1 boots, the IPSec Policy Agent service starts. It connects to Active Directory and downloads the current IPSec policy for the domain. If this connection attempt fails, NYCCLIENT1 will keep trying until it successfully retrieves an IPSec policy. When the policy is retrieved, policy settings are passed to the ISAKMP/Oakley subsystem and to the actual IPSec drivers in the kernel. When NYCCLIENT1 initially attempts to make a connection to any foreign machine, its IPSec driver will check the active IPSec policy to see whether any IP filters are defined. These filters specify destination networks, traffic types, or both; for the destination or traffic type, the filter also specifies whether IPSec is mandatory, optional, or forbidden. After NYCCLIENT1’s IPSec driver determines that it’s allowed to use IPSec when talking to computers on NYCSERVER1’s subnet, it will use ISAKMP to establish an ISAKMP SA with NYCSERVER1. When NYCSERVER1 sees the incoming ISAKMP request from NYCCLIENT1, its ISAKMP service replies to the request, and the two computers negotiate an ISAKMP SA as described earlier. This SA includes a shared secret key that can be used to establish connection-specific SAs. Now that an ISAKMP SA has been established, the two computers have everything they need to establish a pair of IPSec SAs. Once those negotiations are complete, each computer has two IPSec SAs in place: one for outbound traffic and one for inbound. NYCCLIENT1’s request (whatever it is) is processed by its IPSec stack. IPSec uses AH and/ or ESP to protect the outbound packets, and then it transfers them to the lower-level parts of the IP stack for delivery to NYCSERVER1. When NYCSERVER1 gets the packets, its IPSec stack will decrypt them (if necessary), verify their authenticity, and pass them up the TCP/IP stack for further processing.
Planning an IPSec Deployment When you evaluate IPSec for your organization, you should consider some potential disadvantages. If you decide to use IPSec policies, you have many things to consider when deploying them. We’ll discuss these topics in the following sections.
478
Chapter 10
Planning Network Security
Considerations for Planning IPSec The following are some factors to consider when determining whether and how to deploy IPSec in your organization:
IPSec-knowledgeable IT staff members must be available to plan, configure, modify, assign, deploy, and troubleshoot IPSec policies.
The sophisticated cryptographic functions IPSec performs are processor-intensive. Some network interface cards (NICs) are capable of performing these calculations on-board and can be used to speed performance and offload your CPU.
A Group Policy plan and ideally an Active Directory infrastructure should be in place.
Non–Active Directory environments require a public key infrastructure (PKI) or defined procedures for computers to obtain certificates.
Non–Active Directory environments require a plan for deploying local computer policies on each computer to execute an IPSec policy.
Deployment Options for IPSec Policies IPSec policies can be deployed by using local policies or Active Directory. Both options can be used in heterogeneous client environments. In addition, the netsh IPSec command can be used to configure persistent policies. This option would come in handy if you want to ensure IP security whether or not a local or Active Directory–based policy can be found.
Deploying IPSec with Local Computer Policies Each Windows XP, Windows 2000, or Windows Server 2003 computer has a local Group Policy Object (GPO) known as the Local Computer Policy. Local policies are defined in the Registry and can include standalone computers and computers that do not belong to a trusted Windows 2000 or Windows Server 2003 domain. Local policies can also be used in Active Directory environments, but they will be overwritten if a GPO exists for the computer’s site, domain, or an OU to which it belongs. If IPSec policies are not configured in the Active Directory GPO, however, the local policy’s IPSec settings will not be overwritten. Local policies can be used if there is no Active Directory infrastructure in place or if there is no need to deploy IPSec policies automatically to a large number of computers in an Active Directory environment. Here are a few important facts to note when considering deploying IPSec through local computer policy:
If you use local policies and choose not to use Kerberos, or if Active Directory has not been installed, then determine if there is a certificate infrastructure set up that can be used as an authentication method.
With a Microsoft certificate authority, you can use autoenrollment to automatically store computer certificates as an actual property of an Active Directory computer account. As an alternative, you can manage computer certificates manually for any computers that need them.
You will need to determine how to deploy IPSec policies, because you can’t use Active Directory to do so. Policies have an import and export feature with which you can copy them to multiple computers.
Implementing IPSec
479
Deploying IPSec with Active Directory–Based Policies IPSec policies can be assigned to a GPO that is then applied to a site, domain, or OU. The IPSec policy is propagated to all computers affected by that GPO. Active Directory–based policies are managed using the IP Security Policy Management console or the netsh command. Use Active Directory to deploy IPSec policies if there is an Active Directory infrastructure in place, if there is a substantial number of computers requiring IPSec policy assignment, and/or if you want to centralize the IPSec strategy for the company. Use local policies in the opposite scenarios. Here are a few important facts to note when considering deploying IPSec within Active Directory:
You can reduce administrative effort and configuration by using the highest possible level of the Active Directory hierarchy to assign a policy.
The list of all IPSec policies will be available to assign at any level in the Active Directory hierarchy.
Only one IPSec policy can be assigned at any given level in Active Directory.
If needed, you can create new OUs to organize your computer accounts, then apply a GPO to the OU to enforce IP security.
IPSec policies from different OUs are never merged.
Active Directory–based policies are added to a persistent policy, if configured, and override local policies.
IPSec policies must be included with the Group Policy backup strategy for Active Directory in order to maintain consistency.
Policies remain in effect unless they are unassigned, so you should unassign a policy before deleting that policy object.
Active Directory–based policy can be managed using the IP Security Policy Management console or by using the netsh command with the IPSec context. More considerations for Active Directory environments are discussed in the section titled “Deploying IPSec Policies” later in this chapter.
Implementing IPSec The components necessary for a Windows Server 2003 computer to act as an IPSec client are already installed by default when you install Windows Server 2003. However—also by default—there’s no policy that requires the use of IPSec, so the default behavior for Windows Server 2003 machines is not to use it. The good news is that you don’t really have to “install” IPSec; you just have to open the tool you use to manage it, and then start assigning policies and filters to get the desired effect. In the following sections, you’ll learn how to use the IP Security Policy Management Console, how to manage and configure IPSec policies, and how to configure IPSec for tunnel mode.
480
Chapter 10
Planning Network Security
Using the IP Security Policy Management Console IPSec is managed through the IP Security Policy Management snap-in (which we will refer to as the IPSec snap-in from now on). There’s no prebuilt MMC console that includes this snap-in, so you need to create one by opening a MMC console and adding the snap-in to it. When you install the IPSec snap-in, you must choose whether you want to use it to manage a local IPSec policy, the default policy for the domain your computer is in, the default policy for another domain, or the local policy on another computer. This gives you an effective way to delegate control over IPSec policies, should you choose to do so. Exercise 10.1 leads you through the process of installing the snap-in for managing a local policy and then activating IPSec on the local computer. This process in and of itself doesn’t do much to improve your security posture, because all it does is enable your local computer to accept IPSec connections from other computers. The real payoff comes when you start applying IPSec policies in Active Directory, which you’re about to do. You can configure IPSec by modifying the default policies, creating your own policies that embody the rules and filters you want to use, and controlling how policies are applied to computers in your management scope. Because Group Policy management is outside the range of this book, the following sections will focus instead on how you customize and control the IPSec settings themselves. EXERCISE 10.1
Network Protocol Security and Enabling IPSec on the Local Computer 1.
Select Start Run and type mmc to launch MMC.exe. An empty MMC console window appears.
Implementing IPSec
481
EXERCISE 10.1 (continued)
2.
Select the File Add/Remove Snap-In command. When the Add/Remove Snap-In dialog box appears, click the Add button.
3.
In the Add Standalone Snap-In dialog box, scroll through the snap-in list until you see the one marked IP Security Policy Management. Select it and click the Add button.
482
Chapter 10
Planning Network Security
EXERCISE 10.1 (continued)
4.
The Select Computer dialog box appears. Select the Local Computer (which is the default setting) radio button, and then click the Finish button.
5.
Click the Close button in the Add Standalone Snap-In dialog box.
6.
Click the OK button in the Add/Remove Snap-In dialog box.
7.
Select the IP Security Policies On Local Computer node in the MMC. Note that the right pane of the MMC lists the three predefined policies discussed earlier in this chapter.
Implementing IPSec
483
EXERCISE 10.1 (continued)
8.
Right-click the Server (Request Security) policy and choose Assign.
9.
Verify that the entry in the Policy Assigned column for the selected policy has changed to Yes. If the policy is assigned but not applied, a message will indicate this in the Policy Assigned column as shown.
Managing Policies You manage policies at a variety of levels, depending on where you want them applied. However, you always use the IPSec snap-in to manage them, and the tools you use to create new policies or edit existing ones are the same whether you’re using local or Active Directory policy storage. The following sections will discuss creating and deploying IPSec policies.
Creating a Policy You create new policies by right-clicking the IP Security Policies folder in the snap-in and choosing the Create IP Security Policy command. That activates the IP Security Policy Wizard, which allows you to create a new policy, but you still have to manually edit the policy settings after it’s created.
If you choose not to use the default response rule, the wizard will skip the steps described in the following text and take you directly to the completion page.
The first page of the wizard basically tells you what the wizard does. The second page allows you to enter a name and description for the policy. We will look at the rest of the IP Security Policy Wizard in the following sections.
Setting the Default Response Rule The Requests For Secure Communication page, shown in Figure 10.3, asks you whether you want to use the default response rule or not. The default rule governs security when no other filter rule applies. For example, let’s say you’ve set up security filters to accept secure connections from *.microsoft.com, *.cisco.com, and *.apple.com. When your server gets an incoming IPSec request from delta.globalitcertification.com, you’d probably expect IPSec to
484
Chapter 10
Planning Network Security
reject the connection—and it will, unless you leave the default response rule turned on. That rule will basically accept anyone who requests a secure connection. Paradoxically, for maximum security, you might want to turn it off so that you only accept IPSec connections from known hosts. However, you can customize the settings associated with the default rule; that’s the wizard’s primary purpose. FIGURE 10.3
The Requests For Secure Communication page
Choosing an Authentication Method for the Default Response Rule If you choose to use the default response rule, you still have to configure an authentication method for it. To do so, you use the Default Response Rule Authentication Method page, as shown in Figure 10.4. You can choose one of the three authentication methods mentioned earlier; by default, Kerberos is selected, but you can choose a certificate authority or a preshared key instead. (If you choose to use a preshared key, make sure that you enter the same key on both ends of the connection.)
Finishing the Policy Wizard When you complete the IP Security Policy wizard, the completion page contains a checkbox labeled Edit Properties. This is the most interesting part of the wizard because it gives you access to the actual settings embedded within the policy.
Deploying IPSec Policies So far, you’ve read only about managing policies that apply to the local computer. You can also use the IPSec snap-in to create and manage policies that are stored in Active Directory, from which they can be applied to any computer or group of computers in the domain.
Implementing IPSec
FIGURE 10.4
485
The Default Response Rule Authentication Method page
You actually accomplish this application by completing these three separate, but related, steps: 1.
Target the IPSec snap-in at Active Directory, and then open it while logged on with a privileged account.
2.
Edit or create the policy you want to apply using the tools in the snap-in.
3.
Use the Group Policy snap-in to attach the policy to a site, domain, or organizational unit.
The first two steps are discussed throughout this chapter, but you should first take a minute to read about the third step. Because you can assign group policies to any site, domain, or organizational unit, you have the ability to fine-tune IPSec policy throughout your entire organization by using an appropriately targeted policy. For example, in Active Directory Users And Computers, you can create an organizational unit and then create a new Group Policy object (GPO) that applies only to that OU. Finally, you can change the settings in that GPO so they enforce the IPSec policy you want applied to computers in that OU. You don’t actually use the IPSec snap-in to assign policies; you use it to configure them and to create policies that live in Active Directory. When you want to actually apply a policy to some group in the directory, you use the Group Policy snap-in itself. Exercise 10.2 explains how to assign an existing policy as the default policy for a domain. In this exercise, you will configure a default IPSec policy for all domain computers. You must have administrative access to the domain for this to work. EXERCISE 10.2
Enabling IPSec for an Entire Domain 1.
Select Start Run and type mmc to launch MMC.exe. An empty MMC console window appears.
2.
Select the File Add/Remove Snap-In command. When the Add/Remove Snap-In dialog box appears, click the Add button.
486
Chapter 10
Planning Network Security
EXERCISE 10.2 (continued)
3.
In the Add Standalone Snap-In dialog box, scroll through the snap-in list until you see the one marked Group Policy Object Editor. Select it and click the Add button.
4.
The Select Group Policy Object dialog appears. Click the Browse button to bring up the Browse For A Group Policy Object dialog box.
5.
Select the Default Domain Policy and click the OK button. We do not recommend that you choose Default Domain Policy for testing purposes in a production environment!
6.
Click the Finish button in the Select Group Policy Object dialog box.
7.
Click the Close button in the Add Standalone Snap-In dialog box, and then click the OK button in the Add/Remove Snap-In dialog box.
8.
Expand the Default Domain Policy node until you find the IPSec settings by selecting Default Domain Policy, Computer Configuration, Windows Settings, Security Settings, IP Security Policies On Active Directory (domain name).
Implementing IPSec
487
EXERCISE 10.2 (continued)
9.
Select the IP Security Policies On Active Directory (domain name) item. The right side of the MMC window lists the available policies, including the three predefined policies and any new ones you’ve added using the IP Security Policy Wizard and then imported.
10. Right-click the Server (Request Security) policy and select Assign. Notice that the Policy Assigned column for that policy now reads Yes.
11. Save the console on the desktop (using Save As) and name it IPSec.msc. This console will be used in Exercise 10.3.
The following sections will discuss the order in which rules are applied, assigning and unassigning IPSec policies, forcing a Group Policy update, and importing and exporting IPSec policies.
The Order in Which Rules Are Applied IPSec policies are subject to the same rules to which other objects assigned by group policy are subject. Even though this book isn’t about group policy objects, understanding those rules is useful so you’ll know how IPSec policy assignment really works. The first rule is simple: A policy applied at the domain level will always override a policy assigned to the local computer (when you’re logged on to the domain, of course). The second rule is equally simple: A policy applied to an organizational unit always takes precedence over domain-level policies. That means that if you have conflicting policies at the domain and OU levels, the settings in the OU policy will be used. This of course assumes that overrides are not used. The third rule is a little more complex: If you have a hierarchy of OUs set up in Active Directory, the policy for the lowest-level OU overrides the others. For example, let’s say you have an OU named Sales, with subordinate OUs for North America and South America. If you assign
488
Chapter 10
Planning Network Security
two different IPSec policies to the Sales and North America OUs, the North America settings will override for the users and/or computers in this OU. The fourth rule is subtle but important: If you assign an IPSec policy through Group Policy and then remove the Group Policy Object that assigned the policy, the policy remains in effect. When the IPSec Policy Agent looks for the policy while the GPO is missing, the agent assumes that the GPO server is temporarily unavailable. It then uses a cached copy of the policy, which means that you have to unassign the policy before removing the GPO that assigns it, and then either refresh the policy on each client computer or wait for the automatic refresh to take place.
Assigning and Unassigning IPSec Policies Whether you’re defining policies that affect one computer or a multinational enterprise network, you assign and unassign IPSec policies the same way—by right-clicking the policy in question and using the Assign and Unassign commands. Assigning a policy makes it take effect the next time IPSec policies are refreshed—you may recall that the IPSec Policy Agent downloads the policy information for a computer when the computer is restarted. If you’re using Group Policy to distribute your IPSec settings, you can force a policy update using the Group Policy snap-in.
Remember to unassign IPSec policies before you delete them. Otherwise the policy will remain in effect, but you will be unable to manage it.
Forcing a Group Policy Update If you want to force one computer to update its IPSec policy, just stop and restart the IPSec Policy Agent service on that machine. When the service starts, it attempts to retrieve the newest available policy from Active Directory or the local policy store. Once the policy has been loaded, it’s immediately applied. Restarting the policy agent forces it to retrieve and reapply the correct policy—this can be useful when you’re trying to troubleshoot a policy problem, or when you want to be sure that the desired policy has been applied. By default, the IPSec Policy Agent will retrieve policies every 180 minutes anyway, although you can change that setting (as you’ll see in a bit). Alternatively, you can use the gpupdate/ target:computer /force command to refresh the local computer’s policy settings.
Importing and Exporting IPSec Policies You can take actions on IPSec policies by right-clicking IP Security Policies; the context menu that appears allows you to rename them, delete them, or import and export them. These latter commands might seem unnecessary, but they occasionally come in handy if you’re not using Active Directory. For example, let’s say you have a small network of computers using Windows 2000 and XP Professional. You can create local IPSec policies on one machine, and then export them and import them on the remaining machines. Doing so ensures a consistent set of IPSec policies without requiring that you have an Active Directory domain controller present.
Implementing IPSec
489
Planning an IPSec Strategy to Secure Communications Between Business Partners You are the system administrator of TravelSoft, a software development company specializing in applications for the travel industry. Management has just informed you that the company will be teaming up with Go2theMoon, a former rival, in a joint venture to produce a new XMLbased Web portal service designed for travel agencies. This new alliance means that source code will need to be shared. This is a highly competitive area, and you are informed that it is imperative that all data transmissions between the two companies occur over a secure connection. A conference call with the other company’s IT Director gets you the rest of the technical details you need to know. You learn that like you, she is running Windows Server 2003 in Native mode and is employing IPSec to secure other data transfers. You create inbound and outbound security filters for both domains. First, you create an outbound security filter with the source: TravelSoft.com and destination: Go2theMoon.com. The other administrator creates a security filter with the exact opposite configuration. Next, you create an inbound security filter with the source: Go2theMoon.com and destination: TravelSoft.com. The other administrator creates an inbound security filter with the exact opposite configuration. This enables both companies to control the IPSec security protocols and designate IPSec communication between the two company networks. A final consideration is the need to ensure that service packs match. Both companies are using SMS for enterprise software configuration management, so you agree on an automated strategy for maintaining service packs to ensure compatibility.
Configuring IPSec Policies Once you create a new policy using the IP Security Policy Wizard, you still have to customize it to make it do anything useful. You do this with the policy Properties dialog box, from which you can add, remove, and manage rules, filter lists, and security actions. The Properties dialog box has two separate tabs. The General tab covers general policyrelated settings like the policy name, and the Rules tab gives you a way to edit the rules associated with the policy. We will look at each in the following sections. We’ll also explore managing filter lists and actions.
Setting General Properties The General tab of the IPSec policy Properties dialog box (see Figure 10.5) is accessed by rightclicking the policy and selecting Properties. With this tab, you can change the policy name and description, which appear in the IPSec snap-in. It’s a good idea to use meaningful names for your policies so that you’ll remember what each one is supposed to be doing.
490
Chapter 10
FIGURE 10.5
Planning Network Security
The General tab of the IPSec policy Properties dialog box
The Check For Policy Changes Every: X Minutes field lets you change the interval at which clients who use this policy will check for updates. The default value of 180 minutes is okay for most applications because you’re unlikely to be changing the policies that frequently. The Settings button allows you to change the key exchange settings used by this particular policy, via the Key Exchange Settings dialog box, as shown in Figure 10.6. You can use the controls in this dialog box to control how often the policy requires generation of new keys, either after a certain amount of time (8 hours by default) or a certain number of sessions. The Master Key Perfect Forward Secrecy (PFS) option specifies whether or not you want to re-authenticate the SA for every session. Enabling this option provides a higher level of security than leaving it disabled, but performance could be adversely affected. FIGURE 10.6
The Key Exchange Settings dialog box
Implementing IPSec
491
The Methods button displays a list of security methods that will be used to protect the key exchange. The method list included when you create a new policy always tries the highest-level security first, such as 3DES, and then it drops down to less secure methods if the remote end can’t handle them.
Managing Rules with the Rules Tab The Rules tab of the IPSec policy Properties dialog box allows you to change the rules included with the IPSec policy. Take a look at Figure 10.7, and you’ll see what the rule set for the Server (Request Security) policy looks like. FIGURE 10.7
The Rules tab of the Server (Request Security) Properties dialog box
Here are the most important things to recognize on this tab:
There are three rules, each of which ties a filter list to a filter action and authentication method. A single policy can contain an arbitrary number of rules. Having a number of rules that are applied in different situations is common. Having many different policies defined in a single Active Directory domain or local policy store is also common.
Each rule has a checkbox next to it that controls whether or not the rule is actually applied. You can use these checkboxes to turn on or off individual rules within a policy.
The Add, Edit, and Remove buttons let you manipulate the list of rules. Note that rules aren’t evaluated in any particular order, so there’s no way to reorder them.
The Use Add Wizard checkbox controls whether or not the Security Rule Wizard is used to add a new rule (by default, this box is checked). When it’s unchecked, you’ll go to the rule’s Properties dialog box to set up things by hand.
492
Chapter 10
Planning Network Security
The Edit Rule Properties dialog box, which is associated with each rule, has five different tabs. You’ll see this dialog box when you select a rule and click the Edit button, or when you create a new rule with the Use Add Wizard checkbox cleared. The wizard basically asks you questions and fills out the tabs for you, so knowing what settings belong with each rule will enable you to successfully create them by hand or with the wizard’s help. Therefore, instead of going through each step of the wizard, you should know what’s on each tab.
The IP Filter List Tab The IP Filter List tab, as seen in Figure 10.8, shows which filter lists are associated with this rule. You manage which filter lists exist using a separate set of tools, which will be covered in a later section. For now, it’s enough to know that all the filter lists defined on your server will appear in the filter list; you can choose any one of them to be applied as a result of this rule. If you like, you can add or remove filter lists here or in the Manage IP Filter Lists And Filter Actions dialog box, which is covered in the next section. FIGURE 10.8
The IP Filter List tab of the Edit Rule Properties dialog box
The Filter Action Tab The Filter Action tab, seen in Figure 10.9, shows all of the filter actions defined in the policy; you can apply any filter action to the rule. Remember that you combine one filter list with one filter action to make a single rule, but you can group any number of rules into one policy. The Add, Edit, and Remove buttons do what you’d expect. The Use Add Wizard checkbox controls whether adding a new filter action fires up the corresponding wizard (which you’ll get to in the next section) or dumps you into the Properties dialog box.
Implementing IPSec
FIGURE 10.9
493
The Filter Action tab of the Edit Rule Properties dialog box
The Authentication Methods Tab The Authentication Methods tab, seen in Figure 10.10, allows you to define one or more authentication methods that you want a particular rule to use. You can have multiple methods listed; if so, IPSec will attempt to use them in the order of their appearance in the list (thus the Move Up and Move Down buttons). You have the same three choices mentioned earlier: Kerberos, certificates, or preshared keys.
The Tunnel Setting Tab Use the Tunnel Setting tab to specify that this rule forms an IPSec tunnel with another system (or tunnel endpoint).
You’ll read more about it in the section on configuring IPSec in Tunnel mode, later in this chapter (see the section “Configuring IPSec for Tunnel Mode”).
494
Chapter 10
FIGURE 10.10
Planning Network Security
The Authentication Methods tab of the Edit Rule Properties dialog box
The Connection Type Tab The Connection Type tab, as seen in Figure 10.11, allows you to specify to which kind of connections this IPSec rule applies. For example, you might want to specify different rules for dialup and LAN connections depending on who your users are, from where they’re connecting, and what they do while connected. FIGURE 10.11
The Connection Type tab of the Edit Rule Properties dialog box
Implementing IPSec
495
You use three radio buttons to select which type of connections this rule applies to. The All Network Connections button is selected by default, so when you create a new rule, it will apply to both LAN and remote access connections. If you only want the rule to cover LAN or RAS connections, just select the corresponding radio button.
Managing Filter Lists and Actions Although you can manage IP filter lists and filter actions from the Edit Rule Properties dialog box, using the management tools provided in the IPSec snap-in makes more sense. This is because the filter lists and actions live with the policy, not inside individual rules, the filter lists and actions you create in one policy scope (say, the default domain policy) are available to all policies within that scope. While you can manage filter lists and filter actions using the corresponding tabs in the Edit Rule Properties dialog box, this obscures the fact that these items are available to any policy. Instead, you can use the Manage IP Filter Lists And Filter Actions command from the context menu (right-click the IP Security Policies item or anywhere in the right-hand pane of the IPSec snap-in). This command displays the Manage IP Filter Lists And Filter Actions dialog box, which has two tabs. Most of the items on these tabs are self-explanatory because they closely resemble the controls you’ve already seen. Instead of rehashing the controls in the following sections, we will look at the process of defining a new filter list and an action to go with it.
Adding IP Filter Lists and Individual Filters Windows Server 2003 includes two IP filter lists by default: one for all IP traffic, and one for all ICMP traffic. Perhaps you have more specific needs. For instance, you may want to create an IPSec policy to secure Web traffic between your company and its law firm. You’d first have to open the Manage IP Filter Lists And Filter actions dialog box, at which point you’d see the Manage IP Filter Lists tab shown in Figure 10.12. FIGURE 10.12
The Manage IP Filter Lists tab
496
Chapter 10
Planning Network Security
Because filter lists aren’t used in order, there’s no way to reorder items in the list, although you can add, edit, and remove them using the controls beneath the list. When you edit or add a filter list, you’ll see the IP Filter List dialog box, as shown in Figure 10.13. This dialog box allows you to name and describe the filter list, and then add, remove, or edit the individual filters that make up the list. FIGURE 10.13
The IP Filter List dialog box
When you edit or add an individual filter, you need to know the following:
The source and destination addresses you want the filter to use. These can be single IP addresses, single DNS names (at any level, so that mail.globalitcertification.com, globalitcertification.com, and com are all valid), or IP subnet. You can also use special “my” and “any” addresses (e.g., “My IP Address,” “Any IP Address”) to indicate the source and destination.
Whether you want the filter to be mirrored. A mirrored filter automatically filters its opposite—if you set up a filter from your IP address to a remote address and configure it to allow only port 80, with mirroring you’ll also get a filter that allows traffic from the remote end back to you on port 80.
To which protocols and ports you want the filter to apply. You can choose any protocol type (including TCP, UDP, ICMP, EGP, RDP and RAW), and you can either select individual source and destination ports or use the “any port” buttons you’ll meet in a minute.
You would use the Filter Properties dialog box to get these details. When you use the Add or Edit buttons in the IP Filter List dialog box, you’ll see the Properties dialog box for the appropriate filter (the new one or whichever one you selected before clicking the Edit button). This dialog box has three tabs in it: The Description Tab The Description tab is used for naming and describing the filter. The Address Tab The Addresses tab, as shown in Figure 10.14, is where you specify the source and destination addresses you want this filter to match. For the source address, you can
Implementing IPSec
497
choose to use the IP address assigned to the IPSec server (“My IP Address”), any IP address, a specific DNS domain name or IP address, or a specific IP subnet. Likewise for the destination address, you can choose the IPSec computer’s address, any IP address, or a specified DNS name, subnet, or IP address. You use these in combination to specify how you want the filter to trigger. For example, you could create a rule that says, “Match any traffic from my address to IP address a.b.c.d”. You could also create a rule that does what the “All IP Traffic” filter does: match any traffic from your IP address (on any port) to any destination. You can also use the Mirrored checkbox to specify a reciprocal rule. For example, the mirrored rule of the All IP Traffic rule matches traffic coming from any IP address on any port back to your IP address. Mirroring makes it easy to set up filters that cover both inbound and outbound traffic. FIGURE 10.14
The Addressing tab of the Filter Properties dialog box
The Protocol Tab The Protocol tab, as shown in Figure 10.15, lets you match traffic coming from or sent to a particular port, using a specified protocol. This is useful, because UDP source port 80 and TCP destination port 80 are entirely different. You use the Select A Protocol Type: pull-down menu and the Set The Ip Protocol Port Control group to specify the protocols and ports you want this filter to match.
Adding a New Filter Action The Manage Filter Actions tab, as shown in Figure 10.16, shows you which filter actions are defined in the current group of IPSec policies. You can add, edit, or remove filter actions to meet your needs. As part of Windows Server 2003, you get three filter actions—Permit, Request Security (Optional), and Require Security—that will probably meet most of your needs, but knowing how to create policies yourself instead of depending on Microsoft to do it for you is still a good idea.
498
Chapter 10
Planning Network Security
FIGURE 10.15
The Protocol tab of the Filter Properties dialog box
FIGURE 10.16
The Manage Filter Actions tab
The Add button lets you add new filter actions that can be used in any policy you define. The Use Add Wizard checkbox is normally on, so by default you’ll get the IP Security Filter Action Wizard. However, for now click the Add button with the Use Add Wizard checkbox off. The first thing you see is the Security Methods tab of the New Filter Action Properties dialog box, as shown in Figure 10.17.
Implementing IPSec
FIGURE 10.17
499
The Security Methods tab of the New Filter Action Properties dialog box
You use this tab to select which methods you want this filter action to use. In addition to the Permit and Block methods, you can use the Negotiate Security radio button to build your own custom security methods, choosing whatever AH and ESP algorithms meet your needs. The two checkboxes at the bottom of the Security Methods list control what this IPSec computer will do when confronted with a connection request from a computer that doesn’t speak IPSec. A third checkbox controls the method of generating new session keys. The options include the following:
The Accept Unsecured Communication, But Always Respond Using IPSec checkbox configures this action so that incoming connection requests will always be answered with an IPSec negotiation message. If the other end doesn’t speak IPSec, the computer is allowed to accept the incoming request without any security in place.
The Allow Unsecured Communication With Non IPSec-Aware Computer checkbox configures the action to allow any computer—IPSec-capable or not—to communicate. Any computer that can’t handle IPSec will get a normal, unsecure connection. By default, this box isn’t checked; if you check it, you must be certain that your IPSec policies are set up properly. If they’re not, some computers that you think are using IPSec may connect without security.
The Use Session Key Perfect Forward Secrecy checkbox configures the action to renegotiate new master key keying material every time a new session key is required, rather than deriving new session keys from current master key keying material. Configuring this option provides greater security, but this may come at the expense of performance and throughput.
In Exercise 10.2, you assigned the Server (Request Security) policy so that it would always be used. Now, Exercise 10.3 walks you through modifying the console to better meet your needs. In this exercise, you’ll modify the local computer’s “Server (Request Security)” policy settings to
500
Chapter 10
Planning Network Security
improve its interoperability. By default, all IPSec policies you create will be Transport mode (as opposed to Tunnel mode) policies. This is also true of the default local computer and domain IPSec policies. EXERCISE 10.3
Customizing and Configuring the Local Computer IPSec Policy and Rules for Transport Mode 1.
Open the IPSec policy you saved on your desktop in Exercise 10.2.
2.
Select the IP Security Policies on Active Directory node in the MMC. In the right-hand pane of the MMC, right-click the “Server (Request Security)” policy and choose the Properties command. The Server (Request Security) Properties dialog box appears.
3.
Select the All IP Traffic rule, and then click the Edit button. The Edit Rule Properties dialog box appears. Read the Description.
4.
Switch to the Filter Action tab. Select the Request Security (Optional) filter action, and then click the Edit button. The filter action’s Properties dialog box appears.
5.
Click the Add button. When the New Security Method dialog box appears, click the Custom radio button, and then click the Settings button.
Implementing IPSec
501
EXERCISE 10.3 (continued)
6.
In the Custom Security Method Settings dialog box, check the Data And Address Integrity Without Encryption (AH) checkbox. In the drop-down list, select SHA1. Using the dropdown lists under (ESP), set Integrity to SHA1 and Encryption to 3DES.
7.
First check the Generate A New Key Every checkbox and set the key generation interval to 24,000KB (it must be in the range 20,480–2,147,483,647KB.) Then click the Generate A New Key Every checkbox and specify a key generation interval of 1800 seconds.
8.
Click the OK button in the Custom Security Method Settings dialog box, and then click OK in the New Security Method dialog box.
9.
When the Filter Properties dialog box resurfaces, use the Move Up button to move the custom filter you just defined to the top of the list.
10. Click the OK button in the Filter Properties dialog box. 11. Click the Close button in the Edit Rule Properties dialog box, and then click the OK button in the Server (Request Security) Properties dialog box.
Configuring IPSec for Tunnel Mode To this point, we’ve discussed implementing IPSec in Transport mode. As you read earlier, you can also use IPSec in Tunnel mode. You can use IPSec tunnels to do a number of useful and interesting things. For example, you can establish a tunnel between two subnets—effectively linking them into an internetwork—without requiring a private connection between them. IPSec tunneling isn’t intended as a way for clients to establish remote access VPN connections; instead, it’s what you’d use to connect your Windows Server 2003 network to a remote device (say, a 3Com OfficeConnect ISDN LAN Modem) that doesn’t support L2TP + IPSec or PPTP. You can also build a tunnel that directly connects two IP addresses.
502
Chapter 10
Planning Network Security
Either way, you establish the tunnel by building a filter that matches the source and destination IP addresses, just as you would for an ordinary Transport mode. You can use ESP and AH on the tunnel to give you an authenticated tunnel (AH only), an encrypted tunnel (ESP only), or a combination of the two. You control this behavior by specifying a filter action and security method. However, when you build a tunnel, you can’t filter by port or protocol; the Windows Server 2003 IPSec stack doesn’t support it. To construct a tunnel properly, you actually need two rules on each end: one for inbound traffic and one for outbound traffic. Microsoft warns against using mirroring on tunnel rules; instead, if you want to link two networks (let’s say Atlanta and Seattle), you’d need to specify settings as shown in Figure 10.18. Each side’s rule has two filter lists. The Atlanta filter lists specify a filter for outgoing traffic that has the Seattle router as a tunnel endpoint, and it specifies another filter for incoming traffic from any IP subnet that points back to the Atlanta tunnel endpoint. In conjunction with these filter lists, of course, you’d specify a filter action that provided whatever type of security was appropriate for the connection.
Make sure you understand the technical scenarios in which you would configure IPSec tunnels.
FIGURE 10.18
Filter lists for a simple tunnel
Implementing IPSec
503
You specify whether a connection is tunneled or not on a per-rule basis using the Tunnel Settings tab of the Edit Rule Properties dialog box. Select Server (Request Security), right-click and select Properties, select All IP Traffic and click Edit, and finally click the Tunnel Setting tab, shown in Figure 10.19. The two radio buttons specify whether this rule establishes a tunnel or not. The default button, “This rule does not specify an IPSec tunnel,” is self-explanatory. To enable tunneling with this rule, select the other button, “The tunnel endpoint is specified by this IP address,” and then fill in the IP address of the remote endpoint. FIGURE 10.19
The Tunnel Setting tab of the Edit Rule Properties dialog box
In Exercise 10.4, you’ll configure a policy for IPSec Tunnel mode. This lab requires you to use two separate computers to which you have administrator access. Let’s call them computer A and computer B. Before you start, you’ll need their IP addresses, and you’ll need to have their local IPSec policies open in an MMC console.
504
Chapter 10
Planning Network Security
EXERCISE 10.4
Configuring a Policy for IPSec Tunnel Mode Configure Computer A:
1.
Right-click the IP Security Policies on Local Computer node, and then choose the Create IP Security Policy command.
2.
The IP Security Policy Wizard appears. Click Next.
3.
Name your policy Tunnel to B, and then click the Next button.
4.
On the Requests For Secure Communication page, turn off the Activate Default Response Rule checkbox, and then click the Next button.
Implementing IPSec
EXERCISE 10.4 (continued)
5.
When The Completing The IP Security Policy Wizard page appears, make sure the Edit Properties checkbox is on, and then click Finish. The Tunnel To B Properties dialog box appears. Click the Add button on the Rules tab.
6.
The Welcome To The Create IP Security Rule Wizard begins. Click Next.
505
506
Chapter 10
Planning Network Security
EXERCISE 10.4 (continued)
7.
In the Tunnel Endpoint page, select The Tunnel Endpoint Is Specified By The Following IP Address and enter the IP address of Computer B. Click Next.
8.
In the Network Type page, select Local Area Network (LAN). Click Next.
Implementing IPSec
507
EXERCISE 10.4 (continued)
9.
On the IP Filter List page, select the All IP Traffic radio button. Click Next.
10. On the Filter Action page, select the Request Security (Optional) radio button. Click Next.
508
Chapter 10
Planning Network Security
EXERCISE 10.4 (continued)
11. In the Authentication Method page, select Active Directory Default (Kerberos V5 protocol). Click Next.
12. The Completing The Security Rule Wizard page appears. Make sure the Edit Properties checkbox is checked (the default) and click Finish. The New Rule Properties dialog box appears. Verify the settings that you configured, and click OK to return to the Tunnel to B properties page. Click OK to return to the console.
Planning Secure Remote Administration Methods
509
EXERCISE 10.4 (continued)
Configure Computer B:
1.
Now repeat Steps 1–12 on computer B, creating rules using the appropriate IP addresses and names (for example, Tunnel to A, the IP address to Computer A in Steps 2–7).
Planning Secure Remote Administration Methods Remote administration is an invaluable functionality that reduces administrative effort, empowers IT staff to accomplish more in less time, and increases the efficiency of help desk operations. Windows Server 2003 supports two new remote administration methods: Remote Desktop for Administration and Remote Assistance. Remote Desktop for Administration allows you to remotely administer a Windows Server 2003 server from virtually any computer in the organization. For example, a network administrator at corporate headquarters could access and administer a server located in a remote field office. Remote Assistance is a tool that enables users to request assistance from a technical expert. For example, a junior administrator troubleshooting a Windows Server 2003 Web server in the Network Operations Center (NOC) could ask a more seasoned administrator to remotely walk him through the process. An end user with questions about a feature in the new Microsoft Office suite could ask a help desk specialist to demonstrate the feature for her on her PC. The following sections will cover what you need to know in order to plan a strategy for secure remote administration using Remote Desktop for Administration and Remote Assistance.
You already saw how to configure Remote Desktop in Chapter 4, “Managing Windows Server 2003 Remotely.” This chapter focuses on planning Remote Desktop for Administration, and you should be sure to review and understand the topics in Chapter 4 before continuing.
Planning to Remotely Administer Computers with Remote Desktop for Administration Remote Desktop for Administration (formerly known as Terminal Services in Remote Administration mode) provides remote access to the desktop of any Microsoft Windows Server 2003 computer, allowing you to administer servers on your network from virtually any computer in the world. The Remote Desktop for Administration tool in Windows Server 2003 uses Terminal Services technology and is more powerful than the simplified Remote Desktop version found in Windows XP.
510
Chapter 10
Planning Network Security
Remote Desktop for Administration can be used to troubleshoot organizational computers using a direct network connection, a secure Virtual Private Network (VPN) connection, or a secure remote access connection. Remote Desktop for Administration is used to control a remote computer’s keyboard and mouse input and display the video output on the controlling computer’s monitor. You can create up to two simultaneous remote connections. Each session is independent of other client sessions and the server console session. No additional Terminal Services license is required to run Remote Desktop for Administration. However, computers using Remote Desktop for Administration must meet the following requirements:
The controlled computer (the computer that will be accessed remotely) must be running Windows XP Professional or Windows Server 2003.
The controlling computer (the computer that will access the remote computer) must be running Windows 95 or higher (with Remote Desktop client software) and use Remote Desktop Connection to establish a session with the controlled computer.
An IP connection must be established between the two computers in order to establish a remote control session.
The following sections will cover the security considerations for using Remote Desktop for Administration, components of Remote Desktop for Administration, how to configure both the controlled computer (the remote computer) and the controlling computer (the computer that will be used to access the remote computer), and how to work with Remote Desktop sessions.
Security Considerations for Remote Desktop for Administration Security requirements for Remote Desktop for Administration are increased beyond the inherent security in Windows Server 2003 as follows:
Remote Desktop for Administration is disabled by default in Windows Server 2003 and must be enabled on any controlled computers.
The Remote Desktop Users group is empty by default and must be populated. By default, only members of the Administrators group have remote access privileges. The Remote Desktop Users group allows the same access as the Users group, with the additional ability to connect remotely.
Remote Desktop users should be required to use strong passwords.
To maintain security, servers that will be administered with Remote Desktop for Administration should be located within the corporate firewall. To administer a computer outside of the firewall, you must go through a proxy server.
Remote Desktop for Administration cannot be used to create a connection between two computers that are directly connected to the Internet. You must first establish a secure VPN connection to the internal network before you can establish a remote session via the Internet.
Planning Secure Remote Administration Methods
511
Remote Desktop for Administration provides remote access to the server desktop by using the Terminal Services Remote Desktop Protocol (RDP) on port 3389.
Components of Remote Desktop for Administration Remote Desktop for Administration works with the following components: Remote Desktop Connection or Terminal Services Client The Remote Desktop Connection or Terminal Services client is used to establish sessions with a remote computer. (Remote Desktop Connection is strongly preferred as the client of choice.) Remote Desktop Connection is included with Window XP and Windows Server 2003. Remote Desktops Snap-In The Remote Desktops MMC snap-in is used to manage multiple Remote Desktop connections to terminal servers or to computers running Windows 2000 or Windows Server 2003. Remote Desktop Web Connection The Remote Desktop Web Connection can be deployed on a Web server to provide client connectivity to terminal servers and other computers via Internet Explorer and TCP/IP. Terminal Services Manager The Terminal Services Manager is used to manage and monitor users, sessions, and processes on any terminal server on the network. Terminal Services Configuration The Terminal Services Configuration is used to manage properties for the connections that are configured for the Remote Desktop Protocol (RDP). The connections provide the link clients use to log on to a session on the server for either Remote Desktop for Administration or Terminal Server connections. Terminal Services Group Policies The Terminal Services Group Policies are used to configure individual computers or groups of computers, or to assign policies for Remote Desktop for Administration to users or user groups. Active Directory Users and Computers and Local Users and Groups The Active Directory Users and Computers and Local Users and Groups extensions are used to control Terminal Services features for each user.
The Remote Desktop Connection client can be installed on 32-bit Windows operating systems by connecting to a Terminal Services server and running the client setup program (\servername\Tsclient\Win32\Setup.exe). The Tsclient folder should first be shared. To use Microsoft IntelliMirror to deploy Remote Desktop Connection, use the Msrdpcli.msi file in the systemroot\system32\clients\Tsclient\ Win32 folder. To install Remote Desktop Connection on Windows CE, see the Microsoft Web site for instructions.
512
Chapter 10
Planning Network Security
Planning to Offer Remote Assistance to Client Computers Sometimes the best way to help someone fix a problem is to demonstrate a solution. Likewise, sometimes the easiest way for a user to explain a problem or error is to step you through the actions she took and dialog boxes and other messages she encountered when the problem occurred. Remote Assistance enables a trusted individual (who could be a friend, a support person, or an IT administrator) to remotely and interactively assist someone with a computer problem. The helper (also known as the expert) can view the user’s screen remotely and offer advice based on what she sees. With the user’s permission, the helper can even take control of the user’s computer and perform tasks remotely. Remote Assistance can be helpful for answering questions and resolving problems that are difficult for a user to explain, as well as for demonstrating the functionality of an application. Remote Assistance is also helpful when you need to perform a complicated set of instructions on an inexperienced user’s computer. For instance, the local system configuration might need to be investigated. Users can request help, and conversely, experts can initiate an offer to help by sending invitations either through e-mail or Windows Messenger. Users and experts can also send invitations by saving them to a file and transmitting them through other means such as across a network share or through a Yahoo! Mail account. Invitations can be password-protected, and they can be set to expire on a given date. Unlike Remote Desktop for Administration, Remote Assistance establishes a concurrent session with the user at the remote computer, the user must authorize access, and both computers have to be running Windows XP or Windows Server 2003. Remote Assistance can be used in the following situations:
Within a local area network (LAN).
Over the Internet.
Over the Internet with one or both parties behind a firewall on a LAN. Connections through a firewall require that TCP port 3389 be open.
In the following sections, we’ll explore how remote assistance works and identify methods for securing remote assistance.
How Remote Assistance Works Remote Assistance must first be enabled. You can enable Remote Assistance in the System applet of the Control Panel by clicking the Remote tab and selecting the Turn On Remote Assistance And Allow Invitations To Be Sent From This Computer checkbox. If you click the Advanced button from the Remote tab, you can set configuration options for the maximum number of hours that invitations will remain open, as shown in Figure 10.20. Invitations can be managed through the Windows Help And Support Center, which can be launched from the Start menu. The main window for the Help And Support Center is shown in Figure 10.21.
Planning Secure Remote Administration Methods
FIGURE 10.20
The Remote Assistance Settings dialog box
FIGURE 10.21
The Help And Support Center window
513
You open the Remote Assistance window of the Help And Support Center, shown in Figure 10.22, by clicking Remote Assistance. Here the user can send an invitation to request assistance or view the status of existing invitations.
514
Chapter 10
Planning Network Security
Help desk staff and administrators can also initiate a remote assistance session through the Offer Remote Assistance feature. A sample Remote Assistance invitation sent by email is shown here: Subject: YOU HAVE RECEIVED A REMOTE ASSISTANCE INVITATION Hello Suzan: I would like you to connect to my computer with Microsoft Remote Assistance, in order to provide some assistance to me. Once connected, you will be able to view my screen and chat online with me in real time. To start a Remote Assistance session, you should select the following link at URL https://www.microsoft.com/remoteassistance/s.asp#1AjcAM0TD,xMCTeKNJW/KMU W6Pu/mxoYDG1GW/11sboTa5JAnxA=,0zu2kNPeOcKnaiH1xDSlyK4Wcac=Z *************************************************** Suzan, I’m getting a message that the .pst file couldn’t be found when I try to open Outlook. Please help! ***************************************************
Methods for Securing Remote Assistance If a user accepts assistance, and if remote control is allowed by Group Policy, a helper can control the user’s computer and perform any task that the user can perform, including accessing the network with that user’s credentials. The following methods can be used to address the security concerns that such access introduces.
Firewall Configuration To control whether a person within the organization can request help outside of the organization, configure the firewall to prohibit or permit inbound and outbound traffic through port 3389.
Group Policy You can set Group Policy to permit or prohibit users from requesting help using Remote Assistance. You can also determine whether users can allow someone to remotely control their computers or just view them. In addition, you can set Group Policy to permit or prohibit a helper from offering Remote Assistance without a specific request from the user. Two Remote Assistance policies can be configured in Group Policy: Offer Remote Assistance policy and Solicited Remote Assistance policy. Figure 10.23 displays these two policies. The Offer Remote Assistance policy specifies whether an expert can offer unsolicited help via remote assistance to the computers for which the Group Policy Object (GPO) is applied. The Properties dialog box for this policy is shown in Figure 10.24.
Planning Secure Remote Administration Methods
FIGURE 10.22
The Remote Assistance window
FIGURE 10.23
Remote Assistance policies
515
516
Chapter 10
Planning Network Security
If enabled, this policy can be further configured to allow helpers to remotely control the computer (the default) or only to view the computer. A list of approved helpers can also be defined in the policy. The Solicited Remote Assistance policy, shown in Figure 10.25, specifies whether users can solicit another user’s assistance, in other words ask for help, via Remote Assistance. Again, the policy can be further configured to allow helpers to remotely control the computer (the default) or only to view the computer. Tickets can be set to expire by configuring the Maximum Ticket Time (Hours) setting, which is 24 hours by default. This setting sets a limit on the amount of time that a Remote Assistance invitation can remain open. FIGURE 10.24
The Offer Remote Assistance Policy Properties dialog box
The Select The Method For Sending E-Mail Invitations setting specifies which e-mail standard to use to send Remote Assistance invitations. Depending on the format supported by your e-mail program, you can use either the Mailto (the invitation recipient connects through an Internet link) or SMAPI (Simple MAPI) standard (the invitation is attached to your e-mail message). If Remote Assistance is disabled in this setting or set to Not Configured and disabled in Control Panel, the Offer Remote Assistance policy will also be disabled. If the status is set to Not Configured, users can enable or disable and configure Remote Assistance themselves in System properties in Control Panel. Configuring either policy doesn’t mean that an expert can connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user is still given a chance to accept or deny the connection. If the user accepts, the expert is granted view-only privileges to the user’s desktop. Thereafter, the user must explicitly click a button to give the expert the ability to remotely control the desktop assuming that remote control is enabled. The user can stop remote control at any time.
Summary
FIGURE 10.25
517
The Solicited Remote Assistance Policy Properties dialog box
The Remote Tab of System Properties Remote Assistance is disabled by default on a local computer. This prevents anyone using the computer from sending a Remote Assistance invitation. You can enable Remote Assistance in the System applet of the Control Panel by clicking the Remote tab of the System Properties dialog box and selecting the Turn On Remote Assistance And Allow Invitations To Be Sent From This Computer checkbox. Group Policy settings will override this setting.
Summary In this chapter, you learned how to plan for remote administration, and how to plan for recoverability. We covered the following topics:
How IPSec works. IPSec primarily provides two services: a way for computers to decide whether they trust each other (authentication) and a way to keep network data private (encryption). The Windows Server 2003 implementation of IPSec explicitly supports the idea of policy-based security.
How to create and configure IPSec policies and filter lists. The policy’s Properties dialog box contains options to add, remove, and manage rules, filter lists, and security actions.
How to plan for remote administration. Servers and clients are remotely administered using Remote Desktop for Administration. Remote Assistance is used to offer remote help for users from an expert.
518
Chapter 10
Planning Network Security
Exam Essentials Know how to create a remote access policy for VPNs. The simplest method is to create a policy that allows VPN access to all users. To allow VPN access to a smaller group, create a new group for the VPN users. You can then create a policy using the following conditions: Set the NAS-Port-Type attribute to Virtual (VPN), set the Tunnel-Type attribute to the appropriate protocol, and use the Windows-Groups attribute to specify the new group. Know how to create and configure IPSec policies. You configure IPSec by modifying the default policies, creating your own policies that embody the rules and filters you want to use, and controlling how policies are applied to computers in your management scope. You customize a policy with the policy’s Properties dialog box, where you can add, remove, and manage rules, filter lists, and security actions. Know how to manage filter lists. You manage filter lists and filter actions by using the corresponding tabs in the Edit Rule Properties dialog box, which lists items that are available to any policy. You can instead use the Manage IP Filter Lists And Filter Actions command from the Context menu. Know how to create a plan for remote administration using Remote Desktop for Administration and Remote Assistance. Be able to troubleshoot Windows Server 2003 computers remotely through the use of Remote Control and Remote Desktop. Know the requirements for configuring these options and how they are used.
Key Terms
Key Terms Before you take the exam, be certain you are familiar with the following terms: authentication
mutual authentication
authentication header (AH)
passthrough action
connection type
preshared keys
Encapsulating Security Payload (ESP)
public key certificates
encryption
public key infrastructure (PKI)
filter action
Remote Assistance
filter lists
Remote Desktop for Administration
Internet Key Exchange (IKE)
security association (SA)
Internet Protocol Security Extensions (IPSec)
security method
Internet Security Agreement/Key Management Protocol (ISAKMP)
Spoofing
IPSec client
tampering
IPSec Policy Agent
ticket-granting service (TGS)
IPSec server
ticket-granting ticket (TGT)
IPv4
Transport mode
Kerberos v5
tunnel endpoint
Key Distribution Center (KDC)
Tunnel mode
machine certificates mirrored
519
520
Chapter 10
Planning Network Security
Review Questions 1.
You have upgraded a Windows 2000 Server to a Windows Server 2003 DNS server. You open IP Security Policies in the context of the DNS server and assign the Secure Server (Require Security) policy. You want the policy to take effect immediately, but you notice that the change is not effective. What command must you run in order to prompt policy changes to be immediately applied? A. secedit /refreshpolicy machine_policy /enforce B. gpupdate /target:user /force C. gpupdate /target:computer /force D. netsh ipsec static
2.
You are the system administrator for a company that collects foreign economic information. Your company has government contracts to compile data and generate reports. The data from the reports is eventually used in congressional reports. Your company obtains this information from various subcontracted agencies in multiple countries. All data received by your company must be verified as having originated from each of the contracted organizations. You have implemented IPSec to secure data transmission. How must you configure IPSec to ensure that the information is coming from the trusted agencies? A. Configure AH to provide authentication of the source of each IP packet. B. Configure AH to provide encryption of the IP packets. C. Configure ESP to provide encryption of the IP payload. D. Configure ESP to provide authentication of the IP payload.
3.
You are the system administrator of a financial services company that handles extremely sensitive financial information about high–net worth clients. You have gone to great lengths to secure your network by using firewalls, secured routers, and strong remote access authentication. You also have built a thorough physical security system in which all persons need badges to enter the facilities. Every door is monitored and the badge activity is tracked and reported. Although you feel comfortable that the perimeter of the network is secure, you want to make certain that no one inside the network can capture any packets on the wire and read any of the data. What IPSec component must you employ in order to achieve this objective? A. AH authentication B. IPSec packet filtering C. ESP encryption D. AH encryption
Review Questions
4.
521
The security and integrity of the data on your Native mode Windows Server 2003 network is of paramount importance to the management of your company. You have seven locations that communicate with each other frequently, and all of them use their access to the Internet on a regular basis. You have been charged with securing the traffic in all communications among the managers and executive staff of the company. To accomplish this, you plan to implement IPSec to provide the authentication and encryption of the specified communications. What will you need to change in order for IPSec to function properly across your network? A. Modify the applications on the network that the managers and executives use to
support IPSec. B. Upgrade the managers’ and executives’ NIC cards to support IPSec. C. Upgrade the router software to pass the IPSec traffic to the other locations. D. Enable IPSec on your computers to accept IPSec connections from other computers. 5.
What three policies are included by default with IPSec in Windows Server 2003? A. Client (Respond Only), Secure Server (Request Security), and Secure Server (Require
Security). B. Client (Request Security), Server (Request Security), and Server (Require Security). C. Client (Respond Only), Server (Request Security), and Secure Server (Require Security). D. Secure Client (Request Security), Secure Server (Request Security), and Secure Server
(Require Security). 6.
You have just been informed that your company has signed a contract with another company to complete a joint Windows Server 2003 application software development project. This project is going to involve a great deal of source-code sharing between the two organizations, and there is considerable concern about protecting the communications between the companies. Both companies are running Windows Server 2003 in Native mode, and both have enabled IPSec to ensure the security of data transfers. Both companies want to control the IPSec security protocols and limit IPSec communication between the two company networks. Your company’s domain is panacea.com, and the other company’s domain is hearth.com. You create a security filter with a source of panacea.com and a destination of hearth.com. The administrator of hearth.com creates a security filter with a source of hearth.com and a destination of panacea.com. When you test the connection, the IPSec negotiation process fails, and the traffic is not secured. What is the most likely cause of this problem? A. The companies are running different service packs that relate to IPSec. B. Nothing. The users need to choose when to transfer data using IPSec. C. You need to create inbound and outbound filters. D. Your security filters are configured the opposite of what they should be.
522
7.
Chapter 10
Planning Network Security
You are troubleshooting a problem with IPSec policies. You want one policy to affect all the users in the Sales OU and all its subordinate OUs. All the users in the North America OU (a subordinate of the Sales OU) are currently being affected by a policy that’s different from the one that affects the users in the Sales OU. What is the problem? A. The policy for the lowest-level OU overrides the others. B. Policies in lower-level OUs are adopted from the domain-level policy. C. Policies in lower-level OUs are adopted from the local computer’s policy. D. Policies are always adopted from the next-higher-level OU. Users in the Sales OU would
be affected by the domain-level policy, and users in the North America OU would be affected by the Sales policy. 8.
Your human resources department is becoming increasingly concerned about liability surrounding the privacy of employee information. They have sound policies in place to control access to information such as health, salary, and other personal data; however, they have learned that if information gets out and it wasn’t secured properly, the company could be liable for damages. You are told to secure the HR and accounting systems when HR employees are moving information around. However, those systems must remain open to staff in other departments. You immediately implement IPSec on the HR and accounting servers and on the machines of the employees in those two departments. In order to allow regular connections to the servers from the other departments, while requiring IPSec connections from the machines that deal with the confidential information, what security filter actions should you specify? (Choose all that apply.) A. Permit B. Block C. Accept Unsecured D. Allow Unsecured E. Use These Security Settings
9.
You want to set up an IPSec tunnel between two sites in different cities. How should you use filter lists at each site? A. Each site should have two filter lists. One list should specify a filter for outbound traffic
that points back to itself as the endpoint, and the other list should specify a filter for inbound traffic that has the other site as an endpoint. B. Each site should have one filter list that specifies a filter for outbound traffic that has
the other site as an endpoint and a filter for inbound traffic that points back to itself as the endpoint. C. Each site should have two filter lists. One list should specify a filter for outbound traffic
that has the other site as an endpoint, and the other list should specify a filter for inbound traffic that points back to itself as the endpoint. D. Each site should have one filter list that specifies a filter for outbound traffic that points
back to itself as the endpoint and a filter for inbound traffic that has the other site as an endpoint.
Review Questions
523
10. You have been told to implement a strong security infrastructure for your hospital in preparation for the government-required HIPPA regulations. You have a secure perimeter with a firewall and access control lists on your routers. However, the only security in place on your internal LAN is the access control lists on your Windows 2003 servers that are providing applications and data. In addition, you have basic password-protected applications that are running on mainframes and Unix machines in the hospital. You do not have security on the wire throughout your network. You intend to implement IPSec so that it will provide authentication and encryption for packets going over the wire. However, you do not want to break any applications or prevent access to any applications anywhere in the hospital until you have demonstrated that IPSec can work across all the platforms within the hospital. With this in mind, you enable IPSec on all your Windows 2003 servers and workstations and then begin to implement IPSec on the other platforms within the hospital to test interoperability. Which Microsoft prebuilt policies should you assign to the Windows Server 2003 machines until you have fully tested IPSec interoperability? A. Client (Respond Only) B. Secure Server (Require Security) C. Server (Request Security) D. Client (Request Only) 11. You are the network administrator for the XYZ Corporation and are located at the corporate headquarters in New York. Your network is configured behind a firewall that is configured for maximum security. You have a remote user who works out of his home in London and who accesses your network through the Internet. He is having problems with his Windows XP Professional configuration. Within your corporate network, you use Remote Assistance to help local users with problems. Users within the network can use Remote Assistance successfully. However, when your remote user requests Remote Assistance, it does not work at all. What is the most likely problem? A. The firewall is blocking the request, and you need to open TCP port 9833. B. The firewall is blocking the request, and you need to open TCP port 8976. C. The firewall is blocking the request, and you need to open TCP port 3389. D. The firewall is blocking the request, and you need to open TCP port 7760. 12. You are the IT manager for a division of a regional insurance company. This division handles call center and customer service functions. Recently all client computers were upgraded from Windows 2000 Professional to Windows XP Professional. You want to establish a more proactive approach to ensuring that users get the help they need to understand how to use the new operating system. You decide to use the Offer Remote Assistance feature to invite users to get live assistance from your help desk staff. Which of the following actions must you take in order to use the Offer Remote Assistance feature? A. Enable the GPO for Remote Assistance, and add users who can offer Remote Assistance. B. Designate Windows XP Professional computers that can be used by the help desk staff
to initiate Remote Assistance sessions. C. Open TCP port 3389 on the network firewall. D. Specify Windows Messenger or e-mail as the means of providing assistance.
524
Chapter 10
Planning Network Security
13. You are a technical support engineer working in the corporate headquarters of a company with 500 sales and customer care associates, many of whom work from remote offices and from home. A user calls, experiencing a problem with her Windows XP computer after installing a new sound card. You learn that the card was not supported on the HCL. She is logged on to the network through a VPN connection. Because this user is not very technically savvy, you know that you can fix her computer much faster by doing it yourself rather than by trying to walk her through the troubleshooting steps from a distance. You attempt to establish a Remote Desktop connection to her computer, but you are unable to do so. What is the most likely reason you cannot establish a Remote Desktop connection to the user’s computer? A. Remote Desktop is supported only in Windows Server 2003. B. Remote Desktop is not enabled in Control Panel System Remote. C. The RDP protocol must be configured on the client computer before a Remote Desktop
connection can be established. D. Remote Desktop cannot be used over a VPN connection. 14. You are the network administrator for your company. The network is running Active Directory in Native mode. All servers are Windows Server 2003, and all clients are Windows XP. You are in the early stages of implementing IPSec. Starting with the default policies, you want to configure them to meet your objectives. Specifically, you want to customize the Secure Server (Require Security) policy to protect against a DoS attack. How will you do this? A. Clear the Accept Unsecured Communication, But Always Respond Using IPSec check-
box on the Filter Action, Security Methods page on the server, and configure the clients to initiate security with the server rather than use the default response rule. B. Enable Accept Unsecured Communication, But Always Respond Using IPSec checkbox
on the Filter Action, Security Methods page on the server, and configure the clients to initiate security with the server rather than use the default response rule. C. Enable the Accept Unsecured Communication, But Always Respond Using IPSec check-
box on the Filter Action, Security Methods page on the server, and configure the server to initiate security with the clients rather than use the default response rule. D. Clear the Accept Unsecured Communication, But Always Respond Using IPSec check-
box on the Filter Action, Security Methods page on the server, and configure the clients to use the default response rule rather than to initiate security with the server. E. Clear the Accept Unsecured Communication, But Always Respond Using IPSec check-
box on the Filter Action, Security Methods page on the server, and configure the server to use the default response rule rather than to initiate security with the clients.
Review Questions
525
15. You want to configure IPSec for additional security on your Windows Server 2003 network using the least amount of administrative effort. All clients are Windows XP. How should you apply the IPSec policies? A. Apply the Server (Request Security) policy to all servers on the network. Apply the
Client (Require Security) policy to all clients on the network. B. Apply the Server (Require Security) policy to all servers on the network. Apply the
Client (Request Security) policy to all clients on the network. C. Apply the Server (Require Security) policy to all servers on the network. Apply the
Client (Respond Only) policy to all clients on the network. D. Apply the Server (Request Security) policy to all servers on the network. Apply the
Client (Allow Security) policy to all clients on the network. E. Apply a custom policy requiring IPSec for client-server traffic to all servers on the net-
work. Apply the Client (Respond Only) policy to all clients on the network.
526
Chapter 10
Planning Network Security
Answers to Review Questions 1.
C. The new command in Windows Server 2003 to automatically refresh a computer policy change is gpupdate /target:computer /force.
2.
A. Configuring AH to provide authentication of the source of each IP packet will ensure that the data originated from the trusted agencies. However, the ideal solution would also employ ESP to encrypt and authenticate the IP payload. Using AH with ESP provides authentication and encryption to ensure that the data you are receiving has not been seen by any unauthorized eyes, has not been tampered with, and is from the person you expect. AH provides authentication and a signature to grant integrity for the entire packet, but it doesn’t provide encryption. ESP encrypts the data in the packet. It also offers a signature and authentication for the actual data. AH and ESP together virtually ensure that the packet received is from the appropriate person, that the data in the packet is from that person, and that no one has altered the packet or seen the information inside.
3.
C. ESP provides confidentiality by encrypting the payload (data) in each packet that transverses the network. ESP also provides other benefits, such as authentication and integrity, by signing the payload and providing dedicated sequence numbers. The main benefit in this scenario is that the payload cannot be viewed. AH authentication is used to ensure that the packet received is from the person or computer from whom you expected the packet; it protects against spoofing. AH by itself doesn’t provide encryption. Packet filtering is used to control basic communication and prevent denial-of-service attacks or block protocols.
4.
D. The components necessary for a Windows Server 2003 computer to act as an IPSec client are installed by default. However, also by default, the policy required for using IPSec is not turned on, and so it lies dormant. You enable IPSec through the IP Security Policy Management snap-in and choose to use it to manage local IPSec policy, your domain, or the policy of another domain. IPSec works at the network layer, and applications are no more aware of using IPSec than they would be aware of using any lower-level OSI component. If the NICs or routers support IP—and virtually all of them do—then they will support IPSec.
5.
C. The three default IPSec policies are Client (Respond Only), Server (Request Security), and Secure Server (Require Security). These policies are intended to serve as examples and are not intended for operational use without modification. You should create new, custom policies for operational use. (In fact, you’ll have to create your own policies for things like DHCP and remote access servers.) The default policies allow a computer to receive unsecured traffic and are intended for use on intranets in Active Directory domains.
6.
C. You need inbound and outbound filters for both domains, and only outbound filters have been created. You also need to create an inbound security filter for panacea.com with a source of hearth.com and a destination of panacea.com. In addition, the administrator of hearth.com needs to create an inbound security filter with a source of panacea.com and a destination of hearth.com. Service packs could be an issue in the future, and they should always be watched. But service packs are not an issue in this specific situation and are certainly not the most likely source of the problem. Users and applications are entirely unaware of IPSec and don’t need to take any action to utilize it. The outbound filters are configured appropriately.
7.
A. The IPSec policy attached to the North America OU overrides all others; it is the lowest level discussed in the question.
Answers to Review Questions
527
8.
C, E. An Accept Unsecured security filter action will always request an IPSec connection before it allows an unsecured request. If all the machines that process confidential information are configured to use IPSec, these connections will be secure. The Use These Security Settings action lets you customize the behavior of the server, and you could, of course, configure it to work in the Accept Unsecured manner. An Allow Unsecured security filter action does not prefer IPSec and will not request an IPSec connection unless it’s requested by the client. A Permit action tells the IPSec filter to take no action. The Block action prevents remote systems from making any type of connection.
9.
C. Each side needs two filter lists: one for inbound traffic and one for outbound traffic.
10. C. Server (Request Security) is a combination of Client (Respond Only) and Secure Server (Require Security). This policy will always attempt to use IPSec by requesting it when it connects to a remote computer and by allowing IPSec when an incoming connection requests it. This will give you flexibility as you enable IPSec on the other machines, because it will allow communication even if IPSec is not utilized. Client (Respond Only) will attempt an IPSec negotiation if the other computer requests it, but it will never attempt it on its own outward-bound connections. Keep in mind that “client” in this context is not necessarily a computer workstation; it only refers to the computer that is initiating the connection. Secure Server (Require Security) specifies that all IP communication must use IPSec. Obviously, this will have an impact on a network that is not completely IPSec-enabled and interoperable. Client (Request Only) is not a valid option. 11. C. If the Remote Assistance connections are made through a firewall, the firewall will have to be configured to open TCP port 3389 in both directions. 12. A. The Offer Remote Assistance feature is enabled in Group Policy. When you enable the GPO for Remote Assistance, you add users who are permitted to offer Remote Assistance to other users. The other options either don’t apply or don’t need to be configured in order to use the Offer Remote Assistance feature. The Offer Remote Assistance feature can be used on any computer that supports Remote Assistance (Windows XP Professional or Windows Server 2003). If you are connecting across a firewall, you will need to open TCP port 3389 on the firewall. Remote Assistance can be provided through Windows Messenger or e-mail. 13. B. Remote Desktop is supported in Windows XP Professional and Windows Server 2003, and it is used to remotely administer desktops connected via a direct network connection, a VPN connection, or a remote access connection. No additional protocols need to be configured to establish a Remote Desktop connection. 14. A. To protect against a DoS attack while using the default policy Secure Server (Require Security), clear the Accept Unsecured Communication, But Always Respond Using IPSec checkbox on the Filter Action Security Methods page on the server, and configure the clients to initiate security with the server rather than use the default response rule. 15. C. The three default IPSec policies are: Client (Respond Only), Server (Request Security), and Server (Require Security). In this scenario, you should apply the Server (Require Security) policy to all servers on the network. Then you would apply the Client (Respond Only) policy to all clients on the network.
Chapter
11
Planning, Implementing, and Maintaining Certificate Services MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan security for wireless networks. Configure Active Directory directory service for certificate publication. Plan a public key infrastructure (PKI) that uses Certificate Services.
Identify the appropriate type of certificate authority to support certificate issuance requirements.
Plan the enrollment and distribution of certificates.
Plan for the use of smart cards for authentication.
A secure network infrastructure requires a means of keeping messages and data secure. Cryptographic systems are used to validate the identity of parties to a transaction (authentication), verify that data was not altered in transit (integrity), and ensure that data is secret to all except the authorized parties (confidentiality). Cryptography is as old as the art of communication. In times of war, transmissions can be secured from enemy interception by using a cipher to scramble the data. Unlike a code, such as Morse code or ASCII, which merely represents a signal without any intention of secrecy, a cipher conceals the true meaning of data by disguising it in a new form. For example, the sideband frequencies of the voice signals in a telephone conversation can be inverted to scramble the data so that an unauthorized party listening in on the conversation can’t make out what is said. The inversion of frequencies is a cipher that makes the contents of the conversation secret except to the parties on either end, who know how to undo the cipher. Simple ciphers might rotate the sequence of letters in the alphabet or substitute letters for numbers. The most advanced ciphers rely on complex algorithms to rearrange the actual data bits contained in digital signals. Secure modern networks incorporate a comprehensive system of cryptographic services known as a public key infrastructure (PKI). In a PKI, digital keys are used to lock (encrypt) and unlock (decrypt) data transmissions, and digital certificates are used to prove identity and transmit keys in a secure fashion. Certificates can be issued by trustworthy public authorities such as VeriSign, or they can be issued and used internally by an organization. Certificate services are one component of a PKI, and all of the components work together to provide a level of security that meets the specific requirements of an organization. Microsoft Certificate Services (MCS) began as part of IIS and evolved to include e-mail, e-commerce, business partner communications, and other enterprise security needs in addition to secure Web site access and secure Web transactions. Microsoft introduced their Certificate Services implementation several years ago with Internet Information Server (IIS) 3. MCS enabled organizations to issue and manage their own digital certificates to secure Web transactions with SSL. From the beginning, MCS could also be used with Exchange 5 to provide users with e-mail security. With each subsequent release of IIS, the Certificate Services functionality has become more robust and flexible. In Windows Server 2003, MCS is now completely integrated into the operating system and directory service structure. This chapter starts with the basic terms and concepts that underlie MCS. You will learn why encryption is important and how it is used to meet everyday business needs. You will understand how certificates fit into the big picture of a public key infrastructure. You will also learn the concepts of a certificate service and how a certificate service can be a part of an overall security solution for your organization. You must consider many factors when you are planning a certificate solution, including planning for different certificate issuance requirements, planning for certificate enrollment and
Understanding the Public Key Infrastructure
531
distribution, and planning for special needs such as smart card authentication and security for wireless networks. MCS can be fully integrated with Active Directory, and you will learn how to configure Active Directory for certificate publication.
Understanding the Public Key Infrastructure A public key infrastructure (PKI) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and even money through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority. The PKI uses digital certificates to identify an individual or organization and directory services to store, manage, and revoke the certificates. PKI involves emerging standards and approaches. A PKI is used to provide several security benefits, including authentication, data integrity, confidentiality, and nonrepudiation: Authentication Authentication is used to validate the entity and the origin of data. Data communications implicitly assume that there is more than one party. Parties to a transaction are known as entities, and they can be users, organizations, computers, or devices. Cryptographic systems verify each party’s identity to the other party. For example, secure Web sites allow users to verify that the server’s identity is as claimed. The client can encrypt a challenge message and send it to the server. If the server can decrypt it and answer correctly, the server can prove its identity. Integrity Integrity provides the means of verifying that data was not altered in transit. Data integrity is provided by using a digital signature. Confidentiality Cryptographic systems can ensure confidentiality, meaning that data is secret to all except the authorized parties to a data transaction. Even complete strangers can communicate privately with assurance using cryptographic technologies. Nonrepudiation Nonrepudiation is one aspect of conventional business that can now be brought to e-commerce. If one party signs a paper contract and gives you a copy, you now have protection against that party later claiming that he/she/it didn’t agree to the terms of the contract. Digital signatures can provide the same assurance and even legal binding for electronic transmissions. Deploying a PKI allows you to perform tasks such as:
Digitally signing files such as documents and applications
Securing e-mail from unintended viewers
Enabling secure connections between computers, even if they are connected over the public Internet or through a wireless network
Enhancing user authentication through the use of smart cards
In the following sections, we’ll discuss key PKI concepts, the elements of a PKI, and special terms you’ll need to understand.
532
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
Key PKI Concepts In a secure transaction, there must be a means of disguising the information communicated between two parties so that it cannot be intercepted and used by an unauthorized third party. Methods such as firewalls, Network Address Translation (NAT), and Port Address Translation (PAT) can protect data from being intercepted by unauthorized parties. Methods of encryption, including IPSec and Certificate Services, prevent intercepted information from being understood and used. Encryption is the conversion of data into a disguised form, called a ciphertext, for the purpose of protecting communications from unauthorized parties. Decryption is the conversion of encrypted data back into its original form. The introduction to the chapter discussed how a cipher is created using a computer algorithm. To recover the contents of an encrypted signal, the correct key is required in order to decrypt the data. The key is actually another algorithm that “undoes” the work of the encryption algorithm. A computer can be used to “break” the cipher, but the more complex the encryption algorithm, the longer it takes to break the cipher. Security experts assume that any unauthorized party with sufficient time, resources, and motivation can break an encryption algorithm. The goal is to increase the amount of time it will take to such an extent—years, decades, centuries—that by the time the data could be read, the security risk would no longer exist. However, as the strength of the cipher increases, so does the cost in terms of processing power. As technology advances and computing power increases, stronger encryption algorithms are needed. Secure desktop clients today use 128-bit encryption, while a secure server may use 4096-bit or stronger encryption. Encryption is essential to any type of sensitive transaction, such as a credit-card purchase over the inherently unsecure Internet, or an e-mail exchange concerning a corporate secret at the highest executive levels. Encryption assumes critical importance for communications over wireless LANs (WLANs). Wireless circuits are vastly easier to “tap” than their hard-wired counterparts. There are two forms of encryption:
Symmetric encryption, which uses the same key to encrypt and decrypt data. Symmetric encryption is used in preshared secret key systems.
Asymmetric encryption, which uses one key to encrypt data and a different key to decrypt data. Asymmetric encryption is used in public key systems.
Cryptographic systems can employ secret keys or public keys. In the next sections, you’ll learn the differences between these cryptographic systems. We’ll then explore the advantages of public key cryptography systems, including the uses of digital signatures and digital certificates.
Secret Key Cryptography In a secret key cryptography system, two people who want to communicate use a single shared key that must be kept secret. This is the equivalent of a secret password on which both parties agree. The same key is used to encrypt and decrypt data, so if the secret key is compromised through loss or theft, then the data encrypted with that key becomes vulnerable. Secret key systems tend to be fast and flexible, but their dependence on a single key makes them better suited for applications like IPSec where you can change the key frequently. In addition, secret-key systems can only be used for encryption, not authentication.
Understanding the Public Key Infrastructure
533
Public Key Cryptography As opposed to the single secret key used in a secret-key system, public key cryptography systems use a pair of keys:
A public key, which is designed to be freely distributed
A private key (also called a secret key), which is known only to its owner and should never be revealed to any other party
These keys complement each other. If you encrypt something with your public key, it can be decrypted only with the corresponding private key (which only you hold), and vice versa. This means that anyone can use your public key to encrypt something, but only you can decrypt the same data—because only the private key can decrypt data encrypted by the public key, and only you have the private key. The security of these keys depends on the mathematical relationship between the public and private keys. You can’t derive one from the other, so passing out the public key doesn’t introduce any risk of compromising the private key. For this reason, a remote party’s public key is frequently used to encrypt data sent to that party, because it is freely available, yet the data can be decrypted only with the private key, which only the remote party knows. Two fundamental operations are associated with public key cryptography: encryption, which we have already discussed, and signing.
Digital Signatures Signing uses encryption to prove the origin and authenticity of a data transaction. A sender can use a private key to digitally sign a message, thereby creating a digital signature that proves to a recipient that the sender is indeed the true source of the information. Digital signatures differ from handwritten signatures and even fingerprints because they are different every time they are generated. Producing two different messages that have an identical hash is virtually impossible. A special type of algorithm called a hashing algorithm, also known as a message authentication algorithm, calculates a unique mathematical value, known as a digest, from the actual message contents. The digest is then encrypted using the private key and either added to the end of the message or sent as a separate file attachment. The public key can be sent along with the message, either on its own or as part of a certificate. If Jane wants the world to know that she is the author of a message, she signs it by encrypting it with her private key. She can then post the message publicly. This obviously doesn’t provide any privacy, because anyone can decrypt the data using her public key. However, the fact that it can be decrypted using Jane’s public key means that it must have been encrypted using Jane’s private key, which only she holds—so it must have come from Jane. Perhaps you want to digitally sign an e-mail message announcing a critical security flaw in one of your company’s existing software products. You could use the built-in functionality of the Eudora e-mail client to do the following: 1.
The encryption process examines the message content you provide and passes it through a hashing algorithm to generate a unique “fingerprint.”
2.
It encrypts the message and the fingerprint using your private key, thereby creating the digital signature for this specific message.
534
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
If someone wants to verify that the message is from you, you can perform the same steps in reverse. First, your software decrypts the message using your public key. Then it computes a hash for the message and comes up with a value for the digest. If the new digest and the decrypted version match, it proves that you actually sent the message, and the message hasn’t been modified.
A digital signature does not provide confidentiality, because anyone can check the signature and read the data.
Digital Certificates Digital certificates are the passports of the electronic world. Like your passport booklet, which contains the unique passport I.D. number, a digital certificate serves as a carrying case for a public key. A certificate contains the public key and a set of attributes, such as the key holder’s name and e-mail address. These attributes specify something about the owner, such as the owner’s identity, what the owner is allowed to do with the certificate, and so on. The attributes and the public key are bound together because the certificate is digitally signed by the entity that issued the certificate. Anyone who wants to verify the certificate’s contents can verify the issuer’s signature. Your passport contains a unique key (the passport number) and some attributes (an expiration date, your name, date of birth, etc.). A passport is issued by a trusted agency and sealed to prevent alteration. Any third party (such as a country or the local DMV) that trusts the agency that issued your license (the U.S. government) and verifies that the lamination is intact can rely on its authenticity. The entire system is based on a trust model. Although the U.S. government verifies the validity of its citizen’s passports, the passport itself is not issued by the top brass in Washington. The process of issuing passports is delegated to trusted agencies of the government, such as post offices, clerks of court, and public libraries. A guy in Seattle doesn’t need to fly to D.C. to get a passport—he can simply submit an application through the local post office. Foreign entities (countries) can validate the identity of an unknown individual based on their trust in a known entity, the U.S. government. Because my passport carried the recognized and trusted seal of the U.S. government, Australia and Japan granted me permission to enter their countries even though neither country knew who I was. However, a country that does not have relations with the U.S. would not recognize me because it does not recognize the U.S. as a trusted entity, and there my passport would be useless. A public key infrastructure is built on the same type of trust model. You’ll understand the analogy in a deeper way as you read further, but for now, here are a few important concepts to remember:
Certificates are digital passports that contain a unique key and a collection of attributes used to identify an individual.
Certificates operate within a system that is based on a hierarchy of trust and authority.
Certificates are issued to individuals by entities, which are often trusted representatives of a higher-level entity to whom the process of issuing certificates is delegated by that higherlevel entity.
Understanding the Public Key Infrastructure
535
Entities that issue certificates can therefore exist at different levels within a hierarchy of authority (like the U.S. Post Office as an agency of the U.S. government).
Foreign entities can validate the identity of an unknown individual based on their trust in a known entity (like the government of Australia recognizing my U.S. passport).
Elements of a PKI A public key infrastructure is a comprehensive system of security methodologies. A PKI has many components, including the following:
Digital certificates, which form the foundation of a PKI. They provide the electronic credentials (the public keys) that are used to sign and encrypt data.
Certificate authorities (CAs), which are trusted entities or services that issue certificates, revoke certificates they’ve issued, and publish certificates for their clients. CAs, such as VeriSign and Thawte, can do this for millions of users; with MCS, you can set up your own CA for each department or workgroup in your organization if you so desire. Each CA is responsible for choosing what attributes it will include in a certificate and what mechanism it will use to verify those attributes before issuing the certificate. Multiple CAs can be used in a hierarchy to perform specialized tasks, such as issuing certificates to subordinate CAs or issuing certificates to users.
Certificate revocation, which enables a proactive response to a situation in which a certificate has been compromised in some way.
Certificate revocation lists (CRLs), which are lists of certificates that have been revoked before reaching the scheduled expiration date. The CAs build and maintain these lists.
Certificate publishers, also known as certificate repositories, which make certificates and CRLs publicly available, inside or outside an organization. This allows widespread availability of the critical material needed to support the entire PKI. A good certificate publisher will allow clients to automatically get the certificates they need. Microsoft’s CA and clients support certificate publishers, such as Active Directory, that use the Lightweight Directory Access Protocol (LDAP).
The certificate management system, which controls which certificates are published, temporarily, permanently suspended, renewed, or revoked. In Windows Server 2003, the Certificate Services snap-in accomplishes this function.
PKI-aware applications, which allow you and your users to do useful things with certificates, such as encrypt e-mail or network connections. An effective security system works transparently, and the user doesn’t need to be aware of what the application is doing to effect security. The best-known examples of PKI-aware applications are Web browsers, such as Internet Explorer, and e-mail applications, such as Outlook and Outlook Express. Windows Server 2003 includes the Encrypting File System (EFS), a PKI-aware file system that can automatically encrypt and decrypt files for IT staff and end users. These applications don’t have any “knowledge” per se about the underlying PKI services. They are simply able to use the certificates to implement PKI functions such as validating identity.
536
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
Certificate policy and practice statements, which outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
In the following sections, we’ll explore the certificate authority, including CA types and roles. You’ll then get to see the process of certificate services in action. We’ll also discuss methods for certificate publication.
EFS, an Example of a PKI-Aware File System EFS is a PKI-aware file system used in Windows Server 2003 to encrypt files and folders transparently to you and your applications so that when you’re logged in, everything in an EFSencrypted folder looks like a normal document. When an unauthorized user attempts to access another user’s EFS-encrypted files, Windows Server 2003 produces an “access denied” message. EFS files are always encrypted on disk. This happens because EFS is actually a file system driver that sits between the standard disk drivers and the applications. When Word (for example) requests a block of data from an EFS-protected file, EFS reads an encrypted block from disk, decrypts it in memory, and passes it back to Word without storing the unencrypted text on disk. EFS supports recovery so that you always have a way to recover access to files that have been encrypted. It does this by encrypting the key used to protect the file twice: once for the owner and once for the Administrator account (or whatever other account has recovery authority). The Administrator account is defined as the recovery agent by default, but you can customize recovery access and define additional recovery agents in MCS.
The Certificate Authority A certificate authority controls the issuance and use of digital certificates for the users and computers in a defined group. You could set up a CA for a single organizational unit, a Windows Server 2003 domain, or an entire enterprise. CAs such as VeriSign and Thawte also function within the international public domain. The CA actually has several distinct functions. Besides issuing certificates when it receives a legitimate request, it also allows administrators to revoke certificates once they’re no longer needed. You can control what newly issued certificates may be used for; for example, you could apply a restriction that would permit anyone to request a certificate for secure e-mail but that wouldn’t allow those certificates to be used for encrypting files. These functions are all controlled by a robust set of permissions. For example, you can control who can request new certificates and which computers may be used to request them. As with almost any other setting in Active Directory’s Group Policy Objects (GPOs), you can delegate control over these settings to whatever part of your organization needs to have it. The CA can stand alone, but you’ll normally use it to generate machine certificates for IPSec and end-user certificates for smart card logon or EAP-TLS authentication. Microsoft’s CA can stand alone, or it can act as part of a certificate hierarchy. This hierarchy, also known as a certification chain, can contain CAs from inside and outside a single
Understanding the Public Key Infrastructure
537
organization. That allows you to have secure communications with business partners and suppliers without necessarily having to issue your certificates to them or generate a user account on your server. Consider the passport analogy. You can travel to any countries that recognize the U.S. government as a valid authority. In some countries such as Germany, you can even use a California driver’s license to prove your identity. There is essentially a hierarchy of trust going on here—Germany trusts the U.S., Germany knows that the U.S. has delegated authority to the state of California to issue identity cards, the state of California trusted the Santa Barbara DMV to issue identity cards bearing the California state seal, so Germany trusts the I.D. card that you got at the local DMV office as proof of your identity. In a hierarchy, as shown in Figure 11.1, each certificate authority signs the certificates it issues using its own private key. How can you determine whether a certificate is valid or not? Each CA actually has its own certificate, which contains the CA’s public key. This CA certificate is itself signed by a higher-level CA. You can stack up any number of CAs in a hierarchy, with each CA certifying the authenticity of the certificates it has issued. Eventually, though, there must be a top-level CA, called a root certificate authority. Because there is no authority above the root CA in the hierarchy, there’s no higher authority to vouch for its certificate. Instead, the root CA signs its own certificate, asserting that it is the root. Root CAs require far greater physical and electronic security measures to ensure the integrity of the total system. Companies, such as VeriSign, that provide certificates to the public need very strong security for the root CA. Their root CAs exist as independent computers that are taken offline and kept under lock and in vaults behind layers of physical security measures. In a highly secure environment, the root CA should never be a network-attached computer. FIGURE 11.1
A simple certificate hierarchy
538
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
The root CA is the CA at the top of the hierarchy. CAs lower in the hierarchy are variously called intermediate or subordinate CAs (or sometimes, child CAs). We will discuss the different CA roles later in this chapter in “CA Roles.”
CA Types MCS supports two different types of CAs: enterprise and stand-alone. Each type can operate in one of several different roles. The difference between types and roles is simple to understand. Cars and trucks are different types of vehicles. A single car or truck can be used in different roles: to carpool, to race, and so on. The type of CA you install determines to whom you can issue certificates and what the certificates can be used for, so it’s important to understand the distinctions between them. The only real configuration difference between the two types is which set of policies is enforced, but the operational differences between them are important.
The Enterprise CA The enterprise CA acts as part of the PKI for an enterprise. It issues and revokes certificates for end users and intermediate CAs according to the policy and security settings that you apply to the CA. As you’d expect from something labeled “enterprise,” enterprise CAs require Active Directory access, although they don’t necessarily have to be installed on an AD domain controller. MCS machines acting as enterprise CAs have these five special attributes:
All users and computers in their domains always trust them.
Certificates issued by an enterprise CA can be used to log on to Windows Server 2003 domains if you’re using smartcards (those little credit-card-looking things that actually pack an embedded microprocessor and cryptographic software).
Enterprise CAs publish certificates and CRL information to Active Directory, where any client in the enterprise can retrieve the certificates and CRL information.
Enterprise CAs use certificate types and templates to construct the content of newly issued certificates. You’ll read about types and templates more in “Certificate Templates,” but for now it’s important to understand that they deliver some useful capabilities. First, enterprise CAs can use templates to automatically fill in new certificates with the right set of attributes. Second, enterprise CAs can automatically fill in the holder’s name for new certificates by looking it up in Active Directory.
Enterprise CAs will always either reject or approve a certificate request. They’ll never mark a request as pending and save it for human inspection. The CA makes this decision based on the security permissions on the security template and on permissions and group memberships in Active Directory.
The Stand-alone CA Stand-alone CAs don’t require Active Directory access, because they’re designed to do nothing but issue certificates for external use. In other words, a stand-alone CA is made to issue certificates to people who aren’t part of your organization (for example, Internet users or business
Understanding the Public Key Infrastructure
539
partners). Stand-alone CAs are very similar to enterprise CAs in most respects, with a few differences:
Stand-alone CAs automatically mark incoming certificate requests as “pending,” because the CA doesn’t have access to Active Directory information to verify them.
Certificates issued by a stand-alone CA can’t be used for smart card logons (though you may store them on a smart card).
Certificates and CRLs generated by the stand-alone CA aren’t published anywhere—you must manually distribute them.
You can install a stand-alone CA on a server that participates in an Active Directory organization. The CA will be able to publish certificate information if its server is a member of the Certificate Publishers group.
CA Roles Whether your MCS servers are acting as enterprise or stand-alone CAs, they can assume one of four distinct roles. These roles govern the conditions under which the CA will issue certificates, as well as what those certificates can be used for once issued. In addition, the role your CA will play has some bearing on the questions you need to answer when you’re installing the CAs in your network. Here are the role types:
Enterprise root CAs sit at the top of a certificate hierarchy. While they can issue certificates to end users or subordinate CAs, the enterprise root normally is used only to issue certificates to subordinate CAs. That’s because delegating issuance powers to the subordinates gives you maximum flexibility in setting permissions and choosing which templates to use. For the most secure environments, the root CA at the top of a hierarchy is an offline, standalone computer under tight security.
Enterprise subordinate CAs live in an enterprise CA hierarchy below the root. They typically issue certificates to computers and users, not to other subordinate CAs. By setting appropriate permissions at the enterprise subordinate CA level, you maintain granular control over who can request and revoke certificates.
Stand-alone root CAs stand alone, just like the name implies. They may or may not be physically connected to the network. They may or may not be part of the Active Directory infrastructure. Because stand-alone roots can be physically and logically disconnected from the network, they can be made pretty much impervious to network attacks, making them well suited for use in issuing your most valuable certificate types.
Stand-alone subordinate CAs normally issue certificates to end users. They usually don’t take part in Active Directory, although they can. For example, if you were setting up a PKI for a company with offices in several countries, you could set up a separate, standalone, subordinate CA in each country. This would allow you to issue certificates to end users in each country without being able to cross-verify certificates issued in different countries.
540
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
How Certificate Services Work The process of issuing a digital certificate is something only a cryptographer could love. It involves a lot of arcana necessitated by the demand for high security. However, the overall flow of data between the client and the CA is fairly easy to understand (refer to Figure 11.2). The following steps explain what happens: 1.
The CA receives a certificate request from a client. This request can be generated through a Web page offered by the CA, manually by the end user, or automatically by various system components.
2.
The CA checks the incoming request to see that it is complete and correct (e.g., to see whether or not the requestor already has a certificate, to see whether or not the name on the certificate is a duplicate, and so on).
3.
The CA checks whatever policies the group administrator has chosen to apply to make sure the request is in line with those policies. Sometimes this means that the CA must push the request off to a queue, where it sits and waits for human approval. If you configure the CA to do so, it can automatically approve requests that meet the specified policy.
4.
The CA takes the attributes specified in the certificate request, adds in some of its own data (such as the name of the CA and a copy of its own certificate), and asks a system cryptographic service to sign it. This signature, equivalent to the seal on a driver’s license or a college diploma, serves as both protection against tampering and an assertion of validity. (Which cryptographic service actually does the signing is up to you.)
5.
The CA returns a copy of the new certificate to the requestor.
6.
Optionally, it publishes the new certificate in Active Directory or in a shared folder. This allows other users, computers, and programs to look up certificates in a domain- or organization-wide directory.
FIGURE 11.2
The flow of certificate data between client and CA
Certificate Publication Methods One of the fundamental tasks of a PKI system is to publish certificates so that users and other entities can use them. For instance, the recipient of data that has been encrypted with a party’s private key must be able to obtain the public key in order to decrypt the data.
Understanding the Public Key Infrastructure
541
Certificates are often published in the equivalent of an electronic phone directory. Certificates can also be physically sent through e-mail or other physical media such as floppy disks and smart cards. Certificate directories are databases that are X.500/LDAP-compliant. Certificates are in the X.509 format. Directories can be public or private (meaning that they are only used internally by an organization). In Windows Server 2003, Microsoft Certificate Services is fully integrated with Active Directory. Certificates are published to Active Directory by default. You can also use the certutil -dspublish command to publish certificates and CRLs.
Make sure you understand how to apply certificates within an Active Directory hierarchy.
PKI Terminology Cryptographic systems and PKIs are composed of a set of technologies. Different vendors may use different cryptographic and PKI technologies. This section discusses some additional terms and concepts related to Microsoft’s implementation of PKI technologies.
Cryptographic Service Providers We’ve mentioned the need for PKI-aware applications as a component of the PKI. How do these applications actually work within the PKI infrastructure? Microsoft ships a set of cryptographic libraries with every copy of Windows NT, Windows 95/98, Windows 2000, Windows XP, and Windows Server 2003. The libraries are known as cryptographic service providers (CSPs). The libraries implement basic, low-level crypto operations, including both secret and public key encryption. They expose a set of application programming interfaces that Microsoft calls the CryptoAPI. Applications, and the operating systems themselves, make CryptoAPI calls when they need cryptographic work performed. Any system can have any number of CSPs installed, including encryption-only CSPs and CSPs with signature capability. MCS can use installed CSPs that have the capability to sign and issue certificates. The end result is that PKI-aware applications integrate seamlessly with the PKI infrastructure in a way that is transparent to end users and other entities.
Policy and Exit Modules MCS supports using predefined sets of instructions that tell the CA what to do with incoming requests and how to proceed after a request is approved. The rules that govern how the CA handles an incoming request are built into policy modules, and rules that specify where and how a newly issued certificate is published are built into exit modules. Although you can write your own policy and exit modules, you’ll probably use the ones Microsoft provides with Windows Server 2003.
542
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
A policy module is a set of instructions that tells the CA what to do with incoming certificate requests. A policy module can automatically approve or reject a request, based on any rules built into the module. It can also mark a request as “pending” and leave it for a human operator to approve or reject. Policy modules can also change the attributes listed in a certificate, adding or removing them according to its design. Microsoft’s standard policy module does three things:
It processes each incoming request or marks it as pending, depending on whether you’re operating an enterprise or a stand-alone CA.
It adds an attribute to the certificate that specifies where the issuing CA’s certificate may be obtained. This allows clients who want to verify the new certificate to get the issuer’s certificate at the same time.
It adds an attribute that specifies where the issuing CA’s CRLs are available to clients.
An exit module allows the CA to do something with a certificate after it’s been issued. For example, Microsoft’s standard exit module can publish new certificates to Active Directory, store them in a shared folder, or e-mail them back to the requestor. It also publishes CRLs for the issuing CA, if you enable that feature.
Certificate Trust Lists The Certificate Trust List (CTL) is a way for PKI administrators to decide whom they trust. When you put a CA certificate on the CTL for your domain, you’re explicitly telling your users’ PKI clients that it’s okay to trust certificates issued by that CA. The CTL resides in Active Directory, and as an administrator you can control who may (and may not) make changes to the CTL for a site, domain, or organizational unit through Group Policy.
Certificate Attributes Each certificate includes a combination of attributes that provide information about the certificate holder. The X.509 standard defines which attributes are mandatory and which are optional. Optional attributes are known as extensions. MCS uses nine significant attributes, as shown in Table 11.1. The certificate template used when the certificate was generated determines the exact combination and contents of these attributes in a certificate—but more on that in a minute. TABLE 11.1
Certificate Attributes
Attribute Name
Description
Basic constraints
Specifies whether this certificate can be used to sign other certificates. If so, it also specifies how many levels deep the resulting hierarchy can be.
Default CSP list
Provides a list of CSPs that can be used with this type of certificate. For example, EFS requires certificates generated with the Microsoft RSA CSP.
Display name
Displays the name when someone views the certificate’s information; this is a “friendly” name that’s less complex than the certificate’s distinguished name (DN).
Understanding the Public Key Infrastructure
TABLE 11.1
543
Certificate Attributes (continued)
Attribute Name
Description
E-mail name
Specifies the e-mail address associated with the holder of this certificate.
Extended key usage
Specifies a list of extended functions (including signing a CTL, encrypting e-mail, and establishing secure network connections) for which this certificate can be used. The extended key usage information coexists with, but doesn’t override, the standard key usage fields.
Key usage
Specifies the combination of basic operations (digital signatures, encryption, and key exchange) for which this certificate can be used.
Machine certificate template
Specifies whether certificates that use this template are intended for use by people or by computers.
Security permissions
Specifies who can request a particular kind of certificate. For example, the default permissions for the Administrator template allow only users with administrative access to request administrator-level certificates.
Certificate Templates Like user templates, certificate templates are used to create new certificates based on the desired functionality. Windows Server 2003 includes 22 different certificate templates. There’s no supported way for you to build your own templates. The most useful certificate templates are listed in Table 11.2. TABLE 11.2
Certificate Templates in Windows Server 2003 What Certificates Based on the Template May Do
Who Gets Certificates Issued Using This Template
Administrator
Sign code, sign CTLs, secure e-mail and EFS file systems, authenticate clients
Domain administrators
Authenticated Session
Signature-only operations for authenticating clients
Network clients
Basic EFS
Encrypt EFS intermediate keys and files
Users who have access to EFS volumes
Code Signing
Sign executable code to assert its trustworthiness
Users who have authorization to sign executable objects
Computer
Authenticate computers to servers and vice versa
Computers in a domain
Template Name
544
Chapter 11
TABLE 11.2
Planning, Implementing, and Maintaining Certificate Services
Certificate Templates in Windows Server 2003 (continued) What Certificates Based on the Template May Do
Who Gets Certificates Issued Using This Template
Domain Controller
Authenticate clients to servers and vice versa
Active Directory domain controllers
EFS Recovery Agent
Recover encrypted files when the original key material is unavailable
Users who have EFS recovery privileges
Enrollment Agent
Request certificates for users or computers
Users who are authorized to request certificates
Exchange Enrollment Agent (Offline request)
Generate offline certificate requests for Exchange mailbox owners
Users who can request new certificates for Exchange users
Exchange Signature Only
Signature-only certificate for Exchange users
Exchange users
Exchange User
Signature- and encryptioncapable certificate
Exchange users
Smartcard Logon
Authenticate a client to a logon server
Smart card holders who use smart cards to log on; cannot be used for secure e-mail or EFS security
Smartcard User
Client authentication and e-mail security
Smart card holders who have permission to use their smart cards to log on and secure e-mail and EFS files
Template Name
Subordinate Certification Issue and revoke certificates while Authority acting as a subordinate CA
Computers acting as subordinate CAs
Trust List Signing
Sign the certificate trust list
Administrators who have authorization to modify the CTL
User
Authenticate client-to-server, sign and encrypt e-mail, encrypt EFS data
Ordinary, unprivileged users
User Signature Only
Sign e-mail; sign client-to-server authentication messages
Users whom you don’t want to have encryption capability
Understanding the Public Key Infrastructure
545
Server Gated Cryptography (SGC) U.S. export law forbids exporting strong encryption services. This restriction would make international banking extremely difficult if not for Server Gated Cryptography (SGC). SGC, an extension of SSL, is an encryption protocol that uses a digital certificate and is most commonly used to protect sessions such as online banking sessions. Most operating systems and browsers today employ SCG encryption capability. SGC works by allowing 40-bit exportable versions of Internet Explorer to use 128-bit encryption. SGC is included with all versions of Windows since Windows 95 and NT 4. The catch is that only approved financial institutions may use SGC on the server side, so SGC is not a loophole for all international encryption needs. The very nature of SGC certificates means that they cannot be generated by your stand-alone or enterprise CA. They must come from a commercial CA such as VeriSign.
Recovery Keys Ordinarily, if you lose the key associated with a certificate, you’re in trouble—it’s like losing the combination to a bank vault. You might be able to locate a safecracker who could break in, but the odds aren’t good. The risk of permanent data loss has precluded the adoption of encryption in many businesses, so Microsoft has provided a solution in the form of recovery keys. The idea behind recovery keys is that if the key used to encrypt a piece of data (on an EFS volume, e-mail message, or wherever else) is lost, the recovery key can be used to decrypt the data. Signing keys aren’t recoverable, so no one can surreptitiously pretend to be you by recovering your key. Windows Server 2003 allows you to define a recovery policy that specifies who may recover data and under what conditions. Users who have recovery authority are called recovery agents, and they use special certificates and keys to enable recovery. On a stand-alone server, the Administrator account is automatically set up as the default recovery agent, and additional recovery agents can be named through MCS. On domain controllers, members of the Domain Admins and Enterprise Admins groups also have access to the recovery key.
Key Recovery versus Key Escrow Some cryptographic systems use key escrow, in which a third party holds a copy of your encryption keys. In some escrow scenarios, this third party is a government agency, such as the National Security Agency or the Treasury Department; in others, it’s an industry organization, such as the American Bar Association or the American Banking Association. If you think of recovery as using one of those magnetic key holders, you can consider escrow to be storing a copy of your key in a safety deposit box. A simple way to remember this difference is that recovery lets you recover your keys, and escrow lets someone else recover your keys. Windows Server 2003 does not implement key escrow.
Smart Cards Support for cryptographic smart cards is a key feature of the PKI. A smart card is a credit card–sized device that is used with an access code to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys,
546
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card. Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as logging on to a Windows Server 2003 domain, client authentication, code signing, and securing e-mail. Smart cards provide the following benefits:
Tamper-resistant storage for protecting private keys and other forms of personal information.
Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the computer that do not have a “need to know.” These operations are all performed on the smart card.
Portability of credentials and other private information between computers at work, home, or on the road.
Planning to Use Smart Cards As the systems engineer in an enterprise internetwork with a large base of roaming users, you want to ensure security by providing the strongest possible form of authentication available. You want to use a cryptography-based identification system that can also ensure proof of possession when authenticating a user to a domain. Smart cards are the logical choice. They provide a very strong form of hardware-based authentication. An additional benefit is that they add a layer of security through the use of a Personal Identification Number (PIN). A malicious person would have to obtain both the user’s smart card and the PIN to impersonate the user and gain access to the network. Smart cards are also resistant to undetected attacks because the user will probably know when the card is missing. Smart cards can in this way be integrated as an important component of a PKI.
Planning and Managing the Certificate Server Managing the certificate server involves first installing MCS, configuring the CA service, configuring the CA itself, and then configuring revocation and trust. We’ll explore each of these topics in the next sections.
Installing Microsoft Certificate Server The actual process of installing and configuring MCS is pretty straightforward, especially when you compare it with the steps required to set up the equivalent service under Windows NT.
Planning and Managing the Certificate Server
547
However, some prior planning is necessary to avoid making the wrong configuration choices at installation—MCS doesn’t allow you to change some of its settings once it’s installed.
Planning the CA Installation Before you install a CA anywhere on your network, you must know the answer to three questions that the setup program is going to ask you: What role do you want the CA to play? At one point in the installation process, you pick between stand-alone and enterprise CAs, and after that point, the installation options diverge. Also, you can’t install an enterprise CA unless you’ve already set up and tested Active Directory. Do you want to use any CSPs other than the default Microsoft modules? If you install the optional (and North America–only) High Encryption Pack for Windows Server 2003, you can take advantage of CSPs that are cryptographically stronger than the ones included with Windows Server 2003. Do you want to allow end users to request certificates using the Web interface included with MCS? This interface makes it easier for users to get certificates, which may or may not be what you want to accomplish.
Installing the CA You install the Certificate Server using the Windows Components Wizard. When you run the wizard, you can install the CA service itself, the Web enrollment component, or both. When you’re ready to install the CA on a computer (after answering the questions listed earlier in the section, of course), you can do the follow the steps to perform the installation: 1.
Open the Windows Components Wizard by clicking Start Control Panel Add Or Remove Programs and clicking the Add/Remove Windows Components icon. The wizard opens and lists all the components it knows how to install or remove.
2.
Select Certificate Services from the component list. You’ll see a warning dialog box telling you that you can’t change the name of the computer, or move it into or out of an AD domain, after installing the CA. If you want the machine you’re installing on to function as an enterprise CA, make sure you promote it to a domain controller before continuing with the installation.
3.
Click the Details button and uncheck any component you don’t want installed. For example, if you want to install only the Web enrollment components on a network kiosk, uncheck the Certificate Services CA option. Click OK when you’re done, and then click the Next button to move on to the next wizard step.
4.
The CA Type page appears (see Figure 11.3). Notice the Use Custom Setting To Generate The Key Pair And CA Certificate checkbox—you’ll need to check it if you want to change the CSPs this CA can use, if you want to reuse an existing key pair, or if you want to change the default hash algorithm. Click Next once you’ve filled out the page.
548
Chapter 11
FIGURE 11.3
Planning, Implementing, and Maintaining Certificate Services
The CA Type page
If you checked the Use Custom Setting To Generate The Key Pair And CA Certificate checkbox, you’ll see the Public And Private Key Pair Selection page (see Figure 11.4). Apart from selecting the key pair you want to use, this page allows you to choose the CSP, hash algorithm, and key length you want to use with its controls. By default, the Microsoft Base Cryptographic Provider is the standard CSP, although you may have others available depending on what hardware and software you have installed on your server.
5.
FIGURE 11.4
The Public and Private Key Pair Selection page
The fields on this page do the following:
6.
The CSP list shows all the CSPs on your machine. Choose the one you want this CA to use. Be forewarned that if you choose a CSP that doesn’t support the RSA algorithm suite (such as the Microsoft Base DSS CSP), your CA may not interoperate properly with CAs from other vendors.
Planning and Managing the Certificate Server
549
The Hash Algorithms list allows you to choose the hash algorithm you want to use for computing digital signatures. Don’t use MD4. If you can avoid it, don’t use MD5 either—both algorithms have known weaknesses. Instead, accept the default setting of SHA-1.
The Key Length drop-down list lets you select a key length if you’re generating a key pair. You can take the default value of 1024 bits or you can go all the way up to 4096 bits if you need to, provided your CSP supports longer keys.
The Use An Existing Key checkbox allows you to reuse an existing key pair for the CA’s key, as long as it was generated with algorithms compatible with your selected CSP. As you choose different CSPs, you’ll see that this checkbox (and the contents of the list below it) changes to reflect the keys you could potentially use.
The Import button lets you import certificates from a PFX/PKCS#12 file.
The View Certificate button shows you the properties for the selected certificate.
The Use The Certificate Associated With This Key checkbox lets you use an existing certificate if the key pair you’ve selected has one associated with it and if it’s compatible with your chosen CSP.
7.
Once you’ve set the options you want to use, click the Next button.
8.
The CA Identifying Information page (see Figure 11.5) appears, allowing you to specify the information needed to uniquely identify this CA. You must specify a unique name for the CA in the Common Name field. The Distinguished Name Suffix field contains LDAP naming information. There is also a preview field to enable you to preview the distinguished name as it will be. The Validity Period controls at the bottom of the dialog box allow you to set the validity interval for your CA’s certificate.
FIGURE 11.5
CA Identifying Information page
You cannot change any of this identifying information once the CA is installed, because it’s all encoded into the CA’s certificate. Make sure the information you enter here is correct!
550
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
If you choose an organization name that includes special characters (i.e., &, *, [, ], etc.), the CA has to encode them with Unicode, because the X.509 standard for PKI certificates requires it. This might make some older (or broken!) applications unable to verify your CA certificate, so Setup will warn you and give you a chance to change the CA name before proceeding.
9.
Click the Next button after you’ve filled in enough information to identify your CA.
10. The Certificate Database Settings page (see Figure 11.6) allows you to choose where on
your server these database files reside. The CA stores its certificates in a database file, and you get to choose where that database resides on the disk. Note that this database contains the CA’s certificates, not the certificates it issues—those are published in Active Directory or wherever else you specify. The Store Configuration Information In A Shared Folder checkbox allows you to force the CA to use a shared folder for storing the certificates it emits. This is handy if you’re not using Active Directory or if you have clients that expect to get certificates only from a file on disk somewhere. FIGURE 11.6
Certificate Database Settings page
11. The Preserve Existing Certificate Database checkbox lets you reinstall the CA on top of
an existing installation. For example, if you have a machine that you want to convert from stand-alone to enterprise mode, or if you need to reinstall to change the CA’s name or Active Directory membership, checking this box tells Setup not to erase the old certificates.
Make sure whatever location you specify is on an NTFS disk volume and that it gets backed up regularly. If you lose a CA’s certificates, you’ll have to reissue all the certificates ever issued by that CA.
Planning and Managing the Certificate Server
551
12. Once you’re happy with the settings on all of the preceding pages, click the Next button.
If you’re currently using the Internet Information Service (IIS) WWW service, setup will stop it for you so it can finish the installation. If you are not using IIS, Setup will inform you that you must install it if you want to use the Web enrollment component of certificate services. Once the Setup is complete, you’ll need to restart your machine. From then on, the CA service will automatically start whenever the server does.
Installing the Certificates and Certification Authority Snap-Ins Managing Microsoft Certificate Server involves using two different, but related, Microsoft Management Console (MMC) snap-ins: the Certificates snap-in for managing certificates and the Certification Authority snap-in for managing the CA itself. The process for installing the two snap-ins is identical, and you can usually keep them together in a single console file so that you can quickly manage all certificate-related functionality on a machine at once.
Certificate Templates are managed separately through the Certificate Templates snap-in, as well as through the Certificate Templates node in the appropriate Active Directory snap-in for the object to be managed.
You have already seen how to install MMC snap-ins earlier in this book, and you install the certificates and CA snap-ins using the same procedure. One slight difference is that you must specify the CA to manage. The local server is selected by default, but you may need to change this if you need to manage a remote CA. You should install the snap-ins before proceeding to the next section.
To manage all three certificate types—for user, computer, and service accounts— from a single MMC, just add three instances of the Certificates snap-in.
Once you’ve installed the Certificate Server and the CA snap-in, you’re ready to configure and manage your CA. The snap-in interface is shown in Figure 11.7, and it looks very much like every other MMC snap-in. In the left half of the console window, you’ll see one node for each CA running on the server you’re managing. FIGURE 11.7
The Certification Authority snap-in
552
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
If you expand any one of those CA nodes, you’ll see the following five folders below it: Revoked Certificates This folder holds all certificates that have been revoked by this CA. Once revoked, a certificate can’t be unrevoked; it will stay on the CRL forever. Issued Certificates This folder lists the certificates that this CA has issued since its installation. Double-clicking a certificate shows its properties, and right-clicking a certificate allows you to revoke it. Pending Requests This folder lists the requests that are queued on the CA, waiting for you to approve or disapprove them. Enterprise CAs will never have any items in this list, but standalone CAs may display zero or more requests at any given time. Failed Requests This folder lists all the requests that failed or were rejected, including the CN, e-mail address, and submission date of the failed request. Certificate Templates This folder shows the certificate templates that are available for use on this server. You may change the set of available templates by right-clicking the Policy Settings folder and using the New Certificate To Issue Or Delete commands. Double-clicking a template shows you the certificate purposes available with that certificate, but there’s no way to change the template directly. Each folder actually expands into a list, and you can customize the list’s columns and fields using the View submenu on the context menu. To do this, right-click the folder, and then select the Choose Columns and Customize commands until you have the list configured the way you want it. You can also define filters using the View Filter command; for example, you could create a filter that showed only certificates that were due to expire after a particular date.
Controlling the CA Service Because MCS is just another Windows Server 2003 service, you can configure it to start whenever you want. The installer automatically configures the service to start when the system starts; for extra security, you can set it to start manually so that it can only issue certificates when you want it to do so. As with every other Windows Server 2003 service, you can use the Services item in the Computer Management snap-in to start and stop the services, set recovery options for it when it stops, and change the account used to run it. You can also do most of these functions, plus some other useful ones, directly from the Certification Authority snap-in. When you right-click a CA, you gain access to several commands that simplify your day-to-day management tasks; commands to perform the following tasks appear under the All Tasks submenu of the Context menu you get when you right-click the CA.
Switching to a Different CA The Retarget Certification Authority command actually appears when you right-click the Certification Authority node, not an individual CA. This command lets you point the snapin at a different CA; you may remember that during installation you have to specify
Planning and Managing the Certificate Server
553
which CA you want to manage, and this is how you change it. When you use this command, you’ll be able to browse the network and change to any CA to which you have management rights.
Starting/Stopping the Service In addition to starting and stopping the CA from the Services item in Computer Management or from the command line, you can use the Start Service and Stop Service commands from the context menu or simply right-click your CA’s name, select All Tasks, and then Start or Stop Service. These operations take effect immediately; you don’t get a chance to change your mind or confirm your command.
Backing Up and Restoring CA Data Performing a solid backup of the CA’s data is a two-step process, and it involves two separate tools. Although this seems more complicated than necessary, performing good backups is critical. If you lose the CA’s certificates, you won’t be able to issue, renew, or revoke certificates for that CA’s domain. Of course, backing up data is pointless unless you have the ability to restore it when you need to do so.
Backing Up the CA The two-step process of backing up the CA is conceptually simple. First, you use the Certification Authority Backup Wizard to make a usable copy of the CA’s data. Because the CA keeps its files open when it’s running, you can’t just copy the files unless you stop the service; however, the wizard can copy the needed data while the service is running. To begin this first step, right-click the CA’s name, select All Tasks, and then use the Backup CA command. After an introductory wizard page, you’ll see the Items To Back Up page, as shown in Figure 11.8. Use it to specify what you want backed up. FIGURE 11.8
The Items To Back Up page
554
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
The following settings specify what should be backed up:
The Private Key And CA Certificate setting specifies that you want to back up the CA’s private key and the associated certificate. If you choose this option, the wizard will ask you for a password that it uses to encrypt the private key and certificate data and store it in a PKCS#12 file.
The CA keeps log files that record certificate issuance and revocation. It also keeps a queue of pending requests. If you want these backed up (and you should, because losing the queue means end users will have to resubmit their requests, and losing the logs means you lose historical information about certificate issuance), check the Certificate Database And Certificate Database Log checkbox. If you choose to back up the log and queue files, you can further specify whether you want to back up the entire set of files at each backup (the default) or only those items that have changed since the previous backup (by checking the Perform Incremental Backup checkbox.) Incremental backups reduce the amount of data required for your regular backups, but you must still do at least one nonincremental backup. We recommend doing incremental backups during the week, with full backups at either the week’s beginning or its end.
The Back Up To This Location field (and the associated Browse button) lets you specify where you want the backed-up data to go. You must specify an empty directory; the wizard will put a file named caName.p12 (containing the private key and certificate) and a directory named DataBase (which contains the actual logs, queues, and CA database) in the location you provide. You can’t store multiple backups in the same directory.
Once you’ve chosen the appropriate settings, click the Next button. If you chose to back up the private key material, you’ll be prompted to enter a password to secure the data on disk. Once you’ve done that (if necessary), you’ll see a summary page; clicking its Finish button will actually perform the backup. Once you’ve used the Certificate Authority Backup Wizard to make a backup of your CA data, the second necessary step is to use Windows Server 2003 Backup tool (or another backup tool, such as ARCserve or BackupExec) to back up your CA data to disk, tape, CD-RW, or whatever media you use for backup. Don’t skip this step—all the Certificate Authority Backup Wizard does is make a clean copy of the CA’s data on your local machine where it’s no more protected than the original data was.
Restoring the CA A restore reverses the backup process, returning the target machine to its original backed-up state. Restoring CA data is, therefore, the reverse process of the backup process. First you restore your backed-up CA data from its storage media, for example, by using the Windows Backup tool. Then you right-click the CA’s name, select All Tasks, and use the Backup CA command to launch the Certification Authority Restore Wizard. The wizard allows you to restore whatever you’ve backed up, in any combination you choose. For example, you can restore just the queue; the queue and the logs; or the queue, the logs, and the key material. The actual process does have some differences, though. First, the CA service has to be stopped to use the Certificate Authority Restore Wizard; the wizard offers to do this for you. The most important page of the wizard is the Items To Restore page, shown in Figure 11.9. You
Planning and Managing the Certificate Server
555
can specify what you want to restore; you must also use the Restore From This Location controls to tell the wizard where to find the specific backup from which you want to restore. FIGURE 11.9
The Items To Restore page
If you want to restore several incremental backups in a row—as you might need to if it’s been awhile since your last full backup—you must first restore the correct full backup, then restore each of the incremental backups that match it, in the right order. To facilitate this process, you might want to name your CA backups with a code that indicates the date when the backup was made.
Renewing the CA Certificate Like real-world credentials, certificates eventually expire. When you control the CA, you get to control the expiration interval for certificates it issues, which can be pretty handy. CA certificates aren’t exempt from this process, so it’s likely that you’ll need to renew your CA certificates periodically. For subordinate CAs, renewal is accomplished by requesting a new certificate from the issuing CA, but root CAs get to renew their own certificates. There are two ways to accomplish this:
The CA can take its existing keys and bind them to a new certificate. This is the most common option, because it allows you to keep reusing the existing keys for signature verification and signing. If you do this enough times, though, the CA’s CRL can grow very large, and that slows performance of all your PKI components.
The CA can generate a new key pair and use it to create a new certificate. This option is useful when you want or need to generate a new key (say, because you fear the old one has been compromised). In essence, this is equivalent to creating a brand-new CA because there’s a new key and certificate.
To begin the renewal process, just right-click the CA whose certificate you want to use and select the Renew CA Certificate command. You’ll be reminded that the CA must be stopped to renew the certificate, then you’ll see a dialog box like the one shown in Figure 11.10. You use this dialog box to specify whether or not you want to create a new key pair for the new certificate. You can’t change the CSP but you can increase the key length in this dialog box.
556
Chapter 11
FIGURE 11.10
Planning, Implementing, and Maintaining Certificate Services
The Renew CA Certificate dialog box
Configuring the CA CAs have a number of configurable properties that control how they behave. Most of these settings have reasonable default values, but there are times when you might need to change them. All of the CA’s properties, including its policy and exit module settings, are available through the Properties dialog box that appears when you select a CA and use the Properties command (either from the Action menu or the context menu). In the following sections, we will look at the various CA properties and how to set them. In additon, we will see how to configure CA templates and CAs.
Setting General Properties The first thing you’ll see in the CA Properties dialog box is the General tab, shown in Figure 11.11. Most of the information here is strictly for reference—although the tab shows you the name and description for the CA, along with the CSP and hash algorithm in use, you can’t change them. You can view the CA certificate’s details with the View Certificate button.
Setting Policy Module Properties The Policy Module tab, as seen in Figure 11.12, shows you which policy module is active, and it lets you configure the current module or change to another one altogether. The selected policy module will almost always be the Enterprise And Stand-alone Policy module that Microsoft supplies with Windows Server 2003 (unless you wrote your own or bought a replacement from a third party). In that case, use the Select button to pick a new policy module from the list of those registered with the system.
Planning and Managing the Certificate Server
FIGURE 11.11
The General tab of the CA Properties dialog box
FIGURE 11.12
The Policy Module tab of the CA Properties dialog box
557
558
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
The Properties button allows you to set options for whichever policy module you have installed. The properties in this dialog box change according to what module is installed.
Setting Exit Module Properties The Exit Module tab, as shown in Figure 11.13, is very similar to the Policy Module tab; it shows you which exit modules you’ve currently configured to work with your CA. A CA can use only one policy module at a time, but it may use several exit modules, which are executed in a series. For example, you could use the Microsoft policy module to publish newly issued certificates to Active Directory and the file system, then use your own module to publish certificates on a Web page or in an Exchange public folder. FIGURE 11.13
The Exit Module Properties dialog box
When you click the Properties button, you’ll see a Properties dialog box with only one checkbox: Allow Certificates To Be Published To The File System. This checkbox lets you specify that you want new certificates stored in the shared folder you specified when you installed the CA. Otherwise, the certificates are stored in Active Directory. At this point, you may be wondering where CRLs are published, since there’s no explicit way for you to specify their disposition. By default, the CA always puts newly generated CRLs in systemroot\system32\certserv\certEnroll. Each CRL gets a name that starts with the letter “c” and includes the date it was generated. If you generate multiple CRLs on one day, the CA adds a suffix number. For example, c030214.crl is the only CRL published on 14 February 2003, while c030311.crl is the fifth CRL published on 11 March 2003. The CRLs will
Planning and Managing the Certificate Server
559
be available to LDAP and HTTP clients (according to the CDPs you specified), and you can take the generated files and publish them wherever you like.
Viewing Storage Properties The Storage tab, shown in Figure 11.14, shows the paths where the CA is keeping its configuration and certificate database files. You can’t change these values after the CA is installed, but it might be useful to have a way to double-check the file locations in case you need them, and this is the quickest way to do so. There is one thing you can change here: If your CA is a stand-alone CA running on a computer with Active Directory access, checking the Active Directory checkbox will move the CA’s configuration information into the directory. FIGURE 11.14
The Storage tab of the CA’s Properties page
Setting Security Properties Like practically everything else in Windows Server 2003, MCS servers can be assigned their own set of permissions that control who can see and change the information the CA owns. These permissions are managed through the Security tab, shown in Figure 11.15. Table 11.3 shows the 12 permission settings that you can apply to the CA; each permission allows someone who holds it to do something specific with the CA. Right out of the box, the following four groups have permissions to use the CA:
The Administrators, Domain Admins, and Enterprise Admins groups have the Issue and Manage Certificates and Manage CA permissions.
The Authenticated Users group has Request Certificates permissions.
560
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
There are also permissions for both CAs and certificate templates that you can configure in Active Directory Sites and Services. You access these permissions within the domain’s Services Public Key Services Certificate Templates node or within the domain’s Services Public Key Services Certification Authorities node. You can also set certificate-related permissions within the domain’s Services Public Key Services Enrollment Services node. FIGURE 11.15
TABLE 11.3
The Security tab of the CA’s Properties page
CA Permissions That May Be Assigned to Users and Groups
Permission
Description
Read
Read certificates only from the database.
Request certificates
Request new certificates (for users or computers).
Issue and Manage Certificates
Issue, revoke, approve, and otherwise manage certificates.
Manage CA
Perform all tasks necessary to manage the CA.
Configuring Certificate Templates Part of configuring the CA is telling it which certificate templates can be used and who can use them. When someone requests a certificate from your CA (as described in the “Requesting
Planning and Managing the Certificate Server
561
New Certificates” section later in this chapter), they can request that the CA use any of the templates you’ve made available, and the issued certificate will be filled out according to the rules in the template. By adding and removing templates, and by setting permissions on the templates that are installed, you get control over what people can do.
Assigning Permissions to Templates You set permissions on the CA itself using the CA Properties dialog box; however, to set permissions on the certificate templates, you have to leave the familiar environment of the Certification Authority snap-in. The Active Directory Sites and Services snap-in is where you actually adjust permissions for enterprise-wide services, including the use of certificate templates and other PKI components. You will adjust template permissions in Exercise 11.1.
You should perform this exercise on an enterprise CA.
EXERCISE 11.1
Assigning Permissions to Templates 1.
Open the Active Directory Sites and Services snap-in.
2.
Highlight the main node for the domain, then right-click the node and choose View Show Services Node.
562
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.1 (continued)
3.
Click Services, Public Key Services, and choose Certificate Templates node. This fills the right half of the MMC window with a list of installed templates.
4.
Right-click the template whose permissions you want to set, and then choose the Properties command. When the Properties dialog box appears, switch to the Security tab.
5.
Adjust the permissions to suit your needs. To keep users from using the template to request new certificates, make sure that you deny the appropriate groups the Enroll permission.
Enabling Automatic Enrollment Users aren’t the only ones who have certificates; Windows 2000, XP, and Windows Server 2003 computers have them, too. Normally, you’d have to manually issue certificates for new computers as they join your AD domain, but this is a pain. Instead, you can use automatic enrollment to have the CA automatically generate a new certificate for each computer that joins the domain. To do this, you have to adjust a setting in the Group Policy Object (GPO) for your domain. Exercise 11.2 shows you how to enable automatic enrollment for the CA.
Planning and Managing the Certificate Server
563
You must use an enterprise CA in order to complete this exercise.
EXERCISE 11.2
Enabling Automatic Enrollment 1.
Open the appropriate Group Policy snap-in, and use it to select the GPO for which you want to turn on automatic enrollment.
2.
Open the GPO’s Computer Configuration node, then open the Windows Settings, Security Settings, and select the Public Key Policies node. This exposes four subfolders beneath the Public Key Policies node.
3.
Right-click the Automatic Certificate Request Settings folder under the Public Key Policies node, and select New Automatic Certificate Request. This starts the Automatic Certificate Request Wizard.
4.
Click Next to get past the wizard’s introductory page. When the Certificate Template page appears, it lists all the types of certificates that can be automatically issued to computers. Normally, you’ll use the basic Computer type, but separate types exist for domain controllers and devices that participate in IPSec. Select the template type you want to use, and then click the Next button.
564
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.2 (continued)
5.
If there are multiple CAs, the Certification Authorities page lists all the CAs available in the Active Directory domain. Choose the one that you want to issue certificates for newly added computers, and then click the Next button.
6.
When the Completing the Automatic Certificate Request Setup Wizard page appears, review your choices and then click the Finish button to actually create the request.
Once you’ve completed these steps, the new request appears as an item in the Automatic Certificate Request Settings folder; you can edit or remove it later by selecting it and using the commands in the Action menu.
Configuring Stand-alone CAs Stand-alone and enterprise CAs have a few differences, about which you’ve already read. You need to know how to perform two additional tasks in order to configure a stand-alone CA, both of which pertain to handling incoming certificate requests. Enterprise CAs always process incoming requests automatically. By default, though, standalone CAs tag inbound requests as “pending” and place them in the Pending Requests folder under the CA’s node in the Certification Authority snap-in. Once queued, the requests will sit there until you either approve or reject them. Configuring stand-alone CAs therefore requires setting the default action for new requests, and handling pending requests.
Setting the Default Action for New Requests If you don’t want requests to automatically be marked as “pending,” you can change the arrival behavior by adjusting the controls on the Default Action tab, which you get to by clicking
Planning and Managing the Certificate Server
565
the Configure button in the Policy Module tab of the CA Properties dialog box (see Figure 11.8 earlier in this chapter). Once you make this change, newly arrived requests will be treated in accordance with your instructions, but you’ll still need to approve or reject any previously queued requests.
Handling Pending Requests The process of approving or rejecting a pending request is fairly easy. Navigate to the Pending Requests folder in the CA snap-in and select it. When you do, all pending requests appear on the right side of the snap-in window. Right-click the request you want to approve or reject, and you’ll see commands for either action.
Configuring Revocation and Trust Issuing certificates is necessary if you want to use a PKI, but it’s not the only thing you have to do. To get ongoing use and security out of your PKI, you have to decide which certificates and issuers you trust, and you need to be able to revoke certificates once their useful life span is over. You do these things by using two separate mechanisms:
The Certificate Trust List (CTL) for a domain holds the set of root CAs whose certificates you trust. You can designate CTLs for groups, users, or an entire domain. If a CA’s certificate isn’t on the CTL, its trustworthiness depends on how you’ve configured your clients (either explicitly or through a GPO) to behave when presented with an untrusted certificate.
The revocation function adds the targeted certificate to the CA’s certificate revocation list (CRL), and a new CRL is published. Clients are required to check the CRL before using a certificate; if the certificate appears on the CRL, clients can not use it. This mechanism is very similar to the authorization mechanism stores use to verify credit cards.
In the following sections, we’ll discuss trusting other CAs, managing the CTL, and managing revocation.
Trusting Other CAs The Trusted Root Certification Authorities folder under the Public Key Policies node in the Group Policy snap-in contains a list of root CAs that you trust. Note that this isn’t the same as a CTL (more on this in the next section); it’s just a list of CAs that individual sites, domains, or organizational units may or may not trust. Because the set of trusted CAs for an Active Directory object is defined as part of the GPO for that object, you can designate exactly which Active Directory objects trust which CAs. You can modify the Trusted Root Certification Authorities list in three ways:
You can add new CA root certificates to it by importing them.
You can remove a certificate from it.
You can change the purposes for which the foreign CA is trusted.
566
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
You do all three of these things from the Public Key Policies node in the Group Policy snap-in. You can then do the following:
To import a new root CA certificate and add it to the trust list, right-click the Trusted Root Certification Authorities folder and select All Tasks Import. Tell the Certificate Import Wizard how to find the new certificate; it will then load the certificate into the store and add it to the trust list.
We’ll discuss certificate stores below in the “Managing Certificates” section.
To remove a certificate from the folder, right-click it and choose Delete. You’ll see a confirmation dialog box that warns you of the consequences of removing the certificate.
To edit the list of purposes that a CA’s certificates may be used for, right-click the CA’s entry in the Trusted Root Certification Authority folder and open its Properties dialog box. By default, all purposes are enabled for newly added certificates, but you can control how these purposes are used by choosing either the Disable All Purposes For This Certificate radio button or the Enable Only The Following Purposes radio button.
The list of trusted root CAs is distributed by the GPO, which means that it is automatically available to all members of the group. Don’t confuse this list with the CTL.
Planning a PKI Deployment with Active Directory As the systems engineer for your organization, you are charged with the responsibility of setting up a PKI that allows for a hierarchy of trust that varies for different departments in your company. Specifically, the Marketing department has a business partner whose certificates they need to trust. However, the Engineering department must not trust any CAs other than the internal CAs. How will you provide a customized solution using Microsoft Certificate Services and Active Directory? You could set up one GPO for your Marketing department that allows them to trust external CAs and another for the Engineering team that allows them only to trust internal CAs. Once you’ve added the foreign CA certificate to your local certificate store, you’ve instructed your clients to trust any certificate issued by that CA as much as they trust certificates issued by their own CA. This is a useful capability, because it allows you to trust CAs operated by other organizations without requiring that they share a common root. Because Windows Server 2003 Active Directory forests allow you to do essentially the same thing with domains, the combination of the two features allows you to selectively trust business partners, suppliers, or other “outside-the-fence” entities that need access to some, but not all, of your network resources.
Planning and Managing the Certificate Server
567
Managing the CTL The Trusted Root Certification Authorities list shows which foreign CAs you trust at all. The CTL shows that you trust how those CA’s certificates will be used. Normally, you use CTLs to designate trust when your enterprise doesn’t have its own CAs. If you do have your own CAs, you’d use the Trusted Root Certification Authorities list to establish the trust list. When you add a foreign CA to your CTL, you’re actually generating a new, digitally signed list that is stored in Active Directory and distributed throughout the domain. You manage CTLs with the Enterprise Trust folder under the Public Key Policies component in the Group Policy snap-in; although this may seem odd, it does make sense because the CTL is stored in Active Directory. You can do two things with CTLs from the Group Policy snap-in: import a CTL from another machine, or create a new one. Both actions are available by right-clicking the Enterprise Trust folder. Then select All Tasks Import to use the Import Certificate Wizard (covered in more detail in the “Importing, Exporting, and Finding Certificates” section later in this chapter), or select New Certificate Trust List to create a new CTL. Exercise 11.3 shows you how to create a new CTL.
You must perform the steps of this exercise on a domain controller.
EXERCISE 11.3
Creating a New CTL 1.
Open the GPO snap-in. Right-click the Enterprise Trust folder: Computer Configuration Windows Settings Security Settings Public Key Policies Enterprise Trust folder. Then select the New Certificate Trust List command to start the Certificate Trust List Wizard. Click the Next button, and you’ll see the Certificate Trust List Purpose page.
2.
If you want to identify this CTL, enter a prefix for it in the provided field. If you want the CTL to be valid for a fixed period, enter its life span in the Valid Duration fields. If you want to restrict the purposes for which the certificate can be used, check the appropriate boxes in
568
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.3 (continued)
the Designate Purposes list. By default, none of these purposes is specified; you must check at least one purpose to create the CTL. Click the Next button.
3.
The Certificates In The CTL page appears. The Current CTL Certificates list shows you which certificates are on the CTL. A newly created CTL will be blank until you add some certificates by using the Add From Store and Add From File buttons. Click the Next button once you’re done.
4.
Next, the Signature Certificate page appears. You use this page to designate which certificate will sign the CTL. The Select From Store and the Select From File buttons allow you to riffle through your certificate stash until you find a certificate that’s marked for use in CTL signing (look for the purpose marked “Microsoft trust list signing”). Click the Next button once you’ve identified the certificate you want to use.
Planning and Managing the Certificate Server
569
EXERCISE 11.3 (continued)
5.
On the Secure Timestamp page you may choose to have the CTL marked with a secure timestamp, which guarantees the authenticity and integrity of the date and time recorded in the CTL. However, you must have access to, and the URL of, a secure timestamp service.
6.
The Friendly CTL Name page allows you to enter a friendly name and description for the CTL; these items are displayed in the Group Policy snap-in whenever the CTL itself is shown in a list.
7.
Once you’ve completed the wizard, you get the usual summary page. Clicking the Finish button will create the CTL and store it in Active Directory.
Managing Revocation Certificate revocation is not something to be done lightly, because there’s no way to reverse the procedure. Once revoked, a certificate stays revoked forever. Sometimes, though, revocation is necessary. For example, you typically need to revoke certificates issued to employees when they leave your organization or when they no longer need the particular certificate type you issued them. Whenever you have some reason to think that a private key may have been compromised, naturally you’ll want to revoke the associated certificate as soon as possible. In the following sections, we’ll cover revoking certificates, publishing CRLs, and changing CRL distribution points.
Revoking Certificates You can revoke any certificate issued by the CA you’re managing; you cannot revoke certificates issued by other CAs because you don’t have the ability to sign a new CRL for them. To revoke one of the certificates you’ve issued, open the Issued Certificates folder in the Certification Authority snap-in, then right-click the certificate and select All Tasks Revoke Certificate. You’ll have the opportunity to choose a reason code for the revocation (the default is “unspecified,” but you can also mark a certificate revoked for a specific reason, like a change of the user’s affiliation or cessation of operations). Once you click OK, the certificate is immediately revoked.
Don’t revoke a certificate unless you’re sure you won’t need it anymore! Your best bet is to first create a new test certificate, and then revoke the old certificate.
In Exercise 11.4 you will revoke a certificate. EXERCISE 11.4
Revoking a Certificate 1.
Open the Certification Authority administrative tool by selecting Start Administrative Tools Certification Authority. Expand the CA folder.
2.
Open the Issued Certificates folder, and then select the certificate you want to revoke.
570
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.4 (continued)
3.
Right-click the certificate, and choose All Tasks Revoke Certificate.
4.
Select a reason code for the revocation, and then click the OK button.
Publishing CRLs The CRL is simply a signed list of certificate serial numbers for those certificates that have been revoked. When you revoke a certificate, it’s immediately added to the CRL, which is then resigned by the CA. However, the CRL isn’t republished at that instant. The CA will automatically publish an updated CRL according to its schedule. The CA’s schedule is determined by the publication interval. When you right-click the Revoked Certificates folder in the Certification Authority snap-in, you can open the folder’s Properties dialog box. The CRL Publishing Parameters tab, shown in Figure 11.16, provides options for the CRL publishing schedule. You can use these controls to adjust the publication interval for CRLs to anywhere from 1 hour to 9999 years (the default is 1 week). Microsoft helpfully included some code that tells you when the next scheduled update will take place, so you can judge when that’s going to happen. You can also configure the delta CRL schedule. Delta CRLs contain incremental CRL information; they only contain data that has changed since the last publication. This helps reduce network traffic if you have a large CRL. The default publication schedule for the delta CRL is one day. You can see the list of CRLs in the View CRLs tab, shown in Figure 11.17. Each full and delta CRL is listed, unless the CA key is reused during a renew. To view the contents of a CRL, select it in the list and click the View CRL button.
Planning and Managing the Certificate Server
FIGURE 11.16
The CRL Publishing Parameters tab
FIGURE 11.17
The View CRLs tab
571
If you need to publish a CRL manually, you can do so by right-clicking the Revoked Certificates item in the CA snap-in and selecting All Tasks Publish command. You can choose to publish either the full CRL or the delta CRL. The snap-in asks you to confirm that you want to
572
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
overwrite the existing CRL; if you agree, the CA will publish the CRL to the set of CDPs that you’ve defined.
Clients still have to pick up the CRL from the CDPs, and that can take some time. Be aware that the time elapsed between selecting the Publish command and the actual arrival of the new CRL on client machines may vary.
Using Delta CRLs to Improve Client Performance You are the systems engineer for an organization with large CAs that have experienced significant amounts of certificate revocation. The CRLs have become very long as a result, and this is causing a degradation in client response time because clients have to frequently download lengthy CRLs. What can you do to improve performance? To resolve the burden on clients of frequent downloads of lengthy CRLs, you can publish delta CRLs. This enables the client to download the most current delta CRL and combine it with the most current base CRL to have an exhaustive list of revoked certificates. The client will ordinarily have a locally cached CRL, so publishing the delta CRLs can potentially improve performance. The client applications must support the CryptoAPI in order to use delta CRLs. If the clients do not support the use of delta CRLs, you must take one of two actions: either do not configure the CA to publish delta CRLs or configure the CA to publish CRLs and delta CRLs on the same interval. This solution provides current CRLs to all applications and enables those applications that do support delta CRLs to use them.
Changing CRL Distribution Points Certificate requests normally include information that tells the CA where to publish (or distribute) the certificate when it’s done. However, because CRLs are solely a function of the CA, there’s no external source for defining CDPs. You do that yourself with the X.509 Extensions tab of the Policy Module Properties dialog box.
Planning Is the Key to a Successful CA Your network has a commercial Web site. Your manager also wants to support encrypted and signed e-mail in addition to the other methods of protecting your information resources. In the past you have helped people obtain VeriSign certificates for mail, but you think it’s time to create your own certificates. You now plan to build a PKI to support the necessary certificates.
Managing Certificates
573
A CA is one of the most forward-looking services that you can deploy in your network. The concept of a validated digital identity is central to a distributed global information system. In the near future, a CA will be as ubiquitous in the enterprise network as a DNS or DHCP, and, of course, a directory service. Some organizations will outsource their CA service, just as they outsource their DNS service. However, as local services’ dependency on certificates grows, most likely a local PKI authority will always be available. The keys to a solid CA, as with a closely coupled directory service, are to plan, experiment, plan, and experiment some more. Remember that every time you create a certificate for an entity, it can be revoked, but the certificate itself should be kept and not deleted. This is part of the security and auditable architecture. For example, if you build a CA hierarchy and create certificates based on a specific directory structure and you then change that structure, you will most likely have to revoke all the certificates affected by the change and then create new ones. This will result in an ever-expanding CRL, which eventually will affect the performance of the CA. One of the better strategies is to build a flat directory tree that is associated only with identity and then use other OUs of the tree to add the attributes that can define the identity with more clarity. For example, as users move around the organization, you can create a geographical OU with values representing the various locations and then have an identity attribute point to one of the location attributes in the geographical OU. This is the type of experimentation that needs to take place before you put a CA hierarchy into production.
Managing Certificates Apart from the intricacies of managing your CA, you also need to be able to manage certificates for your account—including those issued to you. Windows Server 2003 implements a database of certificates, or a certificate store, for each user and computer account. This database contains end user and CA certificates and CRLs. (The certificates themselves may be stored in the local computer’s Registry, in Active Directory, or in a database file, but they all appear as a single, seamless store.) The Certificates snap-in allows you to manage the certificate store associated with your account, with a service account, or with a local computer. The snap-in also allows you to import and export certificates, request new certificates, renew existing certificates, and change various certificate properties. This particular snap-in is intended for use by end users and administrators; some of what it can do is duplicated in Internet Explorer 4 and later. In the following sections, we’ll introduce the Certificates snap-in and discuss how to manage certificates, including viewing and changing certificate properties, requesting new certificates, rekeying an existing certificate, renewing certificates, and importing and exporting certificates.
Introducing the Certificates Snap-In Once you install the Certificates snap-in, you can begin managing certificates in the store you associated with the snap-in when you installed it. For example, if you install the snap-in to manage
574
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
your certificates, you’ll see it listed as Certificates–Current User in the MMC, as shown in Figure 11.18. The snap-in works the same way no matter whose certificate store you’re managing, but (depending on the account you use) you may not have permission to do everything described in this section. FIGURE 11.18
A Certificates MMC console window
When you open the snap-in, you’ll see a number of folders. The folders relevant to our discussion including the following: Personal Folder This folder contains a subfolder named “Certificates,” which contains certificates that belong to you (both those issued to you and those you’ve imported from elsewhere). Trusted Root Certification Authorities folder This folder also contains a Certificates subfolder; it lists the roots you trust. Whether or not you can modify the contents of this list depends on the settings in the GPOs that apply to your account. Enterprise Trust Folder This folder contains one subfolder, labeled “Certificate Trust List.” Your GPO determines its contents, as it’s loaded with whatever CTLs the GPO administrators have defined for you. Intermediate Certification Authorities This folder contains separate Certificates and Certificate Revocation List subfolders. CA certificates and CRLs from CAs other than your own end up here.
Viewing and Changing Certificate Properties The most common task you’ll perform in the Certificates snap-in is probably viewing, and maybe even changing, properties for a particular certificate. Because the certificate contains a large amount of attribute data signed by the CA, many interesting properties are contained in each certificate. Viewing them and changing what you can change are two separate tasks:
To see the certificate’s properties, including the full path back to the top of the hierarchy and the certificate’s attributes, double-click it or use the Open command on the context menu.
Managing Certificates
575
To change the purposes the certificate may be used for, use the Properties command from the Actions or context menus.
This split in behavior seems a little confusing—after all, it would make more sense to view all of the certificate’s properties with the Properties command. It makes more sense when you recall that the certificate’s attributes are vouched for by the CA, so there’s no way for you to change them without invalidating the CA’s signature. You can view and change certificate properties on the General, Details, and Certification Path tabs of the Certificate Information dialog box, or in the Properties page of a personal certificate.
The General Tab The General tab of the Certificate Information dialog box (obtained by double-clicking an issued certificate) appears in Figure 11.19. It summarizes what purposes the certificate can be used for by listing each purpose as a plainly worded bullet point. In addition, it shows the name of the holder, the name of the issuer, and the validity period for the certificate. FIGURE 11.19 is intended.
The General tab of a certificate lists the purposes for which the certificate
This page has a couple of interesting things to note. At the bottom of the display area, you may see a lock-and-key icon, along with a text message, if you have the private key that matches the certificate. The Issuer Statement button at the very bottom of the dialog box area allows you to view any message encoded into the certificate by the issuer. These statements, often called certification practices statements (CPSs), normally set forth the terms and conditions under
576
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
which the CA will issue certificates. Most large commercial CAs (like VeriSign and GTE) include CPSs in their certificates, and they can make interesting reading if you don’t mind wading through lots of legalese.
The Details Tab The Details tab contains the majority of the certificate information. Because each certificate object is a combination of an attribute name and a value, the centerpiece of this tab is a list of the attribute names and values. You can view the full contents of any field by selecting it; in Figure 11.20 you can see the full canonical name of the CA that issued the certificate. FIGURE 11.20
The Details tab of a certificate lists its attribute names and values.
You can use the Show pull-down menu to control which attributes are displayed. By default, all of them are shown, but you can limit the display by asking to see only required extensions, all extensions, or old-style X.509 version 1 attributes.
The Certification Path Tab Every certificate will be part of some kind of certificate hierarchy, even if it’s a self-signed root certificate. Viewing the full hierarchy for a certificate is often useful, so you can see its exact provenance—much like you’d want to see the pedigree on an allegedly purebred puppy before taking it home. The Certification Path tab, shown in Figure 11.21, shows you the complete ancestry of the selected certificate. The tab also warns you when one, or possibly more, of the ancestors of the current certificate isn’t trusted. If it’s displaying a certificate that isn’t trusted, the Certificate Status field at the bottom of the tab explains exactly what’s occurring.
Managing Certificates
FIGURE 11.21 certificate.
577
The Certification Path tab shows you the full hierarchy path for this
When you select a CA that’s above you in the hierarchy, the View Certificate button in the dialog box becomes active. Clicking it displays a separate Certificate Information dialog box for the selected certificate.
Changing Certificate Purposes If you use the Properties command on a personal certificate you’ll see a dialog box very similar to the one in Figure 11.22. By choosing the appropriate radio button, you can change the specific tasks for which this certificate can be used:
The Enable All Purposes For This Certificate button is set by default. When it’s on, the certificate can be used for any purpose that’s allowed by its issuer. That restriction exists because the issuer has control over which purpose flags are encoded into the certificate, so it’s not possible for an end user to use a certificate for any purpose not provided for by the issuer.
The Disable All Purposes For This Certificate button essentially shuts off the certificate, preventing its use for anything at all, without revoking or deleting it. This is a useful way to temporarily disable a certificate.
The Enable Only The Following Purposes radio button, in conjunction with the list box below it, allows you to mix and match only the purposes for which you want the certificate to be used. The note above the list box explains that the listed purposes will be drawn from the purpose flags encoded into the certificate.
578
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
FIGURE 11.22 A personal certificate’s Properties dialog box allows you to edit the list of purposes for which it can be used.
Requesting New Certificates Requesting a certificate is simple, because you normally request one only for yourself. When you right-click the Personal folder, or its Certificates subfolder, you’ll notice that the All Tasks submenu has an additional command: Request New Certificate. When you choose that particular command, you’re actually starting the Certificate Request Wizard. In Exercise 11.5, we will show you how to request a certificate using this wizard. EXERCISE 11.5
Requesting a Certificate 1.
Open the Certificates snap-in from an MMC console session using the Add/Remove Snap-In utility.
2.
Right-click the Personal folder, and choose All Tasks Request New Certificate. The Certificate Request Wizard appears.
3.
Skip the introductory page by clicking the Next button.
4.
The Certificate Types page appears, listing all of the available certificate types that you can access. The contents of this list depend on what permissions have been set for templates in your domain. Pick a template from the list. If you want to specify that the private key for
Managing Certificates
579
EXERCISE 11.5 (continued)
this certificate should be protected, click the Advanced checkbox (do so for this exercise). Click the Next button when you’re done.
5.
If you checked Advanced in the Certificate Types page the next thing you’ll see is the Cryptographic Service Provider page, which lists all of the available CSPs. If you want to use a particular CSP to request this certificate, choose it from the list. More likely, you’ll want to check the Enable Strong Private Key Protection checkbox, which forces the OS to alert you any time an application attempts to use your private key. You can also increase or decrease the key length from 1024 bits. Click Next when you’ve made the appropriate changes.
580
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.5 (continued)
6.
If you checked Advanced, the Certification Authority page appears, allowing you to choose the CA and computer to which your request will be sent. You can change them if you like. Click Next when you’re done.
7.
The Certificate Friendly Name And Description page lets you supply a friendly name and description for the certificate. These data won’t be encoded into the certificate, but they will be stored with it so you can edit them later if necessary. Click Next to continue.
8.
The Wizard Summary dialog box appears. Click Finish to send the request to your CA.
What happens next depends on your CA. If it’s set to automatically process requests, you’ll get either an error dialog box indicating that the request failed for some reason or a dialog box offering to automatically install the certificate in the store for you. If you’re using a standalone CA that’s set to mark requests as pending, you’ll have to come back later and check the status of the request.
Using the Web Enrollment Agent If you chose to install the Web enrollment component of the CA, your CA can also issue certificates to Web clients via a Web-based interface—assuming, of course, that your clients are all using Internet Explorer for Windows and IIS is installed on the CA. IIS is the web server built into Windows Server 2003. IIS is installed in much the same way as certificate services. By default, the CA pages are at http://ca-name/certsrv/, where ca-name is the name of the CA server in question. When you load that page, you see a welcome page that gives you three choices:
The Download A CA Certificate, Certificate Chain, Or CRL task takes you to a set of pages from which you can download the current CRL, the CA’s certificate, or the CA’s entire certification chain.
Managing Certificates
581
The Request A Certificate task leads you through a series of pages very similar to the ones in the snap-in’s Certificate Request Wizard. One interesting difference is that you can use the Web interface to feed the CA a PKCS#10-format certificate request generated by another application; you can also take a private key that’s already on a smart card and request a certificate using that key pair.
The View The Status Of A Pending Certificate Request task looks up any pending requests and tells you whether they’ve been approved or not.
You will see exactly how to issue a certificate with the web enrollment component in Exercise 11.6. Your server must be configured to use IIS in order to continue. EXERCISE 11.6
Issuing Certificates 1.
Install the CA and Web components, following the instructions in the previous “Installing the CA” section.
2.
Open a Web browser and load the CA enrollment page (http://ca-name/certsrv/). If you’re using Windows 2000, XP, or Windows Server 2003, the browser will identify you to the CA. If not, you’ll have to log on to the domain; the browser will prompt for credentials.
3.
When the Microsoft Certificate Services page appears, click Request A Certificate.
4.
In the Request A Certificate page, click User Certificate.
582
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.6 (continued)
5.
The User Certificate–Identifying Information page will appear. Click Submit and a summary page will appear telling you that the CA has all the information it needs.
6.
If you have automatic certificate approval turned on, you’ll see a page titled Certificate Issued with a link reading Install This Certificate. Click it and your new certificate will be downloaded and installed; if your CA requires approval, you’ll have to go back and manually approve the request.
Rekeying an Existing Certificate If you need to, you can request that your existing certificate be reissued, either with the same key or a new one. You might want to do this if you lose the private key, but not if you suspect it’s been compromised (in that case, the right thing to do is to revoke the old certificate). If you want to rekey your existing certificate, do so by right-clicking the target certificate and choosing either All Tasks Request Certificate With New Key or All Tasks Request Certificate With Same Key command. Whichever one you pick will take you through the Certificate Request Wizard again; the difference is that internally the wizard remembers that you want to change the key pair bound to the certificate, not issue an entirely new one.
Renewing a Certificate Just as when you rekey a certificate, you can renew a certificate in one of two ways—by keeping the existing key pair or by requesting a new one. When you rekey, the certificate attributes stay the same, but the key pair may change. When you renew, some certificate attributes change. Microsoft includes a Certificate Renewal Wizard that you can get to by right-clicking a certificate and using the All Tasks Renew Certificate With Same Key and All Tasks Renew Certificate With New Key commands. In either case, the wizard starts by asking you to choose whether you want to use your CA’s default settings or buck the trend by setting your own.
Managing Certificates
583
While you might think the dialog box’s text about “settings” and “values” applies to the expiration interval, it doesn’t—it’s really just a pair of radio buttons that act like the Advanced checkbox in the Certificate Request Wizard. If you choose the No, I Want To Provide My Own Settings radio button, you’ll get to pick a CSP and a CA, just like you do when Use Custom Setting To Generate The Key Pair And CA Certificate is checked.
Importing, Exporting, and Locating Certificates Your certificates can be added to your store when you request them. However, moving certificates in and out of your own personal store is frequently desirable. For example, assume that one of your users needs to exchange encrypted e-mail with a business partner. Neither you nor the business partner wants to cross-certify your CAs, so the easiest way to make the communications happen is to have your user export their certificate and send it to the other party, and vice versa. The following sections discuss exporting and importing certificates.
Exporting Your Certificates You may find it necessary to export a certificate from your store so that you can import it someplace else. The Certificates snap-in can export certificates and private keys in a wide variety of formats. Exercise 11.7 shows you how to export a certificate to a file. In Exercise 11.8, you will import the certificate that you just exported.
EXERCISE 11.7
Using the Certificate Export Wizard 1.
Right-click your certificate, and use the All Tasks Export command to start the Certificate Export Wizard. Click Next to dismiss the wizard introduction page.
2.
If you’re exporting a certificate for which you have a corresponding private key, you’ll see the Export Private Key page asking you whether you want to export the private key or just the certificate. If you created your certificate with the Enable Strong Private Key Protection checkbox set, the Yes, Export The Private Key radio button will be grayed out because you can’t export protected private keys.
3.
Next, the Export File Format page appears so that you can choose the format for the exported certificate. If you’re only exporting a certificate, your choices are as follows:
Plain binary X.509 format (labeled as DER Encoded Binary X.509 (.CER)). This format is just a bunch of binary data, so it’s well suited for copying around on the network, onto removable disks, and so on. Most programs can accept CER files in this format, so this is a pretty portable choice.
584
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.7 (continued)
X.509 format, encoded using the base-64 encoding system. Base-64 encoding is used for moving binary data around in e-mail messages; in addition, some PKI components expect to see only base-64 certificates.
PKCS#7 binary format (.P7B). This is the format used by most e-mail security tools, and it can contain many certificates in a single file—something that the CER files can’t do. The Include All Certificates In The Certification Path If Possible checkbox causes the exporter to include as many of the intermediate and root CA certificates as possible in the output file, which makes it possible to deliver a complete end-to-end certificate chain to someone in a .P7B file.
4.
If you’re exporting a certificate with a private key, you get only one choice—PKCS#12 format (in the form of a .PFX file)—because the PKCS#12 standard defines a secure way to encrypt a private key and store it along with the certificate. When you use PKCS#12 format, you can use three checkboxes to control what else goes in the .PFX file:
The Include All Certificates In The Certification Path If Possible option puts as much of the certificate chain as possible in the .PFX file.
The Enable Strong Protection option turns on strong protection for the exported private key. A protected private key can’t be exported, and the operating system will notify you whenever an application requests access to the key. This only works if you have Windows NT 4 SP4 or later, Windows 2000, XP Professional, or Windows Server 2003, all with Internet Explorer 5 or later.
The Delete The Private Key If The Export Is Successful option removes the private key from your local store. Check this option when you want to permanently move a key pair someplace else (unchecking it will leave the certificate in place for future use) or you want to test export/import capability. Make your choices, and then click Next.
Managing Certificates
585
EXERCISE 11.7 (continued)
5.
If you’re exporting a .PFX file, you’ll be prompted to enter and confirm a password on the Password page.
6.
You must enter a filename for the exported certificate on the File To Export page. The default path on most machines is C:\Documents and Settings\username\.
7.
Check the Confirmation page to double-check what the wizard is about to do, and then click the Finish button when you’re done. The certificate will be exported, and you’ll receive notice of the operation’s success or failure.
Importing a Certificate Importing certificates is the best way to move your certificates from some other computer or program into the Windows Server 2003 PKI. For example, if you have a VeriSign certificate that you’ve been using with Netscape Navigator on your home PC, you can export it and then import it onto your laptop so you can use it with Internet Explorer. The Certificates snap-in can import certificates in several different formats. In general, the hardest part of using the Import Certificate Wizard is remembering where on the disk you put the file—the wizard takes care of all the details for you. Exercise 11.8 shows you how to use the Certificate Import Wizard to import the certificate that you exported in the previous exercise. EXERCISE 11.8
Using the Certificate Import Wizard 1.
Start the wizard by right-clicking the appropriate certificate storage folder, and choose the All Tasks Import command from the context menu.
2.
Skip the introductory page by clicking its Next button.
3.
On the File To Import page, provide the full path and filename of the certificate file that you exported in the previous exercise, and then click the Next button. Alternatively, you can browse to the file by selecting the Browse button. You can import certificates in three formats:
PKCS#12 (.PFX or .P12) files are used to store certificates with their associated private keys. Outlook, Outlook Express, and Netscape’s tools all produce PKCS#12 files when you export a certificate, as do many third-party PKI components.
PKCS#7 (.P7B, .P7C, or .CRT) files are used to store certificates without keys. A PKCS#7 file can contain an entire certificate chain (including CA certificates) or just a certificate—the application that creates the file gets to decide what goes in it. Almost every PKI component that runs on Windows can produce PKCS#7 files.
586
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
EXERCISE 11.8 (continued)
Microsoft’s own SST format, which is sparsely used.
4.
If you are importing a PKCS#12 file, the Password page appears and you will be prompted to enter the correct password. Use the password that you specified in Step 4 of the previous exercise. You can also enable strong private key protection and mark the key as exportable from the Password wizard page. Click Next to continue.
5.
The Certificate Store page allows you to choose the store in which you want to put the certificate. You have two choices:
Choose the Automatically Select The Certificate Store Based On The Type Of Certificate radio button to let the snap-in determine the proper store for the certificate based on its type, issuer, and owner information. This is probably the easiest choice for ordinary use, especially since PKCS#12 and PKCS#7 files can contain multiple certificates.
Choose the Place All Certificates In The Following Store radio button, and then use the Browse button to locate the store you want to use. If you’re sure where the certificate goes, this is the better choice (in fact, the snap-in sets this as the default choice if you select a certificate folder before you use the Import command).
Summary
587
EXERCISE 11.8 (continued)
Once you’ve chosen the destination for the certificate, click the Next button.
6.
The Completing The Certificate Import Wizard page is displayed. Click Finish to actually import the certificate. You’ll get a dialog box indicating whether the import attempt succeeded or not.
Summary In this chapter, you learned:
The fundamental concepts of certificate-based authentication services, including what a certificate authority is, what solutions it provides, and how Microsoft’s CA works.
How to plan and manage a PKI using MCS. The planning process involves considering different certificate issuance requirements, planning for certificate enrollment and distribution, and planning for special solutions including the use of smart card authentication and security for wireless networks.
How to install and configure the certificate server included with Windows Server 2003.
How to configure Active Directory for certificate publication. Certificates are published to Active Directory by default. You can also use the certutil -dspublish command to publish certificates and CRLs.
588
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
Exam Essentials Understand the key features that encryption and signing provide. Confidentiality ensures that encrypted data can’t be read by anyone except the intended recipients. Authentication is used to verify the identity of the sender. Digital signatures can provide integrity as well as nonrepudiation, which make it virtually impossible for someone to deny having signed a document. Know the four things the public-key infrastructure (PKI) needs to do. The PKI needs to make it easy to issue, review, revoke, and manage trust levels for keys. A PKI offers a way for clients to find and fetch public keys and information about whether a specific key is valid or not. A PKI provides an easy-to-use way for users to use keys—not just by moving keys around where they’re needed, but also by providing easy-to-use applications that perform public-key cryptographic operations for securing e-mail, network traffic, and other types of communication. Understand the different components of a PKI. CAs issue certificates, revoke certificates they’ve issued, and publish certificates for their clients. Certificate publishers make certificates and CRLs publicly available, inside or outside an organization. Management tools allow you, as an administrator, to keep track of which certificates were issued, when a given certificate expires, and so on. PKI-savvy applications allow you and your users to do useful things with certificates, such as encrypt e-mail or network connections. Understand the difference between an enterprise CA and a stand-alone CA. The enterprise CA acts as part of the PKI for an enterprise. It issues and revokes certificates for end users and intermediate CAs according to the policy and security settings that you apply to the CA. Standalone CAs don’t require Active Directory access, because they’re designed to do nothing but issue certificates for external use. A stand-alone CA is made to issue certificates to people who aren’t part of your organization, such as Internet users or business partners. Understand what certificate templates are. Certificate templates act like rubber stamps. By specifying a particular template as the model you want to use for a newly issued certificate, you’re actually telling the CA which optional attributes to add to the certificate, as well as implicitly telling it how to fill in some of the mandatory attributes. Templates greatly simplify the process of issuing certificates, because you don’t need to memorize the names of all the attributes you might potentially want to put in a certificate. Understand CA roles in Windows Server 2003. Enterprise root CAs sit at the top of a certificate hierarchy. Although they can issue certificates to end users or subordinate CAs, normally they are used only to issue certificates to subordinate CAs. Enterprise subordinate CAs live in an enterprise CA hierarchy below the root. They typically issue certificates to computers and users, not to other subordinate CAs. Stand-alone root CAs stand alone, just as the name implies. They don’t necessarily take part in your network at all, although they can be physically connected. Stand-alone subordinate CAs normally issue certificates to people. They usually don’t take part in Active Directory, although they can.
Exam Essentials
589
Understand recovery keys. If the key used to encrypt a piece of data (on an EFS volume, in an e-mail message, or elsewhere) is lost, the recovery key can be used to decrypt the data. Know how to install the Certificate Server. You install the Certificate Server using the Windows Components Wizard. After installing the server, you need to install the Certificates snap-in and the Certificate Authority snap-in management tools. Know how to control the CA service. The Retarget Certification Authority command lets you point the snap-in at a different CA. You can use the Start Service and Stop Service commands from the context menu. The two-step process of backing up the CA is conceptually simple. First, you use the Certification Authority Backup Wizard to make a usable copy of the CA’s data. Next, you use Windows Server 2003 Backup tool to back up your CA data to disk, tape, CD-RW, or whatever you use for backup. It’s likely that you’ll need to renew your CA certificates periodically. Understand certificate revocation and trust. The Certificate Trust List (CTL) for a domain holds the set of root CAs whose certificates you trust. You can designate CTLs for groups, users, or an entire domain. The revocation function adds the targeted certificate to the CA’s certificate revocation list (CRL), and a new CRL is published. Clients are required to check the CRL before using a certificate; if the certificate appears on the CRL, clients may not use it. Know how to use the Certificates snap-in. The most common task you’ll perform in the Certificates snap-in is probably viewing properties, and maybe even changing them, for a particular certificate. To request a new certificate, right-click the Personal folder and choose All Tasks Request New Certificate. The Certificate Request Wizard appears. You can request that your existing certificate be reissued, with either the same key or a new one. Just as when you rekey a certificate, you can renew a certificate in two ways: by keeping the existing key pair or by requesting a new one. Sometimes the easiest way to make communication happen is to have your user export their certificate and send it to the other party, and vice versa. Be able to plan a PKI using MCS. Plan an MCS solution that meets specific needs. This involves considering different certificate issuance requirements, planning for certificate enrollment and distribution, and planning for special solutions including the use of smart card authentication and security for wireless networks. Know how to configure Active Directory for certificate publication. Certificates are published to Active Directory by default for a CA that uses Active Directory. To publish certificates in a domain, the server on which the CA is installed must be a member of the Certificate Publishers group in Active Directory. The server is automatically a member of the Certificate Publishers group for the domain of which it is a member. You can also use the certutil -dspublish command to publish certificates and CRLs.
590
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
Key Terms Before you take the exam, be certain you are familiar with the following terms: algorithm
entities
asymmetric encryption
exit modules
authentication
hashing algorithm
certificate hierarchy
integrity
certificate policy and practice statements
key
Certificate Revocation Lists (CRLs)
key escrow
certificate store
Microsoft Certificate Services (MCS)
Certificate Trust List (CTL)
nonrepudiation
certification practices statements (CPSs)
policy modules
cipher
private key
ciphertext
public key
confidentiality
public key cryptography
cryptography
public key infrastructure (PKI)
decryption
recovery agents
digest
recovery keys
digital certificates
root certificate authority
digital signatures
secret key cryptography
Encrypting File System (EFS)
signing
encryption
symmetric encryption
Review Questions
591
Review Questions 1.
You are the network administrator for a financial services company that has many prominent clients with vast sums of money. Information regarding the company and its clients must be managed with the utmost confidentiality. Your client contract guarantees this confidentiality. You have been charged with making sure that every internal transmission on the network between the employees associated with a particular client is accessible only to people who are appropriately involved with that client’s information. You install an enterprise root CA with an enterprise subordinate–issuing CA and then deploy IPSec and EFS on all the systems in the company. This gives you encryption and authentication of all communication between employees, as well as security on the hard drive of each machine. In implementing EFS, you have created the recovery agent certificate and the necessary private keys on the initial Active Directory domain controller. What else can you do to protect the recovery agent private key for the entire domain in case it is needed to recover encrypted data from a person’s computer after he leaves the company? A. Log on to the domain controller using the domain Administrator account and export
the default recovery agent certificate to removable storage. Select the Delete The Private Key If Export Is Successful option. B. Log on to the domain controller using the local Administrator account and export the
default recovery agent certificate to removable storage. Select the Delete The Private Key If Export Is Successful option. C. Log on to the domain controller using the domain Administrator account and export
the default recovery agent certificate to removable storage. Select the No, Do Not Export The Private Key option. D. Log on to the domain controller using the local Administrator account and export the
default recovery agent certificate to removable storage. Select the No, Do Not Export The Private Key option. 2.
The security policy at your organization has been modified to include mutual authentication on all connections between servers and workstations on the private network. You have upgraded your network to Windows Server 2003 running in Native mode. Because you know that you have to implement certificates for the authentication, you install an enterprise root CA and an enterprise subordinate CA to issue the individual certificates for the network. You want each user’s machine to automatically enroll for the computer certificate that’s necessary for mutual authentication within the Active Directory domain. With this objective in mind, you configure a Public Key Group Policy for the domain. What do you need to include in this policy to meet your objective? A. Enable mutual authentication. B. Issue Enrollment Agent certificates for the domain computer users. C. Publish the CTL that includes the use of computer certificates in the domain. D. In the computer certificate template, grant Enroll permission to all domain computers.
592
3.
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
You administer a Windows Server 2003 domain on which you have installed an enterprise root certificate authority and an enterprise subordinate certificate authority for secure e-mail. You believe that one of the private keys may have been compromised, and you need to invalidate the associated certificate as soon as possible. Which of the following actions must you take to invalidate the certificate? A. Publish a CRL without revoking the certificate. B. Enable strong private key protection. C. Revoke it using the Certificate Revocation dialog box from the Certification Authority
MMC snap-in. D. Export the certificate to a floppy disk and lock it in a safe. E. Delete the certificate. 4.
One of your users, Tammy, suffered a disk failure and lost her private key. She wants to continue using her existing certificate. This requires which of the following actions? A. Her certificate must be revoked. B. Her certificate must be reissued. C. Her certificate must be rekeyed. D. Her certificate must be renewed.
5.
The Acme Investment Company is developing a whole new range of financial services on their Web site. They are going to offer their services to the public, and they want to have all the transactions done over the Internet to keep costs down. Their internal network is composed of 100 Windows XP Professional workstations and three Windows Server 2003 servers, one of which runs an Internet Information Server. The IIS Server is a stand-alone server because it isn’t considered part of the internal network and it contains a database with client personal information. You want to provide a high level of security when users access the Web site. You also want to create the feeling that your site is a legitimate financial institution and you are in fact who you claim to be. To provide a solution, you plan to install a SGC certificate for your site. How can you obtain a SGC certificate for this situation? A. Install a stand-alone root CA and then obtain the SGC server certificate from
that CA. B. Install an enterprise root CA with a child subordinate and obtain the SGC. C. Obtain the SGC from a commercial CA. D. Install a stand-alone root CA with a child subordinate and obtain the SGC from
that CA.
Review Questions
6.
593
The Risk and Mitigation Insurance Company has a Web site that is hosted on an Internet Information Server running on Windows Server 2003. This IIS server is a member of the single Active Directory domain network. The main pages on the IIS server are a series of personal questions (including medical, financial, and other personal history questions) that are needed to obtain insurance quotes. Before a potential customer fills out the application for the quotes, you guarantee that the information will remain confidential and that only the appropriate people within your company will evaluate the information. To ensure that only certain people in your organization can see the information, you need to build a CA. To provide this level of service, what kind of CA hierarchy look should you use? A. An enterprise subordinate child CA of an enterprise root CA B. A stand-alone child subordinate CA of a commercial CA C. An enterprise child subordinate CA of a commercial CA D. A stand-alone child subordinate CA of a stand-alone root CA
7.
The Codeworks Company develops Java applets and ActiveX controls for Web browsers. These applications are sold over the Internet and are downloaded immediately after customers enter their credit card information. You obviously have a CA to provide security for the transaction, but you also want to offer signing so that customers can be sure that the software is coming from your organization. Your CA is set up with a root CA with an enterprise subordinate CA for issuing certificates. What should you do to provide the signing capability for your Web site? A. Request a User Signature Only certificate from your enterprise subordinate CA. B. Request a User Signature Only certificate from a commercial CA. C. Request a Code Signing certificate from your enterprise subordinate CA. D. Request a Code Signing certificate from a commercial CA.
8.
Rajesh, one of your systems engineers, has set up a stand-alone subordinate CA for his users. Users started requesting certificates as soon as the CA was activated, but no user has received a certificate. What is the most likely cause of this problem? A. The CA is misconfigured. B. User requests have been going to the wrong CA. C. The certificates have been issued and published, but they have not yet returned
to the users. D. The requests are marked as pending, so they’re sitting in a queue for approval.
594
9.
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
The Acme Law firm deals daily with very sensitive information about public figures. You have upgraded the firm’s network from Windows NT to Windows Server 2003, and it consists of 200 Windows 2000 Professional workstations and 10 Windows Server 2003 servers. Although you have solid perimeter security, the partners are concerned about liability from internal people who are not related to clients and who obtain information improperly. Most of the employees aren’t technically savvy, but the firm still wants the highest level of security to demonstrate good faith, in case a problem should develop. You plan to create a certificate authority hierarchy that will only be used internally to support IPSec encryption and mutual authentication. How should you set up the root CA so that it is most secure from internal access? A. Install a stand-alone root CA connected to the domain and then remove it. B. Install an enterprise root CA that is not connected to the domain. C. Install an enterprise root CA on a computer connected to the domain and then
remove it. D. Install a stand-alone root CA on a computer not connected to the domain. 10. Acme revoked a user’s certificate because she left the company. Then she came back. What’s the best way to reintegrate the user into Acme’s PKI? A. Issue her a new certificate. B. Rekey her old certificate. C. Manually remove her old certificate from the CRL. D. Regenerate a new CRL. 11. Your company is preparing to downsize in the wake of a merger with another company. You are the administrator of the Windows Server 2003 network that has Active Directory running. You are running an enterprise root certificate authority and an enterprise subordinate CA to issue certificates for authentication and access to internal Web sites. In order to protect the resources on the network, you need to invalidate the certificates for the people who will be leaving the company so that they can’t access the network. How do you invalidate the users’ certificates? A. Export their certificates. B. Rename their certificates. C. Revoke their certificates. D. Enable certificate protection.
Review Questions
595
12. You are responsible for protecting the data on your Windows Server 2003 network, which is used for the development operations lab of an aeronautics firm that is working on government contracts. Your perimeter is secure, as there is no outside access to the network at all. The network is used for internal purposes only, and there is no need to move raw data outside the building. However, the government requires that the data be kept secure at all times, which means that it must be secure on the wire and on the disks. To provide this level of security, you have implemented IPSec and EFS on the entire network. One of the researchers at the facility has vanished, and critical information that you need to obtain immediately is on his hard drive. Because you have configured the administrator as a recovery agent, you attempt to recover the data, but your attempt fails. What can you do to get the encrypted information from the hard drive? A. Install another instance of Windows Server 2003 and then retrieve the data. B. Delete all the recovery keys. C. Create a new recovery key with the missing user’s certificate stored in the CA. D. Use the recovery agent’s EFS private key. E. You can’t recover the data, because back doors, even for special circumstances, defeat
the whole purpose of truly secure data. 13. One of your systems engineers needs to restrict certain user accounts so that users can request only User certificates. To do this, she must use the _______________ snap-in to _______________. A. Active Directory Sites and Services; deny the users Enroll permission on everything
except the User template B. Active Directory Users and Computers; deny the users Enroll permission on everything
except the User template C. Certificates; remove the users’ certificates D. Certification Authority; turn off enrollment for those users 14. John wants to restrict who can request certificates for users. What does he need to do to accomplish this? A. He needs to remove the Enroll permission from the Authenticated Users group. B. He needs to remove the Enroll permission from the Administrators group. C. He needs to remove the Issue Certificate permission from the Administrators group. D. He needs to remove the Enroll and Manage permissions from any groups he doesn’t
want to be able to issue certificates. 15. Ashley, a systems engineer in your organization, installed a CA on a Windows Server 2003 member server. She now wants to join an Active Directory domain. What effect will this have on the CA installation? A. It will have no effect. B. The CA will need to be removed and reinstalled. C. The CA will need to have its certificate reissued. D. The parent CA will need to be reinstalled.
596
Chapter 11
Planning, Implementing, and Maintaining Certificate Services
Answers to Review Questions 1.
A. Storing the key in the secure location is another step you can take that adds an extra layer of security. This also removes the recovery agent account. Selecting the Delete The Private Key If Export Is Successful option removes the key from the domain controller after it is exported. Obviously, you need to take care in where and how you store this key—a CD-ROM or Zip disk is preferable to a standard floppy. You need to log on with the domain account because you are dealing with the recovery agent for the domain. If you wanted the key for a specific machine, you would use the local administrator account for that machine.
2.
D. Granting enrollment privileges to all the domain computers eliminates the need for the administrator to log on to each computer and request a computer certificate for the machine. With this privilege in place, each member machine of the domain has its own certificate that can be used to verify itself to other machines. Mutual authentication is the goal, but there is no switch that you turn on in the policy to accomplish this. Computer certificates by definition can be issued only to computers, not to users. Publishing the CTL only informs what certificates have been created; it doesn’t convey the privileges or issue the certificates themselves.
3.
C. When you want to invalidate a certificate, you must revoke it using the Certificate Revocation dialog box from the Certification Authority MMC snap-in. You must specify a reason for revoking the certificate; in this case, it is Key Compromise. After you revoke the certificate, you should manually publish the CRL, letting users know that the certificate is no longer valid.
4.
C. Rekeying causes the CA to resign the existing certificate after its key material has been regenerated.
5.
C. An SGC certificate is an extension of SSL and is used to provide added encryption between client sessions and Web servers. You cannot obtain an SGC certificate from a stand-alone or enterprise CA, as it must come from a commercial CA that is guaranteeing that you are authentic.
6.
C. An enterprise CA will work in conjunction with Active Directory and will allow you to control employee access to particular areas or files on the IIS server. If it’s set up as a subordinate child of a commercial CA, it will allow a certificate that can be verified as authentic by the commercial CA to be created by your enterprise CA. If you use your own root CA, the client will have to trust you from a self-referential source. A root CA is recommended for certifying subordinate CAs, not for issuing certificates.
7.
D. Many Internet browsers are configured not to accept programs and scripts unless they are signed by a trusted authority. A commercial CA is more trustworthy than your CA because by definition it’s not self-referential. User certificates are used to identify, through signatures and encryption, users’ communication, such as e-mail. An enterprise CA is used to identify an organization’s own users, rather than the enterprise itself as an entity.
8.
D. Stand-alone CAs can mark requests as “pending,” in which case the requests will be queued until the administrator approves or rejects them.
Answers to Review Questions
9.
597
A. Installing the root CA on a computer connected to the domain ensures that the CA updates Active Directory and that all the domain member computers and users will trust the certificate it issues. You then remove the root CA, configuring it as an offline CA, and store it in a secure location. An enterprise CA is best suited for issuing certificates within an organization because it is closely tied to Active Directory. You can’t take an enterprise CA offline—it would not be able to issue certificates without the link to Active Directory.
10. A. Once the certificate is revoked, it can’t be unrevoked, even by removing its serial number from the CRL. The only way to get the user back into the PKI is to issue her a new certificate. 11. C. Revoking a certificate permanently renders the certificate invalid. You can also place a certificate on hold until it expires, but this method doesn’t give you the opportunity to add the certificate to a Certificate Revocation List and give a reason for the action. This latter action is preferred because you immediately inform others about the action and you have a history of why it occurred. Exporting a certificate only copies it to another location and doesn’t remove it from the CA. Renaming a certificate is not an option. Enabling certificate protection forces the user to enter a password each time the user wants to encrypt information. 12. D. A recovery agent should use their private key to gain access to data that has been encrypted. By default, the administrator is designated as the recovery agent for a computer the first time the administrator logs on to the machine. Therefore, you are free to modify recovery settings by adding recovery agents that modify policies on who can initiate recovery. One of these modifications is to remove all the recovery keys from the local machine. Installing another instance of Windows Server 2003 won’t help you see data encrypted by another system; that method would work for bypassing file permissions but not encryption. Creating a new recovery key from the user’s certificate isn’t a valid option. 13. A. To restrict which templates certain users can use, set permissions for those users in the Active Directory Sites and Services snap-in. 14. D. Enroll permission allows a user to issue certificates. By default, the Authenticated Users group has this permission, as do all of the Administrators groups. To restrict access, you have to remove this permission from all groups, and then grant it only to the users you want to have it. 15. B. You can’t rename a computer or join or leave a domain once the CA is installed.
Chapter
12
Planning and Implementing Domains, Trees, and Forests MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan a strategy for placing global catalog servers.
Evaluate network traffic considerations when placing global catalog servers.
Implement an Active Directory directory service forest and domain structure.
Create the forest root domain.
Create a child domain.
Create and configure Application Data Partitions.
Install and configure an Active Directory domain controller.
Set an Active Directory forest and domain functional level based on requirements.
Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and crossforest trusts.
Manage an Active Directory forest and domain structure.
Manage trust relationships.
Manage schema modifications.
Add or remove a UPN suffix.
So far in Part 2 of this book, we've been focusing on topics related to planning a corporate network infrastructure. Now we’re going to switch gears a bit and concentrate our attention on the Active Directory, probably the most important evolution in the Windows server lineup since Windows NT 4. The Active Directory was actually introduced with Windows 2000 Server, but Windows Server 2003 adds a lot of new functionality and interface enhancements that further evolve the product. Just as in Windows 2000, though, the success of Active Directory is very dependent on your ability to plan and organize your business’s needs. The time you spend understanding these concepts is very important because the success of your Active Directory implementation depends on them. Now that you are familiar with the basic information, you need to start looking at exactly how the Active Directory can be implemented. You will begin by examining the necessary steps and conditions you need to follow to prepare to install the Active Directory on your network. First, you need to prepare for the Domain Name System (DNS), since Active Directory cannot be installed without the support of a DNS server. You also need to verify that the computer you upgrade to a domain controller meets some basic file system and network connectivity requirements so that the Active Directory runs smoothly and efficiently in your organization. Next, you’ll explore the new concept of domain functional levels, which essentially determine what sorts of domain controllers you can use in your environment. For instance, in Windows 2000 mixed domain functional level, you can include Server 2003, 2000 Server, and NT 4 Server domain controllers, but the functionality of the domain is severely limited. Once you understand how to properly plan for your domain environment you will learn how to install the Active Directory, which you accomplish by promoting a Windows Server 2003 computer to a domain controller. You will also learn how to verify the installation by testing the Active Directory from a client computer. After the initial Active Directory installation, you will learn how to install and configure Application Directory partitions, which provide replicable data repositories using the Active Directory paradigm but don’t actually store any security principals, such as users or groups. As the name implies, Application Directory partitions are primarily used to store data generated by applications that need to be replicated throughout your network environments independently of the rest of the Active Directory. After you've seen how to plan and implement a single domain, we’ll examine the details of implementing a multi-domain Active Directory network. Many businesses find that using a single domain provides an adequate solution to meet their business needs. By working with trees and forests, however, organizations can use multiple domains to better organize their environments.
Preparing for Active Directory Installation
601
We’ll cover some reasons why you should create more than one Active Directory domain. Then, we’ll look at the exact processes involved in creating a domain tree and joining multiple trees together into a domain forest. In addition, you will learn how to demote a domain controller and manage multiple domains after you’ve created trees and forests.
Preparing for Active Directory Installation All too often, systems and network administrators implement hardware and software without first taking the time to evaluate the prerequisites. For example, you will not be able to implement a tape backup solution without first ensuring that the appropriate network connectivity and attachment interface are available on servers. Installation and configuration of the Active Directory is no exception. The main physical components that form the basis of the Active Directory are Windows Server 2003 domain controllers. Before you begin installing domain controllers to set up your Active Directory environment, you should ensure that you are properly prepared to do so. In the following sections, you’ll see some of the prerequisites and types of information you’ll need to successfully install and configure an Active Directory environment.
The technical information and exercises in this chapter are based on the assumption that you will be using Microsoft’s implementation of DNS, unless otherwise noted. If you are using other types of DNS servers in your environment, you may not be able to take advantage of all the features mentioned in this chapter.
Planning and Installing DNS It is vital that you understand DNS in order to deploy the Active Directory and install and configure domain controllers. A common mistake systems administrators make is underestimating the importance and complexity of DNS. The Active Directory relies on DNS to find clients, servers, and network services that are available throughout your environment. Clients rely on DNS to find the file, print, and other resources they require to get their jobs done. Fully understanding DNS is not an easy task, especially if you have limited experience with the Transmission Control Protocol/Internet Protocol (TCP/IP). However, you must understand and properly implement DNS if you want to use the Active Directory successfully. In the following section you will learn about DNS and its importance in the Active Directory.
Planning an Active Directory DNS Environment One of the major benefits of using Microsoft DNS is that it lets you manage and replicate the DNS database as a part of the Active Directory. As a result, you can automate much of the administration of the DNS service and still keep information up-to-date.
602
Chapter 12
Planning and Implementing Domains, Trees, and Forests
With respect to your DNS environment, you’ll want to plan to use various DNS servers. There are several possible roles for DNS servers, including primary, secondary, master, and caching-only servers. With respect to the Active Directory, DNS services are absolutely vital. If DNS isn’t functioning properly, the Active Directory clients and servers will not be able to locate each other, and network services will be severely impacted. Let’s look at how you can plan to use DNS zones and servers with the Active Directory.
Planning DNS Zones The first step in planning for DNS server deployment is determining the size and layout of your DNS zones. In the simplest configurations, you will have a single Active Directory domain and a single DNS zone. This configuration usually meets the needs of single-domain environments. When you consider multiple domains, you generally need to make some choices when planning for DNS. In some environments, you might choose to use only a single zone that spans over all of the domains. In other cases, you might want to break zones apart for administrative and performance reasons. The DNS zone configuration you choose is largely independent of the Active Directory configuration. That is, for any given Active Directory configuration, you could use any zone setup, as long as all names can be properly resolved. That said, make no mistake—the proper functioning of DNS zones is critical to how the Active Directory functions.
Planning Server Roles First and foremost, DNS servers are extremely important in the Active Directory environment. In order to provide for fault tolerance for DNS servers, you should ensure that each DNS zone you configure consists of one primary DNS server and at least one secondary server. If the primary DNS computer fails, the secondary server can still carry out name resolution operations, and most operations will continue normally. This is, however, a temporary solution since you will need to restore or replace the primary DNS server in order to make updates to the DNS zone information. Generally, you will want to make the primary DNS server the master server for the zone. If it is necessary for performance reasons, however, you can choose to use a separate machine for DNS services. You generally use caching-only servers when you want to make DNS information available for multiple computers that do not have a fast or reliable connection to the main network. You typically plan caching-only servers around the physical network because they do not have any authority over specific zones. Figure 12.1 shows a representative DNS server configuration for an Active Directory domain. Notice that a single domain spans multiple locations, and the remote offices use secondary servers.
Installing DNS It should come as no surprise that DNS must be properly installed and configured before you can install an Active Directory domain. If it is not already installed on the system, you should install the DNS service by using the Manage Your Server tool, which appears by default after you restart the computer (see Figure 12.2). By clicking Add Or Remove A Role, you start the
Preparing for Active Directory Installation
603
Configure Your Server Wizard, which you can use to quickly and easily enable DNS on the server. You can then use DNS to perform name resolution to other domain controllers or resources on your network (if any). If you haven’t yet installed DNS, you will be prompted to do so as part of the configuration of a domain controller. In some cases, this provides an easy way to configure DNS with the appropriate options for the Active Directory. It’s not the right choice for every environment, however. Unless you are setting up the Active Directory in a test environment or on a network that doesn’t yet have DNS services, you may find it easier to test and verify DNS configuration before you start installing the Active Directory. FIGURE 12.1
Arranging servers for the Active Directory
Domain Controller
DNS
Domain Controller
DNS
Remote Office #1
Secondary DNS Server
Single DNS Zone
Corporate Office
Primary DNS Server
Domain Controller
Remote Office #2
DNS
Secondary DNS Server
Although DNS servers must be present on your network, you do not have to use Microsoft’s DNS service. If other DNS servers are available on the network, you may choose to use those servers when you install the Active Directory. Note, however, that if you’re using other implementations of DNS servers (such as Unix or Windows NT 4), you will not be able to take advantage of all of the features of Windows Server 2003’s DNS and its integration with the Active Directory. In addition, you will be required to enter the proper SRV records manually because most current DNS servers do not support dynamic updates.
604
Chapter 12
FIGURE 12.2
Planning and Implementing Domains, Trees, and Forests
The Manage Your Server tool
If you plan to work through the exercises presented in this chapter, be sure that you have either already installed DNS or are at least planning to do so as part of the Active Directory installation process.
Verifying the DNS Configuration Once DNS has been installed, you should ensure that it has been configured to allow updates. This option allows the Active Directory to automatically add, modify, and remove RRs to the DNS database whenever changes are made in the Active Directory. The Allow Updates option is extremely useful because it reduces the chances for error in manual data entry and greatly reduces the administration effort required.
DNS is covered in greater detail in Chapter 5.
You should also verify that DNS forward and reverse lookup zones have been created properly. These zones will be used to resolve names to network addresses and are extremely important for the successful setup of the Active Directory.
Verifying the File System The file system an operating system uses is an important concern for many reasons. First, the file system can provide the ultimate level of security for all of the information stored on the server itself. Second, the file system is responsible for managing and tracking all of this data.
Preparing for Active Directory Installation
605
Furthermore, certain features are available only on certain file systems. These features include encryption support, remote file access, remote storage, disk redundancy, and disk quotas.
Verifying Network Connectivity Although a Windows Server 2003 computer can exist on a network by itself (or without a network card at all), you will not harness much of the potential of the operating system without network connectivity. Because the fundamental purpose of a network operating system is to provide resources to users, you must verify network connectivity. Before you begin to install the Active Directory, you should perform several checks of your current configuration to ensure that the server is configured properly on the network. You should test the following: Network adapter At least one network adapter should be installed and properly configured on your server. A quick way to verify that a network adapter is properly installed is to use the Computer Management administrative tool. Under the Network Adapters branch, you should have at least one network adapter listed. If you do not, use the Add/Remove Hardware icon in the Control Panel to configure hardware. TCP/IP Make sure TCP/IP is installed, configured, and enabled on any necessary network adapters. The server should also be given a valid IP address and subnet mask. Optionally, you may need to configure a default gateway, DNS servers, WINS servers, and other network settings. If you are using the Dynamic Host Configuration Protocol (DHCP), be sure that the assigned information is correct. In general, it is a good idea to use a static IP address for servers because IP address changes can cause network connectivity problems if they are not handled properly. Internet access If the server should have access to the Internet, verify that it is able to connect to external web servers and other machines outside the LAN. If the server is unable to connect, you might have a problem with the TCP/IP configuration. LAN access The server should be able to view other servers and workstations on the network. You can quickly verify this type of connectivity by using the My Network Places icon on the Desktop. If other machines are not visible, ensure that the network and TCP/IP configuration is correct for your environment. Client access Network client computers should be able to connect to your server and view any shared resources. A simple way to test connectivity is to create a share and test to see if other machines are able to see files and folders within it. If clients cannot access the machine, ensure that both the client and server are configured properly. WAN access If you’re working in a distributed environment, you should ensure that you have access to any remote sites or users that will need to connect to this machine. Usually, this is a simple test that can be performed by a network administrator. In some cases, verifying network access can be quite simple. You might have some internal and external network resources with which to test. In other cases, it might be more complicated. There are several tools and techniques you can use to verify that your network configuration is correct: Using the ipconfig utility By typing ipconfig/all at the command prompt, you can view information about the TCP/IP settings of a computer. Figure 12.3 shows the types of information you’ll receive.
606
Chapter 12
FIGURE 12.3
Planning and Implementing Domains, Trees, and Forests
Viewing TCP/IP information with the ipconfig utility
Using the ping command The ping command was designed to test connectivity to other computers. You can use ping by simply typing ping and then an IP address or host name at the command line. The following are some steps for testing connectivity using the ping command. Ping 127.0.0.1. The loopback address is used to verify that you have TCP/IP setup correctly. Ping your own IP address. Ping an address that is remote from your subnet. In order to ensure that routing is set up properly, you should attempt to ping computers that are local on other subnets (if any exist) on your network. Ping the near side gateway address on your router, then the far side address. Try pinging the router addresses. Any errors will indicate a problem in the network configuration or a problem with a router. Ping a known local host on the same subnet. If you receive a response, then you have connectivity to the network. Next, check to see if you can ping another machine using its host name. If this works, then local name resolution works properly.
Some firewalls, routers, or servers on your network or on the Internet might prevent you from receiving a successful response from a ping command. This is usually for security reasons because malicious users might attempt to disrupt network traffic using excessive pings. Just because you do not receive a response, do not assume that the service is not available. Instead, try to verify connectivity in other ways. For example TRACERT can be used to demonstrate connectivity beyond your subnet even if other routers ignore Internet Control Message Protocol (ICMP) responses. Since the display of a second router implies connectivity, the path to an ultimate destination shows success even if it does not display the actual names and addresses.
Preparing for Active Directory Installation
607
Browsing the network To ensure that you have access to other computers on the network, be sure that they can be viewed using the Network Neighborhood icon. This verifies that your name resolution parameters are set up correctly and that other computers are accessible. Also, try connecting to resources (such as file shares or printers) on other machines. Browsing the Internet You can quickly verify whether your server has access to the Internet by visiting a known website, such as www.microsoft.com. This ensures that you have access outside of your network. If you do not have access to the Web, you might need to verify your proxy server settings (if applicable) and your DNS server settings. By performing these simple tests, you can ensure that you have a properly configured network connection and that other network resources are available.
Determining the Domain Functional Level Windows Server 2003 Active Directory introduces a new concept called domain and forest functionality. This is similar to the idea of mixed mode and native mode in Windows 2000 Active Directory, so much so that those two modes are actually included as a part of domain and forest functionality. However, Microsoft refers to these modes as functional levels, and adds a third functional level appropriately called Windows Server 2003 functional level. When you are installing a Windows Server 2003 domain controller, you must determine which functional level you will support: Windows 2000 Mixed, Windows 2000 Native, or Windows Server 2003. Windows 2000 Mixed domain functional level is the default option when you are installing a domain controller. It is designed to allow backward compatibility with Windows NT 4 and earlier domain models. If you need to support Windows NT domain controllers for one or more domains within your environment, you should choose Windows 2000 Mixed domain functional level for those domains. However, as long as you are using Windows 2000 Mixed domain functional level, certain Active Directory features (such as universal groups and group nesting) are unavailable. If your environment does not require support for Windows NT domain controllers within any of your domains but does require support for Windows 2000 domain controllers, then you can choose to implement your domains in Windows 2000 native domain functional level. Windows 2000 native domain functional level allows for most of the functionality of the Active Directory for all domain controllers, but it does not allow for backward compatibility with Windows NT 4. Since this means that Windows NT domain controllers cannot be used in Windows 2000 native domain functional level Active Directory domains, deciding whether or not to use Windows 2000 native domain functional level is an important decision. Note also that domains cannot be converted from Windows 2000 native domain functional level back to Windows 2000 mixed domain functional level. Windows 2000 native domain functional level does not offer the full functionality of Active Directory supported by Windows Server 2003, so you should consider upgrading all of your domain controllers if you want to use any of the new features of Active Directory. If you know that you will only be running Windows Server 2003 domain controllers, you can install Active Directory in the Windows Server 2003 domain functional level. This level adds all of the functionality of Active Directory in Windows Server 2003, as shown in Table 12.1.
608
Chapter 12
TABLE 12.1
Planning and Implementing Domains, Trees, and Forests
Comparing Domain Functional Levels
Domain Functional Feature
Windows 2000 Native
Windows Server 2003
Ability to rename domain Disabled controllers
Disabled
Enabled
Logon time stamp updates
Disabled
Disabled
Enabled
Kerberos KDC key version Disabled numbers
Disabled
Enabled
InetOrgPerson objects can have passwords
Disabled
Disabled
Enabled
Converts NT groups to domain local and global groups
Disabled
Enabled
Enabled
SID history
Disabled
Enabled
Enabled
Group nesting
Enabled Enabled for Distribution Groups, disabled for Security Groups(note that Domain Local Security groups can still have Global Groups as members)
Enabled
Universal Groups
Enabled for Distribution Groups, disabled for Security Groups
Enabled
Windows 2000 Mixed
Enabled
In addition to domain functional levels, Windows Server 2003 includes added forest functionality over Windows 2000. Forest functionality applies to all of the domains in a forest. There are two levels of forest functionality: Windows 2000 and Windows Server 2003. Windows 2000 forest functionality is the default and supports Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. All of the new forest functionality features of Windows Server 2003 are supported exclusively by Windows Server 2003. The new features include: Global Catalog replication enhancements When an administrator adds a new attribute to the global catalog, only the changes are replicated to other global catalogs in the forest. This can significantly reduce the amount of network traffic generated by replication. Defunct schema classes and attributes You can never permanently remove classes and attributes from the Active Directory schema, but you can mark them as defunct so that they cannot be used. When forest functionality is raised to Windows Server 2003, you can redefine the defunct schema attribute so that it occupies a new role in the schema.
Preparing for Active Directory Installation
609
Forest trusts Previously, system administrators had no easy way of granting permission on resources in different forests. Windows Server 2003 resolves some of these difficulties by allowing trust relationships between separate Active Directory forests. Forest trusts act much like domain trusts, except that they extend to every domain in two forests. Note that all forest trusts are intransitive. Linked value replication Windows Server 2003 introduces a new concept called linked value replication. In Windows 2000, if changes were made to a member of a group, the entire group would be replicated during the replication process. With linked value replication, only the user record that has been changed is replicated. This can significantly reduce network traffic associated with replication. Renaming domains Although the Active Directory domain structure was originally designed to be flexible, there were several limitations. Due to mergers, acquisitions, corporate reorganizations, and other business changes, you may need to rename domains. You can now change the DNS and NetBIOS names for any domain, as well as reposition a domain within a forest. Note that this operation is not nearly as simple as just issuing a rename command. Instead, there’s a specific process you must follow to make sure that the operation is successful. Fortunately, when you properly follow the procedure, Microsoft supports domain renaming. Other features In addition to the Windows Server 2003 forest functional features just listed, Windows Server 2003 also supports improved replication algorithms and dynamic auxiliary classes. These improvements are designed to increase performance, scalability, and reliability.
Planning the Domain Structure Once you have verified the technical configuration of your server for the Active Directory, it’s time to verify the Active Directory configuration for your organization. Since the content of this chapter focuses on installing the first domain in your environment, you really only need to know the following information prior to beginning setup:
The DNS name of the domain
The NetBIOS name of the server (which will be used by previous versions of Windows to access server resources)
Whether the domain will operate in mixed mode or native mode
Whether or not other DNS servers are available on the network
However, if you will be installing additional domain controllers in your environment or will be attaching to an existing Active Directory structure, you should also have the following information:
If this domain controller will join an existing domain, you should know the name of that domain. You will also either require a password for a member of the Enterprise Administrators group for that domain or have someone with those permissions create a domain account before promotion.
Whether the new domain will join an existing tree and, if so, the name of the tree it will join.
The name of a forest to which this domain will connect (if applicable).
610
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Installing the Active Directory Installing the Active Directory is an easy and straightforward process as long as you planned adequately and made the necessary decisions beforehand. In this section, you’ll look at the actual steps required to install the first domain controller in a given environment. With previous versions of the Windows Server operating system, you had to determine the role of your server as it related to the domain controller or member server during installation. Choices included making the machine a Primary Domain Controller (PDC), a Backup Domain Controller (BDC), or a member server. This was an extremely important decision because, even though you could promote a BDC to a PDC, you had to completely reinstall the operating system to make any changes to the server’s role between a domain controller and a member server. Instead of forcing you to choose whether or not the machine will participate as a domain controller during setup, Windows Server 2003 allows you to promote servers after you install the operating system. Therefore, at the end of the setup process, all Windows Server 2003 computers are configured as either member servers (if they are joined to a domain) or stand-alone servers (if they are part of a workgroup). The process of converting a member server to a domain controller is known as promotion. Through the use of a simple and intuitive wizard, systems administrators can quickly configure servers to be domain controllers after installation. Later in this section, you’ll follow the steps you need to take to install the Active Directory by promoting the first domain controller in the domain. These steps are done using the Active Directory Installation Wizard (DCPROMO). This tool is designed to be used after a server has been installed in the environment. As part of the promotion process, the server creates or receives information related to the Active Directory configuration. The first step in installing the Active Directory is promoting a Windows Server 2003 computer to a domain controller. The first domain controller in an environment serves as the starting point for the forest, trees, domains, and the Operations Master roles. Exercise 12.1 shows the steps you need to follow to promote an existing Windows Server 2003 to a domain controller. In order to complete the steps in this exercise, you must have already installed and configured a Windows Server 2003 computer and a DNS server that supports SRV records. If you do not have a DNS server available, the Active Directory Installation Wizard automatically configures one for you. EXERCISE 12.1
Promoting a Domain Controller 1.
Open the Manage Your Server utility, which is located in the Administrative Tools program group.
2.
Click Add Or Remove A Role and then click Next to begin the process. For the server role, select Domain Controller (Active Directory) and then click Next. Finally, click Next once more to start the Active Directory Installation Wizard. Alternatively, you can start the Active Directory Installation Wizard by clicking Start Run and typing dcpromo.
Installing the Active Directory
611
EXERCISE 12.1 (continued)
3.
Click Next on the Welcome To The Active Directory Installation Wizard page of the wizard to begin the domain controller promotion process. The Operating System Compatibility page of the wizard provides you with an important note about operating system compatibility. Click Next to continue.
4.
On the Domain Controller Type page, specify the type of domain controller this server will be. To choose the domain controller type, select Domain Controller For A New Domain and click Next.
5.
On the Create New Domain page, choose whether the new domain tree is part of an existing forest or a new one that you create. Since this is the first tree in the forest, select Domain In A New Forest and click Next.
612
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.1 (continued)
6.
On the New Domain page, specify a name for the new domain by typing in the full name of the DNS domain. For example, you can type test.mycompany.com. If you are not working in a test environment, be sure that you have chosen a root domain name that is consistent for your organization, and doesn’t overlap with others. For example, you might choose ActiveDirectory.test, since it is unlikely to conflict with other existing domains and DNS namespaces. Once you’ve selected a name, click Next.
7.
On the NetBIOS Domain Name page, type in the NetBIOS name for this machine and click Next. In order to preserve backward compatibility with earlier versions of Windows, you must provide a NetBIOS computer name. A NetBIOS name can be up to 15 characters. To make it easier to remember and type the name, you should limit yourself to the English alphabet characters and Arabic numbers.
Installing the Active Directory
613
EXERCISE 12.1 (continued)
8.
In the Database And Log Folders page, specify the file system locations for the Active Directory database and log file. Microsoft recommends that these files reside on separate physical devices in order to improve performance and to provide for recoverability. The default file system location is in a directory called NTDS located within the system root. However, you can choose any folder located on a FAT, FAT32, or NTFS partition. After you’ve specified the file system locations, click Next.
9.
On the Shared System Volume page, select a shared system volume location. The system volume folder is used to store domain information that is replicated to all of the other domain controllers in the domain. This folder must be stored on an NTFS 5 partition. The default location is in a directory called SYSVOL within the system root, but you can change this path based on your server configuration. Click Next.
614
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.1 (continued)
10. As part of the promotion process, Windows Server 2003 needs you to set permissions on user and group objects, which is done on the Permissions page. If you’re running in a Windows 2000 mixed-domain functional level environment, choose Permissions Compatible With Pre–Windows 2000 Servers. If you are sure you will not be supporting non–Windows 2000 or newer machines, however, you should choose Permissions Compatible Only With Windows 2000 Or Windows Server 2003 Operating Systems. Although this option will not allow compatibility with previous operating systems, it will implement stronger security settings. Once you have made the appropriate selection, click Next.
11. On the Directory Services Restore Mode Administrator Password page, provide a Directory Services Restore Mode Administrator password. This password is used to restore the Active Directory in the event of its loss or corruption. Note that this password does not have to correspond with passwords set for any other account. Once you’ve selected and confirmed the password, click Next.
Verifying the Active Directory Installation
615
EXERCISE 12.1 (continued)
12. Based on the installation options you’ve selected, the Active Directory Installation Wizard presents a summary of your choices. It is a good idea to copy and paste this information into a text file to refer to later. Verify the options, and then click Next to begin the Active Directory installation process. When the necessary operations are complete, the wizard prompts you to click Finish.
Once the Active Directory has been installed, you are prompted to reboot the system. After the reboot, you can access the administrative tools that are related to the configuration and management of the Active Directory.
Verifying the Active Directory Installation Once you have installed and configured the Active Directory, you’ll want to verify that you have done so properly. In the following sections, you’ll look at methods for doing this.
Using Event Viewer The first (and perhaps most informative) way to verify the operations of the Active Directory is to query information stored in the Windows Server 2003 event log. You can do this using the Windows Server 2003 Event Viewer. Exercise 12.2 walks you through this procedure. Entries seen with the Event Viewer include errors, warnings, and informational messages. In order to complete the steps in this exercise, you must configure the local machine as a domain controller.
616
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.2
Viewing the Active Directory Event Log 1.
Open the Event Viewer snap-in from the Administrative Tools program group.
2.
In the left pane, select Directory Service.
3.
In the right pane, notice that you can sort information by clicking column headings. For example, you can click the Source column to sort by the service or process that reported the event.
4.
Double-click an event in the list to see the details for that item. Note that you can click the Copy button to copy the event information to the Clipboard. You can then paste the data into a document for later reference. Also, you can move between items using the up and down arrows. Click OK when you are done viewing an event.
5.
Filter an event list by right-clicking the Directory Service item in the left pane, selecting Properties, and then selecting the Filter tab. Note that filtering does not remove entries from the event logs—it only restricts their display.
6.
To verify the Active Directory installation, look for events related to the proper startup of Active Directory, such as Event ID 1000 (Active Directory Startup Complete) and 1394 (Attempts To Update The Active Directory Database Are Succeeding). Also, be sure to examine any Error or Warning messages because these could indicate problems with DNS or other necessary services.
7.
When you’re done viewing information in the Event Viewer, close the application.
In addition to providing information about the status of events related to the Active Directory, you should make it a habit to routinely visit the Event Viewer to find information about other system services and applications.
Verifying the Active Directory Installation
617
Gaining Insight through Event Viewer Although its simple user interface and somewhat limited GUI functionality may make you overlook it, in the real world, the Event Viewer tool can be your best ally in isolating and troubleshooting problems with Windows Server 2003. The Event Viewer allows you to view information that is stored in various log files that are maintained by the operating system. This list of logs includes the following: Application Stores messages that are generated by programs that are running on your system. For example, SQL Server 2000 might report the completion of a database backup job within the Application log. Security Contains security-related information, as is defined by your auditing settings. For example, you could see when users have logged onto the system or when particularly sensitive files have been accessed. System Contains operating system–related information and messages. Common messages might include a service startup failure, or information about when the operating system was last rebooted. Directory service Stores messages and events related to how the Active Directory functions. For example, details related to replication might be found here. DNS server Contains details about the operations of the DNS service. This log is useful for troubleshooting replication or name resolution problems. Other log files Contain various features of Windows Server 2003 and the applications that may run on this operating system that can create additional types of logs. This allows you to view more information about other applications or services through the familiar Event Viewer tool. Additionally, developers can easily send custom information from their programs to the Application log. Having all of this information in one place really makes it easy to analyze operating system and application messages. Also, many third-party tools and utilities are available for analyzing log files. Although the Event Viewer GUI does a reasonably good job of letting you find the information you need, you might want to extract information to analyze other systems or applications. One especially useful feature of the Event Viewer is its ability to save the log file in various formats. You can access this feature by clicking Action Save As. You’ll be given the option of saving in various formats, including tab- and comma-delimited text files. These files can then be opened in other applications (such as Microsoft Excel) for additional data analysis. Overall, in the real world, the Event Viewer can be an excellent resource for monitoring and troubleshooting your important servers and workstations!
618
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Using the Active Directory Administrative Tools After a server has been promoted to a domain controller, you will see various tools added to the Administrative Tools program group (see Figure 12.4). These include the following: Active Directory Domains and Trusts You use this tool to view and change information related to the various domains in an Active Directory environment. Active Directory Sites and Services You use this tool to create and manage Active Directory sites and services to map to an organization’s physical network infrastructure. Active Directory Users and Computers User and computer management is fundamental for an Active Directory environment. The Active Directory Users And Computers tool allows you to set machine- and user-specific settings across the domain. A good way make sure that the Active Directory is functioning properly and is accessible is to run the Active Directory Users And Computers tool. When you open the tool, you should see a configuration similar to that shown in Figure 12.5. Specifically, you should make sure that the name of the domain you created appears in the list. You should also click the Domain Controllers folder and ensure that the name of your local server appears in the right pane. If your configuration passes these two checks, the Active Directory is present and configured. FIGURE 12.4
Some of the many Windows Server 2003 administrative tools
Testing from Clients The best test of any solution is to simply verify that it works the way you had intended in your environment. When it comes to using the Active Directory, a good test is to ensure that clients can view and access the various resources presented by Windows Server 2003 domain controllers. In the following sections, you’ll look at several ways to verify that the Active Directory is functioning properly.
Verifying the Active Directory Installation
FIGURE 12.5
619
Viewing Active Directory information
Verifying Client Connectivity Perhaps the most relevant way to test the Active Directory is by testing client operations. Using previous versions of Windows (such as Windows NT 4 or Windows 95/98), you should be able to see your server on the network. Earlier versions of Windows-based clients recognize the NetBIOS name of the domain controller. Windows 2000 and newer computers should also be able to see resources in the domain, and users can browse for resources using the My Network Places icon. If you are unable to see the recently promoted server on the network, it is likely due to a network configuration error. If only one or a few clients are unable to see the machine, the problem is probably related to client-side configuration. To fix this, make sure the client computers have the appropriate TCP/IP configuration (including DNS server settings) and that they can see other computers on the network. If, however, the new domain controller is unavailable from any of the other client computers, you should verify the proper startup of the Active Directory using the methods mentioned earlier in this chapter. If the Active Directory has been started, ensure that the DNS settings are correct. Finally, test network connectivity between the server and the clients with the ping command.
For more information on configuring client computers, see the MCSA/MCSE: Windows XP Professional Study Guide, 2nd Edition by Lisa Donald with James Chellis (Sybex, 2003).
620
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Joining a Domain If the Active Directory has been properly configured, clients and other servers should be able to join the domain. Exercise 12.3 outlines the steps you need to take to join a Windows XP Professional computer to the domain. In order to complete this exercise, you must have already installed and properly configured at least one Active Directory domain controller and a DNS server that supports SRV records in your environment. In addition to the domain controller, you need at least one other Windows 2000, Windows XP Professional (Windows XP Home Edition cannot join a domain), or Windows Server 2003 computer that is not configured as a domain controller. Once clients are able to successfully join the domain, they should be able to view Active Directory resources using the My Network Places icon. This test validates the proper functioning of the Active Directory and ensures that you have connectivity with client computers. EXERCISE 12.3
Joining a Computer to an Active Directory Domain 1.
On the Desktop of the computer that is to be joined to the new domain, right-click the My Computer icon and click Properties (or select System from the Control Panel).
2.
Select the Network Identification tab. You will see the current name of the local computer as well as information on the workgroup or domain to which it belongs.
3.
Click Change to change the settings for this computer.
4.
If you want to change the name of the computer, you can make the change here. This is useful if your domain has a specific naming convention for client computers. Otherwise, continue to the next step.
5.
In the Member Of section, choose the Domain option. Type the name of the Active Directory domain that this computer should join. Click OK.
6.
When prompted for the username and password of an account that has permissions to join computers to the domain, enter the information for an administrator of the domain. Click OK to commit the changes. If joining the domain was successful, you will see a dialog box welcoming you to the new domain.
7.
You will be notified that you must reboot the computer before the changes take place. Select Yes when prompted to reboot.
Creating and Configuring Application Data Partitions
621
Creating and Configuring Application Data Partitions Organizations store many different kinds of information in various places. For the IT departments that support this information, it can be difficult to ensure that the right information is available when and where it is needed. Windows Server 2003 introduces a new feature, called application data partitions, that allows systems administrators and application developers to store custom information within the Active Directory. The idea behind application data partitions is that, since you already have a directory service that can replicate all kinds of information, you might as well use it to keep track of your own information. Developing distributed applications that can, for example, synchronize information across an enterprise is not a trivial task. You have to come up with a way to transfer data between remote sites (some of which are located across the world), and you have to ensure that the data is properly replicated. The main benefit of storing application information in the Active Directory is that you can take advantage of its storage mechanism and replication topology. Application-related information stored on domain controllers benefits from having faulttolerance features and availability. Take a look at the following simple example to understand how this can work. Suppose your organization has developed a customer Sales Tracking and Inventory application. The company needs to make the information that is stored by this application available to all of its branch offices and users located throughout the world. However, the goal is to do this with the least amount of IT administrative effort. Assuming that Active Directory has already been deployed throughout the organization, developers can build support into the application for storing data within the Active Directory. They can then rely on the Active Directory to store and synchronize the information between various sites. When users request updated data from the application, the application can obtain this information from the nearest domain controller that hosts a replica of the Sales Tracking and Inventory data. Other types of applications can also benefit greatly from the use of application data partitions. Now that we have a good idea of what application data partitions are, let’s take a look at how they can be created and managed using Windows Server 2003 and the Active Directory.
Creating Application Data Partitions By default, after creating an Active Directory environment, you will not have any customer application data partitions. Therefore, the first step in making this functionality available is to create a new application data partition. There are several tools you can used to do this: Third-party applications or application-specific tools Generally, if you are planning to install an application that can store information in the Active Directory database, you’ll receive some method of administering and configuring that data along with the application. For example, the setup process for the application might assist you in the steps you need to take to set up a new application data partition and to create the necessary structures for storing data.
622
Chapter 12
Planning and Implementing Domains, Trees, and Forests
The creation and management of application data partitions is an advanced Active Directory–related function. Be sure that you have a solid understanding of the Active Directory schema, Active Directory replication, LDAP, and your applications’ needs before you attempt to create new application data partitions in a live environment.
Active Directory Services Interface (ADSI) ADSI is a set of programmable objects that can be accessed through languages such as Visual Basic Scripting Edition (VBScript), Visual C#, Visual Basic .NET, and many other language technologies that support the Component Object Modeling (COM) standard. Through the use of ADSI, developers can create, access, and update data stored in the Active Directory and in any application data partitions. FIGURE 12.6
Using the LDP tool to view Active Directory schema information
LDP You can view and modify the contents of the Active Directory schema using LDAP-based queries. The LDP tool allows you to view information about application data partitions. In order to use this utility, you must first install the Windows Server 2003 Support Tools. The installer for this collection of utilities is located within the Windows Server 2003 installation media in the \Support\Tools folder. You’ll need to run the SupTools.msi file in order to install the tools. Once the installation is complete, you can access the utility by clicking Start Run
Creating and Configuring Application Data Partitions
623
and typing ldp.exe. Figure 12.6 shows an example of connecting to a domain controller and browsing Active Directory information. For further details on using LDP, click the Support Tools Help icon (located within the Windows Support Tools program folder in the Start Menu). Additional details about working with the LDP tool are also available in LDP.doc file, which is located within the folder into which you installed the Support Tools. ntdsutil The ntdsutil utility is the main method by which systems administrators can create and manage application data partitions on their Windows Server 2003 domain controllers. This utility’s specific commands are covered later in this section.
The creation and management of application data partitions can be fairly complex, and the success of such a project will depend on the quality of the architecture design. This is a good example of where IT staff and application developers must cooperate to ensure that data is stored effectively and that it is replicated efficiently.
An application data partition can be created in one of three different locations within an Active Directory forest: As a new tree in an Active Directory forest In this location, the new application data partition functions as a new tree within the Active Directory forest. As a child of an Active Directory domain partition Application partitions can be children of existing Active Directory domain partitions. For example, you can create an Accounting application data partition within the Finance.MyCompany.com domain. As a child of another application data partition This method allows you to create a hierarchy of application data partitions. As you might expect, you must be a member of the Enterprise Admins or Domain Admins group in order to be able to create application data partitions. Alternatively, you can be delegated the appropriate permissions to create new partitions. Now that we have a good idea of the basic ways in which application data partitions can be created, let’s look at how replicas (copies of application data partition information) are handled.
Managing Replicas Unlike the basic information that is stored in the Active Directory, application partitions cannot contain security principals. Also, not all domain controllers automatically contain copies of the data stored in an application data partition. A replica is a copy of any data stored within the Active Directory. In relation to application data, systems administrators can define which domain controllers host copies of the application data. This is a very important feature, since, if it’s used effectively, administrators can find a good balance between replication traffic and data consistency. For example, suppose that 3 of your organization’s 30 locations
624
Chapter 12
Planning and Implementing Domains, Trees, and Forests
require up-to-date accounting-related information. You might choose to only replicate the data to domain controllers located in the places that require the data. Replication is the process by which replicas are kept up-to-date. Similarly to how basic Active Directory information (such as users and groups) is synchronized between domain controllers, application data can be stored and updated on designated servers. Application data partition replicas are managed using the Knowledge Consistency Checker (KCC) that ensures that the designated domain controllers receive update replica information. Additionally, the KCC uses all of the Active Directory sites and connection objects that you create to determine the best method to handle replication.
Removing Replicas When you demote a domain controller, that server can no longer host an application data partition. If a domain controller contains a replica of application data partition information, you must first remove the replica from the domain controller before it can be demoted. If a domain controller is the machine that hosts a replica of the application data partition, then the entire application data partition is removed and will be permanently lost. Generally, you want to do this only after you’re absolutely sure that your organization no longer needs access to the data stored in the application data partition.
Using ntdsutil to Manage Application Data Partitions The primary method by which systems administrators create and manage application data partitions is through the ntdsutil command-line tool. You can launch this tool by simply entering ntdsutil at a command prompt. The ntdsutil command is both interactive and contextsensitive. That is, once you launch the utility, you’ll see an ntdsutil command prompt. At this prompt, you can enter various commands that set your context within the application. For example, if you enter the domain management command, you’ll be able to enter in domainrelated commands. Several operations also require you to connect to a domain, a domain controller, or an Active Directory object before you perform a command.
For complete details on using ntdsutil see the Windows Server 2003 Help and Support Center.
Table 12.2 provides a list of the domain management commands supported by the ntdsutil tool. You can access this information by typing the following sequence of commands at a command prompt.
ntdsutil
domain management
help
Creating and Configuring Application Data Partitions
TABLE 12.2
625
NTDSUTIL Domain Management Commands
NTDSUTIL Domain Management Command
Purpose
Help or ?
Displays information about the commands that are available within the Domain Management menu of the ntdsutil command.
Connection or Connections
Allows you to connect to a specific domain controller. This will set the context for further operations that are performed on specific domain controllers.
Create NC PartitionDistinguishedName DNSName
Creates a new application directory partition.
Delete NC PartitionDistinguishedName
Removes an application data partition.
List NC Information PartitionDistinguishedName
Shows information about the specified application data partition.
List NC Replicas PartitionDistinguishedName
Returns information about all replicas for the specific application data partition.
Precreate PartitionDistinguishedName ServerDNSName
Precreates cross-reference application data partition objects. This allows the specified DNS server to host a copy of the application data partition.
Remove NC Replica PartitionDistinguishedName DCDNSName
Removes a replica from the specified domain controller.
Select Operation Target
Selects the naming context that will be used for other operations.
Set NC Reference Domain PartitionDistinguisedName DomainDistinguishedName
Specifies the reference domain for an application data partition.
Set NC Replicate NotificationDelay PartitionDistinguishedName FirstDCNotificationDelay OtherDCNotificationDelay
Defines settings for how often replication will occur for the specified application data partition.
626
Chapter 12
Planning and Implementing Domains, Trees, and Forests
The commands listed in this table are all case-insensitive. Mixed-case was used to make them easier to read. Also, if you’re wondering what the NC stands for, it’s “naming context” (referring to the fact that this is a partition of the Active Directory schema).
Instead of focusing on those details of specific commands and syntax related to ntdsutil, be sure that you really understand application directory partitions and how they and their replicas can be used.
Figure 12.7 provides an example of working with ntdsutil. The following commands were entered to set the context for further operations:
ntdsutil
domain management
connections
connect to server localhost
connect to domain ADTest
quit
list
Reasons for Creating Multiple Domains Before you look at the steps you must take to create multiple domains, you should become familiar with the reasons why an organization might want to create them. In general, you should always try to reflect your organization’s structure within a single domain. Through the use of organizational units (OUs) and other objects, you can usually create an accurate and efficient structure within one domain, and creating and managing a single domain is usually much simpler than managing a more complex environment. That said, this section looks at some real benefits and reasons for creating multiple domains as well as some drawbacks of using multiple domains.
Reasons for Using Multiple Domains There are several reasons why you might need to implement multiple domains. These reasons include such considerations as: Scalability Although Microsoft has designed the Active Directory to accommodate millions of objects, this number may not be practical for your current environment. Supporting many thousands of users within a single domain places higher disk space, CPU (central processing unit), and network burdens on your domain controllers. Determining the scalability of the Active Directory is something you have to test within your own environment.
Reasons for Creating Multiple Domains
FIGURE 12.7
627
Viewing naming contexts on the local domain controller
Reducing replication traffic All the domain controllers of a domain must keep an up-to-date copy of the entire Active Directory database. For small- to medium-sized domains, this is not generally a problem. Windows Server 2003 and the Active Directory database manage all of the details of transferring data behind the scenes. Other business and technical limitations might, however, affect Active Directory’s ability to perform adequate replication. For example, if you have two sites that are connected by a very slow network link (or no link at all), replication is not practical. In this case, you would probably want to create separate domains to isolate replication traffic. It is important to realize that the presence of slow network links alone is not a good reason to break an organization into multiple domains. Through the use of the Active Directory site configuration, replication traffic can be managed independently of the domain architecture. Political and organizational reasons There are several business reasons that might justify the creation of multiple domains. One of the organizational reasons to use multiple domains is to avoid potential problems associated with the Domain Administrator account. At least one user needs to have permissions at this level. If your organization is unable or unwilling to place this level of trust with all business units, then multiple domains may be the best answer. Since each domain maintains its own security database, you can keep permissions and resources isolated. Through the use of trusts, however, you can still share resources. Keep in mind that some types of organizational and political issues might require you to use multiple domains while others do not. As a result, if you are considering creating multiple domains for purely political reasons (so that an IT or business manager can retain control over certain resources, for example), you might want to think again. Many levels of hierarchy Larger organizations tend to have more complex business structures. Even if the structure itself is not complicated, most likely a company that has many departments has several levels within its structure. OUs can accommodate many of these issues. If, however, you find that you need many levels of OUs to manage resources (or if there are large
628
Chapter 12
Planning and Implementing Domains, Trees, and Forests
numbers of objects within each OU), it might make sense to create additional domains. Each domain would contain its own OU hierarchy and serve as the root of a new set of objects. Varying security policies All of the objects within the domain share many characteristics in common, one of which is security policy. A domain is designed to be a single security entity. Domains allow settings such as usernames and password restrictions to apply to all of their objects. If your organization requires separate security policies for different groups of users, you should consider creating multiple domains. Decentralized administration There are two main models of administration that are in common use: a centralized administration model and a decentralized administration model. In the centralized administration model, a single IT organization is responsible for managing all of the users, computers, and security permissions for the entire organization. In the decentralized administration model, each department or business unit might have its own IT department. In both cases, the needs of the administration model can play a significant role in whether or not you decide to use multiple domains. Consider, for example, a multinational company that has a separate IT department for offices in each country. Each IT department is responsible for supporting only the users and computers within its own region. Since the administration model is largely decentralized, creating a separate domain for each of these major business units might make sense from a security and maintenance standpoint. Multiple DNS or domain names Although this might at first sound like a trivial reason to create additional domains, if you use multiple DNS names or domain names you must create multiple domains. Each domain can have only one fully qualified domain name (FQDN). For example, if you need some of your users within the sales.mycompany.com namespace and others in the engineering.mycompany.com namespace, you must use multiple domains. If the domain names are noncontiguous, you will need to create multiple domain trees (a topic you’ll see covered later in this chapter).
Drawbacks of Multiple Domains Although there are many reasons why it makes sense to have multiple domains, there are also reasons why you should not break an organizational structure into multiple domains, many of which are related to maintenance and administration. Some of the drawbacks to using multiple domains include the following: Administrative inconsistency One of the fundamental responsibilities of most systems administrators is implementing and managing security. When you are implementing Group Policy and security settings in multiple domains, you must be careful to ensure that the settings are consistent. As mentioned previously, security policies can be different between domains. If this is what is intended, then it is not a problem. If, however, the organization wishes to make the same settings apply to all users, then each domain will require similar security settings.
Creating Domain Trees and Forests
629
More difficult management of resources Managing servers, users, and computers can become a considerable challenge when you are also managing multiple domains since there are many more administrative units required. In general, you need to manage all user, group, and computer settings separately for the objects within each domain. The hierarchical structure provided by OUs, on the other hand, provides a much simpler and easier way to manage permissions. Decreased flexibility Creating a domain involves the promotion of a domain controller to the new domain. Although the process is quite simple, it is much more difficult to rearrange the domain topology within an Active Directory environment than it is to simply reorganize OUs. When planning domains, you should ensure that the domain structure will not change often. Now that you have examined the pros and cons related to creating multiple domains, it is time to see how to create trees and forests.
Creating Domain Trees and Forests So far this chapter has covered some important reasons for using multiple domains in a single network environment; now it’s time to look at how to create multidomain structures like domain trees and domain forests. Regardless of the number of domains you have in your environment, you always have a tree and a forest. This might surprise those of you who generally think of domain trees and forests as Active Directory environments that consist of multiple domains. However, recall that when you install the first domain in an Active Directory environment, that domain automatically creates a new forest and a new tree. In the following sections you will learn how to plan trees and forests as well as see how to actually promote domain controllers to establish a tree and forest environment.
Planning Trees and Forests You have already seen several reasons why you must have multiple domains within a single company. What you haven’t yet seen is how multiple domains can be related to each other and how their relationships can translate into domain forests and trees. A fundamental commonality between the various domains that exist in trees and forests is that they all share the same Active Directory Global Catalog. This means that if you modify the Active Directory schema, these changes must be propagated to all of the domain controllers in all of the domains. This is an important point because adding and modifying the structure of information in the Global Catalog can have widespread effects on replication and network traffic. Every domain within an Active Directory configuration has its own unique name. For example, even though you might have a sales domain in two different trees, their complete names will be different (such as sales.company1.com and sales.company2.com). In the following sections, you’ll look at how you can organize multiple Active Directory domains based on business requirements.
630
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Using a Single Tree The concept of domain trees was created to preserve the relationship between multiple domains that share a common contiguous namespace. For example, you might have the following DNS domains (based on Internet names):
mycompany.com
sales.mycompany.com
engineering.mycompany.com
europe.sales.mycompany.com
Note that all of these domains fit within a single contiguous namespace. That is, they are all direct or indirect children of the mycompany.com domain. In this case, mycompany.com is called the root domain. All of the direct children (such as sales.mycompany.com and engineering.mycompany.com) are called child domains. Finally, parent domains are the domains that are directly above one domain. For example, sales.mycompany.com is the parent domain of europe.sales.mycompany.com. Figure 12.8 provides an example of a domain tree. FIGURE 12.8
A domain tree Domain Tree
Root Domain (Parent) company.com
hr.company.com
corp. company.com
Subdomains (Children)
us. corp. company.com
Creating Domain Trees and Forests
631
In order to establish a domain tree, you must create the root domain for the tree first. Then, you can add child domains of this root. These child domains can then serve as parents for further subdomains. Each domain must have at least one domain controller, and domain controllers can participate in only one domain at a time. However, domain controllers can be moved between domains. To do this, you must first demote a domain controller to a member server and then promote it to a domain controller in another domain.
You will learn how to demote a domain controller later in this chapter, in the section titled “Demoting a Domain Controller.”
Domains are designed to be security boundaries. The domains within a tree are automatically bound together using a two-way trust relationship, which allows users and resources to be shared between domains through the use of the appropriate groups. Since trust relationships are transitive, all of the domains within the tree trust each other. Note, however, that a trust by itself does not grant any security permissions to users or objects between domains. Trusts are designed only to allow resources to be shared. Administrators must explicitly assign security settings to resources before users can access resources between domains. Using a single tree makes sense when your organization maintains only a single contiguous namespace. Regardless of the number of domains that exist within this environment and how different their security settings are, they are related by a common name. Although domain trees make sense for many organizations, in some cases, the network namespace may be considerably more complicated. You’ll look at how forests address these situations next.
Using a Forest Active Directory forests are designed to accommodate multiple noncontiguous namespaces. That is, they can combine domain trees together into logical units. An example might be the following tree and domain structure: Tree: Organization1.com
Sales.Organization1.com
Marketing.Organization1.com
Engineering.Organization1.com
NorthAmerica.Engineering.Organization1.com Tree: Organization2.com
Sales.Organization2.com
Engineering.Organization2.com
Figure 12.9 provides an example of how multiple trees can fit into a single forest. Such a situation might occur in the merger of companies or if a company is logically divided into two or more completely separate and autonomous business units. All of the trees within a forest are related through a single forest root domain. This is the first domain that is created in the Active Directory environment. The root domain in each tree creates a transitive trust with the forest root domain. The result is a configuration in which all of
632
Chapter 12
Planning and Implementing Domains, Trees, and Forests
the trees within a domain and all of the domains within each tree trust each other. Again, as with domain trees, the presence of a trust relationship does not automatically signify that users have permissions to access resources across domains. It only allows objects and resources to be shared. Authorized network administrators must set up specific permissions. All of the domains within a single Active Directory forest have the following features in common: Schema The schema is the Active Directory structure that defines how the information within the data store is structured. In order for the information stored on various domain controllers to remain compatible, all of the domain controllers within the entire Active Directory environment must share the same schema. For example, if you add a field for an employee’s benefits plan number, all domain controllers throughout the environment need to recognize this information before you can share information between them. FIGURE 12.9
A single forest consisting of multiple trees Organization 1 Tree
Organization 2 Tree
organization1. com
organization2. com
engineering. organization1. com
northamerica. engineering. organization1. com
sales. organization1. com
marketing. sales. organization1. com
sales. organization2. com
engineering. organization2. com
Forest
Global Catalog One of the problems associated with working in large network environments is that sharing information across multiple domains can be costly in terms of network and server resources. Fortunately, the Active Directory uses the Global Catalog (GC), which serves as a repository for information about a subset of all objects within all Active Directory domains in a forest. Systems administrators can determine what types of information should be added to the
Creating Domain Trees and Forests
633
defaults in the GC. Generally, they decide to store commonly used information, such as a list of all of the printers, users, groups, and computers. In addition, they can configure specific domain controllers to carry a copy of the GC. Now, going back to the question of where all the color printers in the company can be found, all that needs to be done is to contact the nearest GC server. Configuration information Some roles and functions must be managed for the entire forest. When you are dealing with multiple domains, this means that you must configure certain domain controllers to perform functions for the entire Active Directory environment. Some specifics of this will be discussed later in this chapter. The main purpose of allowing multiple domains to exist together is to allow them to share information and other resources. Now that you’ve seen the basics of domain trees and forests, take a look at how domains are actually created.
The Promotion Process A domain tree is created when a new domain is added as the child of an existing domain. This relationship is established during the promotion of a Windows Server 2003 computer to a domain controller. Although the underlying relationships can be quite complicated in larger organizations, the Active Directory Installation Wizard (DCPROMO) makes it easy to create forests and trees. Using the Active Directory Installation Wizard, you can quickly and easily create new domains by promoting a Windows Server 2003 stand-alone server or a member server to a domain controller. When you install a new domain controller, you can choose to make it part of an existing domain, or you can choose to make it the first domain controller in a new domain. In the following sections and exercises, you’ll become familiar with the exact steps you need to take to create a domain tree and a domain forest when you promote a server to a domain controller.
Creating a Domain Tree Earlier you saw how to promote the first domain controller in the first domain in a forest, also known as the root. If you don’t promote any other domain controllers, then that domain controller simply controls that one domain and no trees are created. To create a new domain tree, you need to promote a Windows Server 2003 computer to a domain controller. In the Active Directory Installation Wizard, select the option that makes this domain controller the first machine in a new domain that is a child of an existing domain. As a result, you will have a new domain tree that contains two domains—a parent and a child. Before you can create a new child domain, you need the following information:
The name of the parent domain
The name of the child domain (the one you are planning to install)
The file system locations for the Active Directory database, logs, and shared system volume
DNS configuration information
The NetBIOS name for the new server
A domain administrator username and password
634
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Exercise 12.4 walks you through the process of creating a new child domain using the Active Directory Installation Wizard. This exercise assumes that you have already created the parent domain, and that you are using a server in the domain that is not a domain controller. EXERCISE 12.4
Creating a New Subdomain 1.
Log on to the computer as a member of the Administrators group and open the Active Directory Installation Wizard by clicking Start Run, and typing dcpromo. Click Next to begin the wizard.
2.
You will see a message that states that Windows 95 and Windows NT 4.0 computers running Service Pack 3 or earlier will be unable to communicate with Windows Server 2003 computers. Read the information and then click Next to continue.
3.
On the Domain Controller Type page, select Domain Controller For A New Domain. Click Next.
Creating Domain Trees and Forests
635
EXERCISE 12.4 (continued)
4.
On the Create New Domain page, choose Child Domain In An Existing Domain Tree. Click Next.
5.
On the Network Credentials page, enter the username and password for the domain administrator of the domain you wish to join. You will also need to specify the full name of the domain. After you have entered the appropriate information, click Next.
636
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.4 (continued)
6.
If the information you entered was correct, you will see the Child Domain Installation page. Here, you will be able to confirm the name of the parent domain and then enter the domain name for the child domain. If you want to make a change, you can click the Browse button and search for a domain. The Complete DNS Name Of New Domain field will show you the FQDN for the domain you are creating. Click Next to continue.
7.
On the NetBIOS Domain Name page you’ll be prompted for the NetBIOS name for this domain controller. This is the name that will be used by previous versions of Windows to identify this machine. Choose a name that is up to 15 characters in length and includes only alphanumeric characters. Click Next to continue.
Creating Domain Trees and Forests
637
EXERCISE 12.4 (continued)
8.
On the Database And Log Folders page, you’ll need to specify the database and log locations. These settings specify where the Active Directory database resides on the local machine. As mentioned previously, it is good practice to place the log files on a separate physical hard disk because this increases performance. Enter the path for a local directory, and click Next.
9.
On the Shared System Volume page, specify the folder in which the Active Directory public files will reside. This directory must be on an NTFS 5 partition. Choose the path, and then click Next.
638
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.4 (continued)
10. If you have not yet installed and configured the DNS service, or if you are getting a configuration error, the Active Directory Installation Wizard prompts you about whether or not the DNS service on the local machine should be configured automatically. Since the Active Directory and client computers rely on DNS information for finding objects, generally you will want the wizard to automatically configure DNS. Click Next to continue.
11. On the Permissions page, select whether or not you want to use permissions that are compatible with Windows NT domains. If you will be supporting any Windows NT Server computers or if you have existing Windows NT domains, you should choose Permissions Compatible With Pre–Windows 2000 Server Operating Systems. Otherwise, choose Permissions Compatible Only With Windows 2000 Or Windows Server 2003 Operating Systems. Click Next.
Creating Domain Trees and Forests
639
EXERCISE 12.4 (continued)
12. In order to be able to recover this server in the event of a loss of Active Directory information, you will need to provide a password on the Directory Services Restore Mode Administrator Password page. This password will allow you to use the built-in recovery features of Windows Server 2003 in the event that the Active Directory database is lost or corrupted. Enter a password, confirm it, and then click Next.
13. On the Summary page, you will be given a brief listing of all the choices you made in the previous steps. It’s a good idea to copy this information and paste it into a text document for future reference. Click Next to continue on.
640
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.4 (continued)
14. The Active Directory Installation Wizard will automatically begin performing the steps required to create a new domain in your environment. Note that you can press Cancel if you want to abort this process. When the process has completed, you will be prompted to reboot the system. After the system has been rebooted, the local server will be the first domain controller in a new domain. This domain will also be a subdomain of an existing one.
Joining a New Domain Tree to a Forest A forest is formed by joining two or more domains or trees that do not share a contiguous namespace. For example, you could join the organization1.com and organization2.com domains together to create a single Active Directory environment. Any two independent domains can be joined together to create a forest, as long as the two domains have noncontiguous namespaces. (If the namespaces were contiguous, you would actually need to create a domain tree.) The process of creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain. In Exercise 12.5, you will use the Active Directory Installation Wizard to create a new domain tree to add to a forest. In order to add a new domain to an existing forest, you must already have at least one other domain. This domain serves as the root domain for the entire forest. Keep in mind that the entire forest structure is destroyed if the original root domain is ever entirely removed. Therefore, you should have at least two domain controllers in the Active Directory root domain. Such a setup provides additional protection for the entire forest in case one of the domain controllers fails. In order to complete this exercise, you must have already installed another domain controller that serves as the root domain for a forest, and you must use a server in the domain that is not a domain controller.
Creating Domain Trees and Forests
641
EXERCISE 12.5
Creating a New Domain Tree in the Forest 1.
Open the Active Directory Installation Wizard by clicking Start Run, and typing dcpromo. Click Next to begin the wizard, and then click Next again to continue past the Operating System Compatibility screen.
2.
On the Domain Controller Type page, select Domain Controller For A New Domain. Click Next.
3.
On the Create New Domain page, choose Domain In A New Forest. Click Next.
642
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.5 (continued)
4.
On the New Domain Name page, you need to specify the full name of the new domain you wish to create. Note that this domain may not share a contiguous namespace with any other existing domain. Once you have entered the appropriate information, click Next.
5.
On the NetBIOS Domain Name page, you are prompted for the NetBIOS name of the domain controller. This is the name previous versions of Windows use to identify this machine. Choose a name that is up to 15 characters in length and includes only alphanumeric characters. Click Next to continue.
6.
On the Database And Log Folders page, specify the database and log locations. These settings specify where the Active Directory database resides on the local machine. Enter the path for a local directory, and click Next.
Creating Domain Trees and Forests
643
EXERCISE 12.5 (continued)
7.
On the Shared System Volume page, specify the folder in which the Active Directory public files reside. This directory must be located on an NTFS 5 partition. Choose the path, and then click Next.
8.
If you have not yet configured the DNS service, you are prompted to do so. Since the Active Directory and client computers rely on DNS information for finding objects, generally you want the wizard to automatically configure DNS. Click Next to continue.
9.
On the Permissions page, select whether or not you want to use permissions that are compatible with Windows NT domains. If you will be supporting any Windows NT Server computers or have existing Windows NT domains, you should choose Permissions Compatible With Pre–Windows 2000 Server Operating Systems. Otherwise, choose Permissions Compatible Only With Windows 2000 Or Windows Server 2003 Operating Systems. Click Next.
644
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.5 (continued)
10. In order to be able to recover this server in the event of a loss of Active Directory information, you need to provide a Directory Services Restore Mode Administrator password. This password allows you to use the built-in recovery features of Windows Server 2003 if the Active Directory database is lost or corrupted. Enter a password, confirm it, and then click Next.
11. On the Summary page, you are given a brief listing of all of the choices you made in the previous steps. Click Next to continue.
12. The Active Directory Installation Wizard automatically begins performing the steps required to create a new domain tree in an existing forest based on the information you provided. Note that you can press Cancel if you want to abort this process. When the setup is complete, you are prompted to reboot the system.
Adding Additional Domain Controllers Fault tolerance and reliability In organizations that rely upon their network directory services infrastructures, you need the Active Directory to provide security and resources for all users. For this reason, downtime and data loss are very costly. Through the use of multiple
Creating Domain Trees and Forests
645
domain controllers, you can ensure that if one of the servers goes down, another one is available to perform the necessary tasks. Additionally, data loss (perhaps from hard disk failure) will not result in the loss or unavailability of network security information since you can easily recover the Active Directory information from the remaining domain controller. Performance The burden of processing login requests and serving as a repository for security permissions and other information can be great, especially in larger businesses. By using multiple domain controllers, you can distribute this load across multiple computers. Additionally, by strategically placing domain controllers, you can greatly increase response times for common network operations, such as authentication and browsing for resources.
Planning for Domain Controller Placement You’re the Senior Systems Administrator for a medium-sized Active Directory environment. Currently, the environment consists of only one Active Directory domain. Your company’s network is spread out through 40 different sites within North America. Recently, you’ve received complaints from users and other system administrators about the performance of Active Directory–related operations. For example, users report that it takes several minutes to log on to their machines in the morning. And systems administrators complain that updating user information within the OUs for which they are responsible can take a long time. One network administrator, who has a strong Windows NT domain background but little knowledge about Active Directory design, suggests that you create multiple domains to solve some of the performance problems. However, you know that this would significantly change the environment and could make administration more difficult. Furthermore, the company’s business goals involve keeping all company resources as unified as possible. Fortunately, the Active Directory’s distributed domain controller architecture allows you to optimize performance for this type of situation without making dramatic changes to your environment. You decide that the quickest and easiest solution is to deploy additional domain controllers throughout the organization. The domain controllers are generally placed within areas of the network that are connected by slow or unreliable links. For example, a small branch office in Des Moines, Iowa receives its own domain controller. The process is quite simple: you install a new Windows Server 2003 computer and then run the Active Directory Installation Wizard to make the new machine a domain controller for an existing domain. Once the initial directory services data is copied to the new server, it is ready to service requests and updates of your domain information. Note that there are potential drawbacks to this solution; for instance, you have to manage additional domain controllers and the network traffic generated from communications between the domain controllers. It’s important that you monitor your network links to ensure that you’ve reached a good balance between replication traffic and overall Active Directory performance.
646
Chapter 12
Planning and Implementing Domains, Trees, and Forests
In addition to the operations you’ve already performed, you can use the Active Directory Installation Wizard to create additional domain controllers for any of your domains. There are two main reasons to create additional domain controllers: You should always have at least two domain controllers per domain. For many organizations, this provides a good balance between the cost of servers and the level of reliability and performance. For larger or more distributed organizations, however, additional domain controllers greatly improve performance.
Demoting a Domain Controller In addition to being able to promote member servers to domain controllers, the Active Directory Installation Wizard can do the exact opposite—demote domain controllers. You might choose to demote a domain controller for a couple of reasons. First, if you have determined that the role of a server should change (for example, from a domain controller to a web server), you can easily demote it to make this happen. Another reason to demote a domain controller is if you wish to move the machine between domains. Since you cannot do this in a single process, you need to first demote the existing domain controller to remove it from the current domain. Then, you can promote it into a new domain. The end result is that the server is now a domain controller for a different domain. To demote a domain controller, simply access the Active Directory Installation Wizard. The wizard automatically notices that the local server is a domain controller. You are prompted to decide whether or not you really want to remove this machine from the current domain (see Figure 12.10). Note that if the local server is a Global Catalog server, you will be warned that at least one copy of the Global Catalog must remain available so that you can perform logon authentication. In order for a domain to continue to exist, there must be at least one remaining domain controller in that domain. As noted in the dialog box in Figure 12.10, you must take some very important considerations into account if you are removing the last domain controller from the domain. Since all of the security accounts and information will be lost, you should ensure that the following requirements are met before you remove a domain’s last domain controller: Computers no longer log on to this domain. Ensure that computers that were once members of this domain have changed domains. If computers are still attempting to log on, they will not be able to use any of the security features, including any security permissions or logon accounts. Users will, however, still be able to log on to the computer using cached authenticated information. No user accounts are needed. All of the user accounts that reside within the domain (and all of the resources and permissions associated with them) will be lost when the domain is destroyed. Therefore, if you have already set up usernames and passwords, you need to transfer these accounts to another domain; otherwise, you will lose all of this information. All encrypted data is decrypted. You need the security information (including User, Computer, and Group objects) stored within the Active Directory domain database to access any
Demoting a Domain Controller
647
encrypted information. Once the domain fails to exist, the security information stored within it will no longer be available, and any encrypted information stored in the file system will become permanently inaccessible. So, decrypt any encrypted data before you begin the demotion process so that you can make sure you can access this information afterward. For example, if you have encrypted files or folders that reside on NTFS volumes, you should decrypt them before you continue with the demotion process. FIGURE 12.10
Demoting a domain controller using the Active Directory Installation Wizard
Back up all cryptographic keys. If you are using cryptographic keys to authenticate and secure data, you should export the key information before you demote the last domain controller in a domain. Because this information is stored in the Active Directory database, any resources locked with these keys become inaccessible once the database is lost as a result of the demotion process.
Removing a domain from your environment is not an operation that should be taken lightly. Before you plan to remove a domain, make a list of all the resources that depend on the domain and the reasons why the domain was originally created. If you are sure your organization no longer requires the domain, then you can safely continue. If you are not sure, think again!
By now, you’ve probably noticed a running theme—a lot of information disappears when you demote the last domain controller in a domain. The Active Directory Installation Wizard makes performing potentially disastrous decisions very easy. Be sure that you understand these effects before you demote the last domain controller for a given domain. By default, at the end of the demotion process, the server is joined as a member server to the domain for which it was previously a domain controller. If you demote the last domain controller in the domain, the server becomes stand-alone.
648
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Managing Multiple Domains You can easily manage most of the operations that must occur between domains by using the Active Directory Domains And Trusts administrative tool. In the following sections, you’ll look at ways to perform the most common domain management functions. We’ll also look at ways to manage UPN suffixes to simplify user accounts, and we’ll examine Global Catalog servers in more detail.
Managing Trusts Trust relationships make it easier to share security information and network resources between domains. As was already mentioned, standard transitive two-way trusts are automatically created between the domains in a tree and between each of the trees in a forest. Figure 12.11 shows an example of the default trust relationships in an Active Directory forest. FIGURE 12.11
Default trusts in an Active Directory forest = Transitive Two-Way Trust tree1.com
tree2.com
When configuring trusts, there are two main characteristics you’ll need to consider: Transitive trusts By default, Active Directory trusts are transitive trusts. The simplest way to understand transitive relationships is through an example like the following: if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Trusts can be configured as intransitive so that this type of behavior does not occur. One-way vs. two-way Trusts can be configured as one-way or two-way relationships. The default operation is to create two-way trusts or bidirectional trusts. This makes it easier to manage
Managing Multiple Domains
649
trust relationships by reducing the trusts you must create. In some cases, however, you might decide that you do not need two-way trusts. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain. When domains are added together to form trees and forests, an automatic transitive two-way trust is created between them. Although the default trust relationships work well for most organizations, there are some reasons why you might want to manage trusts manually. First, you may want to remove trusts between domains if you are absolutely sure that you do not want resources to be shared between domains. Second, because of security concerns, you may need to keep resources isolated. In addition to the default trust types, you can also configure the following types of special trusts: External trusts You use external trusts to provide access to resources on a Windows NT 4 domain or forest that cannot use a forest trust. Windows NT 4 domains cannot benefit from the other trust types that are new to Windows Server 2003, so in some cases, external trusts could be your only option. External trusts are always nontransitive, but they can be established in a one-way or two-way configuration. Realm trusts Similar to external trusts, you use realm trusts to connect to a non-Windows domain that uses Kerberos authentication. Realm trusts can be transitive or non-transitive, oneway or two-way. Cross-forest trusts Cross-forest trusts are used to share resources between forests. They can only be used with Windows Server 2003 domains and cannot be intransitive, but they can be established in a one-way or two-way configuration. Authentication requests in either forest can reach the other forest in a two-way cross-forest trust. Shortcut trusts In some cases, you may actually want to create direct trusts between two domains that implicitly trust each other. Such a trust is sometimes referred to as a shortcut trust and can improve the speed at which resources are accessed across many different domains. Perhaps the most important aspect to remember regarding trusts is that creating them only allows you to share resources between domains. The trust does not grant any permissions between domains by itself. Once a trust has been established, however, systems administrators can easily assign the necessary permissions. Exercise 12.6 walks you through the steps you need to take to manage trusts. In this exercise, you will see how to assign trust relationships between domains. In order to complete the steps in this exercise, you must have domain administrator access permissions. EXERCISE 12.6
Managing Trust Relationships 1.
Open the Active Directory Domains And Trusts administrative tool by clicking Start Administrative Tools Active Directory Domains And Trusts.
2.
Right-click the name of a domain and select Properties.
650
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.6 (continued)
3.
Select the Trusts tab. You will see a list of the trusts that are currently configured. To modify the trust properties for an existing trust, highlight that trust and click Properties.
4.
This screen displays information about the trust’s direction, transitivity, and type, along with the names of the domains involved in the relationship. Click Cancel to exit without making any changes.
5.
To create a new trust relationship, click the New Trust button on the Trusts tab. The New Trust Wizard appears. Click Next to proceed with the wizard.
Managing Multiple Domains
651
EXERCISE 12.6 (continued)
6.
On the Trust Name page, you are prompted for the name of the domain with which the trust should be created. Enter the name of the domain and click Next.
7.
On the Trust Type page, you would normally choose the Trust With A Windows Domain option if you know that the other domain uses a Windows domain controller. In order to continue with this exercise (without requiring access to another domain), it is important to choose the Realm Trust option. This selection allows you to walk through the process of creating a trust relationship without needing an untrusted domain in the Active Directory environment. Select the Realm Trust option. Click Next when you are done.
652
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.6 (continued)
8.
On the Transitivity Of Trust page, choose whether the trust is transitive or intransitive. Choose the Nontransitive option and click Next to continue.
9.
On the Direction Of Trust page, select the direction of the trust. If you want both domains to trust each other, select the two-way option. Otherwise select either One-way: Incoming or One-Way: Outgoing, depending on where the affected users are located. For the sake of this exercise, choose One-Way: Incoming and then click Next.
Managing Multiple Domains
653
EXERCISE 12.6 (continued)
10. On the Trust Password page, specify a password that should be used to administer the trust. Note that if there is an existing trust relationship between the domains, the passwords must match. Click Next to continue.
11. Now you see a summary page that recaps the selections you have made. Since this is an exercise, you don’t actually want to establish this trust. Click Cancel on the Trust Selections Complete page to cancel the wizard without saving the changes.
12. Exit the Trust properties for the domain by clicking Cancel.
Once you have established the trust relationships, you will be able to share resources between domains.
654
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Managing UPN Suffixes User principal name (UPN) suffixes are the part of a user’s name that appears after the @ symbol. So, for instance, the UPN suffix of
[email protected] would be sybex1.com. By default, the UPN suffix is determined by the name of the domain in which the user is created. In this example, the user james was created in the domain sybex1.com, so the two pieces of the UPN logically fit together. However, you might find it useful to provide an alternative UPN suffix to consolidate the UPNs forest-wide. For instance, if you manage a forest that consists of sybex1.com and sybex2.com, you might want all of your users to adopt the more generally applicable sybex.com UPN suffix. By adding additional UPN suffixes to the forest, you can easily choose the appropriate suffix when it comes time to create new users. Exercise 12.7 shows you exactly how to add additional suffixes to a forest.
Managing Global Catalog Servers One of the best features of a distributed directory service like the Active Directory is that you can store different pieces of information throughout an organization. For example, a domain in Japan might store a list of users who operate within a company’s Asian Operations business unit, while one in New York would contain a list of users who operate within its North American Operations business unit. This architecture allows systems administrators to place the most frequently accessed information on domain controllers in different domains, thereby reducing disk space requirements and replication traffic. There is, however, a problem you may encounter when you deal with information that is segmented into multiple domains. The issue involves querying information stored within the Active Directory. What would happen, for example, if a user wanted a list of all of the printers available in all domains within the Active Directory forest? In this case, the search would normally require information from at least one domain controller in each of the domains within the environment. Some of these domain controllers may be located across slow network links or may have unreliable connections. The end result would include an extremely long wait while retrieving the results of the query. Fortunately, the Active Directory has a mechanism that speeds up such searches. You can configure any number of domain controllers to host a copy of the Global Catalog. The Global Catalog contains all of the schema information and a subset of the attributes for all domains within the Active Directory environment. Although a default set of information is normally included with the Global Catalog, systems administrators can choose to add additional information to this data store. Servers that contain a copy of the Global Catalog are known as Global Catalog servers. Now, whenever a user executes a query that requires information from multiple domains, they need only contact the nearest Global Catalog server for this information. Similarly, when users must authenticate across domains, they do not have to wait for a response from a domain controller that may be located across the world. The end result is that the overall performance of Active Directory queries increases. Exercise 12.8 walks you through the steps you need to take to configure a domain controller as a Global Catalog server. Generally, Global Catalog servers are only useful in environments that use multiple Active Directory domains.
Managing Multiple Domains
655
EXERCISE 12.7
Adding a UPN Suffix 1.
Open the Active Directory Domains And Trusts administrative tool by clicking Start Administrative Tools Active Directory Domains And Trusts.
2.
Right-click Active Directory Domains And Trusts in the left side of the window and select Properties.
3.
On the UPN Suffixes tab of the Active Directory Domains And Trusts Properties dialog box, enter any alternate UPN suffix in the Alternate UPN Suffixes field. Click the Add button to add the suffix to the list.
4.
To remove a UPN suffix, select its name in the list and click the Remove button.
EXERCISE 12.8
Managing Global Catalog Servers 1.
Open the Active Directory Sites And Services administrative tool by clicking Start Administrative Tools Active Directory Sites And Services.
2.
Find the name of the local domain controller within the list of objects (typically under Default First Site Name Servers), and expand this object. Right-click NTDS Settings and select Properties.
656
Chapter 12
Planning and Implementing Domains, Trees, and Forests
EXERCISE 12.8 (continued)
3.
In the NTDS Settings Properties dialog box, type Primary GC Server for Domain in the Description field. Note that there is a checkbox that determines whether or not this computer contains a copy of the Global Catalog. If the box is checked, then this domain controller contains a subset of information from all other domains within the Active Directory environment. Select the Global Catalog checkbox, and then click OK to continue.
4.
When you are finished, close the Active Directory Sites And Services administrative tool.
Summary This chapter covered the following:
The prerequisites for installing a Windows Server 2003 domain controller. Considerations include verifying the file system and verifying DNS configuration.
Issues involving domain planning, including determining the name for the root domain.
How to use the Active Directory Installation Wizard to create the first domain controller in an Active Directory environment.
How to verify the configuration of the Active Directory by performing several tests of its functionality, including client access to the Active Directory.
How to create and configure Application Directory Partitions to store replicable application data.
The good reasons for creating multiple domains. By using multiple domains, organizations can retain separate security databases. However, they are also able to share resources between domains.
Exam Essentials
657
How to use multiple domains to provide two major benefits for the network directory services—security and availability. These benefits are made possible through the use of the structure of the Active Directory and the administrative tools that can be used to access it.
How systems administrators can simplify operations while still ensuring that only authorized users have access to their data.
How multiple domains can interact to form Active Directory trees and forests.
How to use the Active Directory Installation Wizard to create new Active Directory trees and forests.
How to combine multiple domain trees into Active Directory forests.
How to use trusts to balance security and domain interoperability. Although each domain in the environment retains a separate security database through the use of properly configured trusts, you will be able to enjoy the benefits of separate security domains while still being able to share resources.
How to use Global Catalog servers to greatly improve the performance of cross-domain Active Directory queries.
Exam Essentials Know the prerequisites for promoting a server to a domain controller. You should understand the tasks that you must complete before you attempt to upgrade a server to a domain controller. Also, you should have a good idea of the information you need in order to complete the domain controller promotion process. Understand the steps of the Active Directory Installation Wizard. When you run the Active Directory Installation Wizard, you’ll be presented with many different choices. You should understand the effects of the various options provided in each step of the wizard. Be familiar with the tools that you will use to administer the Active Directory. There are three main administrative tools that are installed when you promote a Windows Server 2003 to a domain controller. Be sure you know which tools to use for which types of tasks. Understand the purpose of Application Directory Partitions. The idea behind application data partitions is that, since you already have a directory service that can replicate all kinds of security information, you can also use it to keep track of application data. The main benefit of storing application information in the Active Directory is that you can take advantage of its storage mechanism and replication topology. Application-related information stored on domain controllers benefits from having fault-tolerance features and availability. Understand the reasons for using multiple domains. There are seven primary reasons for using multiple domains: they provide additional scalability, they reduce replication traffic, they help with political and organizational issues, they provide many levels of hierarchy, they provide varying security policies, they allow for decentralized administration, and they allow for multiple DNS or domain names.
658
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Understand the drawbacks of using multiple domains. With multiple domains, maintaining administrative consistency is more difficult. The number of administrative units multiplies as well, which makes it difficult to keep track of network resources. Finally, it is much more difficult to rearrange the domain topology within an Active Directory environment than it is to simply reorganize OUs. Know how to create a domain tree. To create a new domain tree, you need to promote a Windows Server 2003 computer to a domain controller and select the option that makes this domain controller the first machine in a new domain that is a child of an existing one. The result is a new domain tree that contains two domains—a parent domain and a child domain. Know how to join a domain tree to a forest. Creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain. In order to add a new domain to an existing forest, you must already have at least one other domain. This domain serves as the root domain for the entire forest. Understand how to manage trusts. When configuring trusts, you’ll need to consider two main characteristics: transitivity and direction. The simplest way to understand transitive relationships is through an example like the following: If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Trusts can be configured as intransitive so that this type of behavior does not occur. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain. In two-way relationships, both domains trust each other equally. Special trusts include external trusts, realm trusts, cross-forest trusts, and shortcut trusts. Understand how to manage UPN suffixes. By default, the name of the domain in which the user is created determines the UPN suffix. By adding additional UPN suffixes to the forest, you can easily choose more manageable suffixes when it comes time to create new users. Understand how to manage Global Catalog (GC) servers. You can configure any number of domain controllers to host a copy of the Global Catalog. The Global Catalog contains all of the schema information and a subset of the attributes for all domains within the Active Directory environment. Servers that contain a copy of the Global Catalog are known as Global Catalog servers. Whenever a user executes a query that requires information from multiple domains, they need only contact the nearest Global Catalog server for this information. Similarly, when users must authenticate across domains, they will not have to wait for a response from a domain controller that may be located across the world. The end result is increased overall performance of Active Directory queries.
Key Terms
Key Terms Before you take the exam, be certain you are familiar with the following terms: Active Directory Installation Wizard (DCPROMO)
promotion
application data partitions
realm trusts
bidirectional trusts
shortcut trust
Cross-forest trusts
transitive trusts
domain controllers
Transmission Control Protocol/Internet Protocol (TCP/IP)
external trusts
two-way trusts
functional levels
Windows Server 2003 functional level
659
660
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Review Questions 1.
What is the maximum number of domains that a Windows 2003 Server computer, configured as a domain controller, may participate in at one time? A. 0 B. 1 C. 2 D. Any number of domains
2.
You are attempting to join various machines on your network to an Active Directory domain. Which of the following scenarios describe machines that can be added to the domain? Choose all that apply. A. The machine is running Windows XP Professional. B. The machine is a member of another domain. C. The machine is running Windows Server 2003. D. The machine is a member of a workgroup.
3.
Which of the following operations is not supported by the Active Directory Installation Wizard? A. Promoting a server to a domain controller B. Demoting a domain controller to a server C. Moving servers between domains D. Starting the DNS Installation Wizard
4.
Windows Server 2003 requires the use of which two of the following protocols or services in order to support the Active Directory? A. DHCP B. TCP/IP C. NetBEUI D. IPX/SPX E. DNS
Review Questions
5.
661
You are installing the first domain controller in your Active Directory environment. Where would you click next in the following exhibit in order to begin the Active Directory Installation Wizard?
A. Remote Desktops B. Services C. Licensing D. Manage Your Server 6.
You are a systems administrator for an environment that consists of two Active Directory domains. Initially, the domains were configured without any trust relationships. However, the business now needs to share resources between domains. You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, which of the following statements is true? (Choose all that apply.) A. All users in Domain A can access all resources in Domain B. B. All users in Domain B can access all resources in Domain A. C. Resources cannot be shared between the domains. D. Users in Domain A do not have permission to access resources in Domain B. E. Users in Domain B do not have permission to access resources in Domain A.
662
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Jane is a systems administrator for a large Active Directory environment that plans to deploy four Active Directory domains. She is responsible for determining the hardware budget she needs to deploy the four domains. She has the following requirements:
7.
The budget should minimize the number of servers to be deployed initially.
Each domain must implement enough fault-tolerance to survive the complete failure of one domain controller.
If one domain controller fails, users in all domains should still have access to Active Directory information. In order to meet these requirements, what is the minimum number of domain controllers Jane can deploy initially? A. 0 B. 1 C. 2 D. 4 E. 8 A junior systems administrator who was responsible for administering an Active Directory domain accidentally demoted the last domain controller of your ADTest.com domain. He noticed that after the demotion process was complete, no Active Directory–related operations could be performed by any machine on the network. He calls you to ask for advice about re-creating the domain. Your solution must meet the following requirements:
8.
No Active Directory security information can be lost.
All objects must be restored.
The process must not require the use of Active Directory or server backups because they were not being performed for the ADTest.com domain. After the last domain controller in a domain has been demoted, how can the domain be re-created to meet these requirements? A. By creating a new domain controller with the same name as the demoted one. B. By creating a new domain with the same name. C. By adding a new member server to the old domain. D. None of the above solutions meets the requirements.
9.
Which of the following item(s) does not depend on the DNS namespace? (Choose all that apply.) A. Organizational Units (OUs) B. Domains C. Domain trees D. Domain forests E. DNS zones F. Active Directory sites
Review Questions
663
10. Which of the following types of computers contain a copy of the Global Catalog? A. All Windows NT domain controllers B. All Active Directory domain controllers C. Specified Active Directory domain controllers D. Active Directory workstations 11. Which of the following pieces of information should you have before you use the Active Directory Installation Wizard to install a new subdomain? (Choose all that apply.) A. The name of the child domain B. The name of the parent domain C. DNS configuration information D. NetBIOS name for the server 12. Which type of trust is automatically created between the domains in a domain tree? A. Transitive B. Two-way C. Transitive two-way D. Intransitive two-way 13. A systems administrator wants to remove a domain controller from a domain. Which of the following is the easiest way to perform the task? A. Use the Active Directory Installation Wizard to demote the domain controller. B. Use the DCPROMO /REMOVE command. C. Reinstall the server over the existing installation, and make the machine a member of
a workgroup. D. Reinstall the server over the existing installation, and make the machine a member of
a domain. 14. Which of the following is true regarding the sharing of resources between forests? A. All resources are automatically shared between forests. B. A trust relationship must exist before resources can be shared between forests. C. Resources cannot be shared between forests. D. A transitive trust relationship must exist before resources can be shared between forests. 15. You are the network administrator of a large network. You recently decided to add a new child domain to an existing domain. The new child domain is located at a remote office, and you want to configure one of the Windows Server 2003 member servers to act as a domain controller at the remote site. Which of the following utilities do you use? A. Active Directory Sites And Services B. Active Directory Users And Computers C. Server Manager D. DCPROMO
664
Chapter 12
Planning and Implementing Domains, Trees, and Forests
Answers to Review Questions 1.
B. A domain controller can contain Active Directory information for only one domain. If you want to use a multidomain environment, you must use multiple domain controllers configured in either a tree or forest setting.
2.
A, B, C, D. All of the above configurations can be joined to a domain. Note that if a machine is a member of another domain, it must first be removed from that domain before it can be joined to another one. Join it to a workgroup to remove it from the old domain, then join it to the new domain.
3.
C. The only way to move a domain controller between domains is to demote it from its current domain and then promote it into another domain. You cannot move a domain controller automatically using any of the built-in tools included with Windows Server 2003.
4.
B, E. The use of LDAP and TCP/IP is required to support the Active Directory. TCP/IP is the network protocol that is favored by Microsoft, so they determined that all Active Directory communication would occur on TCP/IP. DNS is required because Active Directory is inherently dependent upon the domain model. Option A is used for automatic address assignment, and is not required. Similarly, options C and D, while they are available network protocols in Windows Server 2003, are not required by the Active Directory.
5.
D. You typically use the Configure Your Server Wizard, launched from the Manage Your Server tool, to begin the process of promoting a server to a domain controller.
6.
D, E. A trust relationship only allows for the possibility of sharing resources between domains; it does not explicitly provide any permissions. In order to allow users to access resources in another domain, you must configure the appropriate permissions.
7.
E. Every domain must have at least one domain controller; therefore, Jane would need at least four domain controllers in order to create the domains. Furthermore, to meet the requirements for fault-tolerance and the ability to continue operations during the failure of a domain controller, each of the four domains must also have a second domain controller. Therefore, Jane must deploy a minimum of eight servers configured as Active Directory domain controllers.
8.
D. Once the last domain controller in an environment has been removed, there is no way to recreate the same domain. If adequate backups had been performed, you may have been able to recover information by rebuilding the server.
9.
A, F. OUs do not participate in the DNS namespace—they are used primarily for naming objects within an Active Directory domain. The naming for Active Directory objects, such as sites, does not depend on DNS names either.
10. C. Systems administrators can define which domain controllers in the environment contain a copy of the Global Catalog (GC). Although the GC does contain information about all domains in the environment, it does not have to reside on all domain controllers. 11. A, B, C, D. Before beginning the promotion of a domain controller, you should have all of the information listed. You must specify all of these pieces of information in the Active Directory Installation Wizard.
Answers to Review Questions
665
12. C. A transitive two-way trust is automatically created between the domains in a domain tree. 13. A. The Active Directory Installation Wizard allows administrators to remove a domain controller from a domain quickly and easily without requiring them to reinstall the operating system. 14. B. When you create trust relationships, resources can be shared between domains that are in two different forests. To simplify access to resources (at the expense of security), a systems administrator could enable the Guest account in the domains so that resources would be automatically shared for members of the Everyone group. 15. D. A domain tree is created when a new domain is added as the child of an existing domain. This relationship is established during the promotion of a Windows Server 2003 computer to a domain controller. Although the underlying relationships can be quite complicated in larger organizations, the Active Directory Installation Wizard (DCPROMO) makes it easy to create forests and trees.
Chapter
13
Managing and Maintaining the Active Directory MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan a strategy for placing global catalog servers.
Evaluate network traffic considerations when placing global catalog servers.
Evaluate the need to enable universal group caching.
Plan a user authentication strategy.
Plan a smart card authentication strategy.
Create a password policy for domain users.
Restore Active Directory directory services.
Perform an authoritative restore operation.
Perform a nonauthoritative restore operation.
One of the most fundamental responsibilities of any systems administrator is security management. Therefore, all network operating systems offer some way to grant or deny access to resources, such as files and printers. The Active Directory is no exception. You can define fundamental security objects through the use of the users, groups, and computers security principals. Then you can allow or disallow access to resources by granting specific permissions to each of these objects. Another important consideration when working with the Active Directory is ensuring that your system information is safely backed up. Backups are useful when you lose data because of system failures, file corruptions, or accidental modifications of information. In this chapter, you’ll learn how to implement security within the Active Directory. Through the use of Active Directory tools, you can quickly and easily configure the settings that you require in order to protect information. Note, however, that proper planning for security permissions is an important prerequisite. If your security settings are too restrictive, users may not be able to perform their job functions. Worse yet, they may try to circumvent security measures. On the other end of the spectrum, if security permissions are too lax, users may be able to access and modify sensitive company resources. You should know how to use the Active Directory to apply permissions to resources on the network. Particular attention is placed on the evaluation of permissions when applied to different groups and the flow of permissions through the organizational units (OUs) via Group Policy, which is discussed in depth in Chapter 14, “Planning, Implementing, and Managing Group Policy.” With all of this in mind, let’s start looking at how you can manage security within Active Directory.
In order to complete the exercises in this chapter, you should understand the basics of working with Active Directory objects.
Active Directory Security Overview One of the fundamental design goals for the Active Directory is to define a single, centralized repository of users and information resources. The Active Directory records information about all of the users, computers, and resources on your network. Each domain acts as a security boundary, and members of the domain (including workstations, servers, and domain controllers) share information about the objects within them.
Active Directory Security Overview
669
The information stored within the Active Directory determines which resources are accessible to which users. Through the use of permissions that are assigned to Active Directory objects, you can control all aspects of network security.
Many security experts state that 20 percent of real-world network security is a technical issue and that 80 percent of it is a process-and-policy one. Don’t make the mistake of trying to solve all security problems through system(s) configurations. You also need to establish and enforce business rules, physically secure your resources, and ensure that users are aware of any restrictions.
Throughout this chapter, you’ll learn the details of security as it pertains to the Active Directory. Note, however, that this is only one aspect of true network security. That is, you should always be sure that you have implemented appropriate access control settings for the file system, network devices, and other resources. Let’s start by looking at the various components of network security: Security principals, managing security and permissions, and access control lists (ACLs) and access control entries (ACEs).
You already saw how to manage users and groups in Chapter 2, “Managing Users, Groups, and Computers.” However, in that chapter we didn't discuss the in-depth topics required to effectively plan an Active Directory infrastructure; rather, you learned how to implement security principals. You didn’t really see why they are important. MCSEs require this extra level of understanding, so be sure to review both this chapter and Chapter 2 before taking the MCSE Upgrade exam.
Understanding Security Principals Security principals are Active Directory objects that are assigned security identifiers (SIDs). A SID is a unique identifier that is used to manage any object to which permissions can be assigned. Security principals are assigned permissions to perform certain actions and access certain network resources. The basic types of Active Directory objects that serve as security principals include the following: User accounts User accounts identify individual users on your network by including information such as the user’s name and their password. User accounts are the fundamental unit of security administration. Groups There are two main types of groups: security groups and distribution groups. Both types can contain user accounts. Security groups are used for easing the management of security permissions. Distribution groups, on the other hand, are used solely for the purpose of sending e-mail. Distribution groups are not considered security principals. You’ll see the details of groups in the next section.
670
Chapter 13
Managing and Maintaining the Active Directory
Computer accounts Computer accounts identify which client computers are members of particular domains. Since these computers participate in the Active Directory database, systems administrators can manage security settings that affect the computer. Computer accounts are used to determine whether a computer can join a domain and for authentication purposes. As you’ll see later in this chapter, systems administrators can also place restrictions on certain computer settings to increase security. These settings apply to the computer and, therefore, also apply to any user who is using it (regardless of the permissions granted to the user account). Note that other objects—such as OUs—do not function as security principals. What this means is that you can apply certain settings (such as Group Policy) on all of the objects within an OU; however, you cannot specifically set permissions with respect to the OU itself. The purpose of OUs is to logically organize other Active Directory objects based on business needs. This distinction is important to remember. Security principals can be assigned permissions so that they can access various network resources, can be given user rights, and may have their actions tracked. The three types of security principals—user accounts, groups, and computer accounts—form the basis of the Active Directory security architecture. As a systems administrator, you will likely spend a portion of your time managing permissions for these objects. It is important to understand that, since a unique SID defines each security principal, deleting a security principal is an irreversible process. For example, if you delete a user account and then later re-create one with the same name, you need to reassign permissions and group membership settings for the new account. The fundamental security principals that are used for security administration include users and groups. In the following sections, you’ll learn how users and groups interact and about the different types of groups that you can create.
Types of Groups When dealing with groups, you should make the distinction between local security principals and domain security principals. You use local users and groups to assign the permissions necessary to access the local machine. For example, you may assign the permissions you need to reboot a domain controller to a specific local group. Domain users and groups, on the other hand, are used throughout the domain. These objects are available on any of the computers within the Active Directory domain and between domains that have a trust relationship. There are two main types of groups used in the Active Directory: Security groups Security groups are considered security principals. They can contain user accounts. To make administration simpler, permissions are usually granted to groups. This allows you to change permissions easily at the Active Directory level (instead of at the level of the resource on which the permissions are assigned). Security groups can be used for e-mail purposes—that is, a systems administrator can automatically e-mail all of the user accounts that exist within a group. Of course, the systems administrator must specify the e-mail addresses for these accounts. The Active Directory Contact objects can also be placed within security groups, but security permissions will not apply to them.
Active Directory Security Overview
671
Distribution groups Distribution groups are not considered security principals and are used only for the purpose of sending e-mail messages. You can add users to distribution groups just as you would add them to security groups. Distribution groups can also be placed within OUs for easier management. They are useful, for example, if you need to send e-mail messages to an entire department or business unit within the Active Directory. Understanding the differences between security and distribution groups is important in an Active Directory environment. For the most part, systems administrators use security groups for daily administration of permissions. On the other hand, systems administrators who are responsible for maintaining e-mail distribution lists generally use distribution groups to logically group members of departments and business units. When working in Windows 2000 native or Server 2003 functional level domains, you can convert security groups to or from distribution groups. When group types are running in a Windows 2000 mixed domain functional level, they cannot be changed.
Group Scope In addition to being classified by type, each group is also given a specific scope. The scope of a group defines two characteristics. First, it determines the level of security that applies to a group. Second, it determines which users can be added to the group. Group scope is an important concept in network environments because it ultimately defines which resources users are able to access. The three types of group scope are as follows: Domain local The scope of domain local groups extends as far as the local machine. When you’re using the Active Directory Users And Computers tool, domain local accounts apply to the computer for which you are viewing information. Domain local groups are used to assign permissions to local resources, such as files and printers. They can contain global groups, universal groups, and user accounts. Global The scope of global groups is limited to a single domain. Global groups may contain any of the users that are a part of the Active Directory domain in which the global groups reside. Global groups are often used for managing domain security permissions based on job functions. For example, if you need to specify permissions for the Engineering Department, you could create one or more global groups (such as EngineeringManagers and EngineeringDevelopers). You could then assign security permissions to each group for any of the resources within the domain. Universal Universal groups can contain users from any domains within an Active Directory forest. Therefore, they are used for managing security across domains. Universal groups are available only when you’re running Active Directory in Windows 2000 native or Windows Server 2003 domain functional level. When managing multiple domains, it often helps to group global groups within universal groups. For instance, if you have an Engineering global group in the research.mycompany.com domain and an Engineering global group in the asia.mycompany.com domain, you could create a universal AllEngineers group that contains both of the global groups. Now, whenever security permissions must be assigned to all engineers within the organization, you need only assign permissions to the AllEngineers universal group.
672
Chapter 13
Managing and Maintaining the Active Directory
In order for domain controllers to process authentication between domains, information about the membership in universal groups is stored in the Global Catalog (GC). Keep this in mind if you ever plan to place users directly into universal groups and bypass global groups because all of the users will be enumerated in the GC, which will impact size and performance. Fortunately, universal group credentials are cached on domain controllers that universal group members use to log on. The cached data is obtained whenever universal group members log on, and it is retained on the domain controller for eight hours by default. This is especially useful for smaller locations, such as branch offices, that run less expensive domain controllers. Most domain controllers at these locations cannot store a copy of the entire GC, and frequent calls to the nearest GC would require an inordinate amount of network traffic. When you create a new group using the Active Directory Users And Computers tool, you must specify the scope of the group. Figure 13.1 shows the New Object–Group dialog box, and the available options for the group scope. FIGURE 13.1
The New Object–Group dialog box
As you can see, the main properties for each of these group types are affected by whether the Active Directory is running in Windows 2000 mixed, Windows 2000 native, or Server 2003 domain functional level. Each of these scope levels is designed for a specific purpose and will ultimately affect the types of security permissions that can be assigned to them. There are several limitations on group functionality when running in Windows 2000 mixed domain functional level. Specifically, the following limitations exist:
Universal security groups are not available.
Changing the scope of groups is not allowed.
Limitations to group nesting exist. Specifically, the only nesting allowed is global groups contained in domain local groups. When running in native-mode domains, you can make the following group scope changes:
Active Directory Security Overview
673
Domain local groups can be changed to a universal group. This change can be made only if the domain local group does not contain any other domain local groups.
A global group can be changed to a universal group. This change can be made only if the global group is not a member of any other global groups.
Universal groups themselves cannot be converted into any other group scope type. Changing group scope can be helpful when your security administration or business needs change. You can change group scope easily using the Active Directory Users And Computers tool. To do so, access the properties of the group. As shown in Figure 13.2, you can make a group scope change by clicking one of the options. FIGURE 13.2
The group Properties dialog box
Managing Security and Permissions Now that you understand the basic issues, terms, and Active Directory objects that pertain to security, it’s time to look at how you can apply this information to secure your network resources. The general practice for managing security is to assign users to groups and then grant permissions and logon parameters to the groups so that they can access certain resources. For management ease and to implement a hierarchical structure, you can place groups within OUs. You can also assign Group Policy settings to all of the objects contained within an OU. By using this method, you can combine the benefits of a hierarchical structure (through OUs) with the use of security principals. Figure 13.3 provides a diagram of this process.
674
Chapter 13
FIGURE 13.3
Managing and Maintaining the Active Directory
An overview of security management
Group Policy assigned to
organized in
OU OU OU
Users
Groups
Organizational Units (OUs)
The primary tool used to manage security permissions for users, groups, and computers is the Active Directory Users And Computers tool. Using this tool, you can create and manage Active Directory objects and organize them based on your business needs. Common tasks for many systems administrators might include the following:
Resetting a user’s password (for example, in cases where they forget the password)
Creating new user accounts (when, for instance, a new employee joins the company)
Modifying group memberships based on changes in job requirements and functions
Disabling user accounts (when, for example, users will be out of the office for long periods of time and will not require network resource access)
Once you’ve properly grouped your users, you need to set the actual permissions that affect the objects within Active Directory. The actual permissions available vary based on the type of object. Table 13.1 provides an example of some of the permissions that can be applied to various Active Directory objects and an explanation of what each permission does: TABLE 13.1
Permissions of Active Directory Objects
Permission
Explanation
Control Access
Changes security permissions on the object.
Create Child
Creates objects within an OU (such as other OUs).
Delete Child
Deletes child objects within an OU.
Delete Tree
Deletes an OU and the objects within it.
List Contents
Views objects within an OU.
List Object
Views a list of the objects within an OU.
Active Directory Security Overview
TABLE 13.1
675
Permissions of Active Directory Objects
Permission
Explanation
Read
Views properties of an object (such as a username).
Write
Modifies properties of an object.
Using ACLs and ACEs Each object in Active Directory has an access control list (ACL). The ACL is a list of user accounts and groups that are allowed to access the resource. For each ACL, there is an access control entry (ACE) that defines what a user or a group can actually do with the resource. Deny permissions are always listed first. This means that if users have Deny permissions through user or group membership, they will not be allowed to access the object, even if they have explicit Allow permissions through other user or group permissions. Figure 13.4 shows an ACL for the Sales OU.
The Security tab is only enabled if you selected the Advanced Features option from the View menu in the Active Directory Users And Computers tool.
FIGURE 13.4
ACL for an OU
676
Chapter 13
Managing and Maintaining the Active Directory
Using Groups Effectively You are a new systems administrator for a medium-sized organization, and your network spans a single campus-type environment. The previous administrator whom you replaced was the main person who migrated the network from Windows NT to Windows Server 2003. There are no real complaints about the network, and everyone seems happy with their new workstations. The environment is very collegial, with most employees on a first-name basis, and a great deal of your job is done in the hallway as you bump into people. As you familiarize yourself with the network, you soon realize that the previous administrator had a very ad hoc approach to administration. Many of the permissions to resources had been given to individual accounts as people asked for them. There doesn’t seem to be any particular strategy in the design of the directory or the allocation of resources. In one of your meetings with management, you are told that the company has acquired another company, and if this acquisition goes well, several more acquisitions will follow. You are informed of these sensitive plans because management does not want any hiccups in the information system as these new organizations are absorbed into the existing company. You immediately realize that management practices of the past for this network have to vanish, and they need to be replaced with the best practices that have been developed for networks over the years. One of the fundamental practices in this type of environment is the use of groups to apply permissions and give privileges to users throughout the network. Although it is quite simple to give permissions individually, and in some cases it seems like overkill to create a group, give permissions to the group, and then add a user to the group, it really pays off in the long run, regardless of how small your network is today. One constant in the networking world is that networks grow. And when they grow, it is much easier to add users to a well-thought-out system of groups and consistently applied policies and permissions than it is to patch these elements together for each individual user. Don’t get caught up in the “easy” way of dealing with each request as it comes down the pike. Take the time to figure out how the system will benefit from a more structured approach. Visualize your network as already large with numerous accounts, even if it is still small, and when it grows, you will be well positioned to manage the network as smoothly as possible.
Using Group Policy for Security A very useful and powerful feature of the Active Directory is a technology known as Group Policy. Through the use of Group Policy settings, systems administrators can assign literally hundreds of different settings and options for users, groups, and OUs. Specifically, in relation to security, there are many different options you can use to control how important features such as password policies, user rights, and account lockout settings can be configured.
Using Group Policy for Security
677
Security in the Active Directory is a very important topic on the MCSE Upgrade exam. Due to Microsoft’s overlapping exam objectives, you already saw how to implement security back in Chapter 6, “Administering Security Policy.” This section provides you with a refresher on how to use Group Policy for security, but if you need more detailed information, refer to Chapter 6 before taking the exam.
The general process for making these settings is to create a Group Policy Object (GPO) with the settings that you want, and to then link it to an OU or other Active Directory object. Table 13.2 lists many Group Policy settings that are relevant to creating a secure Active Directory environment. Note that this list is not complete—there are many other options available through Windows Server 2003’s administrative tools. TABLE 13.2
Group Policy Settings Used for Security Purposes
Setting Section
Setting Name
Purpose
Account Policies Password Policy
Enforce PasswordHistory
Specifies how many passwords will be remembered. This option prevents users from reusing the same passwords, whenever they’re changed.
Account Policies Password Policy
Minimum Password Length Prevents users from using short, weak passwords by specifying the minimum number of characters that the password must include.
Account Policies Account Lockout Policy
Account LockoutDuration
Local Policies Security Options
Accounts: RenameAdminis- Often, when trying to gain unauthorized trator Account access to a computer, individuals attempt to guess the Administrator password. One method for increasing security is to rename this account so that no password allows entry using this logon.
Local Policies Security Options
This option specifies whether members of Domain Controller: Allow Server Operators To Sched- the built-in Server Operators group are allowed to schedule tasks on the server. ule Tasks
Specifies how long an account will remain locked out after the account has been locked out (due, generally, to too many bad password attempts). By setting this option to a reasonable value (such as “15 minutes”), you can reduce administrative overhead while still maintaining fairly strong security.
678
Chapter 13
TABLE 13.2
Managing and Maintaining the Active Directory
Group Policy Settings Used for Security Purposes (continued)
Setting Section
Setting Name
Purpose
Local Policies Security Options
Interactive Logon: Do Not Display Last User Name
Increases security by not displaying the name of the last user who logged into the system.
Local Policies Security Options
Shutdown: Allow System To Be Shut Down Without Having To Log On
Allows systems administrators to perform remote shutdown operations without logging on to the server.
You can use several different methods to configure Group Policy settings using the tools included with Windows Server 2003. Exercise 13.1 walks through the steps required to create a basic Group Policy for the purpose of enforcing security settings. EXERCISE 13.1
Applying Security Policies by Using Group Policy 1.
Open the Active Directory Users And Computers tool.
2.
Right-click the domain name, and select Properties.
3.
Change to the Group Policy tab, and select the Default Domain Policy.
4.
To specify the Group Policy settings, click Edit.
Using Group Policy for Security
679
EXERCISE 13.1 (continued)
5.
In the Group Policy window, open Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy object.
6.
In the right pane, double-click the Minimum Password Length setting.
7.
In the Security Policy Setting dialog box, place a check mark next to the Define This Policy Setting option. Increase the value to 7 characters. Click OK to return to the Group Policy Object Editor window.
8.
Open User Configuration, Administrative Templates, Control Panel object. Double-click Prohibit Access To The Control Panel, select Enabled, and then click OK.
9.
Close the Group Policy window to save the settings you chose. Click OK to enable the Security Group Policy.
680
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.1 (continued)
10. To view the security permissions for a Group Policy object, right-click the domain name and select Properties. On the Group Policy tab, highlight the Default Domain Policy Group Policy Object, and select Properties.
11. Select the Security tab of Default Domain Policy Properties dialog box. Click Add, and enter a valid username. Click OK to add this account to the list of users and groups that will be affected by these Group Policy settings. This takes you back to the Default Domain Policy Properties dialog box. Highlight the user, and allow this user the Read and Write permissions.
12. Click OK twice to save the changes. The user will now be able to view and change information for objects in the domain.
13. When finished, close the Active Directory Users And Computers tool.
The settings that you specify apply to all of the security principals included within the OU to which the Group Policy applies.
Understanding Smart Card Authentication In the previous section, we discussed password policies and account lockout policies that increase security over the default Windows Server 2003 settings. However, the standard account logon process is still fairly unsecure due to the fact that a malicious attacker only needs a single piece of information, a password, to log on to the network. This problem is compounded by the fact that users or administrators probably would not detect a stolen password until after it had been used by a hacker to break into the system. Smart cards, which are similar in appearance to credit cards, solve both of these problems.
Understanding Smart Card Authentication
681
Smart cards store user certificate information in a magnetic strip on a plastic card. As an alternative to the standard username and password logon process, users can insert a smart card into a special smart card reader attached to the computer and enter a unique PIN on the keyboard. This provides the system with a double-verification secure logon (the smart card and the PIN) and reduces the likelihood that a user’s authentication method will be stolen without detection. To deploy a smart card solution in the enterprise you must have a certificate authority (CA) and a public key infrastructure (PKI) on your intranet. In each domain, you must configure the security permissions of the Smart Card User, Smart Card Logon, and Enrollment Agent certificate templates to allow smart card users to enroll for certificates. You must also set up the certification authority to issue smart card certificates and Enrollment Agent certificates. After you’ve configured your certificate server to meet the requirements for smart card authentication, you can set up a smart card enrollment station and begin issuing smart cards to users. Most organizations that use smart card authentication don’t allow standard authentication at all, so Microsoft provides a group policy setting that requires the use of smart cards.
Preparing a Smart Card Certificate Enrollment Station To begin issuing smart cards, you must prepare a smart card certificate enrollment station where you physically transfer the authentication information to smart cards. You need to install a smart card reader on the enrollment station, which in this case doubles as a smart card writer. Smart card readers are available from a variety of manufacturers, so you should always make sure that any reader your company purchases is listed on the Windows Server 2003 HCL. After you’ve properly installed the smart card reader, you need to install an Enrollment Agent certificate on the enrollment station, which you obtain from your CA. Exercise 13.2 walks you through the process of configuring an enrollment station.
You must have access to a company CA configured in the manner described in the preceding paragraph in order to complete this exercise.
EXERCISE 13.2
Preparing a Smart Card Certificate Enrollment Station 1.
Log on as the user or administrator who will issue the smart card certificates.
2.
Open an mmc console by selecting Start Run and entering mmc in the Run dialog box.
3.
Add the Certificates snap-in by selecting File Add/Remove Snap-in. Click Add in the Add Standalone Snap-in dialog box. Select the Certificates snap-in and click the Add button. Click Close and then click OK to return to the mmc and display the newly added snap-in.
4.
Double-click the Certificates–Current User node in the mmc window.
682
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.2 (continued)
5.
Right-click the Personal node and select All Tasks Request New Certificate.
6.
In the Certificate Request wizard, select the Enrollment Agent certificate template. Enter a name and description for the template. When prompted, click Install Certificate.
After you’ve prepared the enrollment station to enroll smart cards certificates, you can actually begin writing certificate information to the physical cards. Follow the steps in Exercise 13.3 to enroll a smart card for user logon. Note that you must complete Exercise 13.2 before continuing. In addition, you must have a smart card reader and at least one blank smart card available. EXERCISE 13.3
Setting Up a Smart Card for User Logon 1.
Log on to the computer as the user or administrator that you configured in the previous exercise.
2.
Open Internet Explorer by selecting Start All Programs Internet Explorer.
3.
In the Address field, enter the address of the CA that issues smart card certificates and press Enter.
4.
In the IE window, click Request A Certificate, and then click Advanced Certificate Request.
5.
Click Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Certificate Enrollment Station. If prompted, click Yes to accept the smart card signing certificate.
6.
Click Smart Card Logon on the Smart Card Certificate Enrollment Station web page.
7.
Under Certification Authority, select the CA you want to issue the smart card certificate.
8.
Under Cryptographic Service Provider, select the cryptographic service provider of the smart card’s manufacturer.
9.
Under Administrator Signing Certificate, click the Enrollment Agent certificate from the previous exercise.
10. Under User To Enroll, click Select User. Select the user to enroll and click Enroll. 11. When prompted, insert the smart card into the smart card reader and click OK. When prompted, enter a new PIN for the smart card.
Backup and Recovery of the Active Directory
683
Now that you’ve seen how to configure a smart card enrollment station and set up smart cards for user logon, you should begin to think about Group Policy settings for enforcing smart card logon. One of the most common mistakes that administrators make when administering a smart card policy is to not require smart card logon at all. This means that users with smart cards can log on with either their smart cards or through the standard username and password procedure, which defeats the point of issuing smart cards in the first place! Exercise 13.4 shows you how to configure Group Policy to require smart card authentication. EXERCISE 13.4
Configuring Group Policy to Require Smart Card Logon 1.
Open the Active Directory Users And Computers Utility.
2.
Create a new top-level OU called Smart Card Test.
3.
Right-click the Smart Card Test OU and select Properties.
4.
In the Smart Card Test Properties dialog box, switch to the Group Policy tab and click Add. Press Enter to accept the default GPO name, and then click the Edit button.
5.
In the Group Policy Object Editor window, expand Computer Configuration Windows Settings Security Settings Local Policies Security Options.
6.
Double-click the Interactive Logon: Require Smart Card policy.
7.
In the Interactive Logon: Require Smart Card dialog box, select Enabled and click OK.
Backup and Recovery of the Active Directory If you have deployed the Active Directory in your network environment, there’s a good chance that your users depend on it to function properly in order to do their jobs. From network authentications to file access to print and web services, the Active Directory can be a missioncritical component of your business. Therefore, the importance of backing up the Active Directory data store should be evident.
You saw how to perform backup and restore operations in Chapter 3, “System Recovery and Web Services.” Now, we’ll look at these topics in the context of the Active Directory.
There are several reasons to back up data, including the following:
684
Chapter 13
Managing and Maintaining the Active Directory
Protect against hardware failures. Computer hardware devices have finite lifetimes, and all hardware eventually fails. Some types of failures, such as corrupted hard disk drives, can result in significant data loss. Protect against accidental deletion or modification of data. Although the threat of hardware failures is very real, in most environments, mistakes in modifying or deleting data are much more common. For example, suppose a systems administrator accidentally deletes all of the objects within a specific OU. Clearly, it’s very important to be able to retrieve this information from a backup. Keep historical information. Users and systems administrators sometimes modify files but then later find that they require access to an older version of the file. Or a file is accidentally deleted, but a user does not discover that fact until much later. By keeping backups over time, you can recover information from these prior backups when necessary. Protect against malicious deletion or modification of data. Even in the most secure environments, it is conceivable that unauthorized users (or authorized ones with malicious intent!) could delete or modify information. In such cases, the loss of data might require valid backups from which to restore critical information. Windows Server 2003 includes a Backup utility that is designed to back up operating system files and the Active Directory data store. It allows for basic backup functionality, such as scheduling backup jobs and selecting which files to back up. By default, the backup utility opens in Wizard mode and runs the Backup Or Restore Wizard automatically. If you want to run the Backup utility in the more traditional “Advanced mode,” you need to click the Advanced mode button on the opening screen of the wizard. Figure 13.5 shows the main screen for the Windows Server 2003 Backup utility in Advanced mode. FIGURE 13.5 Advanced mode
The main screen of the Windows Server 2003 Backup utility in
Backup and Recovery of the Active Directory
685
In the following sections, we’ll look at the details of using the Windows Server 2003 Backup utility and how the Active Directory can be restored when problems do occur.
Overview of the Windows Server 2003 Backup Utility Although the general purpose behind performing backup operations—protecting information—is straightforward, there are many options that systems administrators must consider when determining the optimal backup and recovery scenario for their environment. Factors include what to back up, how often to back up, and when the backups should be performed. In this section, you’ll see how the Windows Server 2003 Backup utility makes it easy to implement a backup plan for many network environments.
Backup Types One of the most important issues when dealing with backups is keeping track of which files have been backed up and which files need to be backed up. Whenever a backup of a file is made, the Archive bit for the file is set. You can view the attributes of system files by right-clicking them and selecting Properties. By clicking the Advanced button on the Properties dialog box, you will see the option File Is Ready For Archiving on the Advanced Attributes dialog box. Figure 13.6 shows an example of the attributes for a file. Although it is possible to back up all of the files in the file system during each backup operation, it’s sometimes more convenient to back up only selected files (such as those that have changed since the last backup operation). There are several types of backups that can be performed: Normal Normal backups back up all of the selected files and then mark them as backed up. This option is usually used when a full system backup is made. Copy Copy backups back up all of the selected files, but do not mark them as backed up. This is useful when you want to make additional backups of files for moving files off-site or making multiple copies of the same data or for archival purposes. Incremental Incremental backups copy any selected files that are marked as ready for backup and then mark the files as backed up. When the next incremental backup is run, only the files that are not marked as having been backed up are stored. Incremental backups are used in conjunction with full (normal) backups. The general process is to make a full backup and then to make subsequent incremental backups. The benefit to this method is that only files that have changed since the last full or incremental backup will be stored. This can reduce backup times and disk or tape storage space requirements. When recovering information from this type of backup method, a systems administrator will be required to first restore the full backup and then to restore each of the incremental backups. Differential Differential backups are similar in purpose to incremental backups with one important exception: Differential backups copy all files that are marked for backup but do not mark the files as backed up. When restoring files in a situation that uses normal and differential backups, you only need to restore the normal backup and the latest differential backup. Figure 13.7 provides an example of the differences between the normal, incremental, and differential backup types.
686
Chapter 13
Managing and Maintaining the Active Directory
Daily Daily backups back up all files that have changed during the current day. This operation uses the file time/date stamps to determine which files should be backed up and does not mark the files as having been backed up. Note that systems administrators might choose to combine normal, daily, incremental, and differential backup types as part of the same backup plan. In general, however, it is sufficient to use only one or two of these methods (for example, normal backups with incremental backups). If you require a combination of multiple backup types, be sure that you fully understand which types of files are being backed up. FIGURE 13.6
Viewing the Archive attributes for a file
FIGURE 13.7
Differences between the normal, incremental, and differential backup types
Data
Mon
Tue
Normal
Mon
Tue
Incremental
Wed
Thur
Fri
Wed Thur Fri
Differential
Wed Wed
Thur
Wed
Thur
Fri
Backup and Recovery of the Active Directory
687
Although the Windows Server 2003 Backup utility provides the basic functionality required to back up your files, you may want to investigate third-party products that provide additional functionality. These applications can provide options for specific types of backups (such as those for Exchange Server and SQL Server), as well as disaster recovery options, networking functionality, centralized management, and support for more advanced hardware.
Backing Up System State Data When planning to back up and restore the Active Directory, the most important component is known as the System State data. System State data includes the components that the Windows Server 2003 operating system relies on for normal operations. The Windows Server 2003 Backup utility offers the ability to back up the System State data to another type of media (such as a hard disk, network share, or tape device). Specifically, it will back up the following components for a Windows Server 2003 domain controller (see Figure 13.8): The Active Directory The Active Directory data store is at the heart of the Active Directory. It contains all of the information necessary to create and manage network resources, such as users and computers. In most environments that use the Active Directory, users and systems administrators rely on the proper functioning of these services in order to do their jobs. Boot Files Boot files are the files required for booting the Windows Server 2003 operating system and can be used in the case of boot file corruption. COM+ Class Registration Database The COM+ Class Registration database is a listing of all of the COM+ Class registrations stored on the computer. Applications that run on a Windows Server 2003 computer might require the registration of various share code components. As part of the System State backup process, Windows Server 2003 stores all of the information related to Component Object Model+ (COM+) components so that it can be quickly and easily restored. Registry The Windows Server 2003 Registry is a central repository of information related to the operating system configuration (such as desktop and network settings), user settings, and application settings. Therefore, the Registry is absolutely vital to the proper functioning of Windows Server 2003. SYSVOL The SYSVOL directory includes data and files that are shared between the domain controllers within an Active Directory domain. This information is relied upon by many operating system services for proper functioning.
Scheduling Backups In addition to the ability to specify which files to back up, you can schedule backup jobs to occur at specific times. Planning when to perform backups is just as important as deciding what to back up. Performing backup operations can reduce overall system performance; therefore, you should plan to back up information during times of minimal activity on your servers. Figure 13.9 shows the Schedule functionality on the Schedule Jobs tab of the Window Server 2003 Backup utility.
688
Chapter 13
Managing and Maintaining the Active Directory
FIGURE 13.8
Backing up the Windows Server 2003 System State data
FIGURE 13.9
Scheduling jobs using the Windows Server 2003 Backup utility
Backup and Recovery of the Active Directory
689
To add a backup operation to the schedule, you can simply click the Add Job button on the Schedule windows. This will start the Windows Server 2003 Backup Wizard (which we’ll cover later in this chapter).
Restoring System State Data In some cases, the Active Directory data store or other System State data may become corrupt or unavailable. This could be due to many different reasons. A hard disk failure might, for example, result in the loss of data. Or the accidental deletion of an OU and all of its objects might require a restore operation to be performed. The actual steps involved in restoring System State data are based on the details of what has caused the data loss and what effect this data loss has had on the system. In the best case, the System State data is corrupt or inaccurate, but the operating system can still boot. If this is the case, all that you must do is boot into a special Directory Services Restore Mode and then restore the System State data from a backup. This process will replace the current System State data with that from the backup. Therefore, any changes that have been made since the last backup will be completely lost and must be redone. In a worst-case scenario, all of the information on a server has been lost or a hardware failure is preventing the machine from properly booting. If this is the case, there are several steps that you must take in order to recover System State data. These steps include the following: 1.
Fix any hardware problem that might prevent the computer from booting (for example, replace any failed hard disks).
2.
Reinstall the Windows Server 2003 operating system. This should be performed like a regular installation on a new system.
3.
Reinstall any device drivers that may be required by your backup device. If you backed up information to the file system, this will not apply.
4.
Restore the System State data using the Windows Server 2003 Backup utility.
We’ll cover the technical details of performing restores later in this section. For now, however, you should understand the importance of backing up information and, whenever possible, testing the validity of backups.
Backing Up the Active Directory The Windows Server 2003 Backup utility makes it easy to back up the System State data (including the Active Directory) as part of a normal backup operation. We’ve already covered the ideas behind the different backup types and why and when they are used. Exercise 13.5 walks you through the process of backing up the Active Directory. In order to complete this exercise, the local machine must be a domain controller, and you must have sufficient free space to back up the System State (usually at least 500MB).
690
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.5
Backing Up the Active Directory 1.
Open the Backup utility by clicking Start All Programs Accessories System Tools Backup.
2.
If the Backup tool is configured to start the Backup Or Restore Wizard at startup (the default), then the wizard appears automatically. Otherwise, click the Backup Wizard button in the Backup utility. Click Next to start the backup process.
3.
If the Backup tool is configured to start automatically, choose Backup Files And Settings on the Backup Or Restore page and click Next to continue. If you clicked the Backup Wizard button in the Backup utility, then this page will not appear.
4.
On the What To Backup page, select Let Me Choose What To Backup. Note that there are also options to back up all files on the computer and to back up only specific information. Click Next to continue.
5.
On the Items To Back Up page, expand My Computer and place a check mark next to System State. Click Next.
Backup and Recovery of the Active Directory
691
EXERCISE 13.5 (continued)
6.
The Backup Type, Destination, And Name page will appear. You’ll need to select where you want to back up this information. If you have a tape drive installed on the local computer, you’ll have the option of backing up to tape. Otherwise, that option will be disabled. Select File for the backup media type, and then click Browse to find a suitable location for the backup file. The default file extension for a Windows Server 2003 Backup file is .bfk. You should ensure that the selected folder has sufficient space to store the System State data (which is usually more than 500MB). Click Next to continue.
7.
The Completing The Backup Or Restore Wizard page will now display a summary of the options you selected for backup. Verify that the files to be backed up and the location information are correct. Note that by clicking the Advanced button, you can select from among different backup types (such as copy, differential, and incremental) and can choose whether remote storage files will be backed up. Click Finish to begin the backup process.
692
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.5 (continued)
8.
The backup process will begin, and the approximate size of the backup will be calculated. On most systems, the backup operation will take at least several minutes. The exact amount of time required will be based on server load, server hardware configuration, and the size of the System State data. For example, backing up the System State on a busy domain controller for a large Active Directory domain will take much longer than a similar backup for a seldom-used domain controller in a small domain.
9.
When the backup operation has completed, you will see information about the overall backup process. You can click the Report button to see information about the backup process (including any errors that might have occurred). Optionally, you can save this report as a text file to examine the information later.
10. When finished, click Close.
Restoring the Active Directory The Active Directory has been designed with fault tolerance in mind. For example, it is highly recommended that each domain have at least two domain controllers. Each of these domain controllers contains a copy of the Active Directory data store. Should one of the domain controllers fail, the other one can take over the functionality. When the failed server is repaired, it can then be promoted to a domain controller in the existing environment. This process effectively restores the failed domain controller without incurring any downtime for end users because all of the Active Directory data is replicated to the repaired server in the next scheduled replication. In some cases, you might need to restore the Active Directory from backup media. For example, suppose a systems administrator accidentally deletes several hundred users from the domain and does not realize it until the change has been propagated to all of the other domain controllers. Manually re-creating the accounts is not an option since the objects’ security identifiers will be different (and all permissions must be reset). Clearly, a method for restoring from backup is the best solution. You can elect to make the Active Directory restore authoritative or nonauthoritative, as described in the following sections.
Overview of Authoritative Restore Restoring the Active Directory and other System State data is an important process should system files or the Active Directory data store become corrupt or otherwise unavailable. Fortunately, the Windows Server 2003 Backup utility allows you to easily restore the System State data from a backup, should the need arise. We mentioned earlier that in the case of the accidental deletion of information from the Active Directory, you may need to restore the Active Directory data store from a recent backup. But what happens if there is more than one domain controller in the environment? Even if you did perform a restore, the information on this domain controller would be seen as outdated and it would be overwritten by the data from another domain controller. And this data from the older domain controller is exactly the information you want to replace.
Backup and Recovery of the Active Directory
693
Fortunately, Windows Server 2003 and the Active Directory allow you to perform what is called an authoritative restore. The authoritative restore process specifies a domain controller as having the authoritative (or master) copy of the Active Directory data store. When other domain controllers communicate with this domain controller, their information will be overwritten with the Active Directory data stored on the local machine. Now that we have an idea of how an authoritative restore is supposed to work, let’s move on to looking at the details of performing the process.
Managing Backups for Large, Active Servers You are a systems administrator for a large organization. Your company has experienced dramatic growth in the last six months, and many new servers are being deployed. The existing servers in your environment have also been burdened with more users and data. For example, your most important servers are accessed from users around the world, and they’re in use almost 24 hours a day. In order to accommodate the additional needs of users, you have been adding storage to current servers (most of which have plenty of room for expandability). Although this addresses the immediate concern—the need for more storage space—it raises other challenges. One of these is the important issue of performing backups. Up until now, you have chosen to perform full backups of all of the data on your servers every night. However, the volume of data has grown greatly, and so, too, has the time required to perform the backups. It’s clear that you cannot afford to perform full backups every night due to performance and storage considerations. Nevertheless, your business depends heavily on its IT resources, and any loss of data is unacceptable. You’re tasked with coming up with a backup methodology. There’s one catch, though: Due to budget limitations, you can’t purchase larger, faster backup solutions (at least not in the short term). You’ve got to work with what you already have. At first, this might seem like a problem: How can you back up a much larger amount of data in the same (or even less) time? There are two main constraints: First, the “backup window” is limited by the increased usage of the servers. The backup window includes the times during which your production servers can sustain the decrease in performance caused by backup operations. Second, your backup hardware can only store a limited amount of data per piece of media, and you’re not always available to swap tapes in the middle of the night should the backup operation require more space. Although this may seem like a difficult problem, you should be able to reduce backup times and storage requirements by using multiple backup types. An efficient design would take advantage of full, differential, and incremental backup types. You can use full backups as the basis of your strategy. Then, you can selectively choose to perform differential and/or incremental backups (instead of full backups) nightly. By examining your business requirements, you decide to
694
Chapter 13
Managing and Maintaining the Active Directory
implement the following weekly schedule:
Full Backups (est. 8 hours): Sunday afternoons
Incremental backups: (est. 1/2–1 hour): Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday nights
By using these backup types, you can significantly reduce the amount of time backup operations will take. For example, during the week, you will only be backing up a relatively small subset of all of the data stored on your servers. Therefore, the backups will also use up less space on your backup media (read: fewer required media changes during the week!). The use of multiple types of backup operations does come at a price, however. One potential issue is that, should you need to restore files, you may need to load data from multiple backup sets. This can be both time-consuming and risky (in the case of the loss or failure of a tape). Also, when you restore data, you must understand how to recover from failures at various times during the week. Overall, though, this solution gives you a good method for continuing to protect your organization’s data. And it gives you an opportunity to use ingenuity to stay within budget! In the real world, coming up with backup plans that meet real-world constraints can be a challenge. Fortunately, you’re not alone in this type of problem, and there are many potential solutions. Before you think about investing in larger and faster storage solutions, consider using a combination of backup types to fit within your requirements (and budget). A little bit of planning can save costly upgrades and still provide the data protection your business requires.
Performing an Authoritative Restore When restoring Active Directory information on a Windows Server 2003 domain controller, the Active Directory services must not be running. This is because the restore of System State data requires full access to system files and the Active Directory data store. If you attempt to restore System State data while the domain controller is active, you will see the error message shown in Figure 13.10. FIGURE 13.10
Attempting to restore System State while a domain controller is active
Backup and Recovery of the Active Directory
695
When recovering System State data using Windows Server 2003 Backup, you have the option of restoring data to an alternate location. However, this operation will only copy some components from the System State backup, and it will not restore the Active Directory.
In general, restoring data and operating system files is a straightforward process. It is important to note that restoring a System State backup will replace the existing Registry, SYSVOL, and Active Directory files, so any changes you made since the last backup will be lost. Exercise 13.6 walks you through the process of performing an authoritative restore on the System State and Active Directory information. This process uses the ntdsutil utility to set the authoritative restore mode for a domain controller after the System State is restored but before the domain controller is rebooted. In order to complete this process, you must have first completed the steps in Exercise 13.5.
Any changes made to the Active Directory since the backup performed in Exercise 13.5 will be lost after the completion of Exercise 13.6.
EXERCISE 13.6
Restoring the System State and the Active Directory 1.
Reboot the local machine. At the Operating System selection screen, select Windows Server 2003 and press the F8 key to enter the Windows Server 2003 boot options.
2.
From the boot menu, choose Directory Services Restore Mode “Windows Server 2003 Domain Controllers Only” and press Enter. Verify that Windows Server 2003 is still selected and press Enter. The operating system will begin to boot in safe mode.
3.
Log on to the computer as a member of the local Administrators group. Note that you cannot log on using any Active Directory accounts since network services and the Active Directory have not been started.
4.
You will see a message warning you that the machine is running in safe mode and that certain services will not be available. For example, a minimal set of drivers has been loaded, and you will not have access to the network. Click OK to continue.
5.
When the operating system has finished booting, open the Backup utility by clicking Start All Programs Accessories System Tools Backup.
6.
The Backup Or Restore Wizard should begin automatically if the Backup utility is still configured to do so. Click Next to begin the wizard.
696
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.6 (continued)
7.
On the Backup Or Restore page, select Restore Files And Settings and click Next to continue.
8.
On the What To Restore page, expand the File item by clicking the plus (+) sign. Expand the Media item, and then click the checkbox next to the System State icon. Click Next to continue.
Backup and Recovery of the Active Directory
697
EXERCISE 13.6 (continued)
9.
The Completing The Backup Or Restore Wizard page will display a summary of the recovery options that you selected. Click the Advanced button.
10. On the Where To Restore page, you can specify the location for the restored files. The options include the original location, an alternate location, or a single folder. For this exercise, verify that the Original Location option is selected, and then click Next.
698
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.6 (continued)
11. On the How To Restore page you will be prompted to specify how you want files to be restored. Select the Replace Existing Files option, and click Next.
12. On the Advanced Restore Options page, use the default settings. Click Next.
Backup and Recovery of the Active Directory
699
EXERCISE 13.6 (continued)
13. Click Finish on the Completing The Backup Or Restore Wizard page to begin the restore operation. The Windows Server 2003 Backup utility will begin to restore the System State files to the local computer.
14. Once the System State data has been restored, you will see statistics related to the recovery operation on the Restore Progress dialog box. To view detailed information, click the Report button. When you are finished, click Close.
700
Chapter 13
Managing and Maintaining the Active Directory
EXERCISE 13.6 (continued)
15. You will be prompted about whether or not you want to restart the computer. Select No. 16. Now, you will need to place the domain controller in authoritative restore mode. To do this, click Start Run and type cmd. At the command prompt, type ntdsutil and press Enter. Note that you can type the question mark symbol (?), and press Enter to view help information for the various commands available with the ntdsutil application.
17. At the ntdsutil prompt, type authoritative restore and press Enter. 18. At the authoritative restore prompt, type restore database and press Enter. You will be asked whether or not you want to perform an authoritative restore. Click Yes.
19. The ntdsutil utility will begin the authoritative restore process. After the process has completed you will see a screen similar to the following graphic.
Summary
701
EXERCISE 13.6 (continued)
20. Type quit twice to exit ntdsutil. Then, close the command prompt by typing exit. 21. Finally, click Start Shut Down, and restart the computer. Following a reboot of the operating system, the Active Directory and System State data will be current to the point of the last backup.
In addition to restoring the entire Active Directory database, you can also restore just specific subtrees within the Active Directory using the restore subtree command in the ntdsutil utility. This allows you to restore specific information and is useful in the case of an accidental deletion of isolated material. Following the authoritative restore process, the Active Directory should be updated to the time of the last backup. Furthermore, all other domain controllers for this domain will have their Active Directory information overwritten by the results of the restore operation. The end result is an Active Directory environment that has been recovered from media.
Overview of Nonauthoritative Restore Now that you understand why you would use an authoritative restore and how it is performed, it’s an easy conceptual jump to understand what a nonauthoritative restore is. Remember that making a restore authoritative simply tells other domain controllers in the domain to recognize the restored machine as the newest copy of the Active Directory for replication purposes. If you only have one domain controller, the authoritative restore process becomes moot; you can simply skip the steps required to make the restore authoritative and begin using the domain controller immediately after the normal restore is complete, as shown in steps 1 through 15 of Exercise 13.6. If you have more than one domain controller in the domain and you need to perform a nonauthoritative restore, you can simply allow the domain controller to receive Active Directory database information from other domain controllers in the domain using normal replication methods.
Summary In this chapter, we covered the important topic of security as it pertains to the Active Directory. Specifically, we discussed the following:
The differences between security and distribution groups.
Group scope, including local, global, and universal groups.
How permissions can be managed.
How Group Policy can be used for security purposes and how the Security Configuration And Analysis utility can ensure consistency.
How to back up and restore System State data using the Windows Server 2003 Backup utility. Through the use of wizards and prompts, this Backup tool can simplify an otherwise tedious process.
702
Chapter 13
Managing and Maintaining the Active Directory
How to restore System State data and the Active Directory database. Using the authoritative restore functionality, you can revert all or part of an Active Directory environment back to an earlier state.
Exam Essentials Understand the purpose of security principals. Security principals are Active Directory objects that can be assigned permissions. Understanding how they work is vital to creating a secure Active Directory environment. Security principals include users, groups, and computers. Understand group types and group scope. The two major types of groups are security and distribution groups, and they have different purposes. Groups can be local, global, or universal. Domain local groups are used to assign permissions to local resources, such as files and printers. The scope of global groups is limited to a single domain. Universal groups can contain users from any domains within an Active Directory forest. Understand how to use Group Policy to manage password and other security-related policies. Through the use of Group Policy settings, you can configure password and account-related options. You can also specify to which users, groups, and OUs many of the settings apply. Understand how to configure smart card authentication. Smart card authentication requires a CA for issuing smart card certificates. To enroll a smart card certificate, you must first prepare a smart card enrollment station, then write certificate information to the smart cards using a smart card reader. Finally, to make smart cards useful, you should enable the Interactive Logon: Require Smart Card policy in the Group Policy Object Editor. Understand the various backup types available with the Windows Server 2003 Backup utility. The Windows Server 2003 Backup utility can perform full, differential, incremental, and daily backup operations. Each of these operations can be used as part of an efficient backup strategy. Know how to back up the Active Directory. The data within the Active Directory database on a domain controller is part of the System State data. You can back up the System State to a file using the Windows Server 2003 Backup utility. Know how to restore the Active Directory. Restoring the Active Directory database is considerably different from other restore operations. In order to restore some or all of the Active Directory database, you must first boot the machine into Directory Services Restore Mode. Understand the importance of an authoritative restore process. An authoritative restore is used when you want to restore earlier information from an Active Directory backup and you want the older information to be propagated to other domain controllers in the environment.
Key Terms
Key Terms Before you take the exam, be certain you are familiar with the following terms: authoritative restore
incremental backups
copy backups
normal backups
daily backups
permissions
differential backups
security groups
Directory Services Restore Mode
security principals
distribution groups
smart cards
domain local groups
System State data
global groups
universal groups
703
704
Chapter 13
Managing and Maintaining the Active Directory
Review Questions 1.
You are the systems administrator for a medium-sized Active Directory domain. Currently, the environment supports many different domain controllers, some of which are running Windows NT 4 and others that are running Windows 2000 and Server 2003. When running in this type of environment, which of the following types of groups cannot be used? A. Universal security groups B. Global groups C. Domain local groups D. Computer groups
2.
You are almost finished helping with the migration of a Windows NT network to a Windows Server 2003 network. The current domain functional level is Windows 2000 mixed mode. There are three locations, and the engineers are creating a single domain for now. There are many rumors that there will be a merger with one of your competitors, and the designers are considering adding a new domain to bring those users into the network. One of your jobs is to help come up with the administrative plans for the designers to manage the users. To outline your task, you are going to build a best-practices approach to giving permissions to resources on your mixed network. Which of the following approaches best suits your situation? A. Apply permissions to the domain local groups and add the accounts to this group. B. Apply permissions to the domain local groups, add users to global groups, and add the
global groups to the domain local groups. C. Apply permissions to global groups, add users to universal groups, and place these uni-
versal groups into global groups. D. Apply permissions to domain local groups, add the users to global groups, add the global
groups into universal groups, and add the universal groups into the domain local groups. 3.
The Association of Pipe Builders has offices throughout the United States. It has a Windows Server 2003 network that is running in Windows 2000 mixed domain functional level. The association has confidential information from several companies that needs to be kept that way. You created a shared folder named Confidential and published it in the directory to contain this confidential information. The manager of the department that manages this information has requested that you disable John’s access to the share. When checking the properties of the share, you notice that a domain local group called Secret and another domain local group called Temporary have permissions to the Confidential share. You notice that John is the only member of the Temporary group, so instead of modifying John’s account directly with a deny to the share, you simply delete the group. You immediately get a call from the manager that he has changed his mind and that John needs access to the resources. You re-create the Temporary group and add John back into the group. The next day you get a call from John telling you that he cannot access the resources. What is the best way for you to provide access for John to the resource? A. Add John to the Secret group. B. Grant John direct access to the share. C. Grant access to the Confidential folder for the Temporary group. D. Add the Temporary group into the Secret group.
Review Questions
4.
705
Oscar, a systems administrator, has created a top-level OU called Engineering. Within the Engineering OU, he has created two OUs: Research and Development. Oscar wants to place security permissions on only the Engineering OU, so he blocked the inheritance of properties for the OUs. However, when he does so, he finds that the permissions settings for the child OUs are now unacceptable. Which of the following actions should he take to change the permissions for the child OUs? A. Open the ACL for each child OU and set permissions for each ACE. B. Rename the parent OU. C. Delete and re-create the child OUs. D. Delete and re-create the parent OU.
5.
An Active Directory environment is running in Windows 2000 mixed domain functional level. Which of the following types of groups are available for managing users? (Choose all that apply.) A. Distribution groups B. Local groups C. Universal security group D. Global groups
6.
Susan is a systems administrator who is responsible for performing backups on several servers. Recently, she has been asked to take over operations of several new servers. Unfortunately, no information about the standard upkeep and maintenance of those servers is available. Susan wants to begin by making configuration changes to these servers, but she wants to first ensure that she has a full backup of all data on each of these servers. Susan decides to use the Windows Server 2003 Backup utility to perform the backups. She wants to choose a backup type that will back up all files on each of these servers, regardless of when they were last changed or if they have been previously backed up. Which of the following types of backup operations stores all of the selected files, without regard to the Archive bit setting? (Choose all that apply.) A. Normal B. Daily C. Copy D. Differential E. Incremental
7.
A systems administrator boots the operating system using the Directory Services Repair Mode. He attempts to log in using a Domain Administrator account, but is unable to do so. What is the most likely reason for this? A. The account has been disabled by another domain administrator. B. The permissions on the domain controller do not allow users to log on locally. C. The Active Directory service is unavailable, and they must use the local Administrator
password. D. Another domain controller for the domain is not available to authenticate the login.
706
Chapter 13
Managing and Maintaining the Active Directory
Which of the following types of backup operations should be used to back up all of the files that have changed since the last full backup or incremental backup and marks these files as having been backed up?
8.
A. Differential B. Copy C. Incremental D. Normal Following an authoritative restore of the entire Active Directory database, what will happen to the copy of the Active Directory on other domain controllers for the same domain?
9.
A. The copies of the Active Directory on other domain controllers will be overwritten. B. The information on all domain controllers will be merged. C. The other domain controllers will be automatically demoted. D. The copies of the Active Directory on the restored domain controller will be overwritten. 10. Which of the following ntdsutil commands is used to perform an authoritative restore of the entire Active Directory database? A. restore active directory B. restore database C. restore subtree D. restore all 11. You are responsible for managing several Windows Server 2003 domain controller computers in your environment. Recently, a single hard disk on one of these machines failed, and the Active Directory database was lost. You want to perform the following:
Determine which partitions on the server are still accessible.
Restore as much of the system configuration (including the Active Directory database) as is possible. Which of the following could be used to help meet these requirements? A. Event Viewer B. System Monitor C. A hard disk from another server that is not configured as a domain controller D. A valid System State backup from the server
12. Which of the following is not backed up as part of the Windows Server 2003 System State on a domain controller? A. Registry B. COM+ Registration information C. Boot files D. Active Directory database information E. User profiles
Review Questions
707
13. Ron is a systems administrator who is responsible for performing backups on several servers. Recently, he has been asked to take over operations of several new servers, including backup operations. He has the following requirements:
The backup must complete as quickly as possible.
The backup must use the absolute minimum amount of storage space.
He must perform backup operations at least daily with a full backup at least weekly. Ron decides to use the Windows Server 2003 Backup utility to perform the backups. He wants to choose a set of backup types that will meet all of these requirements. He decides to back up all files on each of these servers every week. Then, he decides to store only the files that have changed since the last backup operation (regardless of type) during the weekdays. Which of the following types of backup operations should he use to implement this solution? (Choose two.) A. Normal B. Daily C. Copy D. Differential E. Incremental
14. You are using the Backup Wizard to back up the Active Directory. You want to ensure that the entire Active Directory is backed up while maintaining a minimum backup file size. In the following screen, where would you click in order to accomplish this task?
A. Back Up Selected Files, Drives, Or Network Data B. Only Back Up The System State Data C. Back Up Everything On My Computer D. The Next button
708
Chapter 13
Managing and Maintaining the Active Directory
15. You are the network administrator for a large network. You are in charge of designing a backup plan for your Windows Server 2003 domain controllers. Which of the following backup operations will create a backup and mark the files as having been backed up? A. Normal B. Daily C. Copy D. Differential
Answers to Review Questions
709
Answers to Review Questions 1.
A. Because you are supporting Windows NT 4, Windows 2000, and Server 2003 domain controllers, you must run the environment in Windows 2000 mixed domain functional level. Universal security groups are not available when running in Windows 2000 mixed domain functional level.
2.
B. Since this is still a Windows 2000 mixed-domain functional-level network, universal groups are not available, so the best practice is to add users to global groups and apply permissions to the domain local groups where the resources reside. Even in a native-mode network, you do not want to place users into a universal group because the contents of universal groups are included in the Global Catalog and therefore will unnecessarily add to its size. When the migration is complete, the universal groups can be used to include global groups from multiple domains and then be placed in domain local groups that have permissions applied to them.
3.
C. Once you delete a security principal such as a local domain group, it is lost forever, and any new one, even with the same name, needs to have the permissions reapplied to become effective. You could add John to the Secret group, but you don’t know what other resources he would get access to by becoming a member of this group. Giving John direct access to the share would work, but it is not the best practice. You should always use groups to apply resources in order to maintain manageability of the network. Since the network is in Windows 2000 mixed domain functional level, you cannot nest groups other than adding a global group into a domain local group.
4.
A. When you blocked inheritance, the child OUs did not retain the permissions of the parent OU. Therefore, you must use the ACL for each child and set specific permissions for each ACE in the list.
5.
A, B, D. There are several limitations on group functionality when running in Windows 2000 mixed domain functional level. Specifically, the following limitations exist: universal security groups are not available, changing the scope of groups is not allowed, and limitations to group nesting exist (specifically, the only nesting allowed is global groups contained in domain local groups).
6.
A, B, C. Normal and copy backup operations do not use the Archive bit to determine which files to back up, and they will include all files that are selected for backup on the server. The other backup types will store only a subset of files based on their dates or whether or not they have been previously backed up. For this reason, Susan should choose one of these operations to ensure that she performs a valid backup of all files on the servers before she makes any configuration changes.
7.
C. When booting in Directory Services Repair Mode, the Active Directory is not started, and network services are disabled. Therefore, the systems administrator must use a local account in order to log in.
8.
C. Incremental backup operations copy files and mark them as having been backed up. Therefore, they are used when a systems administrator wants to back up only the files that have changed since the last full or incremental backup. Differential backups, although they will back up the same files, will not mark the files as having been backed up.
710
9.
Chapter 13
Managing and Maintaining the Active Directory
A. In an authoritative restore of the entire Active Directory database, the restored copy will override information stored on other domain controllers.
10. B. The restore database command instructs the ntdsutil application to perform an authoritative restore of the entire Active Directory database. 11. D. You can recover System State data from a backup, which always includes the Active Directory Database. In this case, the Event Viewer and System Monitor wouldn’t help you recover the database, but they might help you determine why the hard drive crashed in the first place. 12. E. The System State backup includes information that can be used to rebuild a server’s basic configuration. All of the information listed, except for user profile data, is backed up as part of a System State backup operation. 13. A, E. In order to meet the requirements, Ron should use the normal backup type to create a full backup every week and the incremental backup type to back up only the data that has been modified since the last full or incremental backup operation. 14. B. Backing up the System State data will back up the entire Active Directory. Backing up everything on the computer will require a very large backup file. 15. A. Only Normal and Incremental backups mark files as having been backed up.
Chapter
14
Planning, Implementing, and Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan Group Policy strategy.
Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode.
Plan a strategy for configuring the user environment by using Group Policy.
Plan a strategy for configuring the computer environment by using Group Policy.
Configure the user environment by using Group Policy.
Distribute software by using Group Policy.
Automatically enroll user certificates by using Group Policy.
Redirect folders by using Group Policy.
Configure user security settings by using Group Policy.
Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the gpresult command. Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command.
One of the biggest challenges faced by systems administrators is the management of users, groups, and client computers. It’s difficult enough to deploy and manage workstations throughout the environment. When you add in the fact that users are generally able to make system configuration changes, it can quickly become a management nightmare! For example, imagine that a user notices that they do not have enough disk space to copy a large file. Instead of seeking help from the IT help desk, they decide to do a little cleanup of their own. Unfortunately, this cleanup operation involves deleting many critical system files! Or, consider the case of users changing system settings “just to see what they do.” Relatively minor changes, such as modifying TCP/IP bindings or Desktop settings, can cause hours of support headaches. Now, multiply these problems by hundreds (or even thousands) of end users. Clearly, systems administrators need a way to limit the options available to users of client operating systems. So how do you prevent small problems like these from occurring in a Windows Server 2003 environment? Fortunately, there’s a solution that’s readily available and easy to implement. One of the most important system administration features in Windows Server 2003 and the Active Directory is the use of Group Policy. By using Group Policy objects (GPOs), administrators can quickly and easily define restrictions on common actions and then apply them at the site, domain, or organizational unit (OU) level. Although the proper configuration of the Active Directory and client and server operating systems is very important, the real power of the computer for end users is in the applications they use. From simple word processors to spreadsheets and client-server applications, applications are what all types of users within a typical business need to help them complete their jobs. From an end user’s viewpoint, it’s very easy to take software for granted. For example, many have come to expect computers to run messaging applications, productivity applications, and (for people like us) games. However, from the view of systems administrators and help desk staff, deploying and maintaining software can be a troublesome and time-consuming job. Regardless of how much time is spent installing, updating, reinstalling, and removing applications based on users’ needs, there seems to be no end to the process. The real reason for deploying and managing networks in the first place is to make the applications that they support available. End users are often much more interested in being able to do their jobs using the tools they require than in worrying about network infrastructure and directory services. In the past, software deployment and management have been troublesome and time-consuming tasks. Fortunately, Windows Server 2003 and the Active Directory provide many improvements to the process of deploying and managing software. Through the use of Group Policy objects and the Microsoft Installer (MSI), software deployment options can be easily configured. The applications themselves can be made available to any users who are part of the Active Directory environment. Furthermore, systems administrators can automatically assign applications to users and computers and allow programs to be installed automatically when they are needed.
Implementing Group Policy
713
In this chapter, you will see how group policies work and then look at how they can be implemented within an Active Directory environment. We’ll also look at how Windows Server 2003 and the Active Directory can be used to deploy and manage software throughout the network, and you’ll see how to troubleshoot problems should they arise.
We covered the basics of Group Policy in Chapter 6, “Administering Security Policy,” but we applied them at the local computer level. In this chapter we'll examine Group Policy in the context of the Active Directory.
Planning a Group Policy Strategy Through the use of Group Policy settings, systems administrators can control many different aspects of their network environment. As you’ll see throughout this chapter, there are ways in which user settings and computer configurations can be configured using GPOs. Windows Server 2003 includes many different administrative tools for performing these tasks. However, it’s important to keep in mind that, as with many aspects of using the Active Directory, a successful Group Policy strategy involves planning. Since there are hundreds of possible GPO settings and many different ways in which they can be implemented, you should start by determining the business and technical needs of your organization. You might start by grouping your users based on their work functions. You might find, for example, that users in remote branch offices require particular network configuration options. In that case, Group Policy settings might be best implemented at the site level. Or, you might find that certain departments have varying requirements for disk quota settings. In this case, it would probably make the most sense to apply GPOs to the appropriate department OUs within the domain. The overall goal should be to reduce complexity (for example, by reducing the overall number of GPOs and GPO links), while still meeting the needs of your users. By taking into account the various needs of your users and the parts of your organization, you can often determine a logical and efficient method of creating and applying GPOs. Although there’s rarely a right or wrong method of implementing Group Policy settings, there are usually better and worse methods. By implementing a logical and consistent set of policies, you’ll also be well prepared to troubleshoot any problems that might come up, or to adapt to your organization’s changing requirements. Later in this chapter you’ll see some specific methods for determining effective Group Policy settings before you apply them.
Implementing Group Policy Now, let’s look at how you can implement Group Policies in an Active Directory environment. In this section, you’ll start by creating GPOs. Then, you’ll apply these GPOs to specific Active Directory objects and take a look at how to use administrative templates.
714
Chapter 14
Planning, Implementing, and Managing Group Policy
Creating GPOs Although there is only one Group Policy editing application included with Windows Server 2003, you can access it in several ways. This is because systems administrators may choose to apply the Group Policy settings at different levels within the Active Directory. In order to create or link GPOs at different levels, you can use the following tools: Local Security Policy This administrative tool allows you to quickly access the Group Policy settings that are available for the local computer. These options will apply to the local machine and to users that access it. You must be a member of the local administrators group to access and make changes to these settings. Domain Security Policy Often, you will want to set Group Policy options that apply to the entire domain. This tool, which is available on Windows Server 2003 computers that are functioning as domain controllers, allows you to quickly make those changes. Domain Controller Security Policy In many environments, you will want to provide additional or customized security settings for your domain controllers. Using this administrative tool, you can easily customize Group Policy settings for the domain controller. Active Directory Sites And Services Used for linking GPOs at the site level. This method is commonly used by systems administrators who want to apply certain Group Policy settings based on the physical implementation of their Active Directory environment. For example, you might want to have users in remote branch offices have one collection of settings, while users in the Corporate office may require other settings.
Active Directory Users And Computers Used for linking GPOs at the domain or OU level. This is the main method by which you will create and link GPOs for the objects (including users, groups, and computers) within an Active Directory domain. As you’ll see later in this chapter, by combining security settings, you can achieve very granular control regarding to which objects GPO settings apply. MMC Group Policy snap-in By directly configuring the Microsoft Management Console (MMC) Group Policy snap-in, you can access and edit GPOs at any level of the hierarchy. This is also a useful option since it allows you to modify the local Group Policy settings and create a custom console that is saved to the Administrative Tools program group. In Chapter 6, you saw how to create a GPO for the local computer. Now, we'll examine the steps necessary to create a GPO at the domain level. Exercise 14.1 walks you through the process of creating a custom MMC snap-in for editing Group Policy settings.
You should be careful when making Group Policy settings because certain options might prevent the proper use of systems on your network. Always test Group Policy settings on a small group of users before you deploy GPOs throughout your organization. You’ll probably find that some settings need to be changed in order for them to be effective.
Implementing Group Policy
715
EXERCISE 14.1
Creating a Group Policy Object Using MMC 1.
Click Start Run, type mmc, and press Enter.
2.
On the File menu, click Add/Remove Snap-In.
3.
Click the Add button. In The Add Standalone Snap-In dialog box, select Group Policy Object Editor from the list, and click Add.
4.
In the Select Group Policy Object Wizard, click Browse (note that you can set the scope to Domains/OUs, Sites, or Computers).
716
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.1 (continued)
5.
On the Domains/OUs tab, click the Create New Group Policy Object button (located to the right of the Look In drop-down list).
6.
To name the new object, type Test Domain Policy. Click OK to select the Policy object.
7.
Place a check mark next to the Allow The Focus Of The Group Policy Snap-In To Be Changed When Launching From The Command Line option. This will allow the context of the snap-in to be changed when you launch the MMC item.
8.
Click Finish to create the Group Policy object. Click Close in the Add Standalone Snap-In dialog box. Finally, click OK in the Add/Remove snap-in dialog box to add the new snap-in.
9.
Next, we’ll make some changes to the default settings for this new GPO. Open the following items: Test Domain Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
10. Double-click the Interactive Logon: Do Not Display Last User Name option.
Implementing Group Policy
717
EXERCISE 14.1 (continued)
11. On the Interactive Logon: Do Not Display Last User Name dialog box, place a check mark next to the Define This Policy Setting In The Template option, and then select Enabled. Click OK to save the setting.
12. In the Group Policy Object Editor, double-click the Interactive Logon: Message Text For Users Attempting to Log On option.
13. Place a check mark next to the Define This Policy Setting In The Template option, and then type the following: By logging onto this domain, you specify that you agree to the usage policies as defined by the IT department. Click OK to save the setting.
14. In the Group Policy Object Editor, double-click the Interactive Logon: Message Title For Users Attempting To Log On option.
718
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.1 (continued)
15. Place a check mark next to the Define This Policy Setting In The Template option, and then type Test Policy Logon Message. Click OK to save the setting.
16. To make changes to the user settings, expand the following objects in the Group Policy Object Editor: Test Domain Policy, User Configuration, Administrative Templates, Start Menu & Task Bar.
17. Double-click the Add Logoff To The Start Menu option. Note that you can get a description of the purpose of this setting by clicking the Explain tab. You can also see this description in the right pane of the MMC when the policy is selected. Select Enabled, and then click OK.
18. On the Group Policy Object Editor, expand the following objects: Test Domain Policy, User Configuration, Administrative Templates, System.
19. Double-click the Don’t Run Specified Windows Applications option. 20. In the Don’t Run Specified Windows Applications Properties dialog box, select Enabled, and then click the Show button. To add to the list of disallowed applications, click the Add button. When prompted to enter the item, type wordpad.exe. To save the setting, click OK three times.
21. To change network configuration settings, click Test Domain Policy, User Configuration, Administrative Templates, Network, Offline Files. Note that you can change the default file locations for several different network folders.
22. To change script settings (covered later in this chapter), click Test Domain Policy Computer Configuration Windows Settings Scripts (Startup/Shutdown). Note that you can add script settings by double-clicking either the Startup and/or the Shutdown item.
23. The changes you have made for this GPO are automatically saved. You can optionally save this customized MMC console by selecting Save As from the Console menu. Then provide a name for the new MMC snap-in (such as Group Policy Test). You will now see this item in the Administrative Tools program group.
24. When you are finished modifying the Group Policy settings, close the MMC tool.
Note that Group Policy changes do not take effect until the next user logs in. That is, users who are currently working on the system will not see the effects of the changes until they log off and log in again.
Implementing Group Policy
719
Linking GPOs to the Active Directory Creating a GPO is the first step in assigning group policies. The second step is to link the GPO to a specific Active Directory object. GPOs can be linked to sites, domains, and OUs. Exercise 14.2 walks through the steps you must take to assign a GPO to an OU within the local domain. In this exercise, you will link the Test Domain Policy GPO to an OU. In order to complete the steps in this exercise, you must have first completed Exercise 14.1. EXERCISE 14.2
Linking GPOs to the Active Directory 1.
Open the Active Directory Users And Computers tool.
2.
Create a new top-level OU called Group Policy Test.
3.
Right-click the Group Policy Test OU, and click Properties.
4.
On the Group Policy Test Properties dialog box, select the Group Policy tab. To add a new policy at the OU level, click New.
5.
Enter a descriptive name for the GPO such as Group Policy Test GPO. Note that you can also add additional GPOs to this OU. When multiple GPOs are assigned, you can also control the order in which they apply by using the Up and Down buttons. Finally, you can edit the GPO by clicking the Edit button, and you can remove the link (or, optionally, delete the GPO entirely) by clicking the Delete button.
6.
To save the GPO link, click OK in the OU Properties dialog box.
7.
When finished, close the Active Directory Users And Computers tool.
720
Chapter 14
Planning, Implementing, and Managing Group Policy
Note that the Active Directory Users And Computers tool offers a lot of flexibility in assigning GPOs. You could create new GPOs, add multiple GPOs, edit them directly, change priority settings, remove links, and delete GPOs all from within this interface. In general, creating new GPOs using the Active Directory Sites And Services or the Active Directory Users And Computers tool is the quickest and easiest way to create the settings you need. To test the Group Policy settings, you can simply create a User or Computer account within the Group Policy Test OU that you created in Exercise 14.1. Then, using another computer that is a member of the same domain, log on as the newly created user. First, you should see the prelogon message that you set in Exercise 14.1. After logging on, you’ll also notice that the other changes have taken effect. For example, you will not be able to run the WordPad.exe program.
When testing Group Policy settings, it is very convenient to use the Terminal Services functionality of Windows Server 2003. This feature allows you to have multiple simultaneous logon sessions to the same computer. With respect to Group Policy, it is useful when you want to modify Group Policy settings and then quickly log on under another user account to test them.
Using Administrative Templates There are many different options that Group Policy settings can modify. Microsoft has included some of the most common and useful items by default, and they’re made available when you create new GPOs or when you edit existing ones. You can, however, create your own templates and include them in the list of settings. By default, several templates are included with Windows Server 2003. These are as follows: Common.adm This template contains the policy options that are common to both Windows 95/98/Me and Windows NT 4 computers. Conf.adm This template contains the policy options for configuring NetMeeting options on Windows 2000, XP Professional, and Server 2003 client computers. This template cannot be used with 64-bit versions of Windows. Inetcorp.adm This template contains Dial-Up, Language, and Temporary Internet Files settings. Inetres.adm This template contains the policy options for configuring Internet Explorer options on Windows 2000 and XP client computers. Inetset.adm This template contains additional Internet settings such as Autocomplete and display settings. System.adm This template contains common configuration options and settings for Windows 2000 and XP client computers. Windows.adm
This template contains policy options for Windows 95/98/Me computers.
Winnt.adm This template contains policy options that are specific to the use of Windows NT 4.
Implementing Group Policy
721
Wmplayer.adm This template contains the policy options for configuring Windows Media Player options on Windows 2000, XP, and Server 2003 client computers. This template cannot be used with 64-bit versions of Windows. Wuau.adm This template contains the policy options for configuring Windows Update and Automatic Update. These Administrative Template files are stored within the inf subdirectory of the system root directory. It is important to note that the use of the Windows.adm, Winnt.adm, and Common.adm files is not supported in Windows Server 2003. These files are primarily provided for backward compatibility with previous versions of Windows. The *.adm files are simple text files that follow a specific format that is recognized by the Group Policy Object Editor. Following is an excerpt from the system.adm file: CATEGORY !!WindowsComponents CATEGORY !!WindowsExplorer KEYNAME "Software\Microsoft\Windows\CurrentVersion \Policies\Explorer" POLICY !!ClassicShell EXPLAIN !!ClassicShell_Help VALUENAME "ClassicShell" END POLICY POLICY !!NoFolderOptions EXPLAIN !!NoFolderOptions_Help VALUENAME "NoFolderOptions" END POLICY POLICY !!NoFileMenu EXPLAIN !!NoFileMenu_Help VALUENAME "NoFileMenu" END POLICY POLICY !!NoNetConnectDisconnect EXPLAIN !!NoNetConnectDisconnect_Help VALUENAME "NoNetConnectDisconnect" END POLICY POLICY !!NoShellSearchButton EXPLAIN !!NoShellSearchButton_Help VALUENAME "NoShellSearchButton" END POLICY
722
Chapter 14
Planning, Implementing, and Managing Group Policy
POLICY !!NoViewContextMenu EXPLAIN !!NoViewContextMenu_Help VALUENAME "NoViewContextMenu" END POLICY
Notice that the various options that are available for modification are specified within the Administrative Template file. If necessary, systems administrators can create custom Administrative Template files that include more options for configuration. To add new administrative templates when modifying GPOs, simply right-click the Administrative Templates object in the Group Policy Object Editor and select Add/Remove Templates, which brings up the Add/Remove Templates dialog box (see Figure 14.1). FIGURE 14.1
Adding administrative templates when creating GPOs
Managing Group Policy Once you have implemented GPOs and applied them to sites, domains, and OUs within the Active Directory, it’s time to look at some ways to manage them. In the following sections, you’ll look at how multiple GPOs can interact with one another and ways you can provide security for GPO management. These are very important features of working with the Active Directory, and if you properly plan Group Policy, you can greatly reduce the time the help desk spends troubleshooting common problems.
Managing GPOs One of the benefits of GPOs is that they’re modular and can apply to many different objects and levels within the Active Directory. This can also be one of the drawbacks of GPOs, if they’re not managed properly. A common administrative function related to using GPOs is finding all of the Active Directory links for each of these objects. You can do this when you are viewing the Links tab of the GPO Properties dialog box. As shown in Figure 14.2, clicking the Find Now button shows which objects are using a particular GPO.
Managing Group Policy
FIGURE 14.2
723
Viewing GPO links to the Active Directory
In addition to the common function of delegating permissions on OUs, you can also set permissions regarding the modification of GPOs. The best way to accomplish this is to add users to the Group Policy Creator/Owners built-in security group. The members of this group are able to modify security policy.
Filtering Group Policy Another method of securing access to GPOs is to set permissions on the GPOs themselves. You can do this by opening an object’s Properties dialog box, switching to the Group Policy tab, selecting a GPO, and clicking the Properties button to open the GPO Properties dialog box. From the Security tab of the GPO Properties dialog box you can view the specific permissions that are set on the GPO itself (see Figure 14.3). The permissions options include the following:
Full Control
Read
Write
Create All Child Objects
Delete All Child Objects
Apply Group Policy
Of these, the Apply Group Policy setting is particularly important because you use it to filter the scope of the GPO. Filtering is the process by which selected security groups are included or excluded from the effects of the GPOs. To specify that the settings should apply to a GPO, you
724
Chapter 14
Planning, Implementing, and Managing Group Policy
should select Allow for both the Apply Group Policy and Read settings. These settings will be applied only if the security group is also contained within a site, domain, or OU to which the GPO is linked. In order to disable GPO access for a group, choose Deny for both of these settings. Finally, if you do not want to specify either Allow or Deny effects, leave both boxes blank. This is effectively the same as having no setting. FIGURE 14.3
GPO security settings
In Exercise 14.3, you will filter Group Policy using security groups. In order to complete the steps in this exercise, you must have first completed Exercises 14.1 and 14.2. EXERCISE 14.3
Filtering Group Policy Using Security Groups 1.
Open the Active Directory Users And Computers administrative tool.
2.
Create two new Global Security groups within the Group Policy Test OU, and name them PolicyEnabled and PolicyDisabled.
3.
Right-click the Group Policy Test OU, and select Properties. Select the Group Policy tab.
4.
Highlight Test Domain Policy, and click the Properties button.
5.
On the Security tab of the GPO Properties dialog box, click Add, and enter the PolicyEnabled and the PolicyDisabled groups. Click OK.
Managing Group Policy
725
EXERCISE 14.3 (continued)
6.
Highlight the PolicyDisabled group, and select Deny for the Read and Apply Group Policy permissions. This prevents users in the PolicyDisabled group from being affected by this policy.
7.
Highlight the PolicyEnabled group, and select Allow for the Read and Apply Group Policy permissions. This ensures that users in the PolicyEnabled group will be affected by this policy.
726
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.3 (continued)
8.
Click OK to save the Group Policy settings. You will be warned that Deny takes precedence over any other security settings. Select Yes to continue.
9.
Click OK to save the change to the properties of the OU.
10. When finished, close the Active Directory Users And Computers administrative tool.
By using these settings, you can ensure that only the appropriate individuals will be able to modify GPO settings.
Delegating Administrative Control of GPOs So far, you have learned about how you can use Group Policy to manage user and computer settings. What you haven’t done is determine who can modify GPOs. It’s very important to establish the appropriate security on GPOs themselves for two main reasons. First, if the security settings aren’t set properly, users and systems administrators can easily override them. This defeats the purpose of having the GPOs in the first place. Second, having many different systems administrators creating and modifying GPOs can become extremely difficult to manage. When problems arise, the hierarchical nature of GPO inheritance can make it difficult to pinpoint the problem. Fortunately, through the use of the Delegation Of Control Wizard, determining security permissions for GPOs is a simple task. Exercise 14.4 walks you through the steps you must take to grant the appropriate permissions to a User account. Specifically, the process involves delegating the ability to manage Group Policy links on an Active Directory object (such as an OU). In order to complete this exercise, you must have first completed Exercises 14.1 and 14.2. EXERCISE 14.4
Delegating Administrative Control of Group Policy 1.
Open the Active Directory Users And Computers tool.
2.
Expand the local domain, and create a user named Policy Admin within the Group Policy Test OU.
3.
Right-click the Group Policy Test OU, and select Delegate Control.
4.
Click Next to start the Delegation Of Control Wizard.
5.
On the Users Or Groups page, click Add. Enter the Policy Admin account, and click OK. Click Next to continue.
Managing Group Policy
727
EXERCISE 14.4 (continued)
6.
On the Tasks To Delegate page, select Delegate The Following Common Tasks, and place a check mark next to the Manage Group Policy Links item. Click Next to continue.
7.
Finally, click Finish on the final page of the wizard to complete the Delegation Of Control Wizard and assign the appropriate permissions. Specifically, this will allow the Policy Admin user to create GPO links to this OU (and, by default, any child OUs).
8.
When you are finished, close the Active Directory Users And Computers tool.
Controlling Inheritance and Filtering Group Policy Controlling inheritance is an important function when you are managing GPOs. By default, GPO settings flow from higher-level Active Directory objects to lower-level ones. For example, the effective set of Group Policy settings for a user might be based on GPOs assigned at the site level, the domain level, and in the OU hierarchy. In general, this is probably the behavior you would want. In some cases, however, you might want to block Group Policy inheritance. You can accomplish this easily by selecting the properties for the object to which a GPO has been linked. On the Group Policy tab, you will be able to set several useful options regarding inheritance. The first (and most obvious) option is the Block Policy Inheritance check box located at the bottom of the Group Policy tab of the Group Policy Object Properties dialog box (see Figure 14.4). By enabling this option, you are effectively specifying that this object starts with a clean slate—that is, no other Group Policy settings will apply to the contents of this Active Directory site, domain, or OU.
728
Chapter 14
FIGURE 14.4
Planning, Implementing, and Managing Group Policy
Blocking GPO inheritance
There is, however, a way that systems administrators can force inheritance. They do this by setting the No Override option to prevent other systems administrators from making changes to default policies. You can set the No Override option by clicking the Options button on the Group Policy tab for the object to which the GPO applies. Doing so brings up the GPO’s Option dialog box (see Figure 14.5). Notice that you can also choose to temporarily disable a GPO. This is useful during troubleshooting and when you are attempting to determine which GPOs are causing certain behavior. FIGURE 14.5
Setting the No Override GPO option
Exercise 14.5 walks you through the steps you need to take to manage inheritance and filtering of GPOs.
Managing Group Policy
729
EXERCISE 14.5
Managing Inheritance and Filtering of GPOs 1.
Open the Active Directory Users And Computers administrative tool.
2.
Create a top-level OU called Parent.
3.
Right-click the Parent OU, and select Properties. Select the Group Policy tab, and click the New button to create a new GPO. Name the new object Master GPO.
4.
Click the Options button on the Group Policy tab.
5.
On the Master GPO Options dialog box, place a check mark next to the No Override option. This ensures that administrators of OUs contained within the Parent OU will not be able to override the settings defined in this GPO. To save the settings, click OK. Notice that a check mark appears next to the Master GPO in the No Override column in the list of Group Policy object links.
6.
On the Group Policy tab of the Parent OU Properties dialog box, create another GPO and name it Optional GPO. Click the OK button to save the changes.
7.
Within the Parent OU, create another OU called Child.
8.
Right-click the Child OU, and select Properties.
9.
Select the Group Policy tab, and place a check mark in the Block Policy Inheritance check box. This option prevents the inheritance of GPO settings from the Parent OU for the Optional GPO settings. Note that since the No Override setting for the Master GPO was enabled on the Parent OU, the settings in the Master GPO will take effect on the Child OU regardless of the setting of the Block Policy Inheritance box. Click OK to save the changes.
10. When you are finished, close the Active Directory Users And Computers tool.
Assigning Script Policies Systems administrators might want to make several changes and settings that would apply during the computer startup or user logon. Perhaps the most common operation logon scripts perform is mapping network drives. Although users can manually map network drives, providing this functionality within login scripts ensures that mappings stay consistent and that users need only remember the drive letters for their resources. Script policies are specific options that are part of Group Policy settings for users and computers. These settings direct the operating system to the specific files that should be processed during the startup/shutdown or logon/logoff processes. You can create the scripts themselves by using the Windows Script Host (WSH) or by using standard batch file commands. WSH is a utility included with the Windows Server 2003 operating system. It allows developers and systems administrators to quickly and easily create scripts using the familiar Visual Basic Scripting
730
Chapter 14
Planning, Implementing, and Managing Group Policy
Edition (VBScript) or JScript (Microsoft’s implementation of JavaScript). Additionally, WSH can be expanded to accommodate other common scripting languages. To set script policy options, you simply edit the Group Policy settings. As shown in Figure 14.6, there are two main areas for setting script policy settings: Startup/Shutdown Scripts These settings are located within the Computer Configuration Windows Settings Scripts (Startup/Shutdown) object. Logon/Logoff Scripts These settings are located within the User Configuration Windows Settings Scripts (Logon/Logoff) object. FIGURE 14.6
Viewing Startup/Shutdown script policy settings
To assign scripts, simply double-click the setting, at which time its Properties dialog box will appear. For instance, if you double-click the Startup setting, the Startup Properties dialog box appears, as shown in Figure 14.7. To add a script filename, click the Add button. When you do, you will be asked to provide the name of the script file (such as MapNetworkDrives.vbs or ResetEnvironment.bat). Note that you can change the order in which the scripts are run by using the Up and Down buttons. The Show Files button opens the directory folder in which you should store the Logon script files. In order to ensure that the files are replicated to all domain controllers, you should be sure that you place the files within the SYSVOL share.
Managing Group Policy
FIGURE 14.7
731
Setting scripting options
Managing Network Configuration Group policies are also useful in network configuration. Although many different methods handle network settings at the protocol level—such as Dynamic Host Configuration Protocol (DHCP)—Group Policy allows administrators to set which functions and operations are available to users and computers. Figure 14.8 shows some of the features that are available for managing Group Policy settings. The paths to these settings are as follows: Computer Network Options These settings are located within the Computer Configuration, Administrative Templates, Network Connections folder. User Network Options These settings are located within the User Configuration, Administrative Templates, Network folder. Some examples of the types of settings available include the following:
The ability to allow or disallow the modification of network settings. In many environments, the improper changing of network configurations and protocol settings is a common cause of help desk calls.
The ability to allow or disallow the creation of Remote Access Service (RAS) connections. This option is very useful, especially in larger networked environments, since the use of modems and other WAN devices can pose a security threat to the network.
Setting of offline files and folders options. This is especially useful for keeping files synchronized for traveling users and is commonly configured for laptops.
732
Chapter 14
FIGURE 14.8
Planning, Implementing, and Managing Group Policy
Viewing Group Policy User network configuration options
Each setting includes detailed instructions in the description area of the GPO Editor window. By using these configuration options, systems administrators can maintain consistency for users and computers and can avoid many of the most common troubleshooting calls.
Automatically Enrolling User and Computer Certificates in Group Policy Group Policy can also be used to automatically enroll user and computer certificates, making the entire certificate process transparent to your end users. Before you go on, you should understand what certificates are and why they are an important part of network security. Think of a digital certificate as a carrying case for a public key. A certificate contains the public key and a set of attributes, like the key holder’s name and e-mail address. These attributes specify something about the holder: their identity, what they’re allowed to do with the certificate, and so on. The attributes and the public key are bound together because the certificate is digitally signed by the entity that issued it. Anyone who wants to verify the certificate’s contents can verify the issuer’s signature.
Managing Group Policy
733
Certificates are one part of what security experts call a public-key infrastructure (PKI). A PKI has several different components that you can mix and match to achieve the desired results. Microsoft’s PKI implementation offers the following functions: Certificate authorities (CAs) Issue certificates, revoke certificates they’ve issued, and publish certificates for their clients. Big CAs like Thawte and VeriSign may do this for millions of users; you can also set up your own CA for each department or workgroup in your organization if you want to. Each CA is responsible for choosing what attributes it will include in a certificate and what mechanism it will use to verify those attributes before it issues the certificate. Certificate publishers Make certificates publicly available, inside or outside an organization. This allows widespread availability of the critical material needed to support the entire PKI. PKI-savvy applications Allow you and your users to do useful things with certificates, like encrypt e-mail or network connections. Ideally, the user shouldn’t have to know (or even necessarily be aware of) what the application is doing—everything should work seamlessly and automatically. The best-known examples of PKI-savvy applications are web browsers like Internet Explorer and Netscape Navigator and e-mail applications like Outlook and Outlook Express. Certificate templates Act like rubber stamps: by specifying a particular template as the model you want to use for a newly issued certificate, you’re actually telling the CA which optional attributes to add to the certificate, as well as implicitly telling it how to fill some of the mandatory attributes. Templates greatly simplify the process of issuing certificates since they keep you from having to memorize the names of all the attributes you might potentially want to put in a certificate. The Autoenrollment Settings policy determines whether or not users and/or computers are automatically enrolled for the appropriate certificates when necessary. By default, this policy is turned on, but you can make changes to the settings as shown in Exercise 14.6. In Exercise 14.6, you will learn how to configure automatic certificate enrollment in Group Policy. You must have completed the other exercises in this chapter in order to proceed with this exercise. EXERCISE 14.6
Configuring Automatic Certificate Enrollment in Group Policy 1.
Open the Active Directory Users And Computers administrative tool.
2.
Open the Parent OU you created in the previous exercise and open the Master GPO.
3.
Open Computer Configuration, Windows Settings, Security Settings, Public Key Policies.
4.
Double-click Autoenrollment Settings in the right pane.
734
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.6 (continued)
5.
The Autoenrollment Settings Properties dialog box will appear. Notice that the Enroll Certificates Automatically setting is enabled by default. Check the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates and the Update Certificates That User Certificate Templates check boxes.
6.
Click OK to close the Autoenrollment Settings Properties dialog box.
Redirecting Folders Using Group Policy The last specific set of Group Policy settings that you will learn about are the folder redirection settings. Group Policy provides a means of redirecting the My Documents, Desktop, and Start menu folders, as well as cached application data, to network locations. Folder redirection is particularly useful for the following reasons:
When using roaming user profiles, a user’s My Documents folder is copied to the local machine each time he logs on. This often requires high bandwidth consumption and time if the My Documents folder is large. If you redirect the My Documents folder, it stays in the redirected location, and the user opens and saves files directly from there.
Documents are always available no matter where the user logs on.
Data in the shared location can be backed up during the normal backup cycle without user intervention.
Data can be redirected to a more robust server-side administered disk that is less prone to physical and user errors.
When you decide to redirect folders, you have two options: basic and advanced. Basic redirection redirects everyone’s folders to the same location (but each user gets their own folder within
Managing Group Policy
735
that location). Advanced redirection redirects folders to different locations based on group membership. For instance, you could configure the Engineers group to redirect their folders to // Engineering1/My_Documents/ and the Marketing group to //Marketing1/My_Documents/. Again, each individual user still gets their own folder within the redirected location. To configure folder redirection, follow the steps in Exercise 14.7. You must have completed the other exercises in this chapter in order to proceed with this exercise. EXERCISE 14.7
Configuring Folder Redirection in Group Policy 1.
Open the Active Directory Users And Computers administrative tool.
2.
Open the Parent OU that you created in the previous exercises and open the Master GPO.
3.
Open User Configuration, Windows Settings, Folder Redirection, My Documents.
4.
Right-click My Documents and select Properties.
5.
On the Target tab of the My Documents Properties dialog box, choose the Basic Redirect Everyone’s Folder To The Same Location selection from the Setting dropdown menu.
6.
Leave the default option for the Target Folder Location drop-down menu, and specify a network path in the Root Path field.
736
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.7 (continued)
7.
Click the Settings tab. All of the default settings are self-explanatory and should typically be left on the default. Click OK when you are done.
Troubleshooting Group Policy Due to the wide variety of configurations that are possible when you are establishing Group Policy, you should be aware of some common troubleshooting methods. These methods will help isolate problems in policy settings or Group Policy object (GPO) links. One possible problem with GPO configuration is that logons and system startups may take a long time. This occurs especially in large environments when the Group Policy settings must be transmitted over the network and, in many cases, slow WAN links. In general, the number of GPOs should be limited because of the processing overhead and network requirements during logon. By default, GPOs are processed in a synchronous manner. This means that the processing of one GPO must be completed before another one is applied (as opposed to asynchronous processing, where they can all execute at the same time). The most common issue associated with Group Policy is the unexpected setting of Group Policy options. In Windows 2000 Server, administrators spent countless hours analyzing inheritance hierarchy and individual settings to determine why a particular user or computer was having policy problems. For instance, say a user named jchellis complains that the Run option is missing from his Start menu. The jchellis user account is stored in the San Jose OU, and you’ve applied Group policies at the OU, domain, and site level. To determine the source of the problem, you would have to manually sift through each GPO to find the Start menu policy as well as figure out the applicable inheritance settings.
Troubleshooting Group Policy
737
Luckily, Windows Server 2003 adds a handy new feature called Resultant Set of Policy (RSoP) that displays the exact settings that actually apply to individual users, computers, OUs, domains, and sites after inheritance and filtering have taken effect. In the example just described, you could run RSoP on the jchellis account and view a single set of Group Policy settings that represent the settings that actually apply to the jchellis account. In addition, each setting’s Properties dialog box displays the GPO that the setting is derived from, as well as the order of priority, the filter status, and other useful information, as you will see a bit later. RSoP actually runs in two modes: Logging Mode Logging mode displays the actual settings that apply to users and computers like in the example in the preceding paragraph. Planning Mode Planning mode can be applied to users, computers, OUs, domains, and sites, and it is used before any settings have actually been applied. Like its name implies, planning mode is used to plan GPOs. Additionally, you can run the command-line utility gpresult.exe to quickly get a snapshot of the group policy settings that apply to a user and/or computer. Let’s take a closer look at the two modes and the gpresult.exe command.
RSoP in Logging Mode RSoP in Logging mode can only query policy settings for users and computers. The easiest way to access RSoP in Logging mode is through the Active Directory Users And Computers tool, although you can run it as a stand-alone MMC snap-in if you want to. To analyze the policy settings for jchellis from the earlier example, right-click the user icon in Active Directory Users And Computers and select All Tasks Resultant Set of Policy (Logging). The Resultant Set of Policy Wizard appears. The wizard walks you through the steps necessary to view the RSoP for jchellis. The Computer Selection page, shown in Figure 14.9, requires you to select a computer for which to display settings. Remember that a GPO contains both user and computer settings, so you must choose a computer that the user has logged on to in order to continue with the wizard. If the user has never logged on to a computer, then you must run RSoP in planning mode, since there is no logged policy information for that user yet. FIGURE 14.9
The Computer Selection page of the Resultant Set of Policy Wizard
738
Chapter 14
Planning, Implementing, and Managing Group Policy
The User Selection page, shown in Figure 14.10, requires you to select a user account to analyze. Since we selected a user from Active Directory Users And Computers tool, you should notice that the username is filled in automatically. This screen is most useful if you are running RSoP in MMC mode and don’t have the luxury of selecting a user contextually. FIGURE 14.10
The User Selection page of the Resultant Set of Policy Wizard
The Summary Of Selection page, shown in Figure 14.11, displays a summary of your choices and provides an option for gathering extended error information. If you need to make any changes before you begin to analyze the policy settings, you should click the Back button on the Summary screen. Otherwise, click Next. FIGURE 14.11
The Summary of Selections page of the Resultant Set of Policy Wizard
Troubleshooting Group Policy
739
After the wizard is complete, you will see the Resultant Set of Policy window shown in Figure 14.12. This window looks very much like the Group Policy Object Editor window, but it only displays the policy settings that apply to the user and computer that you selected in the Resultant Set of Policy Wizard. You can see these user and computers at the topmost level of the tree. Any warnings or errors display as a yellow triangle or red X over the applicable icon at the level where the warning or error occurred. To view more information about the warning or error, right click the icon, select Properties, and select the Error Information tab, as shown in Figure 14.13. FIGURE 14.12
The Resultant Set of Policy window for user jchellis on computer EDGETEK
FIGURE 14.13 dialog box
The Error Information tab of the Computer Configuration Properties
740
Chapter 14
Planning, Implementing, and Managing Group Policy
You cannot make changes to any of the individual settings, since RSoP is a diagnostic tool and not an editor, but you can get more information about settings by clicking a setting and selecting Properties from the pop-up menu. The Setting tab of the setting’s Properties dialog box, shown in Figure 14.14, displays the actual setting that applies to the user in question based on GPO inheritance. The Explain tab simply offers an expanded description of the individual policy, which can usually be inferred from the policy name. The Precedence tab, shown in Figure 14.15, is probably the most interesting tab in the dialog box because it shows you all of the GPOs, in order of priority, that apply to the user. You can see in the figure that the San Jose GPO takes precedence, which would explain why the user doesn’t see the Run option in their Start menu. From here, you could take the necessary steps to fix the user’s problem or inform the user that their policy doesn’t allow them to use the Run option on the Start menu. FIGURE 14.14
The Setting tab of the Setting Properties dialog box
FIGURE 14.15
The Precedence tab of the Setting Properties dialog box
Troubleshooting Group Policy
741
In Exercise 14.8, you’ll learn how to run RSoP in Logging mode. Note that you must have completed the previous exercises in this chapter to complete this exercise. EXERCISE 14.8
Running RSoP in Logging Mode 1.
Open the Active Directory Users And Computers administrative tool.
2.
Open the Parent OU you created in the previous exercises. Make several changes to the Desktop policies in the Optional GPO and the Master GPO. Be sure to refresh the GPO settings with the gpupdate command.
3.
Open the Child OU and add a user named TestUser1.
4.
Log on to the network as TestUser1 to establish an RSoP log, then log off and log on as an administrator.
5.
Open the Active Directory Users And Computers administrative tool.
6.
Right-click the TestUser1 account and select All Tasks Resultant Set of Policy (Logging) to open the Resultant Set of Policy Wizard.
7.
On the Computer Selection page, select the computer that TestUser1 used to log on to the network in step 4. Click Next.
8.
TestUser1 should already be selected on the User Selection page, so click Next to continue.
9.
Verify that the information on the Summary Of Selections page is correct and click Next.
10. Click the Finish button on the Completing The Resultant Set of Policy Wizard page to open the Resultant Set of Policy window.
11. Check some of the Desktop settings that you changed in step 2. Right-click a setting and select Properties from the pop-up menu. You should see the resultant policy on the Setting tab and the order of precedence on the Precedence tab.
Exercise 14.9 shows you how to run RSoP in Planning mode. Note that you must have completed the previous exercises in this chapter to continue. EXERCISE 14.9
Running RSoP in Planning Mode 1.
Open the Active Directory Users And Computers administrative tool.
2.
Open the Parent OU you created in the previous exercise.
742
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.9 (continued)
3.
Right-click the Parent OU and select All Tasks Resultant Set of Policy (Planning) to open the Resultant Set of Policy Wizard.
4.
On the User And Computer Selection page, the Parent OU information should be filled in for you for both the user and computer. You could make changes to this screen if desired—for example, if you wanted to view the RSoP for users in one OU who log on to computers in another OU. Click Next to continue.
5.
On the Advanced Simulation Options page don’t make any changes at this time. This screen is used to simulate special network conditions such as slow network connections or loopback processing. Click Next to continue.
Troubleshooting Group Policy
743
EXERCISE 14.9 (continued)
6.
On the User Security Groups page, select hypothetical security groups that you would place users and computers into under the planned scenario. Click Next to continue.
7.
On the WMI Filters For Users page, you can specify any Windows Management Instrumentation filters that you may have applied to GPOs. WMI filters go beyond the scope of this book, so just click Next and leave the default settings.
8.
The Summary Of Selections page appears. This displays a summary of the selections you made in the wizard. You can elect to gather extended error information, and you can choose a domain controller on which to run the simulated RSoP. Click Next when you are ready to run the simulation.
Chapter 14
744
Planning, Implementing, and Managing Group Policy
EXERCISE 14.9 (continued)
9.
Click Finish on the Completing The Resultant Set Of Policy Wizard page to open the Resultant Set Of Policy window.
10. Click through the various policy settings in the Resultant Set Of Policy window to see the GPO settings for a user and computer stored in the Parent OU.
RSoP in Planning Mode Running RSoP in Planning mode isn’t much different from running RSoP in Logging mode, but the RSoP Wizard asks for a bit more information than you saw earlier. In the earlier example, you saw that jchellis couldn’t see the Run option in the Start menu because his user account is affected by the San Jose GPO in the San Jose OU. As an administrator, you could plan to move his user account to the North America OU. Before doing so, you could verify his new policy settings by running RSoP in Planning mode on user jchellis under the scenario that you’ve already moved him from the San Jose OU to the North America OU. At this point, you haven’t actually moved the user, but you can see what his settings would be if you did.
Using the gpresult.exe Command gpresult.exe is a command-line utility that’s included as part of the RSoP tool. Running the command by itself without any switches returns the following group policy information about the local user and computer:
The name of the domain controller from which the local machine retrieved the policy information
The date and time in which the policies were applied
Which policies were applied
Which policies were filtered out
Group membership
You can use the switches shown in Table 14.1 to get information for remote users and computers and to enable other options. TABLE 14.1
gpresult Switches
Switch
Description
/S systemname
Generates RSoP information for a remote computer name
/USER username
Generates RSoP information for a remote user name
/V
Specifies verbose mode, which displays more verbose information such as user rights information
Troubleshooting Group Policy
745
TABLE 14.1
gpresult Switches (continued)
Switch
Description
/Z
Specifies an even greater level of verbose information
/SCOPE MACHINE
Displays maximum information about the computer policies applied to this system
/SCOPE USER
Displays maximum information about the user policies applied to this system
>textfile.txt
Writes the output to a text file
For example, to obtain information about user jchellis in a system called EDGETEK, you would use the command gpresult /S EDGETEK /USER jchellis. Through the use of these techniques, you should be able to track down even the most elusive Group Policy problems. Remember, however, that good troubleshooting skills do not replace the need for adequate planning and maintenance of GPO settings!
Troubleshooting Logon Performance Problems You are a systems administrator for a medium-sized Active Directory environment. Several weeks ago, you were asked to design and implement the organization’s Group Policy security settings. You spent several days designing a working strategy that was easy to maintain. In order to best suit the needs of your users, you also decided to create nine different Group Policy objects. You designed each GPO to contain information about a specific set of permissions. You also had to take into account that the established OU structure within your single Active Directory domain environment consists of a fairly deep hierarchy (for example, many OUs are nested to four levels). In order to work with this system, you linked the nine GPOs you created to these OUs at various levels, which resulted in dozens of links. Before you deployed your solution, you performed several tests to ensure that the resulting policies were what you intended. The settings seemed to work well, and they met the business needs. Recently, however, you have received several complaints from users throughout the environment; they are complaining about slow performance during login. Based on their reports, the system seems to hang on the Applying Security Settings dialog box, during which time they cannot access their systems. To determine the cause, you examine the network and find no performance problems. Furthermore, the issue seems to have arisen just after you implemented the GPO links. You determine that the problem must be due to the large number of GPO links. After consulting several resources for more information, your opinion seems to be validated— the issue is likely caused by having so many GPO links. You also find out that the GPOs themselves must be processed synchronously (that is, one after the other). You know that this will add significantly to the logon time, regardless of network and other issues.
746
Chapter 14
Planning, Implementing, and Managing Group Policy
You can solve this problem by reducing the number of GPO links. For example, if users that are contained in OUs that are four levels deep within the OU structure have many different GPOs that must be applied during login, perhaps you can consolidate the GPOs into a few, more complicated ones. Or, you can take the settings that you have in some GPOs and repeat them in others (so fewer would have to be applied). Overall, you might sacrifice some of the ease with which you could administer features, but your users could save significant time during logon attempts. Although the initial GPO policy you established above met some of your business requirements (for example, maintaining a good level of security), it failed to meet others (for instance, acceptable performance during logon operations). As is always the case, remember that your technical solutions must meet business goals, and performance issues with GPO links are no exception. Be sure to adequately test logon performance before you begin your GPO rollout.
Overview of Software Deployment It’s difficult enough to manage applications on a stand-alone computer. It seems that the process of installing, configuring, and uninstalling applications is never finished. Add in the hassle of computer reboots and reinstalling corrupted applications, and the reduction in productivity can be very real. When they manage software in network environments, software administrators have even more concerns. First and foremost, they must determine which applications specific users require. Then, IT departments must purchase the appropriate licenses for the software and acquire any necessary media. Next, they actually need to install the applications on users’ machines. This process generally involves help desk staff visiting computers or requires end users to install the software themselves. Both processes entail several potential problems, including installation inconsistency and lost productivity from downtime experienced when applications were installed. As if this wasn’t enough, the system administrators still need to manage software updates and remove unused software. One of the key design goals for the Active Directory was to reduce some of the headaches involved in managing software and configurations in a networked environment. To that end, Windows Server 2003 offers several features that can make the task of deploying software easier and less prone to errors. Before you dive into the technical details, though, you need to examine the issues related to software deployment.
The Software Management Life Cycle Although it may seem that the use of a new application requires only the installation of the necessary software, the overall process of managing applications involves many more steps. When managing software applications, there are three main phases to the life cycle of applications:
Overview of Software Deployment
747
Deploying software The first step in using applications is to install them on the appropriate client computers. Generally, some applications are deployed during the initial configuration of a PC, and others are deployed when they are requested. In the latter case, this often used to mean that systems administrators and help desk staff would have to visit client computers and manually walk through the installation process. With Windows Server 2003 and Active Directory, the entire process can be automated.
It is very important to understand that the ability to easily deploy software does not necessarily mean that you have the right to do so. Before you install software on client computers, you must make sure that you have the appropriate licenses for the software. Furthermore, it’s very important to take the time to track application installations. As many systems administrators have discovered, it’s much more difficult to inventory software installations after they’ve been performed.
Maintaining software Once an application is installed and in use on client computers, you need to ensure that the software is maintained. You must apply changes due to bug fixes, enhancements, and other types of updates in order to ensure that programs are kept up-to-date. As with the initial software deployment, software maintenance can be a tedious process. Some programs require that older versions be uninstalled before updates are added. Others allow for automatically upgrading over existing installations. Managing and deploying software updates can consume a significant amount of the IT staff’s time. Removing software At the end of the life cycle for many software products is the actual removal of unused programs. Removing software is necessary when applications become outdated or when users no longer require their functionality. One of the traditional problems with uninstalling applications is that many of the installed files may not be removed. Furthermore, the removal of shared components can sometimes cause other programs to stop functioning properly. Also, users often forget to uninstall applications that they no longer need, and these programs continue to occupy disk space and consume valuable system resources. Each of these three phases of the software maintenance life cycle is managed by the Microsoft Installer application. Now that you have an overview of the process, let’s move on to looking at the actual steps involved in deploying software using Group Policy.
The Windows Installer If you’ve installed newer application programs (such as Microsoft Office XP), you probably noticed the updated setup and installation routines. Applications that comply with the updated standard use the Windows Installer specification and MSI software packages for deployment. Each package contains information about various setup options and the files required for installation. Although the benefits may not seem dramatic on the surface, there’s a lot of new functionality under the hood!
748
Chapter 14
Planning, Implementing, and Managing Group Policy
The Windows Installer was created to solve many of the problems associated with traditional application development. It has several components, including the Installer service (which runs on Windows 2000, XP, and Server 2003 computers), the Installer program (msiexec.exe) that is responsible for executing the instructions in a Windows Installer package, and the specifications for third-party developers to use to create their own packages. Within each installation package file is a relational structure (similar to the structure of tables in databases) that records information about the programs contained within the package. In order to appreciate the true value of the Windows Installer, you’ll need to look at some of the problems with traditional software deployment mechanisms, and then at how the Windows Installer addresses many of these.
Application Installation Issues Before the Windows Installer, applications were installed using a setup program that managed the various operations required for a program to operate. These operations included copying files, changing Registry settings, and managing any other operating system changes that might be required (such as starting or stopping services). However, this method included several problems:
The setup process was not robust, and aborting the operation often left many unnecessary files in the file system.
The process of uninstalling an application often left many unnecessary files in the file system and remnants in the Windows Registry and operating system folders. Over time, these remnants would result in reduced overall system performance and wasted disk space.
There was no standard method for applying upgrades to applications, and installing a new version often required users to uninstall the old application, reboot, and then install the new program.
Conflicts between different versions of dynamic link libraries (DLLs)—shared program code used across different applications—could cause the installation or removal of one application to break the functionality of another.
Benefits of the Windows Installer Because of the many problems associated with traditional software installation, Microsoft created the Windows Installer. This system provides for better manageability of the software installation process and, as we’ll see later in this chapter, allows systems administrators more control over the deployment process. Specifically, benefits of the Windows Installer include the following: Improved software removal The process of removing software is an important one since remnants left behind during the uninstall process can eventually clutter up the Registry and file system. During the installation process, the Windows Installer keeps track of all of the changes made by a setup package. When it comes time to remove an application, all of these changes can then be rolled back. More robust installation routines If a typical setup program is aborted during the software installation process, the results are unpredictable. If the actual installation hasn’t yet begun,
Overview of Software Deployment
749
then the Installer generally removes any temporary files that may have been created. If, however, the file copy routine starts before the system encounters an error, it is likely that the files will not be automatically removed from the operating system. In contrast, the Windows Installer allows you to roll back any changes when the application setup process is aborted. Ability to use elevated privileges Installing applications usually requires the user to have Administrator permissions on the local computer since file system and Registry changes are required. When installing software for network users, systems administrators thus have two options. The first is to log off of the computer before installing the software, then log back on as a user who has Administrator permissions on the local computer. This method is tedious and time-consuming. The second is to temporarily give users Administrator permissions on their own machines. This method could cause security problems and requires the attention of a systems administrator. Through the use of the Installer service, the Windows Installer is able to use temporarily elevated privileges to install applications. This allows users, regardless of their security settings, to execute the installation of authorized applications. The end result is that this saves time and preserves security. Support for repairing corrupted applications Regardless of how well a network environment is managed, critical files are sometimes lost or corrupted. Such problems can prevent applications from running properly and cause crashes. Windows Installer packages provide you with the ability to verify the installation of an application and, if necessary, replace any missing or corrupted files. This support saves time and lessens the end-user headaches associated with removing and reinstalling an entire application to replace just a few files. Prevention of file conflicts Generally, different versions of the same files should be compatible with each other. In the real world, however, this isn’t always the case. A classic problem in the Windows world is the case of one program replacing DLLs that are used by several other programs. Windows Installer accurately tracks which files are used by certain programs and ensures that any shared files are not improperly deleted or overwritten. Automated installations A typical application setup process requires end users or systems administrators to respond to several prompts. For example, a user may be able to choose the program group in which icons will be created and the file system location to which the program will be installed. Additionally, they may be required to choose which options are installed. Although this type of flexibility is useful, it can be tedious when rolling out multiple applications. By using features of the Windows Installer, however, users are able to specify setup options before the process begins. This allows systems administrators to ensure consistency in installations and saves time for users. Advertising and on-demand installations One of the most powerful features of the Windows Installer is its ability to perform on-demand software installations. Prior to Windows Installer, application installation options were quite basic—either a program was installed or it was not. When setting up a computer, systems administrators would be required to guess which applications the user might need and install all of them.
750
Chapter 14
Planning, Implementing, and Managing Group Policy
The Windows Installer supports a function known as advertising. Advertising makes applications appear to be available via the Start menu. However, the programs themselves may not actually be installed on the system. When a user attempts to access an advertised application, the Windows Installer automatically downloads the necessary files from a server and installs the program. The end result is that applications are installed only when needed, and the process requires no intervention from the end user. We’ll cover the details of this process later in this chapter. To anyone who has managed many software applications in a network environment, all of these features of the Windows Installer are likely welcome ones. They also make life easier for end users and application developers who can focus on the “real work” their jobs demand.
Windows Installer File Types When performing software deployment with the Windows Installer in Windows Server 2003, you may encounter several different file types. These are as follows: Windows Installer packages (MSI) In order to take full advantage of Windows Installer functionality, applications must include Windows Installer packages. These packages are normally created by third-party application vendors and software developers and include the information required to install and configure the application and any supporting files. Transformation files (MST) Transformation files are useful when customizing the details of how applications are installed. When a systems administrator chooses to assign or publish an application, they may want to specify additional options for the package. If, for instance, a systems administrator wants to allow users to install only the Microsoft Word and Microsoft PowerPoint components of Office XP, they could specify these options within a transformation file. Then, when users install the application, they will be provided with only the options related to these components. Patches (MSP) In order to maintain software, patches are often required. Patches may make Registry and/or file system changes. Patch files are used for minor system changes and are subject to certain limitations. Specifically, a patch file cannot remove any installed program components and cannot delete or modify any shortcuts created by the user. Initialization files (ZAP) In order to provide support for publishing non–Windows Installer applications, initialization files can be used. These files provide links to a standard executable file that is used to install an application. An example might be \server1\software\program1\setup.exe. These files can then be published and advertised, and users can access the Add or Remove Programs icon to install them over the network. Application assignment scripts (AAS) Application assignment scripts store information regarding assigning programs and any settings that the systems administrator makes. These files are created when Group Policy is used to create software package assignments for users and computers.
Overview of Software Deployment
751
Each of these types of files provides functionality that allows the system administrator to customize software deployment. Windows Installer packages have special properties that can be viewed by right-clicking the file in Windows Explorer and choosing Properties (see Figure 14.16). FIGURE 14.16
Viewing the properties of a Windows Installer (MSI) package file
Deploying Applications The functionality provided by Windows Installer offers many advantages to end users who install their own software. That, however, is just the beginning in a networked environment. As you’ll see later in this chapter, the various features of Windows Installer and compatible packages allow systems administrators to centrally determine applications that users will be able to install. There are two main methods of making programs available to end users using the Active Directory: assigning and publishing. Both publishing and assigning applications greatly ease the process of deploying and managing applications in a network environment. In the following sections, you’ll look at how the processes of assigning and publishing applications can make life easier for IT staff and users alike. The various settings for assigned and published applications are managed through the use of Group Policy objects (GPOs).
Assigning Applications Software applications can be assigned to users and computers. Assigning a software package makes the program available for automatic installation. The applications advertise their availability to the affected users or computers by placing icons within the Programs folder of the Start menu.
752
Chapter 14
Planning, Implementing, and Managing Group Policy
When applications are assigned to a user, programs will be advertised to the user, regardless of which computer they are using. That is, icons for the advertised program will appear within the Start menu, regardless of whether the program is installed on that computer or not. If the user clicks an icon for a program that has not yet been installed on the local computer, the application will automatically be accessed from a server and will be installed on the computer. When an application is assigned to a computer, the program is made available to any users of the computer. For example, all users who log on to a computer that has been assigned Microsoft Office XP will have access to the components of the application. If the user did not previously install Microsoft Office, they will be prompted for any required setup information when the program first runs. Generally, applications that are required by the vast majority of users should be assigned to computers. This reduces the amount of network bandwidth required to install applications on demand and improves the end user experience by preventing the delay involved when installing an application the first time it is accessed. Any applications that may be used by only a few users (or those with specific job tasks) should be assigned to users.
Publishing Applications When applications are published, they are advertised, but no icons are automatically created. Instead, the applications are made available for installation using the Add Or Remove Programs icon in the Control Panel. Software can be published only to users (not computers). The list of available applications is stored within the Active Directory, and client computers can query this list when they need to install programs. For ease of organization, applications can be grouped into categories.
Implementing Software Deployment So far, you have become familiar with the issues related to software deployment and management from a theoretical level. Now it’s time to drill down into the actual steps required to deploy software using the features of the Active Directory. In the following sections, you will walk through the steps required to create an application distribution share point, to publish and assign applications, to update previously installed applications, to verify the installation of applications, and to update Windows operating systems.
Preparing for Software Deployment Before you can install applications on client computers, you must make sure that the necessary files are available to end users. In many network environments, systems administrators create shares on file servers that include the installation files for many applications. Based on security permissions, either end users or systems administrators can then connect to these shares from a client computer and install the needed software. The efficient organization of these shares can save the help desk from having to carry around a library of CD-ROMs and can allow you to install applications easily on many computers at once.
Implementing Software Deployment
753
One of the problems in network environments is that users frequently install applications whether or not they really require them. They may stumble upon applications that are stored on common file servers and install them out of curiosity. These actions can often decrease productivity and may violate software licensing agreements. You can help avoid this by placing all of your application installation files in hidden shares (for example, "software$").
Exercise 14.10 walks you through the process of creating a software distribution share point. In this exercise, you will prepare for software deployment by creating a directory share and placing certain types of files in this directory. In order to complete the steps in this exercise, you must have access to the Microsoft Office XP installation files (via CD-ROM or through a network share) and 600MB of free disk space. EXERCISE 14.10
Creating a Software Deployment Share 1.
On a Windows Server 2003 domain controller, open Windows Explorer. Create a folder called Software that you can use with application sharing. Be sure that the volume on which you create this folder has at least 600MB of available disk space.
2.
Within the Software folder, create a folder called Office XP.
3.
Copy all of the installation files for Microsoft Office XP from the CD-ROM or network share containing the files to the Office XP folder that you created in step 2.
4.
Right-click the Software folder (created in step 1), and select Sharing And Security. In the folder properties dialog box, choose Share This Folder, and type Software in the Share Name text box and Software Distribution Share Point in the Description text box. Leave all other options as the default, and click OK to create the share.
754
Chapter 14
Planning, Implementing, and Managing Group Policy
Once you have created an application distribution share, it’s time to actually publish and assign the applications. This topic is covered next.
Publishing and Assigning Applications As we mentioned earlier in this chapter, software packages can be made available to users through the use of publishing and assigning. Both of these operations allow systems administrators to leverage the power of the Active Directory and, specifically, Group Policy objects (GPOs) to determine which applications are available to users. Additionally, the organization provided by OUs can help group users based on their job functions and software requirements. The general process involves creating a GPO that includes software deployment settings for users and computers and then linking this GPO to Active Directory objects. Exercise 14.11 walks you through the steps you need to take to publish and assign applications. In this exercise, you will create and assign applications to specific Active Directory objects using Group Policy objects. In order to complete the steps in this exercise, you must have first completed Exercise 14.10. EXERCISE 14.11
Publishing and Assigning Applications Using Group Policy 1.
Open the Active Directory Users And Computers tool from the Administrative Tools program group.
2.
Expand the domain, and create a new top-level OU called Software.
3.
Within the Software OU, create a user named Jane User with a login name of juser (choose the defaults for all other options).
4.
Right-click the Software OU and select Properties.
5.
On the Software Properties dialog box, select the Group Policy tab, and click New.
Implementing Software Deployment
755
EXERCISE 14.11 (continued)
6.
For the name of the new GPO, type Software Deployment.
7.
To edit the Software Deployment GPO, click Edit. Expand the Computer Configuration Software Settings object.
8.
Right-click the Software Installation item, and select New Package.
9.
Navigate to the Software share that you created in Exercise 14.10.
10. Within the Software share, double-click the Office XP folder and select the appropriate MSI file depending on the version of Office XP that you have. Office XP Professional is being used in this example, so you’ll see that the PRO.MSI file is chosen. Click Open.
11. In the Deploy Software dialog box, choose Advanced. Note that the Published option is unavailable since applications cannot be published to computers. Click OK to return to the Deploy Software dialog box.
756
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.11 (continued)
12. To examine the deployment options of this package, click the Deployment tab. Accept the default settings by clicking OK.
13. Within the Group Policy Object Editor, expand the User Configuration Software Settings object.
14. Right-click the Software Installation item, and select New Package. 15. Navigate to the Software share that you created in Exercise 14.10. 16. Within the Software share, double-click the Office XP folder, and select the appropriate MSI file. Click Open.
17. For the Software Deployment option, select Published in the Deploy Software dialog box and click OK.
18. Close the Group Policy Object Editor, and then click Close to close the Properties of the Software OU.
The overall process involved with deploying software using the Active Directory is quite simple. However, you shouldn’t let the intuitive graphical interface fool you—there’s a lot of power under the hood of these software deployment features! Once you’ve properly assigned and published applications, it’s time to see the effects of your work.
Implementing Software Deployment
757
Applying Software Updates The steps described in the previous section work only when you are installing a brand-new application. However, software companies often release updates that need to be installed on top of existing applications. These updates could consist of bug fixes or other changes that are required to keep the software up-to-date. You can apply software updates in Active Directory by using the Upgrades tab of the software package Properties dialog box found in the Group Policy Object Editor. In Exercise 14.12, you will apply a software update to an existing application. You should add the upgrade package to the GPO in the same way that you added the original application in steps 8 through 12 of Exercise 14.11. You should also have completed Exercise 14.11 before attempting this exercise. EXERCISE 14.12
Applying Software Updates 1.
Open Active Directory Users And Computers from the Administrative Tools program group.
2.
Right-click the Software OU, and select Properties.
3.
To edit the Software Deployment GPO, click Edit. Expand the Computer Configuration Software Settings object.
4.
Right-click the upgrade package (not the original package) and select Properties from the context menu.
758
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.12 (continued)
5.
Select the Upgrades tab and click the Add button.
6.
Click the Current Group Policy Object radio button in the Add Upgrade Package dialog box. Select the package to which you want to apply the upgrade. Consult your application’s documentation to see if you should choose the Uninstall The Existing Package radio button or the Package Can Upgrade Over The Existing Package radio button.
7.
Click OK to close the Add Upgrade Package dialog box.
8.
Click OK to save the changes and close the Package Properties dialog box.
Implementing Software Deployment
759
You should understand that not all upgrades make sense in all situations. For instance, if MegaSoft 6 files are incompatible with the MegaSoft 10 application, then your MegaSoft 6 users might not want you to perform the upgrade without taking additional steps to ensure that they can continue to use their files. In addition, users might have some choice about what version they use when it doesn’t affect the support of the network. Regardless of the underlying reason for allowing this flexibility, you should be aware that there are two basic types of upgrades that are available for administrators to provide to the users: Mandatory upgrade Forces everyone who currently has an existing version of the program to upgrade according to the GPO. Users who have never installed the program for whatever reason will be able to install only the new upgraded version. Nonmandatory upgrade Allows users to choose whether they would like to upgrade. This upgrade type also allows users who do not have their application installed to choose which version they would like to use.
Verifying Software Installation In order to ensure that the software installation settings you make in a GPO have taken place, you can log in to the domain from a Windows XP Professional computer that is within the OU to which the software settings apply. When you log in, you will notice two changes. First, the application is installed on the computer (if it was not installed already). In order to access the application, all a user needs to do is click one of the icons within the Program group of the Start menu. Note also that applications are available to any of the users who log on to this machine. Also, the settings apply to any computers that are contained within the OU and to any users who log on to these computers. If you publish an application to users, the change may not be as evident, but it is equally useful. When you log on to a Windows XP Professional computer that is a member of the domain and use a user account from the OU where you published the application, you will be able to automatically install any of the published applications. You can do this by accessing the Add or Remove Programs icon in the Control Panel. By clicking Add New Programs, you access a display of the applications available for installation. By clicking the Add button in the Add New Programs section of the Add or Remove Programs dialog box, you will automatically begin the installation of the published application.
Configuring Automatic Updates in Group Policy So far you’ve seen the advantages of deploying application software in Group Policy. Group Policy also provides a way to install operating system updates across the network for Windows 2000, XP, and Server 2003 machines using Windows Update in conjunction with Software Update Services (SUS). Windows Update is available through the Microsoft website and is used to provide the most current files for the Windows operating systems. Examples of updates include security fixes, critical updates, updated help files, and updated drivers. You can access Windows Updates by clicking the Windows Updates icon in the system tray.
760
Chapter 14
Planning, Implementing, and Managing Group Policy
SUS is used to leverage the features of Windows Update within a corporate environment by downloading Windows updates to a corporate server, which in turn provides the updates to the internal corporate clients. This allows administrators to test and have full control over what updates are deployed within the corporate environment. Within an enterprise network that is using Active Directory, you would typically see automatic updates configured through Group Policy. Group policies are used to manage configuration and security setting via Active Directory. Group Policy is also used to specify what server a client will use for automatic updates. If the SUS client is a part of an enterprise network that is using Active Directory, you would configure the client via Group Policy. In Exercise 14.13, you learn how to configure Group Policy on a Windows Server 2003 domain controller. EXERCISE 14.13
Configuring Software Update Services in Group Policy 1.
Open Active Directory Users And Computers from the Administrative Tools program group.
2.
Right-click the domain and select Properties.
3.
Click the Group Policy tab on the domain Properties dialog box and select the Default Domain Policy. Click the Edit button.
4.
Expand Default Domain Policy, Computer Configuration, Administrative Templates, Windows Components, Windows Update to access the Windows Update settings.
5.
Click the Configure Automatic Updates option.
Implementing Software Deployment
761
EXERCISE 14.13 (continued)
6.
The Configure Automatic Updates Properties dialog box appears. On the Setting tab, you can configure whether automatic updates are not configured, enabled, or disabled. If automatic updates are enabled, you can select Notify For Download And Notify For Install, Auto Download And Notify For Install, or Auto Download And Schedule The Install. You can also specify the schedule that will be applied for the install day and the install time.
7.
To configure which server will provide automatic updates, click the Next Setting button in the Configure Automatic Updates Properties dialog box. This brings up the Specify Intranet Microsoft Update Service Location Properties dialog box. You can configure the status of the intranet Microsoft update service location as Not Configured, Enabled, or Disabled; you can also configure the HTTP name of the server that will provide intranet service updates and the HTTP name of the server that will act as the intranet SUS statistics server.
762
Chapter 14
Planning, Implementing, and Managing Group Policy
EXERCISE 14.13 (continued)
8.
To configure rescheduling of automatic updates, click the Next Setting button in the Specify Intranet Microsoft Update Service Location Properties dialog box. This brings up the Reschedule Automatic Updates Scheduled Installations Properties dialog box. You can enable and schedule the amount of time that automatic updates waits after system startup before it attempts to proceed with a scheduled installation that was previously missed.
9.
To configure auto-restart for scheduled automatic updates installations, click the Next Setting button in the Reschedule Automatic Updates Scheduled Installations Properties dialog box. This brings up the No Auto-Restart For Scheduled Automatic Updates Installations dialog box. You use this option if the computer needs to restart after an update. You can choose to wait until the next time the computer is restarted or to restart the computer automatically as a part of the update.
10. When you are done making setting changes, click the OK button.
Configuring Software Deployment Settings
763
You should be familiar with two security templates: Wuau.adm (for Windows 2000 Server), which is available through the Software Update Services installation; and System.adm (for Windows Server 2003), which automatically applies the group policy settings that are used by SUS.
Configuring Software Deployment Settings In addition to the basic operations of assigning and publishing applications, you can use several other options to specify the details of how software is deployed. You can access these options from within a GPO by right-clicking the Software Installation item (located within Software Settings in User Configuration or Computer Configuration). In the following sections, you will examine the various options that are available and their effects on the software installation process.
The Software Installation Properties Dialog Box The most important software deployment settings are contained in the Software Installation Properties dialog, which you can access by right-clicking the Software Installation item and selecting Properties from the pop-up menu. The following sections describe the features contained on the various tabs of the dialog box.
Managing Package Defaults On the General tab of the Software Installation Properties dialog box, you’ll be able to specify some defaults for any packages that you create within this GPO. Figure 14.17 shows the General options for managing software installation settings. The various options available include the following: Default Package Location This setting specifies the default file system or network location for software installation packages. This is useful if you are already using a specific share on a file server for hosting the necessary installation files. New Packages options These settings specify the default type of package assignment that will be used when you add a new package to either the user or computer settings. If you’ll be assigning or publishing multiple packages, you may find it useful to set a default here. Selecting the Advanced option enables Group Policy to display the package Properties dialog box each time a new package is added. Installation User Interface Options When they are installing an application, systems administrators may or may not want end users to see all of the advanced installation options. If Basic is chosen, the user will only be able to configure the minimal settings (such as the installation location). If Maximum is chosen, all of the available installation options will be displayed. The specific installation options available will depend on the package itself.
764
Chapter 14
FIGURE 14.17
Planning, Implementing, and Managing Group Policy
General settings for software settings
The Advanced Tab The Advanced tab, includes several options for configuring advanced software installation properties. The only option you need to be concerned with is: Uninstall The Applications When They Fall Out Of The Scope Of Management So far, you have seen how applications can be assigned and published to users or computers. But what happens when effective GPOs change? For example, suppose that User A is currently located within the Sales OU. A GPO that assigns the Microsoft Office XP suite of applications is linked to the Sales OU. Now, I decide to move User A to the Engineering OU, which has no software deployment settings. Should the application be uninstalled, or should it remain? If the Uninstall The Applications When They Fall Out Of The Scope Of Management option is checked, applications will be removed if they are not specifically assigned or published within GPOs. In our earlier example, this means that Office XP would be uninstalled for User A. If, however, this box is left unchecked, the application would remain installed.
Configuring Software Deployment Settings
765
Managing File Extension Mappings One of the potential problems associated with using many different file types is that it’s difficult to keep track of which applications work with which files. For example, if you received a file with the extension .abc, you would have no idea which application you would need to view it. And Windows would not be of much help, either. Fortunately, through software deployment settings, systems administrators can specify mappings for specific file extensions. For example, you could specify that whenever users attempt to access a file with the extension .vsd, the operating system should attempt to open the file using the Visio diagramming software. If Visio is not installed on the user’s machine, the computer could automatically download and install it (assuming that the application has been properly advertised). This method allows users to have applications automatically installed when they are needed. The following is an example of the sequence of events that might occur: 1.
A user receives an e-mail message that contains an Adobe Acrobat file attachment.
2.
The computer realizes that Adobe Acrobat, the appropriate viewing application for this type of file, is not installed. However, it also realizes that a file extension mapping is available within the Active Directory software deployment settings.
3.
The client computer automatically requests the Adobe Acrobat software package from the server and uses the Windows Installer to automatically install the application.
4.
The computer opens the attachment for the user.
Notice that all of these steps were carried out without any further interaction with the user. You can manage file extension mappings by right-clicking the Software Installation item, selecting Properties, and then clicking the File Extensions tab. Figure 14.18 shows how file extension settings can be managed. By default, the list of file extensions that you’ll see is based on the specific software packages you have added to the current GPO.
Creating Application Categories In many network environments, the list of supported applications can include hundreds of items. For users who are looking for only one specific program, searching through a list of all of these programs can be difficult and time-consuming. FIGURE 14.18
Managing file extensions
766
Chapter 14
Planning, Implementing, and Managing Group Policy
Fortunately, there are methods for categorizing the applications that are available on your network. You can easily manage the application categories for users and computers by right-clicking the Software Installation item, selecting Properties, and then clicking the Categories tab. Figure 14.19 shows you how application categories can be created. It is a good idea to use category names that are meaningful to users because it will make it easier for them to find the programs they’re looking for. FIGURE 14.19
Creating application categories
Once the software installation categories have been created, you can view them by opening the Add Or Remove Programs item in the Control Panel. When you click Add New Programs, you’ll see that there are several options in the Category drop-down list. Now, when you select the properties for a package, you will be able to assign the application to one or more of the categories.
Removing Programs As we discussed in the beginning of the chapter, an important phase in the software management life cycle is the removal of applications. Fortunately, using the Active Directory and Windows Installer packages, the process is simple. To remove an application, you can right-click the package within the Group Policy settings and select All Tasks Remove (see Figure 14.20). FIGURE 14.20
Removing a software package
Configuring Software Deployment Settings
767
When choosing to remove a software package from a GPO, you have two options: Immediately Uninstall The Software From Users And Computers Systems administrators can choose this option to ensure that an application is no longer available to users who are affected by the GPO. When this option is selected, the program will be automatically uninstalled from users and/or computers that have the package. This option might be useful, for example, if the licensing for a certain application has expired or if a program is no longer on the approved applications list. Allow Users To Continue To Use The Software, But Prevent New Installations This option prevents users from making new installations of a package, but it does not remove the software if it has already been installed for users. This is a good option if the company has run out of additional licenses for the software, but the existing licenses are still valid. Figure 14.21 shows the two removal options that are available. If you no longer require the ability to install or repair an application, you can delete it from your software distribution share point by deleting the appropriate Windows Installer package files. This will free up additional disk space for newer applications. FIGURE 14.21
Software removal options
Windows Installer Settings There are several options that influence the behavior of the Windows Installer that you can set within a GPO. You can access these options by navigating to User Configuration, Administrative Templates, Windows Components, Windows Installer. The options include the following: Always Install With Elevated Privileges This policy allows users to install applications that require elevated privileges. For example, if a user does not have the permissions necessary to modify the Registry but the installation program must make Registry changes, this policy will allow the process to succeed. Search Order This setting specifies the order in which the Windows Installer will search for installation files. The options include n (for network shares), m (for searching removal media), and u (for searching the Internet for installation files).
768
Chapter 14
Planning, Implementing, and Managing Group Policy
Disable Rollback When this option is enabled, the Windows Installer does not store the system state information that is required to roll back the installation of an application. Systems administrators may choose this option to reduce the amount of temporary disk space required during installation and to increase the performance of the installation operation. However, the drawback is that the system cannot roll back to its original state if the installation fails and the application needs to be removed. Disable Media Source For Any Install This option disallows the installation of software using removable media (such as CD-ROM, DVD, or floppy disks). It is useful for ensuring that users install only approved applications. With these options, systems administrators can control how the Windows Installer operates for specific users who are affected by the GPO.
Optimizing and Troubleshooting Software Deployment Although the features in Windows Server 2003 and the Active Directory make software deployment a relatively simple task, there are still many factors that systems administrators should consider when making applications available on the network. In this section, you will learn about some common methods for troubleshooting problems with software deployment in Windows Server 2003 and optimizing the performance of software deployment. Specific optimization and troubleshooting methods include the following: Test packages before deployment. The use of the Active Directory and GPOs makes publishing and assigning applications so easy that systems administrators may be tempted to make many applications available to users immediately. However, the success of using the Windows Installer is at least partially based on the quality of the programming of developers and thirdparty software vendors. Before unleashing an application on the unsuspecting user population, you should always test the programs within a test environment using a few volunteer users and computers. The information gathered during these tests can be invaluable in helping the help desk, systems administrators, and end users during a large-scale deployment. Manage Group Policy scope and links. One of the most flexible aspects of deploying software with the Active Directory is the ability to assign Group Policy settings to users and computers. Since it is so easy to set up GPOs and link them to Active Directory objects, it might be tempting to modify all of your existing GPOs to meet the current software needs of your users. Note, however, that this can become difficult to manage. An easier way to manage multiple sets of applications may be to create separate GPOs for specific groups of applications. For example, one GPO could provide all end-user productivity applications (such as Microsoft Office XP and Adobe Acrobat Reader), whereas another GPO
Optimizing and Troubleshooting Software Deployment
769
could provide tools for users in the Engineering department. Now, whenever the software requirements for a group changes, systems administrators can just enable or disable specific GPOs for the OU that contains these users. Roll out software in stages. Installing software packages over the network can involve high bandwidth requirements and reduce the performance of production servers. If you’re planning to roll out a new application to several users or computers, it’s a good idea to deploy the software in stages. This process involves publishing or assigning applications to a few users at a time, through the use of GPOs and OUs. Verify connectivity with the software distribution share. If clients are unable to communicate with the server that contains the software installation files, the Windows Installer will be unable to automatically copy the required information to the client computer, and installation will fail. You should always ensure that clients are able to communicate with the server and verify the permissions on the software installation share. Organize categories. The list of applications that are available in a typical network environment can quickly grow very large. From standard commercial Desktop applications and utilities to custom client-server applications, it’s important to organize programs based on functionality. Be sure to group software packages into categories that end users will clearly recognize and understand when searching for applications. Create an installation log file. By using the msiexec.exe command, you can create an installation log file that records the actions attempted during the installation process and any errors that may have been generated. Reduce redundancy. In general, it is better to ensure that applications are not assigned or published to users through multiple GPOs. For example, if a user almost always logs on to the same workstation and requires specific applications to be available, you may consider assigning the applications to both the user and the computer. Although this scenario will work properly, it can increase the amount of time spent during logon and the processing of the GPOs. A better solution would be to assign the applications to only the computer (or, alternatively, to only the user). Manage software distribution points. When users require applications, they will depend on the availability of installation shares. To ensure greater performance and availability of these shares, you can use the Windows Server 2003 Distributed File System (DFS). The features of DFS allow for fault tolerance and the ability to use multiple servers to share commonly used files from a single logical share point. The end result is increased uptime, better performance, and easier access for end users. Additionally, the underlying complexity of where certain applications are stored is isolated from the end user. Encourage developers and vendors to create Microsoft Installer packages. Many of the benefits of the software deployment features in Windows Server 2003 rely on the use of MSI packages. To ease the deployment and management of applications, ensure that in-house application developers and third-party independent software vendors use Microsoft Installer packages that were created properly. The use of MSI packages will greatly assist systems administrators and end users in assigning and managing applications throughout the life cycle of the product.
770
Chapter 14
Planning, Implementing, and Managing Group Policy
Enforce consistency using MSI options. One of the problems with applications and application suites (such as Microsoft Office XP) is that end users can choose to specify which options are available during installation. Although this might be useful for some users, it can cause compatibility and management problems. For example, suppose a manager sends a spreadsheet containing Excel pivot tables to several employees. Some employees are able to access the pivot tables (since they chose the default installation options), but others cannot (since they chose not to install this feature). The users who cannot properly read the spreadsheet will likely generate help desk calls and require assistance to add in the appropriate components. One way to avoid problems such as these is to enforce standard configurations for applications. For example, we may choose to create a basic and an advanced package for Microsoft Office XP. The Basic package would include the most-used applications, such as Microsoft Word, Microsoft Outlook, and Microsoft Excel. The advanced package would include these applications plus Microsoft PowerPoint and Microsoft Access. Create Windows Installer files for older applications. Although there is no tool included with Windows Server 2003 to automatically perform this task, it will generally be worth the time to create Windows Installer files for older applications. This is done through the use of third-party applications that are designed to monitor the Registry, file system, and other changes that an application makes during the setup process. These changes can then be combined into a single MSI package for use in software deployment. By carefully planning for software deployment and using some of the advanced features of Windows Server 2003, you can make software deployment a smooth and simple process for systems administrators and end users alike.
Understanding Application Architecture and Managing Software Rollouts The world of computing has moved through various stages and methodologies throughout the past several decades. Real-world business computing began with large, centralized machines called mainframes. In this model, all processing occurred on a central machine and “clients” were little more than keyboards and monitors connected with long extension cords. A potential disadvantage of this setup was that clients relied solely on these central machines for their functionality, and the mainframe tended to be less flexible. Then, with the dramatic drop in the cost of personal computers, the computing industry moved more to a client-based model. In this model, the majority of processing occurred on individual computers. The drawback, however, was that is was difficult to share information (even with networking capabilities), and such critical tasks as data management, backup, and security were challenges.
Optimizing and Troubleshooting Software Deployment
771
Since then, various technologies have appeared to try to give us good features from both worlds. A new and promising method of delivering application has been through the Application Service Provider (ASP) model. In this method, clients are relatively “thin” (that is, they do not perform much processing, nor do they store data); however, users still have access to the tools they need to do their jobs. The software provider is responsible for maintaining the software (including upgrades, backups, security, performance monitoring, etc.), and your company might engage an ASP through a monthly-fee arrangement. In some respects, during the past several years, we’ve moved back toward housing businesscritical functionality on relatively large, central servers. However, we’ve retained powerful client machines that are capable of performing processing for certain types of applications. In a lot of cases, that makes sense. For example, users of Microsoft Office applications have several advantages if they run their applications on their own machines. It might make sense to place other applications, such as a centralized sales-tracking and management tool, on a server. However, the fact remains that modern computers are only marginally useful without software applications that make practical use of their power and features. As an IT professional, it’s important to understand the business reasons when evaluating application architecture. Traditionally, the deployment of standard Windows applications was a tedious, error-prone, and inexact process. For example, if a user deleted a critical file, the entire application may have had to be removed and reinstalled. Or, if an application replaced a shared file with one that was incompatible with other applications, you could end up in a situation affectionately referred to as “DLL Hell”. Microsoft has attempted to address the sore spot of application deployment and management with the use of the Active Directory and Windows Installer technology. However, it’s up to developers and system administrators to take full advantage of these new methods. As an IT professional, you should urge developers to create installation packages using the Windows Installer architecture. In many ways, it’s much simpler to create an Installer package than it is to create the old-style setup programs. On the IT side, be sure that you take advantage of the Active Directory’s ability to assign and publish applications. And, when it comes time to update a client-side application, be sure to make use of the Windows Installer’s ability to generate patch files that can quickly and easily update an installation with minimal effort. This method can roll out application updates to thousands of computers in just a few days! All of these features can cut down on a large amount of support effort that’s required when, for example, a user needs to install a file viewer for a file that they received via e-mail. And, for applications that just don’t make sense on the Desktop, consider using Application Service Providers. Outsourced applications can allow you to avoid a lot of these headaches altogether. There’s a huge array of options, and it’s up to you to make the best choice for your applications!
772
Chapter 14
Planning, Implementing, and Managing Group Policy
Summary In this chapter, we examined the Active Directory’s solution to a common headache for many systems administrators: policy settings. Specifically, we discussed the following:
Group policies can restrict and modify the actions that are allowed for users and computers within the Active Directory environment.
Group Policy objects (GPOs) can be linked to Active Directory objects.
Group Policy object links can interact through inheritance and filtering to result in an effective set of policies.
Administrative templates can be used to simplify the creation of Group Policy objects.
Administrators can delegate control over GPOs in order to distribute administrative responsibilities.
Windows Server 2003 introduces the new Resultant Set of Policy tool, which can be run in Logging mode or Planning mode to determine exactly which set of policies apply to users, computers, OUs, domains, and sites.
Ways in which new Windows Server 2003 features can be used to manage the tasks related to software deployment and the benefits of the Windows Installer technology.
How the Active Directory, Group Policy objects, and the Windows Installer interact to simplify software deployment.
How to publish and assign applications to Active Directory objects.
The tasks associated with deploying, managing, and removing applications using Group Policy.
How to create a network share from which applications can be installed.
How to remotely control software deployment options and configuration through the use of Active Directory administration tools.
How to troubleshoot problems with software deployment.
Exam Essentials Understand the purpose of Group Policy. Group Policy is used to enforce granular permissions for users in an Active Directory environment. Understand user and computer settings. Certain Group Policy settings may apply to users, computers, or both. Computer settings affect all users that access the machines to which the policy applies. User settings affect users, regardless of which machines they log on to. Know the interactions between Group Policy objects and the Active Directory. GPOs can be linked to Active Directory objects. This link determines to which objects the policies apply.
Exam Essentials
773
Understand filtering and inheritance interactions between GPOs. For ease of administration, Group Policy objects can interact via inheritance and filtering. It is important to understand these interactions when implementing and troubleshooting Group Policy. Know how Group Policy settings can affect script policies and network settings. Special sets of Group Policy objects can be used to manage network configuration settings. Understand how delegation of administration can be used in an Active Directory environment. Delegation is an important concept because it allows for distributed administration. Know how to use the Resultant Set of Policy (RSoP) tool to troubleshoot and plan Group Policy. Windows Server 2003 introduces the new Resultant Set of Policy tool, which can be run in Logging mode or Planning mode to determine exactly which set of policies apply to users, computers, OUs, domains, and sites. Identify common problems with the software life cycle. IT professionals face many challenges with client applications, including development, deployment, maintenance, and troubleshooting. Understand the benefits of the Windows Installer. Using the Windows Installer is an updated way to install applications on Windows-based machines. It offers a more robust method for making the system changes required by applications, and it allows for a cleaner uninstall. Windows Installer–based applications can also take advantage of new Active Directory features. Understand the difference between publishing and assigning applications. Some applications can be assigned to users and computers so that they are always available. They can be published to users so that they may be installed with a minimal amount of effort when a user requires them. Know how to prepare for software deployment. Before your users can take advantage of automated software installation, you must set up an installation share and provide the appropriate permissions. Know how to configure application settings using the Active Directory and Group Policy. Using standard Windows Server 2003 administrative tools, you can create an application policy that meets the needs of your requirements. Features include automatic, on-demand installation of applications when they’re needed. Create application categories to simplify the list of published applications. It’s important to group applications by functionality or the users to whom they apply, especially in organizations that support a large number of programs. Be able to troubleshoot problems with software deployment. There are several methods for deploying applications and for testing to make sure that they are working properly. Should you find a problem with a particular installation of software, you can use these methods to repair and/or remove the specific product.
774
Chapter 14
Planning, Implementing, and Managing Group Policy
Key Terms Before you take the exam, be certain you are familiar with the following terms: Add or Remove Programs
Planning mode
Application assignment scripts
public-key infrastructure (PKI)
assigning
publishing
file extensions
Resultant Set of Policy (RSoP)
Filtering
Script policies
folder redirection
Transformation files
gpresult.exe
Windows Installer
initialization files
Windows Installer package
Logging mode
Windows Script Host (WSH)
patches
Review Questions
775
Review Questions Ann is a systems administrator for a medium-sized Active Directory environment. She has determined that several new applications that will be deployed throughout the organization use Registry-based settings. She would like to do the following:
1.
Control these Registry settings using Group Policy.
Create a standard set of options for these applications and allow other systems administrators to modify them using the standard Active Directory tools. Which of the following options can she use to meet these requirements? (Choose all that apply.) A. Implement the Inheritance functionality of GPOs. B. Implement Delegation of specific objects within the Active Directory. C. Implement the No Override functionality of GPOs. D. Create Administrative Templates. E. Provide Administrative Templates to the systems administrators that are responsible
for creating Group Policy for the applications. You are a systems administrator for a medium-sized Active Directory environment. Specifically, you are in charge of administering all objects that are located within the North America OU. The North America OU contains the Corporate OU. You want to do the following:
2.
Create a GPO that applies to all users within the North America OU except for those located within the Corporate OU.
Be able to easily apply all Group Policy settings to users within the Corporate OU, should the need arise in the future.
Accomplish this task with the least amount of administrative effort. Which two of the following options meets these requirements? A. Enable the Inheritance functionality of GPOs for all OUs within the North America OU. B. Implement Delegation of all objects within the North America OU to one administrator
and then remove permissions for the Corporate OU. Have this administrator link the GPO to the North America OU. C. Create a GPO link for the new policy at level of the North America OU. D. Create special Administrative templates for the Corporate OU. E. Enable the “Block Inheritance” option on the Corporate OU.
776
Chapter 14
Planning, Implementing, and Managing Group Policy
Trent is a systems administrator in a medium-sized Active Directory environment. He is responsible for creating and maintaining Group Policy settings. For a specific group of settings, he has the following requirements:
3.
The settings in the Basic Users GPO should remain defined.
The settings in the Basic Users GPO should not apply to any users within the Active Directory environment.
The amount of administrative effort to apply the Basic Users settings to an OU in the future should be minimal. Which of the following options can Trent use to meet these requirements? A. Enable the No Override option at the domain level. B. Enable the Block Policy Inheritance option at the domain level. C. Remove the link to the Basic Users GPO from all Active Directory objects. D. Delete the Basic Users GPO. E. Rename the Basic Users GPO to break its link with any existing Active Directory
objects. 4.
A systems administrator wants to ensure that certain GPOs applied at the domain level are not overridden at lower levels. Which option can they use to do this? A. The No Override option B. The Block Policy Inheritance option C. The Disable option D. The Deny permission
5.
A systems administrator wants to ensure that only the GPOs set at the OU level affect the Group Policy settings for objects within the OU. Which option can they use to do this (assuming that all other GPO settings are the defaults)? A. The No Override option B. The Block Policy Inheritance option C. The Disable option D. The Deny permission
6.
In order to be accessible to other domain controllers, logon/logoff and startup/shutdown scripts should be placed in which of the following shares? A. Winnt B. System C. C$ D. SYSVOL
Review Questions
777
Matt, a systems administrator, has recently created a new Active Directory domain. The domain forms a tree with the three other domains in the environment, and all of the domains are configured in a single site. He is planning to implement Group Policy, and has the following requirements:
7.
Several GPOs must be created to accommodate five different levels of user settings.
The GPOs may be assigned at any level within the Active Directory environment.
All users within the “Engineering” domain must receive specific GPO assignments. At which of the following levels can Matt create a single GPO link in order for it to affect all four domains in the environment? A. Sites B. OUs C. Domains D. Local computer E. Domain Controllers
8.
You want to link a GPO to the Group Policy Test OU. You right-click the OU and the following menu appears. In order to accomplish this task, what would you click next?
A. Properties B. Delegate Control C. All Tasks D. Add Members to a Group
778
Chapter 14
Planning, Implementing, and Managing Group Policy
Alicia is a systems administrator for a large organization. Recently, the company has moved most of its workstations and servers to the Windows Server 2003 platform, and Alicia wants to take advantage of the new software deployment features of the Active Directory. Specifically, she wants to do the following:
9.
Make applications available to users through the Add Or Remove Programs item in the Control Panel.
Group applications based on functionality or the types of users who might require them.
Avoid the automatic installation of applications for users and computers. Which of the following steps should Alicia take to meet these requirements? (Choose all that apply.) A. Create application categories. B. Set up a software installation share and assign the appropriate security permissions. C. Assign applications to users. D. Assign applications to computers. E. Create new file extension mappings. F. Create application definitions using the Active Directory and Group Policy administra-
tion tools. 10. Emma wants to make a specific application available on the network. She finds that using Group Policy for software deployment will be the easiest way. She has the following requirements:
All users of designated workstations should have access to Microsoft Office XP.
If a user moves to other computers on which Microsoft Office XP is not installed, they should not have access to this program. Which of the following options should Emma choose to meet these requirements? A. Assign the application to computers. B. Assign the application to users. C. Publish the application to computers. D. Publish the application to users.
11. Which of the following statements is true regarding the actions that occur when a software package is removed from a GPO that is linked to an OU? A. The application will be automatically uninstalled for all users with the OU. B. Current application installations will be unaffected by the change. C. The systems administrator may determine the effect. D. The current user may determine the effect.
Review Questions
779
12. You have recently created a new software deployment package for installing a new line-ofbusiness application on many users’ systems. You have the following requirements:
You want to use the features of the Active Directory and Group Policy to automatically deploy the software.
The software should be installed on specific machines within the environment only.
The application must be made available with minimal user intervention. Which of the following steps must be performed in order to meet these requirements? (Choose all that apply.) A. Refresh the Active Directory. B. Synchronize all domain controllers. C. Rebuild the Global Catalog. D. Manually copy the required files to an appropriate file share and set the appropriate
permissions on the share. E. Assign the application to the appropriate computers. F. Publish the application to the appropriate computers. 13. Andrew is a Help Desk operator for a large organization. Recently, he has been receiving a large number of calls from users who are attempting to open files for which they do not have viewers. For example, one user wants to open a file named MarketingInfo.ppt, but they do not have the Microsoft PowerPoint viewer installed. Andrew has the following requirements:
The appropriate application should automatically be installed when a user clicks specific file types.
Applications should not be automatically installed in other circumstances.
The installation of applications, when they are needed, should require minimal user intervention. Which of the following Group Policy software deployment features should Andrew use? (Choose all that apply.) A. Categories B. Publishing options C. Assignment options D. File extensions E. None of the above
780
Chapter 14
Planning, Implementing, and Managing Group Policy
14. You are the network administrator for a Fortune 500 company. The Accounting department has recently purchased a custom application for running financial models. The application requires you to make some changes to the computer policy in order for it to run properly. You decide to deploy the changes through the Group Policy setting. You create an OU called Sales and apply the policy settings. When you log on as a member of the Sales OU and run the application, it is still not running properly. You suspect that the policy may not be being applied properly because of a conflict somewhere with another Group Policy setting. What command should you run to see a listing of how the group policies have been applied to the computer and the user? A. GPResult.exe B. GPOResult.exe C. GPAudit.exe D. GPInfo.exe 15. You want to publish an application by using a GPO. In the following GPO, what would you do next in order to publish an application?
A. Right-click Software Settings under Computer Configuration and select New Package. B. Expand Software Settings under Computer Configuration, right-click Software Instal-
lation, and select New Package. C. Expand Software Settings under User Configuration, right-click Software Installation,
and select New Package. D. Right-click Software Settings under User Configuration and select New Package.
Answers to Review Questions
781
Answers to Review Questions 1.
D, E. Administrative Templates are used to specify the options available for setting Group Policy. By creating new Administrative Templates, Ann can specify which options are available for the new applications. She can then distribute these templates to other systems administrators in the environment.
2.
C, E. The easiest way to accomplish this task is to create GPO links at the level of the parent OU (North America) and block inheritance at the level of the child OU (Corporate).
3.
C. Systems administrators can disable a GPO without removing its link to Active Directory objects. This prevents the GPO from having any effects on Group Policy but leaves the GPO definition intact so that it can be enabled at a later date.
4.
A. The No Override option ensures that the Group Policy settings cannot be changed by the settings of lower-level Active Directory objects. This is particularly useful when you want settings to apply to all users at lower levels within the hierarchy, even if their OU’s GPO settings are different.
5.
B. The Block Policy Inheritance option prevents Group Policies of higher-level Active Directory objects from applying to lower-level objects as long as the No Override option is not set.
6.
D. By default, the contents of the SysVol share are made available to all domain controllers. Therefore, scripts should be placed in these directories.
7.
A. GPO links at the site level affect all of the domains that are part of a site. Therefore, Matt can create a single GPO link at the Site level.
8.
A. In order to link a GPO to an OU, you would use the Group Policy tab of the OU Properties dialog box. From there, you can create new GPOs, add GPOs to the OU, and configure each GPO.
9.
A, B, F. Alicia should first create an application share from which programs can be installed. Then, she can define which applications are available on the network. The purpose of application categories is to logically group applications in the Add Or Remove Programs item in the Control Panel. The other options can result in the automatic installation of applications for users and computers (something that she wants to avoid).
10. A. Assigning the application to the computer will ensure that all users who access the workstation will have access to Microsoft Office XP. You cannot publish to computers, and assigning or publishing the application to users would mean that only those users could use the application and they would be able to access it from any machine on the network. 11. C. The systems administrator can specify whether the application will be uninstalled or if future installations will be prevented. 12. D, E. It is the responsibility of the systems administrator to copy installation files to a software deployment share point and ensure that users can access these files. Once this is done, the applications can be assigned to various computers within the environment.
782
Chapter 14
Planning, Implementing, and Managing Group Policy
13. B, D. Publishing makes the applications available for automatic installation. File extension settings can be used to specify the applications that are installed when specific file types are accessed. This method requires minimal user intervention since it occurs automatically in the background. 14. A. The GPResult.exe command displays the resulting set of policies that were enforced on the computer and the specified user during the logon process. 15. C. Software can only be published to users, not computers. You can assign software to users or computers.
Glossary
784
Glossary
A account lockout policy A Windows 2003 policy used to specify how many invalid logon
attempts should be tolerated before a user account is locked out. Account lockout policies are set through account policies. account policies Windows 2003 policies used to determine password and logon requirements. Account policies are set through the Microsoft Management Console (MMC) Local Computer Policy or Domain Controllers Policy snap-in. Active Directory (AD) A directory service available with the Windows 2000 Server and
Windows Server 2003 platforms. The Active Directory stores information in a central database and allows users to have a single user account (called a domain user account or Active Directory user account) for the network. Active Directory Installation Wizard (DCPROMO) The tool that is used for promoting a
Windows Server 2003 or 2000 Server computer to a domain controller. Using the Active Directory Installation Wizard, systems administrators can create trees and forests. See also promotion. Active Directory replication The process of synchronizing the data in the Active Directory
database across all Active Directory servers. Uses a multimaster replication model. Only relevant changes are propagated. See also multimaster replication model, full zone transfers, incremental zone transfers. Active Directory user account A user account that is stored in the Windows 2000 or
Windows 2003 Active Directory’s central database. An Active Directory user account can provide a user with a single user account for a network. Also called a domain user account. Active Directory Users and Computers (ADUC) On Windows Server 2003 domain controllers, the main tool used for managing the Active Directory users, groups, and computers. Active Directory–Integrated (ADI) zone A way of storing information for DNS zones within the Active Directory tree under the domain object container. Each Directory–Integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Add Or Remove Programs Control Panel applet that allows for installing and uninstalling software applications and components of the Windows Server 2003 operating system. Administrator A Windows Server 2003 special user account that has the ultimate set of security permissions and can assign any permission to any user or group. Affinity See group affinity. Algorithm A small procedure, in a finite number of steps, that solves a recurrent mathematical
problem. application assignment scripts Script files that specify which applications are assigned to
users of the Active Directory. application data partitions Portion of the Active Directory that is dedicated to application data and replicated along with the rest of the Active Directory database.
Glossary
785
Assigning The process by which applications are made available to computers and/or users. asymmetric encryption Uses one key to encrypt data and a different key to decrypt data. Asymmetric encryption is used in public key systems. audit policy A Windows Server 2003 policy that tracks the success or failure of specified secu-
rity events. authentication The process required to log on to a computer locally or to Active Directory.
Authentication requires a valid username and a password that exists in the local accounts database or in Active Directory. A ticket will be created if the information presented matches the account in the database. authentication header (AH) Header used to digitally sign the entire contents of each packet. authoritative restore Specifies that the contents of a certain portion of the Active Directory on a domain controller should override any changes on other domain controllers, regardless of their sequence numbers. An authoritative restore is used to restore the contents of the Active Directory to a previous point in time. Automated System Recovery (ASR) A process used for system recovery in the event of
system failure. It is a two-part process that utilizes a backup component and a restore component. The system information that is backed up by ASR includes System State data, system services, and disk configuration information (information about basic and dynamic disks and the file signature associated with each disk). Automatic Update Used to extend the functionality of Windows Update by automating the
process of updating critical files. With Automatic Update, you can specify whether you want updates to be automatically downloaded and installed or whether you just want to be notified when updates are available. availability The ability to provide end users with access to a service for a high percentage of time while reducing unscheduled outages. Availability can be expressed numerically as the percentage of the time that a service is available for use, using this formula: Percentage of availability = (total time – downtime)/total time * 100
B Backup utility The Windows Server 2003 utility used to run the Backup Wizard, the Restore
Wizard, and the Automated System Recovery Wizard. Backup Wizard A wizard that is used to perform backup operations. The Backup Wizard is accessed through the Backup utility. bandwidth throttling A technology that allows you to limit how much network bandwidth
can be used by a given website. It prevents a particular website from hogging bandwidth and adversely affecting the performance of the other sites on the web server.
786
Glossary
Berkeley Internet Name Daemon (BIND) The Unix standard for DNS. Windows Server 2003
Server is compliant with several versions of BIND (specifically, BIND 4.9.7, 8.1.2, 8.2, and 9.1.0). Active Directory requires DNS and BIND version 8.1.2. BIND versions prior to 4.9.4 don’t support compression, and they can receive only one Resource Record at a time. If your secondary servers are running older versions of BIND, then you will need to disable these features. bidirectional trusts See two-way trust.
C caching-only servers A type of DNS server that resolves names on behalf of clients and caches the results to speed up subsequent queries. Caching-only servers are not authoritative for a zone. They do not store standard primary or standard secondary zones. They do, however, help to reduce WAN traffic because they do not generate zone transfer traffic, and because cached queries reduce the amount of name resolution traffic that needs to cross the WAN. certificate hierarchy Also known as a certification chain, can contain a series of certification authorities (CAs) from inside and outside a single organization, organized in a hierarchical trust model. certificate policy and practice statements Outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on. Certificate Revocation List (CRL) A list of certificates that have been revoked before reaching
the scheduled expiration date. The CAs build and maintain this list. certificate store A database of certificates that contains end user and server certificates and
the CRL. The certificates themselves may be stored in the local computer’s Registry, in Active Directory, or in a database file, but they all appear as a single, seamless store. Certificate Trust List (CTL) A list of trusted CAs that resides in Active Directory and is used
to establish a trust for certificates issued by a given CA. certification practices statements (CPSs) Statements that set forth the terms and conditions
under which the CA will issue certificates. Most large commercial CAs (like VeriSign and GTE) include CPSs in their certificates. CIPHER A command-line utility that can be used to encrypt and decrypt files on NTFS volumes. ciphertext A disguised form of data. See also cipher. Client Access License (CAL) A special license for each device or user that enables access to Windows Server 2003 servers. CALs are used with the Per Seat licensing mode. client license key packs A set of client licenses used by the Terminal Services license server to distribute licenses to your Terminal Services clients.
Glossary
787
cloned applications A multiple-instance application running in NLB clusters of stateful appli-
cations, and that runs against the same, relatively static dataset. An example is a Web server. cluster See server cluster. cluster host An individual computer, or node, that is a member of a server cluster. Cluster Service The Windows service that runs server clusters. Applications and services must
be compatible with the Cluster Service in order to respond appropriately to a failure. cluster-aware A description of an application that can communicate with the Cluster API to receive status and notification information from the cluster. CNAME records DNS alias records (also known as canonical name, or CNAME, records) allow you to use more than one name to point to a single host. Entries follow the format: mail IN CNAME servername ftp IN CNAME servername servername IN A 172.30.1.14 compatibility scripts A script used by applications that require modifications before they can be run with Terminal Services. conditional forwarder A type of DNS server that will forward DNS queries for external DNS names to DNS servers outside of its own network based on the domain name in the query. Use when DNS clients in separate networks resolve each others’ names without having to query a DNS server on the Internet. confidentiality
Ensures that data is secret to all except the authorized parties to a data
transaction. connection type A component of an IPSec policy that specifies whether the rule applies to
LAN connections, dial-up connections, or both. copy backup A backup type that backs up selected folders and files but does not set the
archive bit (indicating that the file has been backed up). Creator group The Windows Server 2003 special group (rather than an individual user) that created or took ownership of an object. When a regular user creates an object or takes ownership of an object, the username becomes the Creator Owner group. When a member of the Administrators group creates or takes ownership of an object, the Administrators group becomes the Creator group. cross-forest trusts A new Windows Server 2003 feature that lets you implement trusts
between all domains in one forest and all domains in another forest. cryptography The process of securing and maintaining the secrecy of data communications through encryption/decryption systems.
788
Glossary
D daily backup A backup type that backs up all of the files that have been modified on the day
that the daily backup is performed. The archive attribute is not set (indicating that the files have been backed up) on the files that have been backed up. decryption The conversion of encrypted data back into its original form. delegated namaspace Using a delegated namespace resembles creating separate public and pri-
vate namespaces. However, in this case you are creating a single subdomain within the namespace in which the DNS servers for the namespace will reside, rather than dividing the namespace into public and private portions. For instance, for the contoso.com domain, the delegated namespace may be corp.contoso.com. In this model, you would enable internal clients to resolve both internal and external DNS namespaces, but deny access to the internal namespace to external clients. A separate DNS server or servers is required for the delegated internal domain. delegation When a higher security authority assigns administrative permissions to a lesser
authority. delegation resource record Used to locate the authoritative DNS servers for a delegated zone. These records “glue” zones together and provide an effective path for delegation and referral that other DNS servers can follow in the process of resolving a name. Commonly used with stub zones. differential backup A backup type that copies only the files that have been changed since the last normal backup (full backup), and does not reset the archive bit (indicating that the file has been backed up). digest A unique mathematical value calculated by a special type of algorithm called a hashing
algorithm or a message authentication algorithm from the actual message contents. The digest is then encrypted using the private key and either added to the end of the message or sent as a separate file attachment. digital certificates The passports of the electronic world. Like your passport booklet, which
contains the unique passport ID number, a digital certificate serves as a carrying case for a public key. A certificate contains the public key and a set of attributes, such as the key holder’s name and e-mail address. digital signatures An electronic signature used to authenticate the sender’s identity as well as to ensure that the message was not altered in transit. Directory Services Restore Mode A Windows Server 2003 Advanced Option menu item that
is used by Windows Server 2003 computers that are configured as domain controllers to restore the Active Directory. This option is not available on Windows Server 2003 computers that are installed as member servers. This option is used if you need to restore System State data on a domain controller or restore the Active Directory service database. Discretionary Access Control List (DACL) Part of an object's security descriptor that grants or denies permission for access of an object to specific users and groups. Only an object’s owner can change permissions in the object’s DACL.
Glossary
789
disk quota policies Policies used to specify how much disk space can be allocated by users. disk quotas A Windows Server 2003 feature used to specify how much disk space a user is
allowed to use on specific NTFS volumes. Disk quotas can be applied to all users or to specific users. Distribution group A logical group of users who have common characteristics, for example a
group of Sales users. Applications and e-mail programs (for example, Microsoft Exchange) can use distribution groups for sending data as opposed to sending data to individual users. DNS client The network node that needs to resolve a hostname to an IP address. This is also
commonly referred to as the resolver. DNS namespace A naming convention for network resources. DNS uses a hierarchical naming structure in which names identify both the network resource and its place in the namespace hierarchy. In WINS, the namespace is a flat naming structure that uses a single, unique name to identify each unique network resource. DNS proxy A technology used with DHCP servers that allows them to register DNS data for the
computers that they issue leases to. The DHCP server acts as a proxy for the DNS server. The DHCP server must be registered with Active Directory through the DnsProxyUpdate group. DNS server A server that uses DNS to resolve domain or hostnames to IP addresses. DNS zone A contiguous portion of the DNS tree in a DNS database. Administered as a single, separate entity by a DNS server. The zone contains resource records for all the names within the zone. domain In Microsoft networks, an arrangement of client and server computers referenced by a specific name that shares a single security permissions database. On the Internet, a domain is a named collection of hosts and subdomains, registered with a unique name by the InterNIC. domain controller A Windows Server 2003 computer that is configured to store the domain
database, commonly referred to as Active Directory. domain local groups A type of group used to assign permissions to resources. Domain local
groups can contain user accounts, universal groups, and global groups from any domain in the tree or forest. A domain local group can also contain other domain local groups from its own local domain. Domain Name System (DNS) The TCP/IP network service that translates fully qualified domain names (or hostnames) into IP addresses. domain policies Policies applied at the domain level that allow administrators to control what a user can do after logging on. Domain policies include audit policies, security option policies, and user rights policies. These policies are set through Domain Controllers Policy. domain user A user account that is stored in the Windows 2000 Server or Windows Server
2003 Active Directory’s central database. A domain user account provides a user with access to domain-based resources. Also called an Active Directory user account. Dynamic DNS (DDNS) standard The RFC that specifies how Dynamic DNS needs to be implemented to ensure interoperability between the various vendors’ DDNS products.
790
Glossary
E Encapsulating Security Payload (ESP) Protocol used to encrypt the entire payload of an
IPSec packet, rendering it undecipherable by anyone other than the intended recipient. It provides confidentiality only. Encrypting File System (EFS) The Windows Server 2003 technology used to store encrypted files on NTFS partitions. Encrypted files add an extra layer of security to the file system. encryption The process of translating data into code that is not easily accessible to increase
security. Once data has been encrypted, a user must have a password or key to decrypt the data. entities In a PKI, parties to a transaction are known as entities, and they can be users, orga-
nizations, computers, or devices. exit modules In Microsoft Certificate Services, predefined sets of instructions that tell the CA how to proceed after a request is approved. Contain rules that specify where and how a newly issued certificate is published. external trusts Provide access to resources on a Windows NT 4 domain or forest that cannot
use a forest trust.
F failback The process of moving resources, either individually or in a group, back to their original node after a failed node rejoins a cluster and comes back online. failover The process of taking resource groups offline on one node, such as a failed node, and
bringing them back online on another node. failover pairs configuration A common N+I variation. Failover pairs are often used in clusters
with four or more nodes, and they are ideal for ensuring performance consistency after failover. Failover policies can be defined so that each application can fail over between two nodes. fault tolerance Any method that prevents system failure by tolerating single faults, usually
through hardware redundancy. file extension The three-letter suffix that follows the name of a standard file system file. Using Group Policy and software management functionality, systems administration can specify which applications are associated with which file extensions. File Transfer Protocol (FTP) A simple Internet protocol that transfers complete files reliably from an FTP server to a client running the FTP client. FTP provides a simple, low-overhead method of transferring files between computers but cannot perform browsing functions. Users must know the Uniform Resource Locator (URL) of the FTP server to which they wish to attach. filter action Associated with the use of filters. When you specify a filter action within a filter
it dictates which action should be taken when a security filter match occurs.
Glossary
791
filter list Groups of individual filters that allow you to easily build rules that enforce complicated behavior and then distribute those rules throughout your network as necessary. filtering The process by which permissions on security groups are used to identify which Active Directory objects are affected by Group Policy settings. Through the use of filtering, systems administrators can maintain a fine level of control over Group Policy settings. folder redirection A Group Policy setting that automatically redirects special folders (such as
My Documents) to an alternate location. forward-only server A DNS server that is configured to use forwarders and that does not use
recursion when forwarders fail, but instead fails the query. full zone transfers A type of zone transfer in which the entire zone is propagated. Used in DNS under Windows NT 4 and higher. functional levels Similar to modes in Windows 2000. Windows Server 2003 domain functional level includes all of the new features included in Windows Server 2003, but requires that all domain controllers run Windows Server 2003. The Windows 2000 native domain functional level offers all of the functionality of Native mode in Windows 2000, but all of the domain controllers must run either Windows Server 2003 or Windows 2000 Server. The Windows 2000 mixed domain functional level offers the least amount of functionality but supports domain controllers running Windows Server 2003, Windows 2000 Server, and Windows NT4 Server.
G global group A type of group used to organize users who have similar network access require-
ments. A global group is simply a container of users. Global groups can contain users and global groups (in native mode) from the local domain. glue address (glue A) resource record A type of DNS record that provides the address of the
host specified in the NS record. gpresult.exe A command-line interface for RSoP. See also Resultant Set of Policy (RSoP). group Security entities to which users can be assigned membership for the purpose of applying a broad set of group permissions to the user. By managing permissions for groups and assigning users to groups, rather than assigning permissions to users, administrators can more easily manage security. group affinity An attribute of a dependency between groups that determines the groups’ rel-
ative location in the server cluster. Used to configure the relative location of clustered applications in the event of failure. Group Policy Object (GPO) A set or sets of rules for managing client configuration settings
that pertain to desktop lockdowns and the launching of applications. GPOs are data structures that are attached in a specific hierarchy to selected Active Directory Objects. You can apply GPOs to sites, domains, or organizational units.
792
Glossary
Group Policy policies These policies specify how group policies are applied to a computer. group scope Used to determine if the group is limited to a single domain or if the group can span multiple domains. Group scopes are used to assign permissions to resources. group type Used to organize users, computers, and other groups into logical objects that are used for management purposes. Guest A Windows Server 2003 built-in group that has limited access to the computer. This group can access only specific areas. Most administrators do not allow Guest account access because it poses a potential security risk.
H Hardware Abstraction Layer (HAL) A Windows Server 2003 service that provides basic
input/output services such as timers, interrupts, and multiprocessor management for computer hardware. The HAL is a device driver for the CPU/motherboard circuitry that allows different families of computers to be treated the same by the Windows Server 2003 operating system. hashing algorithm A special type of algorithm, also known as a message authentication algo-
rithm, used to create a digital signature. It calculates a unique mathematical value, known as a digest, from the actual message contents. high-level security A type of DNS security that uses all of the DNS security features of
medium-level security, and adds the advanced security that is available when you run DNS servers on domain controllers and use Active Directory–integrated zones. In this configuration, there is no DNS communication at all with the Internet. home folder A folder where users normally store their personal files and information. A home
folder can be a local folder or a network folder. host record Associates a host’s name to its IP addresses. HyperText Markup Language (HTML) A textual data format that identifies sections of a document such as headers, lists, hypertext links, and so on. HTML is the data format used on the World Wide Web for the publication of web pages.
I incremental backup A backup type that backs up only the files that have changed since the
last normal or incremental backup. It sets the archive attribute (indicating that the file has been backed up) on the files that are backed up. incremental zone transfers (IXFRs) Supported in Windows 2000 Server and higher and
under BIND version 8.2.1 and higher. Just like an incremental backup, an incremental transfer
Glossary
793
enables the secondary server to pull only the changes it needs in order to synchronize its copy of the zone data with its configured source. Zone transfers are completed much more quickly and with far less network traffic generated. inheritance Parent folder permissions that are applied to (or inherited by) files and subfolders of the parent folder. In Windows 2003, the default is for parent folder permissions to be applied to any files or subfolders in that folder. initialization files Files used to specify parameters that are used by an application or a utility. Initialization files are often used by setup programs to determine application installation information. integrity Provides the means of verifying that data was not altered in transit. Data integrity is provided by using a digital signature. Internet Key Exchange (IKE) Security protocol that provides services to dynamically
exchange and manage keys between computers. IKE also dynamically negotiates a common set of security settings, so it is not necessary for both parties to have identical IPSec policies defined. Dynamic rekeying during exchanges over unsecured session pipes blocks most impersonation and interception attacks. Internet Protocol Security Extensions (IPSec) A process that makes it possible to transfer
sensitive information to other hosts across the Internet without fear of compromise. IPSec provides authentication and encryption for transmitted data. Internet Security Agreement/Key Management Protocol (ISAKMP) Security protocol that
provides a way for two computers to agree on security settings and exchange a security key that they will use to communicate securely. Information is secured with a combination of an algorithm and a key. Internet Server Application Programming Interface (ISAPI) filters Used to monitor HTTP
requests and respond to specific events as defined through the filter. When an event triggers a filter, the request is redirected to specific ISAPI applications, which are then run. IPSec client The computer that attempts to establish a connection to another machine. See also IPSec server. IPSec Policy Agent A service running on a Windows 2003 machine that connects to an Active Directory server and fetches the IPSec policy and then passes it to the IPSec code. IPSec server The server that services security requests (for a security key and to initiate a secure communications channel) from IPSec clients. IPv4 The most widely used version of the TCP/IP protocol suite, which is based on a 32-bit address structure.
794
Glossary
K Kerberos A security protocol that is used in Windows Server 2003 to authenticate users and network services. This is called dual verification, or mutual authentication. Kerberos policies Policies that are used to configure computer security settings for Kerberos authentication. Kerberos policies are set through account policies. key An algorithm that “undoes” the work of the encryption algorithm. Used in cryptographic
systems such as Microsoft Certificate Services. key distribution center (KDC) A domain controller that is responsible for holding all of the client passwords and account information. When a Windows Server 2003 computer is installed as a domain controller, it automatically becomes a KDC. key escrow Method employed by some cryptographic systems in which a third party holds a
copy of an organization’s encryption keys.
L License Logging service A service used to track and manage licenses associated with
Windows Server 2003. license server A special server used with Terminal Services that distributes and accounts for
Terminal Services licenses to Terminal Services clients. local group A group that is stored on the local computer’s accounts database. These are the
groups that administrators can add users to and manage directly on a Windows Server 2003 computer. local policies Policies that allow administrators to control what a user can do after logging
on. Local policies include audit policies, security option policies, and user rights policies. These policies are set through Local Computer Policy. local quorum cluster A cluster model that consists of a single node. This type of cluster is commonly used for testing, development, as well as to create dynamic file shares, often for home directories. local security policies Policies that control security at the local computer level. local users A user account stored locally in the user accounts database of a computer that is
running Windows 2003. Local Users and Groups A utility that is used to create and manage local user and group accounts on Windows 2000 Professional, Windows XP Professional computers and Windows 2000 and Windows 2003 member servers. Logging mode An RSoP mode that pulls policy information from a log based on actual logon
activity. See also Resultant Set of Policy (RSoP).
Glossary
795
logon policies These policies specify the restrictions that are associated with a user logging
onto a Windows 2003 computer or domain. logon script A command file that automates the logon process by performing utility functions such as attaching to additional server resources or automatically running different programs based on the user account that established the logon. low-level security Describes a standard DNS deployment with no configured security precautions. Should be used only in cases in which there is absolutely no reason to be concerned for the security of the DNS information. For instance, you may choose this level of security (or nonsecurity) in a private network that has no connection to the Internet and where there is no threat of someone compromising the DNS data.
M machine accounts Special accounts that computers use to transparently log on to a domain
during network initialization and before user logon. They do not have to be on the same domain as the user accounts for users logging on to a particular machine. machine certificates Digital certificates issued to machines instead of to people. mail exchange (MX) record Defines servers that can accept e-mail bound for this domain.
Each MX record contains two parameters—a preference and a mail server—as shown in the following format example: domain IN MX preference mailserver host majority node set cluster A cluster model in which each node maintains its own copy of the cluster configuration data. The quorum resource ensures consistency of the cluster configuration data across the nodes. Frequently used for geographically dispersed clusters. Unlike single quorum device clusters, which can still survive with only one node, majority node set clusters require a majority of the cluster nodes surviving after a failure for the server cluster to continue operating. mandatory profile A user profile created by an administrator and saved with a special extension (.man) so that the user cannot modify the profile in any way. Mandatory profiles can be assigned to a single user or a group of users. medium-level security Uses DNS security features, but not the advanced security that is available when you run DNS servers on domain controllers and use Active Directory–integrated zones. Microsoft Baseline Security Analyzer (MBSA) A utility, downloadable from the Microsoft website, used to ensure that you have the most current security updates. Microsoft Certificate Services (MCS) Microsoft’s service that uses certificates and certifica-
tion authorities (CAs) to provide authentication support, including secure e-mail, Web-based authentication, and smart-card authentication.
796
Glossary
Microsoft Software Update Services (SUS) See Software Update Services (SUS). mirrored When talking about filtering, a mirrored IPSec filter automatically filters its opposite—if you set up a filter from your IP address to a remote address and configure it to allow only port 80, with mirroring you’ll also get a filter that allows traffic from the remote end back to you on port 80. multimaster replication model Used in Active Directory replication and in Active Directory–
Integrated zone transfers. Enables multiple masters to update the zone. A master is any domain controller running Active Directory–Integrated DNS. Any of the domain controllers for the domain can modify the zone and replicate changes to the other domain controllers. This is better than standard DNS replication, in which only the primary server for a zone can modify the zone. multiple-instance application Clustered application in which nodes run either multiple
instances of the same code, or different pieces of code that provide a service. The client sees the application as though only a single instance were running on a single server. Multiple instances of an application are created by either cloning or partitioning the application. mutual authentication The type of authentication used with Kerberos version 5. With mutual authentication, the user is authenticated to the service and the service is authenticated to the user.
N N+I configuration The most common clustered server configuration used for failover policies. In this model, N nodes will host applications and I (for idle) nodes will stand by as spares. name server A server that can give an authoritative answer to queries about its domain. name server (NS) records A file that contains all of the name servers within the domain and is used by other name servers to look up names within the domain. Network Load Balancing (NLB) clusters A special type of server cluster that uses groups of identical computers that can operate independently. All of the nodes in an NLB cluster are active, and they are often cloned. NLB is best suited for applications that are stateless or can otherwise be cloned with no decline in performance. NLB is designed for stateless applications, such as front-end Web servers, FTP servers, and VPNs. Stateless applications treat each client request as an independent operation and have read-only data or data that changes infrequently. Network News Transfer Protocol (NNTP) A protocol used to distribute network news messages to NNTP servers and to NNTP clients (news readers) on the Internet. News articles are stored on an NNTP server in a central database where they can be indexed, retrieved, and posted. node See cluster host. nonrecursive DNS server Unlike a forward-only DNS server, the nonrecursive server will neither build up a cache, nor perform recursion if the query fails. You can disable recursion on
Glossary
797
the entire DNS server, which will prevent you from using forwarders on that server, or you can disable recursion on a per–domain name basis. non-repudiation A benefit of digital signatures that can provide the same assurance and even legal binding for electronic transmissions as currently exists for paper documents with handwritten signatures. Protects against a party to a transaction later claiming that he/she/it didn’t agree to the terms of the contract. normal backup A backup type that backs up all selected folders and files and then marks each file that has been backed up as archived. nslookup A tool that allows one to query a DNS server to see what information it holds for a host record.
O organizational unit (OU) In Active Directory, an organizational unit is a generic folder used
to create a collection of objects. An OU can represent a department, division, location, or project group. Used to ease administration of AD objects and as a unit to which group policy can be deployed.
P partitioned applications Multiple-instance applications designed for server clusters of stateless applications that have frequent updates to memory. An example is a database, where records A through M can reside on one partition, and N through Z can reside on another partition. Other types of applications can partition the functionality rather than the actual data. For instance, billing inquiries could be directed to a separate billing node, which has sole access to the billing database. Catalog inquiries could be directed to a separate catalog node, which has sole access to the catalog database. This example would provide scalability, but not availability because there is no option for failover. passthrough action A security filter action, this “Permit” action tells the IPSec filter to take no action. It neither accepts nor rejects the connection based on security rules, meaning that it adds zero security. It allows traffic to pass without modification. password policies Windows 2003 policies used to enforce security requirements on the com-
puter. Password policies are set on a per-computer basis, and they cannot be configured for specific users. Password policies are set through account policies. patch A Windows Installer file that updates application code. Patches can be used to make sure that new features are installed after an application has already completed installation. Per Seat licensing A client licensing mode used by enterprise environments. This mode requires that you purchase a Client Access License (CAL) for each device or user. Each client is licensed at the client side to access as many servers as needed.
798
Glossary
Per Server licensing A licensing mode for client licensing. In this mode, the server must be
licensed for each concurrent connection. permissions Security constructs used to regulate access to resources by username or group
affiliation. Permissions can be assigned by administrators to allow any level of access (such as read-only, read/write, or delete) by controlling the ability of users to initiate object services. Security is implemented by checking the user’s security identifier (SID) against each object’s access control list (ACL). PING A command used to send an Internet Control Message Protocol (ICMP) echo request and echo reply to verify that a remote computer is available. Planning mode An RSoP mode that is used to plan Group Policy changes before putting them into effect. See also Resultant Set of Policy (RSoP). pointer (PTR) record Record that associates an IP address to a hostname. policies General controls that enhance the security of an operating environment. In Windows
Server 2003, policies affect restrictions on password use and rights assignments, and determine which events will be recorded in the Security log. policy modules Predefined sets of instructions that contain the rules that govern how the CA
handles an incoming request. preshared key A shared, secret key that is previously agreed upon by two users. It is quick to use
and does not require the client to run the Kerberos protocol or to have a public-key certificate. primary DNS server The “owner” of the zone files defined in the DNS database. The primary DNS server has authority to make changes to the zone files it owns. primary zones With a primary zone, the default for a newly created zone, the server has a read/write copy of the zone information and acts as the point of update for the zone. The server periodically replicates its zone file to the secondary zone server to ensure that the secondary zone server’s copy of the file is current. At first the server transfers a complete copy of the zone file. Later transfers consist of changes only. The primary zone server can administer zone information separately. private key Also called a secret key. A key that is known only to its owner and should never
be revealed to any other party. Used in asymmetric encryption systems along with the public key. Can be used to encrypt data that then can be decrypted only with the public key. Can be used to decrypt data that has been encrypted with the public key. product activation Microsoft’s way of reducing software piracy. Unless you have a volume
corporate license for Windows Server 2003 or are using a 64-bit version of Windows Server 2003 (which does not use product activation), you will need to perform post-installation activation. This can be done online or through a telephone call. promotion The act of converting a Windows Server 2003 or 2000 Server computer to a
domain controller. See also Active Directory Installation Wizard (DCPROMO) .
Glossary
799
public key A key that is designed to be freely distributed. Used in asymmetric encryption sys-
tems along with the private key. Can be used to encrypt data that then can only be decrypted with the private key. Can be used to decrypt data that has been encrypted with the private key. public key certificates A form of digital passport used to verify the identities of non-
Windows computers, standalone computers, computers that do not belong to a trusted domain, and computers that do not support Kerberos v5. public key cryptography A cryptographic system that employs a pair of keys: a public key, which is designed to be freely distributed, and a private key (also called a secret key). Public Key Infrastructure (PKI) A system of cryptographic security services that enables users
of a basically unsecure public network, such as the Internet, to securely and privately exchange data and even money through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority. The PKI uses digital certificates to identify an individual or organization and directory services to store, manage, and revoke the certificates. This approach resolves many security problems by presenting security credentials without compromising them in the process. PKI involves emerging standards and approaches. A PKI is used to provide several security benefits, including certificate-based authentication, data integrity, confidentiality, and nonrepudiation. publishing Making applications available for use by users through Group Policy and Soft-
ware Installation settings. Published applications can be installed on demand or when required by end users through the use of the Add Or Remove Programs item in the Control Panel.
Q quorum resource A disk that maintains configuration data that would enable recovery of the cluster. This data includes all changes that have been applied to the cluster database. By default there is only one quorum resource per cluster, and each cluster node has access to it.
R realm trusts Used to connect to a non-Windows domain that uses Kerberos authentication. Realm trusts can be transitive or nontransitive, one-way or two-way. recovery agents Users who have recovery authority and can use special certificates and keys to enable recovery of lost keys. The Administrator account is automatically set up as the default recovery agent, and additional recovery agents can also be named through Microsoft Certificate Services. reliability Describes the time between failures. You can calculate the mean time between failures using this formula: Mean time between failures = (total elapsed time – sum of downtime)/number of failures Remote Assistance A mechanism for requesting help for x86-based computers through Win-
dows Messenger and e-mail, or by sending a file requesting help.
800
Glossary
Remote Control Allows you to view or control a user’s session from another session. Remote Desktop for Administration A Terminal Services mode that allows administrators
to perform administrative tasks on remote servers and clients from a centralized console. Remote Desktop Protocol (RDP) A connection that needs to be configured in order for cli-
ents to connect to the Terminal Services server. You can configure only one RDP connection per network adapter. resolver DNS client computer that makes requests to a server; these requests ask the server to resolve a client DNS name into the corresponding IP address or vice versa. resource Any useful service, such as a shared folder or a printer. resource groups In server clusters, resources that are treated as a single, indivisible unit and hosted on one node at any point in time. Resource groups can be started and stopped as a unit. resource record (RR) Record that contains information about some resource on the network. There are several types of resource records. Restore Wizard A wizard used to restore data. The Restore Wizard is accessed through the
Backup utility. Resultant Set of Policy (RSoP) A new Windows Server 2003 tool that automatically calculates the actual policy for a user or group based on site, domain, and OU placement, as well as inheritance settings. reverse lookup In DNS, a query process by which the IP address of a host computer is
searched to find its friendly DNS domain name. roaming profile A user profile that is stored on a network share. Users can access their roaming profiles from any location on the network. root certificate authority A top-level CA. Because there is no authority above the root CA in the hierarchy, there’s no higher authority to vouch for its certificate. Instead, the root CA signs its own certificate, asserting that it is the root. root server The root is the highest or uppermost level in a hierarchically organized set of
information. A root server is the DNS server that is authoritative for the root of the namespace.
S scaling out Adding servers to meet demand. In a server cluster, this means adding nodes to the cluster. Scaling out also helps you to improve application and server response time. scaling up Increasing system resources (such as processors, memory, disks, and network adapters) to your existing hardware or replacing existing hardware with greater system resources. Scaling up helps you to improve application and server response time, such as by adding RAM or CPUs.
Glossary
801
script policy A setting within Group Policy objects that specifies login, logoff, startup, and shutdown script settings. secondary DNS server Server that pulls DNS information from the specified master server. Secondary DNS servers receive a read-only copy of zone files. The secondary DNS server can resolve queries from this read-only copy but cannot make changes or updates. secondary zones Store a complete, local, read-only copy of the zone information. They are
used to improve availability and performance at local and remote locations. secret key cryptography A cryptography system in which two parties to a communication
transaction use a single shared key that must be kept secret. This is the equivalent of a secret password on which both parties agree. The same key is used to encrypt and decrypt data, so if the secret key is compromised through loss or theft, then the data encrypted with that key becomes vulnerable. Secret key systems tend to be fast and flexible, but their dependence on a single key makes them better suited for applications like IPSec where you can change the key frequently. In addition, secret key systems can only be used for encryption, not authentication. secured dynamic updates A feature of Active Directory–Integrated zones, which can use the Active Directory security features to provide secured dynamic updates. Dynamic updates enable DNS records to be updated on the fly. security association (SA) An association that provides all the information needed for two computers to communicate securely. It contains a policy agreement that controls which algorithms and key lengths the two machines will use plus the actual security keys used to securely exchange information. Security Configuration and Analysis tool A Windows 2003 utility that is used to analyze
and to help configure a computer’s local security settings. Security Configuration and Analysis works by comparing the computer’s actual security configuration to a security database configured with the desired settings. security database Used with the Security Configuration and Analysis utility to store the
results of a security analysis. security group A logical group of users who need to access specific resources. Security groups are listed in Discretionary Access Control Lists (DACLs) to assign permissions to resources. security identifier (SID) A unique code that identifies a specific user or group to the Windows Server 2003 security system. SIDs contain a complete set of permissions for that user or group. security method A pre-specified encryption algorithm with a negotiated key length and key
lifetime. security options Policies used to configure security for the computer. Security option policies apply to computers rather than to users or groups. These policies are set through Local Computer Policy or Domain Controllers Policy. Security Policy
computers.
A subset of Group Policy settings that define security configurations for
802
Glossary
security principal An Active Directory object that is used to assign and maintain security settings. The primary security principals are Users, Groups, and Computers. security template A tool that works with the Security Configuration and Analysis utility and is where you organize all of your security attributes in a single location. server cluster Two or more computers working together to provide higher availability, reliability, and scalability than can be obtained by using a single system. server role Describes the functional purpose of a network server. There are roles for application servers, such as e-mail, Web, database, and media servers. There are roles for servers that host network resources, such as file and print servers. There are also roles for servers that provide network infrastructure services, such as name resolution and connectivity. Service (SRV) record Record that links the location of a service such as a domain controller with information about how to contact the service. It provides seven items of information: service name, a transport protocol, the domain name for which the service is offered, the priority, the weight, the port number on which the service is offered, and the DNS name of the server that offers the service. shadow copies Used to create copies of shared folders and files at specified points in time. shortcut trust A direct trust between two domains that implicitly trust each other. signing Uses encryption to prove the origin and authenticity of a data transaction. Simple Mail Transfer Protocol (SMTP) An Internet protocol for transferring mail between
Internet hosts. SMTP is often used to upload mail directly from the client to an intermediate host, but can only be used to receive mail by computers constantly connected to the Internet. single quorum device cluster The most widely used cluster model, also known as the stan-
dard quorum model, which uses a single cluster storage device connected to all nodes to store the cluster configuration data. single-instance applications Method of clustered application deployment in which only one application instance is running on the cluster at any time, and the application typically has data sets that cannot be partitioned across multiple nodes. The Dynamic Host Configuration Protocol (DHCP) service is an example of a single-instance application. The set of leased IP addresses that the application provides is small, but would be complicated to replicate across a cluster. Therefore, the DHCP instance exists as a single instance, and high availability is provided by failing over the instance to another node in the cluster. site A term used within the Active Directory to represent different geographical locations. site license server A special server that is responsible for managing all of the Windows
licenses for the site. smart card A special piece of hardware with a microchip, used to store public and private keys, passwords, and other personal information securely. Can be used for other purposes, such as telephone calling and electronic cash payments.
Glossary
803
snap-in An administrative tool developed by Microsoft or a third-party vendor that can be
added to the Microsoft Management Console (MMC) in Windows Server 2003. Software Update Services (SUS) This is used to deploy a limited version of Windows
Update to a corporate server, which in turn provides the Windows updates to client computers within the corporate network. This allows clients that are limited to what they can access through a firewall to still keep their Windows operating systems up-to-date. split-brain A failure scenario that happens when some of the nodes fail and the cluster loses quorum. In this instance, you can force the remaining nodes to form a quorum and restart the cluster. spoofing A form of attack in which an attacker assumes the identity of another computer. standard zone files Also called traditional DNS zone files. Stored as text files on the server’s hard drive. To use standard zone files, you create a zone on a DNS server which then becomes the primary zone server where all updates occur. These updates may include things like resource record additions or deletions. You can use secondary zone servers to provide load balancing and a certain degree of fault tolerance by pointing them to the primary zone server to get a copy of the zone file. standby server configuration A variation of N+I, which uses idle nodes as standbys that are
capable of taking on the workload of one or more of the currently active nodes. Standby servers are used to maintain a performance level after failover that is the same as performance before the failover. Start of Authority (SOA) record Record that defines the general parameters for the DNS
zone, including who the authoritative server is for the zone. stateful applications Applications and services such as SQL Server or Exchange Server, which have a long-running in-memory state, or large frequently updated datasets. These types of applications and services should be hosted on a server cluster. Storage Area Network (SAN) A set of interconnected servers and storage devices such as
disks and tape drives that are connected to a common data transfer infrastructure to provide a pool of storage with multiple server access. stub zone Functions like dynamic delegation. The stub zone server will periodically query the target name servers for updates. This is used to keep the DNS server that hosts the parent zone aware of its child zone for more efficient name resolution. The DNS server that hosts both the parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone by regularly updating the stub zone. Stub zones keep delegated zone information current, as well as simplify DNS administration. subdomain Branches of a network. symmetric encryption Uses the same key to encrypt and decrypt data. Symmetric encryption is used in preshared secret key systems. The main problem with symmetric encryption is key distribution.
804
Glossary
system policy Under NT, system configuration management was accomplished by creating System Policy files. System Policy was limited in the scope of settings that could be controlled. In addition, settings could not be easily backed out because they were written to various locations in the local Registry. System State data A set of data that is critical to the operating system booting and includes the Registry, the COM+ registration database, and the system boot files.
T tampering A form of attack in which an attacker intercepts and alters data in transit, often by
assuming the identity of another computer. Terminal Server mode Used with Terminal Services to deliver powerful user applications to
computers that may be unable to run such applications locally because of hardware or other limitations. Terminal Services client A client of a Terminal Services server. It uses thin client technology to establish a connection with the server and display the graphical user interface information that it receives from the server. Terminal Services Configuration utility A Windows Server 2003 Terminal Services utility
that is used to change the properties of the RDP-Tcp (Remote Desktop Protocol–Transmission Control Protocol) connection that is created when you install Terminal Services. You can also add new connections with this utility. Terminal Services Manager utility A Windows Server 2003 Terminal Services utility that
allows you to manage and monitor users, sessions, and processes that are connected to or running on any Terminal Services server on the network. Terminal Services server A special type of server running Terminal Services that executes applications and processes all information locally and sends only the data response back to the Terminal Services client. thin client Devices with simple hardware configurations, often legacy desktops, which lack the hardware resources to run the latest Microsoft Windows operating system or applications. ticket-granting service (TGS) The Kerberos service that allows the user to authenticate to
services within the domain. ticket-granting ticket (TGT) In Kerberos v5 authentication, issued by the KDC to an authen-
ticated client. The client uses the TGT to access the ticket-granting service (TGS). top-level domains Internet DNS depends on a set of top-level domains that serve as the level below the root of the DNS hierarchy. These domains include .com, .net, .org, and .uk, among many others.
Glossary
805
traditional DNS zones Store the zone information in a file, use a single master model, replicate through full and incremental zone transfers, and are used for compatibility with NT 4 DNS infrastructures and BIND-based DNS infrastructures hosted on Unix servers. transformation files A type of file used by the Windows Installer to modify the behavior of the application-installation process. transitive trusts A trust relationship that allows for implicit trusts between domains. For example, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. See also trust and two-way trust. Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of Internet protocols upon which the global Internet is based. TCP/IP is a general term that can refer either to the TCP and IP protocols used together or to the complete set of Internet protocols. TCP/IP is the default protocol for Windows Server 2003. transport mode Another name for the end-to-end mode, in which IPSec is used to encrypt
before data is sent and decrypted at the other end; the data is protected during transport. tunnel endpoint The systems at the end of a two-way IPSec tunnel. tunnel mode The use of IPSec to secure traffic that’s being passed over someone else’s wire. two-way trust Occurs when two domains trust each other equally.
U universal groups A special type of group used to logically organize global groups and appear
in the Global Catalog (a search engine that contains limited information about every object in the Active Directory). Universal groups can contain users (not recommended) from anywhere in the domain tree or forest, other universal groups, and global groups. user profile A directory that stores a user’s Desktop configuration and other preferences. A user profile can contain a user’s Desktop arrangement, program items, personal program groups, network and printer connections, screen colors, mouse settings, and other personal preferences. Administrators can create mandatory profiles, which cannot be changed by the users, and roaming profiles, which users can access from any computer they log on to. user profile policies Control the behavior of network connections and roaming profiles. user right policies Policies that control the rights that users and groups have to accomplish
network tasks. User Rights Assignment Determine what rights a user or group has on the computer. User
rights apply to the system. They are not the same as permissions, which apply to a specific object. An example of a user right is the Back Up Files And Directories right.
806
Glossary
V virtual server A collection of services (usually a resource group) that may be hosted on mul-
tiple servers in a server cluster. Clients can access the virtual server as though it were a single physical server. volume shadow copy A point-in-time copy (snapshot) of an entire volume on a Windows Server 2003 server. Volume shadow copies are created through the advanced options of Windows Backup. This new functionality enables you to copy open files.
W Windows Backup The utility used to access the Backup Wizard, the Restore Wizard, and Automated System Recovery options. Windows file protection policies These policies are used to specify how Windows file pro-
tection will be configured. Windows Installer A Windows service that provides for the automatic installation of applications through the use of compatible installation scripts. Windows Installer package Special files that include the information necessary to install
Windows-based applications. Windows Script Host (WSH) A utility for running scripts on Windows-based computers. By
default, WSH includes support for the VBScript and JScript languages. Through the use of thirdparty extensions, scripts can be written in other languages. Windows Server 2003 domain functional level See functional levels. Windows Update A utility that attaches to the Microsoft website through a user-initiated process and allows the Windows users to update their operating systems by downloading updated files (critical and non-critical software updates). WINS forward lookup resource record Lists WINS servers to which a name query can be
sent in the event that the query cannot be resolved in DNS. The WINS record only applies to the topmost level of a zone, and does not apply to subdomains within the zone. The WINS resource record follows a specific syntax as follows: owner class WINS [LOCAL] [Lookup_timeout] [Cache_timeout] wins_server_ip WINS-R resource record Used in a reverse lookup zone for reverse queries that were not
found in the DNS zone. Performs the opposite task of the WINS resource record in the same way that the PTR record performs the opposite task of the A record in DNS.
Glossary
807
Z zone Subtree of the DNS database that is considered a single unit. zone delegation Involves assigning authority over portions of a DNS namespace to other zones. The NS record is used to specify a delegated zone and the DNS name of the server that is authoritative for that zone. Used to assign responsibility for a part of a DNS namespace to another organization, workgroup, or department. zone transfer Action in which information is copied from a primary DNS server to a sec-
ondary DNS server.
Index Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.
A A (host) records defined, 792 purpose of, 257 AAS (application assignment scripts) defined, 784 purpose of, 750 About Windows Update option, 47 Accept Unsecured actions, 471 Accept Unsecured Communication, But I always Respond Using IPSec option, 499 access control. See also security for IIS anonymous access, 164–165 for websites, 178–179 access control entries (ACEs), 675–676 access control lists (ACLs), 390, 675–676, 675 Access This Computer From The Network right, 326 accidental deletion, backups for, 684 Account Is Disabled option, 84 account lockout policies Account Lockout Duration policy, 93, 322, 677 Account Lockout Threshold policy, 92, 322 defined, 784 Account Lockout Policy folder, 319 Account Operators group, 107 account policies, 319 defined, 784 Kerberos, 323–324 for lockout, 322–323 for passwords, 320–321 Account Policies template item, 339 Account tab, 91–93, 91
accounts. See computers and computer management; groups and group accounts; user accounts Accounts category, 330 Accounts: RenameAdminister Account setting, 677 ACEs (access control entries), 675–676 ACLs (access control lists), 390, 675–676, 675 Act As Part Of The Operating System right, 326 actions in IPSec filters, 471, 492, 493, 497–500, 498–499 in Terminal Services Manager utility, 220 Actions menu, 220 activation, product, 31–33, 32 Active Desktop option, 215 Active Directory (AD), 667–668 backing up, 683–685, 684 Backup utility for, 685–689 process, 687, 689–692, 690–691 for certificate services, 541 defined, 784 and DNS. See DNS (Domain Name System) domains in. See domains dynamic updates in, 390 event log for, 615–616, 616 exam essentials, 702 forests in. See forests groups in. See Group Policy and GPOs; groups and group accounts installing. See Active Directory installation for IPSec policies, 476, 479
810
Active Directory Domains and Trusts utility – active servers
key terms, 703 linking GPOs to, 719–720, 719, 722, 723 new features for, 5–6 objects in Contact, 670 locating, 126–128, 127–128 moving, 128–129, 129 PKI with, 566 replicating, 396, 784 restoring, 692–701, 696–700 review question answers, 709–710 review questions, 704–708 security for, 668–669 ACLs and ACEs, 675–676, 675 Group Policy for, 676–680, 678–680 permissions, 673–675, 674 security principals, 669–673, 672–673 smart card authentication, 680–683 summary, 701–702 SUS clients in, 59–61, 59–61 trees in. See trees user accounts in. See user accounts Active Directory Domains and Trusts utility, 618 for trusts, 649, 649 for UPN suffixes, 655, 655 Active Directory installation preparation for, 601 DNS planning and installing, 601–604, 603–604 domain functional levels, 607–609 domain structure, 609–610 file system verification, 604–605 network connectivity verification, 605–607 process, 610–615, 611–615 verifying, 615 administrative tools for, 618, 618 clients for, 618–620, 619 Event Viewer for, 615–617, 616
Active Directory Installation Wizard (DCPROMO) for Active Directory installation, 610–615, 611–615 defined, 784 for demoting domain controllers, 647, 647 for trees joining to forests, 640–644, 641–644 new, 633–640, 634–640 for Windows 2003 Server installation, 20–23, 21–24, 27 Active Directory-Integrated (ADI) zones benefits of, 255, 265 characteristics of, 389 defined, 784 Active Directory Migration Tool (ADMT), 131–132 Active Directory Services Interface (ADSI), 622, 622 Active Directory Sites and Services utility, 618 for certificate templates, 561–562, 561–562 for GC servers, 655 for GPOs, 714 for site licenses, 39, 39 Active Directory Users and Computers (ADUC) utility, 618 for computer accounts, 118–119 defined, 784 for GPOs, 714, 720 for groups, 113, 673 for Manage Your Server, 369 for permissions, 674 for Remote Desktop for Administration, 511 for roaming profiles, 97 for RSoPs, 737 for Terminal Services, 216–218, 217–218 for users, 82–85, 83, 309 active servers, backing up, 693
AD – /all option in ipconfig
AD. See Active Directory (AD) Add/Edit Port Rule dialog box, 445, 445 Add Memory Quotas For A Process right, 326 Add Monitored Server Wizard, 288–289 Add Or Remove Programs applet for application categories, 766 for Configure Your Server Wizard, 367 defined, 784 for IIS, 166 for Terminal Services, 203 for Terminal Services servers, 225 Add/Remove Snap-In dialog box for Certificates, 681 for Group Policy Object Editor, 485 for IP Security Policy Management, 481–482, 481 for Local Group Policy, 319 for Security Configuration and Analysis, 341–342 for SUS clients, 59 Add/Remove Templates dialog box, 722, 722 Add/Remove Windows Components for CAs, 547 for IIS, 166 for Terminal Services, 203, 222 Add ShadowStorage command, 162 Add Standalone Snap-In dialog box for Certificates, 681 for Group Policy Object Editor, 486, 715, 715 for IP Security Policy Management, 481–482, 481 for SUS clients, 59 Add Upgrade Package dialog box, 758, 758 Add User Or Group dialog box, 82 Add Users dialog box, 44, 44 Add Workstations To Domain right, 326 Address tab, 89, 90 addresses for IP filter lists, 496, 497 for users, 89, 90
811
Addresses tab, 496, 497 ADI (Active Directory-Integrated) zones benefits of, 255, 265 characteristics of, 389 defined, 784 Admin Service, 164 administrative inconsistency from multiple domains, 628 administrative templates, 317, 720–722, 722 Administrator account, 79, 309 defined, 784 DNS zone permissions for, 390 Administrator template, 543 Administrators group, 108 ADMT (Active Directory Migration Tool), 131–132 ADSI (Active Directory Services Interface), 622, 622 ADUC. See Active Directory Users and Computers (ADUC) utility Advanced Attributes dialog box, 685, 686 Advanced Restore Options page, 698, 698 Advanced Security Settings, 213, 214 Advanced Simulation Options page, 742, 742 Advanced tab for DNS servers, 269 for searches, 127, 127 for software installation, 764, 764 advertising in Windows Installer, 749–750 Affinity options, 445–446 AHs (Authentication Headers) defined, 785 in IPSec, 465, 468–469, 469 algorithms for CAs, 549 defined, 784 in PKI, 532–533 alias records, 257–258 /all option in ipconfig, 293, 605
812
Allow Certificates To Be Published To The File System option – asynchronous
Allow Certificates To Be Published To The File System option, 558 Allow Dynamic Updates field, 274 Allow Log On Locally Properties dialog box, 82 Allow Log On Locally right, 326 Allow Log On Through Terminal Services right, 327 Allow Unsecured actions, 471 Allow Unsecured Communication With Non IPSec-Aware Computer option, 499 Allow Users To Continue To Use The Software, But Prevent New Installations option, 767 Allow Zone Transfers option, 277 Always Allow Use Of Recognizable Media Without Prompting option, 152 Always Install With Elevated Privileges option, 767 anonymous access in IIS, 164 for websites, 178 Anonymous Logon group, 112 application assignment scripts (AAS) defined, 784 purpose of, 750 application data partitions, 621 creating, 621–623 defined, 784 managing replicas, 623–624 ntdsutil for, 624–626, 627 removing replicas, 624 Application log, 617 Application Server dialog box, 166, 166 Application Service Provider (ASP) model, 771 application services, new features for, 8–9 applications. See also software; software deployment assigning, 751–752, 754–756, 754–756 categories of, 765–766, 766
installation issues with, 748 in server availability, 420 in server clusters, 424–425 on Terminal Services servers, 225–226 website settings for, 177 Apply Group Policy For Users Asynchronously During Startup policy, 334 Apply Static Routes option, 102 Applying Selections page, 367 applying software updates, 757–759, 757–758 Approval Log screen, 56, 56 Approve Updates screen, 55, 55 ASP (Application Service Provider) model, 771 ASR (Automated System Recovery) utility for cluster recovery, 449 defined, 785 in installation, 18 working with, 155–157 Assign a Static IP Address option, 102 Assign This Computer Account As A Backup Domain Controller option, 119 Assign This Computer Account As A Pre-Windows 2000 Computer option, 119 assigning applications, 751–752, 754–756, 754–756 defined, 785 IPSec policies, 488 permissions to templates, 561–562, 561–562 script policies, 729–730, 730–731 assistance, Remote Assistance. See Remote Assistance asterisks (*) in nslookup, 291 asymmetric encryption defined, 785 in PKI, 532 asynchronous replication, 437–438
at sign symbols (@) in zone files – Background Intelligent Transfer Services (BITS)
at sign symbols (@) in zone files, 256 attributes in backups, 685, 686 for certificates, 542–543 defunct, 608 AU domain, 253 Audit category, 330 audit policies defined, 785 setting, 324–326 AUOptions key, 58 Authenticated Session template, 543 Authenticated Users groups description, 112 DNS zone permissions for, 391 authentication for default response rules, 484 defined, 785 in IPSec, 463–465, 471–473 in PKI, 531 reverse lookup files for, 260 smart card, 680–683 SSL for, 165 troubleshooting, 105–106 for websites, 178–179 Authentication Headers (AHs) defined, 785 for IPSec, 465, 468–469, 469 Authentication Method page, 508, 508 Authentication Methods dialog box, 178–179, 179 Authentication Methods tab, 493, 494 authoritative restore mode, 700 authoritative restores defined, 785 process, 692–701, 696–700 Autoenrollment Settings policy, 733 Autoenrollment Settings Properties dialog box, 734, 734 automated operations certificate enrollment, 562–564, 563–564, 732–734, 734 installations, 749 local printer support, 199
813
Terminal Services Licensing connections, 223 for users, groups, and computers, 130–131 Automated System Recovery (ASR) utility for cluster recovery, 449 defined, 785 in installation, 18 working with, 155–157 Automated System Recovery Preparation Wizard, 156 Automated System Recovery Wizard, 155–157 Automatic Certificate Request Wizard, 563–564, 564 Automatic Update feature defined, 785 operation of, 48–49, 48 for SUS clients, 58–59 automatic updates in Group Policy, 759–763, 760–762 Automatic Updates tab, 48–49, 48 Automatically Download The Updates option, 48 Automatically Select The Certificate Store Based On The Type Of Certificate option, 586 availability defined, 785 in NLB clusters, 420 server. See server availability AXFRs (full zone transfers), 264–265, 396, 791
B Back Up Files And Directories right, 327 Back Up The Contents Of Mounted Drives option, 152 Back Up To This Location field, 554 Background Intelligent Transfer Services (BITS), 48
814
Backup and Recovery Wizard – Bypass Traverse Checking right
Backup and Recovery Wizard, 449 Backup Domain Controllers (BDCs), 610 Backup Log tab, 154 Backup Operators group, 108 Backup Or Restore page, 145, 145, 696, 696 Backup Or Restore Wizard, 684 for Active Directory, 690–692, 690–691 for backups, 144–148, 144–146 defined, 785 for restoring, 695–698, 696–698 Backup Progress dialog box, 147–148, 147, 150 Backup Type, Destination, And Name page, 146, 146, 148–150, 691, 691 Backup Type tab, 152–154, 153 Backup utility, 143–144, 684, 684 Automated System Recovery with, 155–157 backup options Backup Type tab, 152–154, 153 Exclude Files tab, 154–155, 155 General tab, 151–152, 151 Restore tab, 152, 153 Backup Or Restore Wizard for Active Directory, 690–692, 690–691 for backups, 144–148, 144–146 defined, 785 for restoring, 695–698, 696–698 backup types in, 685–687, 686 defined, 785 for restoring, 689, 695–701 scheduling in, 687–689, 688 for shadow copies, 157–162, 159–161 for System State data, 148–151, 687, 688, 689 backups Active Directory, 683–685, 684 Backup utility for, 685–689
process, 687, 689–692, 690–691 CA, 553–554, 553 for cluster node failure recovery, 446–447 cryptographic keys, 647 IIS, 183–184, 183–184 for large active servers, 693 scheduling, 687–689, 688 System State data, 148–151, 687, 688 types of, 685–687, 686 bandwidth throttling defined, 785 in SUS, 372 for websites, 173–174 Basic Authentication (Password Is Sent In Clear Text) option, 179 Basic constraints attribute, 542 Basic EFS template, 543 Batch group, 112 BDCs (Backup Domain Controllers), 610 bidirectional trusts, 648–649, 648 BIND (Berkeley Internet Name Daemon) defined, 786 in DNS, 263–266 BITS (Background Intelligent Transfer Services), 48 Block actions, 471 Block Inheritance option, 316–317 boot files backing up, 687 for zones, 260–261 bottlenecked servers, 429 Browse For A Group Policy Object dialog box, 486, 486 built-in users, 79–80 Builtin folder, 107–109 bus architecture in Terminal Services, 203 business requirements in server clusters, 424–425 Bypass Traverse Checking right, 327
CA domain – Certificate Template page
C CA domain, 253 CA Identifying Information page, 549, 549 CA Properties dialog box, 565 CA Type page, 547–548, 548 cache command for boot files, 260 Cache_timeout field, 393 caching and forwarding in DNS, 262–263, 399 caching-only servers, 268, 268, 399 conditional forwarders, 400–401 forward-only servers, 402 for zones, 260, 400 caching-only servers, 268, 268, 399, 786 Callback Options option, 102 CALs (Client Access Licenses) defined, 786 for Per Seat licensing, 34–35, 34 canonical names (CNAMEs), 257–258, 787 capacity of server clusters, 428–430, 429–430 of servers, 403–404 CAs (certificate authorities), 535–538, 733 backing up, 553–554, 553 certificate templates for, 560–564, 561–564 installing, 547–551, 548–551 planning, 572–573 properties for Exit Module tab, 558–559, 558 General tab, 556, 557 Policy Module tab, 556, 557 Security tab, 559–560, 560 Storage tab, 559, 559 renewing, 555, 556 restoring, 554–555, 555 roles for, 539 stand-alone, 538–539, 564–565 starting and stopping services for, 553
815
switching, 552–553 trusts for, 565–572, 567–568, 570–571 types of, 538–539 Web enrollment agents for, 580–582, 581–582 categories security option, 330 in software deployment, 765–766, 766, 769 Categories tab, 765–766, 766 Cert Publishers group, 109 certificate authorities. See CAs (certificate authorities) Certificate Database Settings page, 550, 550 Certificate Export Wizard, 583–585, 584 Certificate Friendly Name And Description page, 580, 580 Certificate Import Wizard, 585–587, 586–587 Certificate Issued page, 582 Certificate Path tab, 576–577, 577 certificate practices statements (CPSs), 536 defined, 786 purpose of, 575–576 Certificate Renewal Wizard, 582–583 Certificate Request Wizard, 579–580, 579–580, 682 certificate revocation lists (CRLs), 535, 565–566 defined, 786 delta, 572 distribution points for, 572 publishing, 570–572, 571 Certificate Services. See certificates and Certificate Services Certificate Store page, 586–587, 587 certificate stores defined, 786 settings for, 586–587, 587 Certificate Template page, 563, 564
816
certificate templates – Client Compatible encryption option
certificate templates configuring, 560–564, 561–564 in PKI, 733 Certificate Templates folder, 552 Certificate Templates snap-in, 551 Certificate Trust List Purpose page, 567, 567 Certificate Trust List Wizard, 567–569, 567–568 Certificate Trust Lists (CTLs), 565–566 creating, 567–569 defined, 786 purpose of, 542 Certificate Types page, 578–579, 579 certificates and Certificate Services, 530–531, 534–535, 573 attributes for, 542–543 Certificates snap-in for, 551, 573–574, 574, 681 Certification Authority snap-in for, 551–552, 551 enrolling in Group Policy, 732–734, 734 exam essentials, 588–589 exporting, 583–585, 584 hierarchy of, 536, 537, 786 importing, 585–587, 586–587 in IPSec, 472–473 key terms, 590 mapping, 467 operation of, 540, 540 and PKI. See PKI (public key infrastructure) properties for, 574–575 Certificate Path tab, 576–577, 577 Details tab, 576, 576 General tab, 575–576, 575 publication methods for, 540–541 purpose of, 577–578 rekeying, 582 renewing, 582–583 requesting, 578–582, 579–582 review question answers, 596–597 review questions, 591–595
revoking, 569–572, 570–571 servers for, 546 controlling CA service in, 552–556 installing, 546–552, 548–551 smart cards, enrollment stations for, 681–683 summary, 587 templates for, 543–544 configuring, 560–564, 561–564 in PKI, 733 Certificates in the CTL page, 568, 568 Certificates snap-in, 551, 573–574, 574, 681 Certification Authorities page, 564 Certification Authority Backup Wizard, 553–554, 553 Certification Authority page, 580 Certification Authority Restore Wizard, 554–555, 555 Certification Authority snap-in, 551–552, 551 chained installation, 46 Change The System Time right, 327 changing user passwords, 88–89 child CAs, 538 Child Domain Installation page, 636, 636 child domains, 630, 630 Choose Licensing Mode dialog box, 37–38, 37, 41, 41, 45 Choose Setup Type dialog box, 52 CIPHER utility, 786 ciphers, 530 ciphertext defined, 786 in PKI, 532 Class-C affinity options, 446 Class field, 393 CLB (Component Load Balancing), 420 clean installs vs. upgrades, 16 Client Access Licenses (CALs) defined, 786 for Per Seat licensing, 34–35, 34 Client Compatible encryption option, 207
Client Connection Manager – Completing The Microsoft Software Update Services
Client Connection Manager, 199 client license key packs defined, 786 installing, 224 Client (Respond Only) policy, 475 Client Settings tab, 210–211, 211 clients Active Directory installation testing from, 618–620, 619 DNS, 253–255 defined, 789 dynamic updates from, 390 GPOs for, 317 IPSec, 463, 793 for Remote Desktop, 230–234, 231–234 for shadow copies, 160–162, 161 in SUS in Active Directory networks, 59–61, 59–61 in non-Active Directory networks, 58 requirements for, 57 Terminal Services, 201–202, 210–211, 211 testing access to, 605 Clients tab, 42–43, 43 clipboard redirection, 199 cloned applications defined, 787 multiple-instance, 425, 425 cluster-aware applications, 424, 787 cluster disks backing up, 446–447 recovering, 447 cluster hosts defined, 787 in server clusters, 423 Cluster IP Addresses tab, 444, 444 cluster node failure recovery, 446 backups for, 446–447 process, 447–449 cluster nodes, 15, 447 backing up, 447 requirements for installation, 15
817
Cluster Parameters tab, 443, 443 cluster quorum data backing up, 447 recovering, 447 Cluster Service defined, 787 support for, 423 clusters, servers. See server clusters CNAMEs (canonical names), 257–258, 787 Code Signing template, 543 COM+ Class Registration database backups, 687 Com domain, 252 Common.adm administrative template, 720 Common Name field, 549 compatibility hardware, 15 system, 16 compatibility scripts defined, 787 for Terminal Services servers, 226 Compatible (Compatws.inf) template, 338 complete cluster failure, recovery from, 449 Completing The Active Directory Installation Wizard dialog box, 23, 27 Completing The Automatic Certificate Request Setup Wizard page, 564 Completing The Backup Or Restore page, 697, 697 Completing The Backup Or Restore Wizard dialog box, 146–147, 691, 691, 699, 699 Completing The Backup Wizard dialog box, 149–150 Completing The Certificate Import Wizard page, 587 Completing The IP Security Policy Wizard page, 505 Completing The Microsoft Software Update Services Setup Wizard dialog box, 52
818
Completing The Network Identification Wizard dialog box – copy backups
Completing The Network Identification Wizard dialog box, 30–31 Completing The Resultant Set Of Policy Wizard page, 741, 744 Completing The Security Rule Wizard page, 508 Completing The Windows Components Wizard dialog box, 166, 222 Component Load Balancing (CLB), 420 Compute Selection Information Before Backup And Restore Operations option, 151 computer certificates, 732–734, 734 Computer Configuration Properties dialog box, 739 Computer Name And Administrator Password dialog box, 19, 26, 29 Computer Name Changes dialog box, 31, 119–120, 120 Computer Name field, 118 Computer Name tab, 119–121, 119 Computer Network Options settings, 731 Computer Selection page, 737, 737, 741 Computer template, 543 computers and computer management accounts for in Active Directory, 670 creating, 117–121, 118–120 properties for, 121–124 resetting, 124–125 troubleshooting, 125–126 automation for, 130–131 exam essentials, 132–133 key terms, 133 locating, 128, 128 review question answers, 139–140 review questions, 134–138 summary, 132 conditional forwarders, 400–401, 787 Conf.adm template, 317, 720 confdisk utility, 448 confidentiality defined, 787 in PKI, 531
Configuration Backup dialog box, 184, 184 Configuration Backup/Restore dialog box, 183, 183 Configure A DNS Server Wizard, 273 Configure Automatic Updates Properties dialog box, 59–60, 60, 761, 761 Confirm Password option, 83Configure Your Server Wizard, 365–367, 366, 603 conflicts in GPOs, 316 in Windows Installer, 749 Connect action, 220 Connecting To The Network dialog box, 30 Connection command, 625 Connection Method page, 223, 223 Connection Timeout setting, 173 Connection Type tab, 494, 494 connection types defined, 787 in IPSec, 474, 494, 494 connections for websites, 175 connectivity, verifying in Active Directory installation, 605–607, 619 in software deployment, 769 consistency in software deployment, 770 Contact e-mail field, 256 contacts groups for, 670 locating, 126–127 content of websites settings for, 175, 180 verifying location of, 185 Control Access permission, 674 Control Panel for application categories, 766 for Remote Assistance, 512 for Remote Desktop, 229 for SUS clients, 58 copy backups defined, 787 description, 154, 685
Copy To dialog box – DCPROMO (Active Directory Installation Wizard)
Copy To dialog box, 96–98, 96 copying user profiles, 99 corrupted applications, Windows Installer for, 749 Country/Region Selection dialog box, 224 CPSs (certificate practices statements), 536 defined, 786 purpose of, 575–576 CPU requirements, 14 Create A Pagefile right, 327 Create A Token Object right, 327 Create Child permission, 674 Create NC command, 625 Create New Domain page, 21, 22, 26, 611, 611, 635, 635, 641, 641 Create Permanent Shared Objects right, 327 Create Shadow command, 162 Create Shortcut dialog box, 95, 98 Creator group defined, 787 description, 111 Creator Owner group description, 111 DNS zone permissions for, 391 CRL Publishing Parameters tab, 570, 571 CRLs (certificate revocation lists), 535, 565–566 defined, 786 delta, 572 distribution points for, 572 publishing, 570–572, 571 cross-forest trusts defined, 787 for multiple domains, 649 cryptographic keys, backing up, 647 Cryptographic Service Provider page, 579, 579 cryptography, 530, 787. See also encryption CSPs (cryptographic service providers), 541
819
CTLs (Certificate Trust Lists), 565–566 creating, 567–569 defined, 786 purpose of, 542 Custom Errors tab, 181–182, 182 Custom Security Method Settings dialog box, 501, 501 customized failover policies, 433
D DACLs (discretionary access control lists) defined, 788 for zones, 390 daily backups, 686 defined, 788 description, 154 data location for zones, 388–389 Database And Log Folders page, 21, 22, 27, 613, 613, 637, 637, 642 database files migrating, 265–266 for zones, 259–261 database records. See resource records (RRs) Datacenter Edition features in, 12–13 hardware requirements for, 14–15 Date And Time Settings dialog box, 20, 26, 29 DC Security.inf (dedicated domain controller) template, 339 DCPROMO (Active Directory Installation Wizard) for Active Directory installation, 610–615, 611–615 defined, 784 for demoting domain controllers, 647, 647 for trees joining to forests, 640–644, 641–644 new, 633–640, 634–640 for Windows 2003 Server installation, 20–23, 21–24, 27
820
DDNS (Dynamic DNS) standard – Dependencies tab
DDNS (Dynamic DNS) standard defined, 789 purpose of, 255 Debug Logging tab, 285, 285 Debug Programs right, 327 decentralized administration, multiple domains for, 628 decryption defined, 788 in PKI, 532 dedicated domain controller (DC Security.inf) template, 339 Default CSP list attribute, 542 Default Domain Controller Security Settings dialog box, 82 Default Domain Policy Properties dialog box, 680, 680 Default Quota Limit And Warning Level policy, 334 Default Response Rule Authentication Method page, 484, 485 Default security (Setup security.inf) template, 338 Default WebSite Properties dialog box, 182 defaults CA request actions, 564 domain groups, 107–113 in IPSec policies, 474–477 response rules, 483–484, 484 traffic exemptions, 467 for packages, 763, 764 website documents, 177 website properties, 182, 183 zone permissions, 390–391 defunct schema classes and attributes, 313, 608 delegated namespaces, 386, 788 delegation of administrative control, 314–315, 726–727, 727
of computer security, 122–123, 123 defined, 788 of zones, 279–280, 280, 397–399 Delegation Of Control Wizard, 726–727, 727 delegation resource records defined, 788 in stub zones, 400 Delegation tab, 122–123, 123 Delete Cached Copies Of Roaming Profiles policy, 332 Delete Child permission, 674 Delete NC command, 625 Delete Shadows command, 162 Delete ShadowStorage command, 162 Delete Temporary Folders On Exit option, 215 Delete The Private Key If The Export Is Successful option, 584 Delete Tree permission, 674 deleted accounts in authentication, 105 deleting certificates, 566 programs, 747–748, 766–767, 766–767 replicas, 624 shadow copies, 162 user accounts, 86–87 delta CRLs, 572 demoting domain controllers, 646–647, 647 Deny Access To This Computer From The Network right, 327 Deny Log On Through Terminal Services right, 327 Deny Logon As A Batch Job right, 327 Deny Logon As A Service right, 327 Deny Logon Locally right, 327 Dependencies tab, 345–346, 346
Deploy Software dialog box – DNS (Domain Name System)
Deploy Software dialog box, 755–756, 755 deploying IPSec policies, 484–488, 485–487 software. See software deployment Deployment tab, 756, 756 Description tab, 496 destination addresses for IP filter lists, 496 Detailed option for backups, 155 Devices category, 330 dfs support, Terminal Services for, 199 DHCP (Dynamic Host Configuration Protocol), 255 DHCP Administrators group, 110 DHCP servers, 363 DHCP Users group, 110 Dial-in tab for computer accounts, 124, 125 for user accounts, 102, 103 Dialup group, 112 differential backups, 685, 686 defined, 788 description, 154 Diffie-Hellman algorithm, 473 Digest Authentication For Windows Domain Servers option, 179 digests defined, 788 for digital signatures, 533 digital certificates. See certificates and Certificate Services digital signatures for authenticity, 533–534 defined, 788 Direction Of Trust page, 652, 652 Directory Browsing permission, 177 directory command, 260 Directory Security tab, 177–180, 178 Directory service log, 617 Directory Services Restore Mode defined, 788 for System State data, 149, 689
821
Directory Services Restore Mode Administrator Password page, 23, 24, 27, 614, 614, 639, 639 Disable All Purposes For This Certificate option, 577 Disable Media Source For Any Install option, 768 Disable Rollback option, 768 disabled accounts in authentication, 105 Disabling option for NLB, 445 disabling user accounts, 86–87 Disconnect action, 220 discrepancies, security, 340–342, 341 discretionary access control lists (DACLs) defined, 788 for zones, 390 disk drives for Terminal Services, 203 for Windows XP Professional, 28 Disk Quota Policy Processing policy, 335 disk quotas, 333–334, 789 Display name attribute, 542 Display Properties dialog box, 95 Display tab, 232, 232 /displaydns option in ipconfig, 293 Distinguished Name Suffix field, 549 distribution groups, 107 in Active Directory, 669, 671 defined, 789 Distribution option, 114 distribution points for CRLs, 572 in software deployment, 769 DNS (Domain Name System), 250–251 clients for, 253–255 defined, 789 dynamic updates from, 390 database file migration in, 265–266 defined, 789 dynamic, 255 environment for, 601–602
822
DNS proxies – domain local groups
exam essentials, 295–296 installing, 602–604 for Internet, 252–253 key terms, 296 monitoring, 283 with DNS snap-in, 283–285, 284–285 with Event Viewer, 286–287 with Replication Monitor, 287–289 with System Monitor, 285–286 name resolution in, 261–264, 262 namespaces in, 385–387, 789 operation of, 251–253, 251 planning. See planning DNS politics in, 282–283 resolvers in, 253–254 resource records in. See resource records (RRs) review question answers, 303–305 review questions, 297–302 security for, 404–406 servers for, 362 capacity planning, 403–404 configuring, 268–269, 268, 273 defined, 789 general requirements, 403 installing, 267–268, 267, 272–273 manual resource record creation for, 280–282, 281–282 number of, 404 placement of, 403–404 securing, 404–406 zones in. See zones summary, 294 troubleshooting, 289–294 and Windows Server 2003, 254–255 WINS integration with, 392–394 zones in. See zones DNS proxies defined, 789 security for, 278 DNS Registration Diagnostics page, 22, 23, 27, 638, 638 DNS server log, 617
DNS snap-in, 267 for monitoring DNS, 283–285 for zone delegation, 279 DnsAdmins groups description, 110 DNS zone permissions for, 391 DnsUpdateProxy group, 110 Do Not Detect Slow Network Connections policy, 332 Do Not Trust This Computer For Delegation option, 123 Documents tab, 177, 178 Domain Admins groups description, 110 DNS zone permissions for, 391 Domain Computers group, 110 Domain Controller: Allow Server Operators To Schedule Tasks setting, 677 Domain Controller category, 330 Domain Controller Security Policy tool, 714 Domain Controller template, 544 Domain Controller Type page, 21, 21, 26, 611, 611, 634, 634, 641, 641 domain controllers adding, 644–646 defined, 789 demoting, 646–647, 647 multiple domains for, 626 placement of, 645 promoting, 610–615, 611–615 for server clusters, 439–440 servers for, 362 upgrading servers to, 20–23, 21–24 Windows 2003 Server installation as, 24–27 Domain Controllers group, 110 Domain Guests group, 110 domain license servers, 221 domain local groups, 106, 310 defined, 789 scope changes for, 673 uses for, 671
Domain Local option – Encapsulating Security Payload (ESP)
Domain Local option, 114 Domain Member category, 330 domain name files, 259 Domain Name System. See DNS (Domain Name System) domain policies, 311, 789 Domain Security Policy tool, 714 domain users, 309, 789 Domain Users group, 110 domains, 311. See also Active Directory (AD); domain controllers defined, 789 forests in. See forests functional levels, 312–314, 607–609 joining, 620 key terms, 659 multiple. See multiple domains names in. See DNS (Domain Name System) promoting, 633 renaming, 312, 314, 609 review question answers, 664–665 review questions, 660–663 structure of, 609–610 summary, 656–657 trees in. See trees for websites, 180 Domains/OUs tab, 716, 716 Don't Run Specified Windows Applications Properties dialog box, 718 Download A CA Certificate, Certificate Chain, Or CRL task, 580 Download The Updates Automatically option, 48 Dsadd utility, 130 Dsget utility, 130 Dsmod utility, 131 Dsmove utility, 131 Dsquery utility, 131 dual authentication, 472 dual-boot computers with shadow copies, 162
823
Dynamic DNS (DDNS) standard defined, 789 purpose of, 255 Dynamic Host Configuration Protocol (DHCP), 255 dynamic updates, 271 methods for, 389–390 zones for, 278–279
E E-Mail name attribute, 543 Edit Rule Properties dialog box, 492–495, 492–494, 500–501, 503, 503 editing certificates, 566 licensing groups, 45 Edu domain, 252 EFS (Encrypting File System) defined, 790 as PKI-aware application, 535 EFS Recovery Agent template, 544 EFS Recovery Policy Processing policy, 335 elevated privileges in Windows Installer, 749, 767 Enable All Purposes For This Certificate option, 577 Enable Computer And User Accounts To Be Trusted For Delegation right, 327 Enable Disk Quotas policy, 334 Enable Logging option, 173 Enable Only The Following Purposes option, 577 Enable Shadow Copies dialog box, 158–160, 159 Enable Strong Protection option, 584 enabling Remote Assistance, 237 Encapsulating Security Payload (ESP) defined, 790 for IPSec, 465, 469, 469
824
Encrypt Backup Using Password option – Experience tab
Encrypt Backup Using Password option, 184 Encrypting File System (EFS) defined, 790 as PKI-aware application, 535 encryption defined, 790 in IPSec authentication, 465 in ISAKMP, 469 in PKI, 532 SSL for, 165 in Terminal services, 207 for Zone Transfers tab, 397 Encryption Level list, 207 End Process action, 220 End-User License Agreement dialog box, 52 Enforce Disk Quota Limit policy, 334 Enforce Password History policy, 80, 320, 677 Enforce User Logon Restrictions policy, 323 enrolling user and computer certificates, 732–734, 734 Enrollment Agent template, 544 enrollment stations for smart cards, 681–683 Enterprise Admins group description, 110 DNS zone permissions for, 391 enterprise CAs, 538 Enterprise Domain Controllers groups, 391 Enterprise Edition features in, 12–13 hardware requirements for, 14–15 enterprise license servers, 220 enterprise root CAs, 539 Enterprise Trust folder, 567, 574 entities, 790 Environment tab in Active Directory Users And Computers, 216, 217 in Terminal Services Configuration, 208–209, 209
Error Information tab, 739, 739 ESP (Encapsulating Security Payload) defined, 790 for IPSec, 465, 469, 469 Event IDs, 286–287 Event Log security templates item, 339 Event Logging tab, 283, 284 Event Viewer utility for Active Directory installation, 615–617, 616 for audit policies, 324 for DNS, 286–287 Everyone group description, 112 DNS zone permissions for, 391 exam essentials Active Directory, 702 certificate services, 588–589 computer management, 132–133 DNS, 295–296 domains, 657–658 group management, 132–133 Group Policy, 772–773 for installation, 67 for license management, 67 network security, 518 planning DNS, 407 remote management, 241 security policy, 347 server availability, 450–451 server roles, 376 system recovery and web services, 186 for updating, 67 user management, 132–133 Exchange Enrollment Agent template, 544 Exchange User template, 544 Exclude Files tab, 154–155, 155 Execute Permissions option, 177 Exit Module tab, 558–559, 558 exit modules for CAs, 558–559, 558 defined, 790 in PKI, 541–542 Experience tab, 233, 234
expiration – Folder Redirection Policy Processing policy
expiration of user accounts, 93 of website content, 180 Expiration time field, 256 Expires After field, 275 Export File Format page, 583–584, 584 Export Private Key page, 583 exporting certificates, 583–585, 584 IPSec policies, 488 Extended key usage attribute, 543 extension mappings, 765, 765 extensions, certificate, 542 external trusts, 649, 790
F failback defined, 790 in server clusters, 423 Failed Requests folder, 552 failover defined, 790 policies for, 430–433, 431–432 process, 421 in server clusters, 423 failover pairs configuration defined, 790 for server clusters, 432–433, 432 failures in server availability, 420–421 fault tolerance defined, 790 domain controllers for, 644–645 in NLB clusters, 420 shadow copies for, 158 FC-SW (switched Fibre Channel fabric), 426 file and print services, 6–7 file conflicts, 749 file deployment policies, 311 file extensions defined, 790 mapping, 765, 765 File Extensions tab, 765, 765
825
file servers, 361 File System security templates item, 339 file system verification, 604–605 File To Import page, 585, 586 File Transfer Protocol (FTP) defined, 790 purpose of, 163 Filter Action page, 507, 507 Filter Action tab, 492, 493 filter actions in IPSec adding, 497–500, 498–499 defined, 790 settings for, 492, 493 types of, 471 filter lists in IPSec, 491 adding, 495–497, 495–497 defined, 791 settings for, 492, 492 for tunnels, 502, 502 working with, 470–471 Filter Properties dialog box, 501 filtering, 723 defined, 791 GPOs, 723–729, 724–725, 728 Find Computers dialog box, 128, 128 Find Users, Contacts, And Groups dialog box, 126–128, 127 finding Active Directory objects, 126–128, 127–128 FIPS Compliant encryption option, 207 firewalls with Remote Assistance, 236, 514 First Name field, 83 fixes, 370 /fixquorum option for Cluster Service, 448 flexibility with multiple domains, 628 /flushdns option in ipconfig, 293 folder redirection defined, 791 with Group Policy, 734–736, 735–736 Folder Redirection Policy Processing policy, 335
826
Force Shut Down From A Remote System right – Group Policy and GPOs
Force Shut Down From A Remote System right, 328 forcing IPSec group policy updates, 488 forests joining trees to, 640–644, 641–644 planning, 629–633, 630, 632 trusts for, 313, 609 using, 631–633, 632 forward lookup zones, 269–271, 271 forward-only servers defined, 791 planning, 402 forwarding in DNS, 400–402 four-node clusters, 429–430, 429–430 FQDNs (fully qualified domain names), 251, 290 FTP (File Transfer Protocol) defined, 790 purpose of, 163 Full Control permissions, 212 Full Name field, 83 full zone transfers (AXFRs), 264–265, 396, 791 fully qualified domain names (FQDNs), 251, 290 functional levels in Active Directory, 312–314, 607–609 defined, 791
G GCs (Global Catalogs) for multiple domains, 654–656, 656 purpose of, 632–633 replicating, 313, 608 for universal groups, 672 General tab for backups, 151–152, 151 for CAs, 556, 557 for certificates, 575–576, 575 for computer accounts, 121, 121 for groups, 114, 114
for IPSec policies, 489–491, 490 for packages, 763, 764 for Remote Desktop Connection, 231, 231 for services, 343–344, 344 for Terminal Services Configuration Utility, 206–208, 206 for users, 89, 90 for zones, 274, 274 Generate Security Audits right, 328 Get Help And Support option, 47 Global Catalogs (GCs) for multiple domains, 654–656, 656 purpose of, 632–633 replicating, 313, 608 for universal groups, 672 global groups, 106, 310, 671 defined, 791 scope changes for, 673 Global option, 114 glue address resource records defined, 791 in stub zones, 400 Gov domain, 252 Gpedit.msc utility, 318 GPO Properties dialog box, 723–726, 724–725 GPOs. See Group Policy and GPOs gpresult.exe utility, 737 defined, 791 for Group Policy, 744–745 GPT (GUID partition table) disks, 423 gpupdate utility, 321 group affinity defined, 791 for server clusters, 433 Group nesting functional level, 313, 608 Group Policy and GPOs, 310, 318, 676–680, 678–680, 712–713 in Active Directory, 311–317 administrative templates for, 720–722, 722 automatic certificate enrollment in, 732–734, 734
Group Policy Creator Owners group – GUID partition table (GPT) disks
automatic updates in, 759–763, 760–762 for CAs, 562–564, 563–564 for clients, 317 creating, 311, 677, 714–719, 715–717 defined, 791 delegating control of, 726–727, 727 exam essentials, 772–773 filtering, 723–726, 724–725 for folder redirection, 734–736, 735–736 inheritance in, 727–729, 728 for IPSec, 466, 478, 486 key terms, 774 linking to Active Directory, 719–720, 719, 722, 723 managing, 722–723 for network configuration, 731–732, 732 policies for, 334–335 for Remote Assistance, 514–516, 515–517 review question answers, 781–782 review questions, 775–780 script policies for, 730–731 for security, 676–680, 678–680 for smart cards, 683 in software deployment. See software deployment strategy for, 713 summary, 772 troubleshooting, 736–737 gpresult.exe command, 744–745 RSoP in Logging mode, 737–741 RSoP in Planning mode, 741–744, 742–743 Group Policy Creator Owners group, 110 Group Policy Object Editor, 715, 717–718, 717 for deployment, 756
827
for IPSec policies, 486 for SUS clients, 59 Group Policy Objects. See Group Policy and GPOs Group Policy Refresh Intervals For Computers policy, 334 Group Policy Refresh Intervals For Domain Controllers policy, 335 Group Policy Slow Link Detection policy, 335 Group Policy tab, 678, 678, 680 for inheritance, 727–729, 728 for publishing, 754, 754 Group Policy Test Properties dialog box, 719, 719 groups and group accounts, 106, 310 in Active Directory, 669 automation for, 130–131 creating, 113–114 default, 107–113 defined, 791 effective use of, 676 exam essentials, 132–133 Group Policy for. See Group Policy and GPOs IIS access control for, 164 key terms, 133 licensing, 44–45, 44 locating, 126–127 membership in, 102, 102, 116–117, 117, 121, 122 properties for, 114–116, 114–116 review question answers, 139–140 review questions, 134–138 scope of, 106–107, 671–673, 672–673, 792 summary, 132 types of, 106–107, 670–671, 792 Guest Access permissions, 213 Guest account defined, 792 purpose of, 80, 309 Guests group, 108 GUID partition table (GPT) disks, 423
828
HAL (Hardware Abstraction Layer) – IIS (Internet Information Server)
H HAL (Hardware Abstraction Layer), 792 hands-on exercises setup, 24 installing Windows Server 2003 for, 24–27 installing Windows XP Professional for, 27–31 Hardware Compatibility List (HCL), 15 hardware failures backups for, 684 in server availability, 420–421 hardware requirements for DNS servers, 403 for installation, 14–15 for Terminal Services, 202–203 for Windows XP Professional, 28 hashing algorithms for CAs, 549 defined, 792 for digital signatures, 533 HBAs (host bus adapters), 428 HCL (Hardware Compatibility List), 15 Help And Support Center dialog box for Remote Assistance, 238, 240, 512, 513 for Windows Update, 46–47 Help command, 625 HelpServicesGroup group, 110 HFNetChk tools, 374 Hide The File Scan Progress Window policy, 336 hierarchies, multiple domains for, 627–628 High encryption option, 207 high-level security defined, 792 for DNS servers, 405–406 High security method in IPSec, 469 historical information, backups for, 684Hisec*.inf (Highly secure) template, 338
Home Directory tab, 175–177, 176 home folders defined, 792 user profiles for, 100 host bus adapters (HBAs), 428 host (A) records defined, 792 purpose of, 257 hostnames in DNS, 251–252 HOSTS file, 250–251 hosts for IIS access control, 165 How To Restore page, 698, 698 HTML (HyperText Markup Language), 792 HTTP (Hypertext Transfer Protocol), 163 HTTP Headers tab, 180–181, 181 HyperText Markup Language (HTML), 792 Hypertext Transfer Protocol (HTTP), 163
I I (idle) nodes for server clusters, 431 IANA (Internet Assigned Numbers Authority), 362 ICANN (Internet Corporation for Assigned Names and Numbers), 362 identification, website, 172–173 idle (I) nodes for server clusters, 431 IIS (Internet Information Server) backups for, 183–184, 183–184 benefits of, 163 configuring and administering, 167–168, 167–168 installing, 165–167 key services in, 163–164 MBSA for, 64 new features for, 10 restarting, 185 security for, 164–165 SSL for, 165
IIS_WPG group – installing
troubleshooting, 184–185 verifying content page locations, 185 for websites. See websites IIS_WPG group, 111 IKE (Internet Key Exchange) defined, 793 in ISAKMP, 469 Immediate Certification Authorities folder, 574 Immediately Uninstall The Software From Users And Computers option, 767 Import Certificate Wizard, 567 Import Template dialog box, 337, 342 importing certificates, 585–587, 586–587 IPSec policies, 488 security templates, 337–340, 342 users, 131–132 inbound IPSec filters, 470 Include All Certificates In The Certification Path If Possible option, 584 Incoming Forest Trust Builders group, 108 inconsistency from multiple domains, 628 Increase Scheduling Priority right, 328 incremental backups, 685, 686 defined, 792 description, 154 incremental zone transfers (IXFRs), 264–265 defined, 792–793 support for, 396 Index This Resource permission, 177 Indexing Service, 361 Inetcorp.adm template, 720 InetOrgPerson objects functional level, 313, 608 \Inetpub directory, 166 Inetres.adm template, 317, 720 Inetset.adm template, 720 inf subdirectory, 721
829
inheritance in Active Directory, 315–317 defined, 793 in GPOs, 727–729, 728 Inheritance Overrides dialog box, 182 .ini file mappings, 225 initialization (ZIP) files defined, 793 purpose of, 750 Initials field, 83 initiating Remote Assistance sessions, 240 Insert Disk dialog box, 166 installation log files, 769 installation routines in Windows Installer, 748 installing Active Directory. See Active Directory installation applications on Terminal Services servers, 225 CAs, 547–551, 548–551 DNS, 602–604, 603–604 DNS servers, 267–268, 267, 272–273 IIS, 165–167 Microsoft Certificate Server, 546–552, 548–551 Replication Monitor, 287 software. See software deployment SUS servers, 51–52, 52 Terminal Services server, 203–205, 204–205 Windows Server 2003, 4, 17 clean installs vs. upgrades, 16 as domain controller, 24–27 exam essentials for, 67 Hardware Compatibility List for, 15 hardware requirements for, 14–15 information collection for, 18–19 key terms for, 67 options in, 17 preparation for, 13–14 product activation, 31–33, 32
830
Int domain – IPSec (Internet Protocol Security Extensions)
review question answers, 75–76 review questions, 68–74 steps for, 17–20 summary, 66–67 system compatibility for, 16 Windows XP Professional, 27–31 Int domain, 252 Integrated Windows Authentication option, 179 integrating DNS and WINS, 392–394 integrity defined, 793 in PKI, 531 Interactive group, 112 Interactive Logon category, 330 Interactive Logon: Do Not Display Last User Name setting, 678, 717 intermediate CAs, 538 Internet DNS for, 252–253 testing access to, 605 Internet Assigned Numbers Authority (IANA), 362 Internet Corporation for Assigned Names and Numbers (ICANN), 362 Internet Explorer Maintenance Policy Processing policy, 335 Internet Information Server (IIS). See IIS (Internet Information Server) Internet Information Services (IIS) Manager, 167, 167 Internet Information Services servers, 363 Internet Key Exchange (IKE) defined, 793 in ISAKMP, 469 Internet Protocol Security Extensions. See IPSec (Internet Protocol Security Extensions) Internet Security Agreement/Key Management Protocol (ISAKMP) defined, 793 for IPSec, 468–469
Internet Server Application Programming Interface (ISAPI) filters defined, 793 for websites, 175, 175 invitations in Remote Assistance, 237–238, 237–239, 240 IP Address And Domain Name Restrictions dialog box, 180, 180 IP Address And Port Settings dialog box, 169, 170 IP addresses DNS for. See DNS (Domain Name System) for NLB, 443–444, 443–444 in stub zones, 400 for websites, 173, 180 IP Filter List dialog box, 496, 496 IP Filter List page, 507, 507 IP Filter List tab, 492, 492 IP Filter Properties dialog box, 496–497, 497–498 IP Security Policy Management snap-in, 480–483, 480–483 IP Security Policy Processing policy, 335 IP Security Policy Wizard, 483–484, 484, 504, 504 ipconfig utility for DNS, 293 for network connectivity, 605, 606 IPSec (Internet Protocol Security Extensions), 463–464 Authentication Headers for, 465, 468–469, 469 certificate-to-account mapping in, 467 clients in, 463, 793 considerations for, 478 default traffic exemptions in, 467 defined, 793 Encapsulating Security Payload for, 465, 469, 469 fundamentals, 464–465 ISAKMP for, 468
IPSec Policy Agent – key terms
L2TP/IPSec for, 466 MMC for, 465 netsh for, 467 policies for components in, 470–474 creating, 483–484, 484 default, 474–477 deploying, 484–488, 485–487 deployment options for, 478–479 filter actions, 497–500, 498–499 filter lists, 495–497, 495–497 General tab for, 489–491, 490 group, 466, 478, 486 IP Security Policy Management for, 480–483, 480–483 Rules tab for, 491–495, 491 for transport mode, 500–501, 500–501 in practice, 477 Resultant Set of Policy for, 466 security methods in, 469 servers in, 463, 793 strategies for, 489 in tunnel mode, 464, 501–509, 502–508 IPSec Policy Agent, 466, 793 IPv4, 793 ISAKMP (Internet Security Agreement/ Key Management Protocol) defined, 793 for IPSec, 468–469 ISAPI (Internet Server Application Programming Interface) filters defined, 793 for websites, 175, 175 ISAPI Filters tab, 175, 175 Issue and Manage Certificates permission, 560 Issued Certificates folder, 552 Items To Back Up page, 145, 146, 148, 553–554, 553, 690 Items To Restore page, 554–555, 555 iterative DNS queries, 261
831
IXFRs (incremental zone transfers), 264–265 defined, 792–793 support for, 396
J Join Computer To Domain dialog box, 30 joining domains, 620 trees to forests, 640–644, 641–644 Windows XP Professional computers to Windows 2003 domains, 30–31 JP domain, 253
K KDCs (key distribution centers) defined, 794 for Kerberos, 323, 472 Keep My Computer Up To Date option, 48 Kerberos KDC key version numbers functional level, 312, 608 Kerberos protocol defined, 794 in IPSec, 472 policies in, 323–324, 794 key distribution centers (KDCs) defined, 794 for Kerberos, 323, 472 key escrow, 545, 794 Key Exchange Settings dialog box, 490, 490 Key Length list, 549 key terms Active Directory, 703 certificate services, 590 computer management, 133 DNS, 296
832
Key usage attribute – load balancing
domains, 659 group management, 133 Group Policy, 774 installation, 67 license management, 67 network security, 519 planning DNS, 407 remote management, 242 server availability, 452 server roles, 376 system recovery and web services, 186 updating, 67 user management, 133 Key usage attribute, 543 keys defined, 794 in ISAKMP, 469 in PKI, 532, 545 preshared, 473
L L2TP/IPSec (Layer Two Tunneling Protocol over IPSec), 466 LAN access, 605 large servers, backing up, 693 Last Name field, 83 Layer Two Tunneling Protocol over IPSec (L2TP/IPSec), 466 LDAP (Lightweight Directory Access Protocol), 362 LDP tool, 622–623 Let's Activate Windows dialog box, 32–33 License Agreement dialog box, 29 License Logging Properties dialog box, 35–36, 36 License Logging service, 35–36, 36, 794 license management, 33 in enterprises, 38–45 exam essentials for, 67 key terms for, 67 License Logging service, 35–36, 36 licensing modes, 33–35, 34–35 Licensing utility for. See Licensing utility
local administration, 36–38, 37 review question answers, 75–76 review questions, 68–74 summary, 66–67 License Server Activation dialog box, 224, 224 license servers, 794 License Violation dialog box, 38 Licensing Groups, 44 Licensing Modes dialog box, 19, 26 Licensing option, 215 Licensing Site Settings Properties dialog box, 39, 40 licensing Terminal Services, 220–224, 222–224 Licensing utility, 40–41, 40 Clients tab, 42–43, 43 for groups, 44–45, 44 Products View tab, 42, 42 Purchase History tab, 41–42 for replication, 45 Server Browser tab, 43, 43 Lightweight Directory Access Protocol (LDAP), 362 Limit Windows File Protection Cache Size policy, 336 linked values, replicating, 313, 609 linking GPOs to Active Directory, 719–720, 719, 722, 723 List Contents permission, 674 List NC Information command, 625 List NC Replicas command, 625 List Object permission, 674 List Providers command, 162 List Shadows command, 162 List ShadowStorage command, 162 List Volumes command, 162 List Writers command, 162 Load And Unload Device Drivers right, 328 load balancing defined, 796 monitoring, 442–446, 442–445 remote administration of, 446 round robin DNS with, 263, 441
local administration of license management – Low encryption option
with server clusters, 419–420, 440–442 Terminal Services for, 199 local administration of license management, 36–38, 37 Local Area Connection Properties dialog box, 23, 27, 273 Local Computer Group Policy Objects. See Group Policy and GPOs LOCAL field, 393 Local Group Policy snap-in, 318–319 local groups, 794 local paths, 176 local policies, 310, 318–319, 318, 324 audit, 324–326 defined, 794 disk quotas, 333–334 Group Policy, 334–335 for IPSec, 478 scripts, 333 security options, 329–331 user profiles, 332–333 user rights, 326–329 windows file protection, 335–336 Local Policies security templates item, 339 local printer support, 199 local quorum clusters defined, 794 for server clusters, 434 Local Resources tab, 232, 233 Local Security Policy Setting dialog box, 329 Local Security Policy utility, 714 local user profiles, 94–95 local users, 308, 794 Local Users and Groups utility, 309 defined, 794 for Remote Desktop for Administration, 511 locating Active Directory objects, 126–128, 127–128
833
location of packages, 763 Location Tab, 123, 124 Lock Pages In Memory right, 328 lockouts, account, 92–93, 322–323 Log Event When Quota Limit Exceeded policy, 334 Log Event When Quota Warning Level Exceeded policy, 334 log files. See logs and log files Log Off action, 220 Log On As A Batch Job right, 328 Log On As A Service right, 328 Log On tab, 344–345, 344 Log On To Windows dialog box, 30, 234 Log Users Off When Roaming Profile Fails policy, 333 Log Visits permission, 177 Logging mode defined, 794 RSoP in, 737–741 Logon Hours dialog box, 91, 92 logon/logoff scripts, 730 Logon Settings tab, 208, 208 Logon Timestamp updates functional level, 312, 608 Logon Workstations dialog box, 92, 92 logons performance problems in, 745–746 policies for, 795 scripts for, 99–100, 795 smart cards for, 682 Terminal Services support for, 199, 208, 208 logs and log files backing up, 554 in DNS, 293–294 in Event Viewer, 616–617 for licenses, 35–36, 36 for software deployment, 769 for websites, 173 lookup_timeout field, 393 Low encryption option, 207
834
low-level security – Microsoft Baseline Security analyzer
low-level security defined, 795 for DNS servers, 404–405 LUN masking, 427, 427
M machine accounts, 795 machine certificate template attribute, 543 machine certificates defined, 795 in IPSec, 473 mail exchange (MX) records defined, 795 purpose of, 258 maintaining software, 747 majority node set clusters, 423, 435, 435 defined, 795 recovering, 448–449 majority node set quorums, 438 malicious deletion, backups for, 684 Manage Auditing And Security Log right, 328 Manage CA permission, 560 Manage Filter Actions tab, 497, 498 Manage IP Filter Lists And Filter Actions dialog box, 492, 495, 495, 497–498, 498 Manage IP Filter Lists tab, 495, 495 Manage Your Server utility, 20, 368–370, 369, 602–603, 604 Managed By tab for computer accounts, 124, 124 for groups, 115, 116 management services, 9 mandatory profiles, 99, 795 mandatory software upgrades, 759 mappings for IPSec certificates, 467 for software installation, 765, 765 master boot record (MBR) disks, 423 Master DNS Servers page, 271, 271
Master GPO Options dialog box, 729 master keys in ISAKMP, 469 Maximum Lifetime For Service Ticket policy, 324 Maximum Lifetime For User Ticket policy, 324 Maximum Lifetime For User Ticket Renewal policy, 324 Maximum Password Age policy, 81, 320 Maximum Retries To Unload And Update User Profile policy, 333 Maximum Tolerance For Computer Clock Synchronization policy, 324 Maximum Wait Time For Group Policy Scripts policy, 333 MBR (master boot record) disks, 423 MBSA (Microsoft Baseline Security Analyzer), 62, 373 defined, 795 GUI version, 62–65, 63–65 mbsacli.exe for, 66 operation of, 373–374 troubleshooting, 375 mbsacli.exe utility, 66 MCS (Microsoft Certificate Server), 546–552, 548–551 MCS (Microsoft Certificate Services), 530, 581, 795 Media Services servers, 365 medium-level security defined, 795 for DNS servers, 405 Medium security method in IPSec, 469 Member Of tab for computer accounts, 121, 122 for groups, 115–116, 115, 117 for users, 102, 102 Members tab, 115, 115 messaging support in Terminal Services, 200 Microsoft Baseline Security analyzer. See MBSA (Microsoft Baseline Security Analyzer)
Microsoft Certificate Server (MCS) – multiple-instance applications
Microsoft Certificate Server (MCS), 546–552, 548–551 Microsoft Certificate Services (MCS), 530, 581, 795 Microsoft Installer packages, 769–770 Microsoft Logging Properties dialog box, 173, 174 Microsoft Management Console. See MMC (Microsoft Management Console) model Microsoft Network Client category, 330 Microsoft network Server category, 330 Microsoft Personal Security Advisor (MPSA), 374 Microsoft Software Update Services. See SUS (Software Update Services) Microsoft Software Update Services Setup Wizard, 51–52, 52 migration DNS database files in, 265–266 namespace planning for, 386 Mil domain, 252 MIME (Multipurpose Internet Mail Extensions) maps, 181 Minimum (Default) TTL field, 275 Minimum Password Age policy, 81, 320 Minimum Password Length policy, 81, 320–321, 677 mirroring defined, 796 for IP filter lists, 496–497 for multisite clusters, 437–438 MMC (Microsoft Management Console) model for certificates, 551 for DNS, 267 for Group Policy, 714 for IPSec, 465 for Local Group Policy, 318–319 for Security Settings, 319 for Security Templates, 339 Modem Dialing Information dialog box, 20, 26, 29 modification of data, backups for, 684
835
Modify Firmware Environment Variables right, 328 Monitor Server screen, 56, 57 monitoring DNS, 283 with DNS snap-in, 283–285, 284–285 with Event Viewer, 286–287 with Replication Monitor, 287–289 with System Monitor, 285–286 network load balancing, 442–446, 442–445 SUS updates, 56, 57 Monitoring tab, 284–285, 284 mounted drives with shadow copies, 162 Move dialog box, 128, 129 moving Active Directory objects, 128–129, 129 MPSA (Microsoft Personal Security Advisor), 374 _msdcs domain, 264 MSI (Windows Installer package) files, 750, 751, 806 msiexec.exe program, 748 MSP (patch) files, 750 mssecure.xml file, 374–375 MST (transformation) files, 750, 805 MSTSC utility, 234 Multicast mode for NLB, 443 multihomed nodes, 439 multimaster replication model, 396, 796 multiple DNS and domain names, domains for, 628 multiple domains, 626, 648 drawbacks of, 628–629 global catalog servers for, 654–656, 656 trusts in, 648–653, 648, 650–653 UPN suffixes for, 654 uses for, 626–628 Multiple Host Filtering option, 445 multiple-instance applications defined, 796 deploying, 425, 425–426
836
multiple logon support – network security
multiple logon support, 199 multiprocessor support requirements, 15 Multipurpose Internet Mail Extensions (MIME) maps, 181 multisite clusters, 436–438, 436 mutual authentication defined, 796 in Kerberos, 472 MX (mail exchange) records defined, 795 purpose of, 258 My Documents Properties dialog box, 735–736, 735–736
N name server (NS) records defined, 796 purpose of, 256–257 for zones, 275–276, 276 delegation, 398 stub, 400 name servers defined, 796 DNS, 252, 275–276, 276 Name Servers tab, 275–276, 276 names compatibility of, 266 domain, 252, 628 for forward zones, 270 resolving. See DNS (Domain Name System) for services, 346 namespaces, DNS, 384–387 NAT for IPSec, 466 Net domain, 252 .NET Passport Authentication option, 179 NetBIOS Domain Name page, 612, 612, 636, 636, 642, 642 NetBIOS Name dialog box, 21, 27 netmask ordering, 263 netsh utility, 467
Network Access category, 330 Network Adapter tab, 211, 212 network adapters in Terminal Services, 203, 211, 212 testing, 605 network configuration, 731–732, 732 Network Configuration Operators group, 108 network connectivity in server availability, 421 verifying, 605–607 Network Credentials page, 635, 635 Network group, 112 Network Identification tab, 620 Network Identification Wizard, 30 network IDs, 272 Network Information dialog box, 31 Network Load Balancing (NLB) defined, 796 monitoring, 442–446, 442–445 remote administration of, 446 round robin DNS with, 263, 441 with server clusters, 419–420, 440–442 Terminal Services for, 199 Network Load Balancing Manager, 442, 442 Network News Transfer Protocol (NNTP) defined, 796 purpose of, 163 network requirements for Windows XP Professional, 28 network security, 462 exam essentials, 518 IPSec for. See IPSec (Internet Protocol Security Extensions) key terms, 519 remote administration methods, 509 Remote Assistance, 512–517 Remote Desktop for Administration, 509–511 review question answers, 526–527 review questions, 520–525 summary, 517
Network Security category – ntdsutil utility
Network Security category, 330 Network Settings dialog box, 20, 26, 29 Network Type page, 506, 506 networking new features for, 8 with server clusters, 438–440 New Client Access License dialog box, 37–38, 37, 41 New Delegation Wizard, 279–280, 280 New Domain page, 612, 612 New Domain Name page, 21, 26, 642, 642 New Filter Action Properties dialog box, 498–499, 499 New License Group dialog box, 44, 44 New Object---Computer dialog box, 118, 118 New Object---Group dialog box, 113–114, 113, 672, 672 New Object---Organizational Unit dialog box, 129 New Object---User dialog box, 84–85, 84–85 for roaming profiles, 97–98 for templates, 104 New Resource Record dialog box, 281–282, 281–282 New Rule Properties dialog box, 508, 508 New Security Method dialog box, 500, 500 New Trust Wizard, 650–653, 651–653 New Zone Wizard for forward lookup zones, 269–271, 271 for reverse lookup zones, 272, 272 N+I configurations defined, 796 for server clusters, 431, 431 NLB (Network Load Balancing) defined, 796 monitoring, 442–446, 442–445 remote administration of, 446 round robin DNS with, 263, 441
837
with server clusters, 419–420, 440–442 Terminal Services for, 199 NNTP (Network News Transfer Protocol) defined, 796 purpose of, 163 No Auto-Restart For Scheduled Automatic Updates Installations dialog box, 60, 61, 762, 762 No Override option, 316–317, 728–729, 728 NoAutoUpdate key, 58 nodes, cluster, 419, 423 backing up, 447 requirements for installation, 15 nonauthoritative restores, 701 nonmandatory software upgrades, 759 nonrecursive DNS servers, 402, 796–797 nonrepudiation defined, 797 in PKI, 531 normal backups, 685, 686 defined, 797 description, 153 Notify dialog box, 277 Notify Me Before Downloading Any Updates option, 48 NS (name server) records defined, 796 purpose of, 256–257 for zones, 275–276, 276 delegation, 398 stub, 400 nslookup utility defined, 797 for DNS, 290–293 Ntbackup utility, 157 NTDS Settings Properties dialog box, 656, 656 ntdsutil utility, 623 for application data partitions, 624–626, 627 for authoritative restores, 695, 700–701, 700
838
objects in Active Directory – Per Server connections
O objects in Active Directory locating, 126–128, 127–128 moving, 128–129, 129 Offer Remote Assistance feature, 240 on-demand installations, 749–750 one-way trusts, 648–649 Only To Servers Listed On The Name Servers Tab option, 277 Only To The Following Servers setting, 277 Open Database dialog box, 337, 341 opening security templates, 340 Operating System Compatibility dialog box, 21, 26 Operating System Compatibility page, 634, 634 Operating System Compatibility screen, 641 optimizing software deployment, 768–772Operating System tab, 121, 122 Option dialog box, 728, 728 Optional Networking Components dialog box, 27 order of IPSec policy application, 487–488 Org domain, 253 Organization tab, 101, 101 organizational reasons, multiple domains for, 627 OUs (organizational units) defined, 797 purpose of, 314 outbound IPSec filters, 470 Override User Settings option, 208–209 Owner field, 393
P Package Properties dialog box, 757–758, 757–758
packages defaults for, 763, 764 testing, 768 in Windows Installer, 749 parent-child relationships, 315 parent domains, 630 Parent OU Properties dialog box, 729 partitioned applications, 425, 426, 797 partitions, application data, 621 creating, 621–623 defined, 784 managing replicas, 623–624 ntdsutil for, 624–626, 627 removing replicas, 624 passthrough actions defined, 797 in IPSec, 471 Password field, 83 Password Never Expires option, 84, 93 Password Policy folder, 319 passwords in authentication, 105 changing, 88–89 for domains, 639 guidelines for, 309 MBSA for, 64 policies for, 320–321, 797 for user accounts, 80–82 Passwords Must Meet Complexity Requirements policy, 81–82, 320–321 patch (MSP) files, 750 patches, 370, 797 paths for websites, 176 PDCs (Primary Domain Controllers), 610 pending CA requests, 565 Pending Requests folder, 552 Per Device connections, 38 Per Device dialog box, 42 Per Seat licensing mode, 34, 797 Per Server connections managing, 37 switching from, 38
Per Server Licensing Agreement dialog box – planning DNS
Per Server Licensing Agreement dialog box, 38 Per Server licensing mode, 33–34, 34, 798 Per User connections, 38 Per-User Data for Terminal Services servers, 226 Per User Licensing dialog box, 42 Perform Volume Maintenance Tasks right, 328 performance audit effects on, 325 domain controllers for, 645 logon, 745–746 of replication traffic, 396 Terminal Services for, 199 website settings for, 173–175, 174 Performance Log Users group, 108 Performance Monitor Users group, 108 Performance tab, 173–175, 174 Permission Compatibility option, 215 Permission Entry For RDP-Tcp dialog box, 213, 214 permissions for Active Directory, 669, 673–675, 674 assigning to templates, 561–562, 561–562 for CAs, 559–560, 560 defined, 798 for domain controllers, 614, 614 for domains, 638, 638 for Terminal Services Configuration Utility, 212–213, 213 for trees, 643, 643 for websites, 176–177, 185 for zones, 390–391 Permissions dialog box, 23, 27 Permissions For Profiles dialog box, 98 Permissions page for domain controllers, 614, 614 for domains, 638, 638 for Terminal Services Configuration Utility, 212–213, 213 for trees, 643, 643
839
Permit actions, 471 Personal folder, 574 Personalize Windows Update option, 47 Personalize Your Software dialog box, 19, 25, 29 Pick A Computer To Scan screen, 63–64, 64 Pick Updates To Install option, 46 ping utility defined, 798 for IIS, 184 for network connectivity, 606 PKCS#7 binary format, 584–585 PKCS#12 format, 585 PKI (public key infrastructure), 531–532 with Active Directory, 566 certificates in. See certificates and Certificate Services concepts in, 532–535 cryptographic service providers in, 541 defined, 799 elements of, 535–536 functions in, 733 in IPSec, 472–473 policy modules and exit modules in, 541–542 recovery keys in, 545 Server Gated Cryptography for, 545 smart cards in, 545–546 PKI-aware applications, 535, 733 Place All Certificates In The Following Store option, 586 Plain binary X.509 format, 583 planning DNS, 384, 601–602, 603 caching and forwarding, 399 caching-only servers, 399 conditional forwarders, 400–401 forward-only servers, 402 stub zones, 400 exam essentials, 407 key terms, 407 namespaces, 384–387 review question answers, 414–416
840
Planning mode – Product IDs
review questions, 408–413 server resources, 402 capacity, 403–404 general requirements, 403 securing DNS, 404–406 summary, 406 zones in, 387 data location, 388–389 delegating, 397–399 integrating DNS and WINS, 392–394 replicating, 396 secondary, 395 securing, 389–392, 397 transfers, 395–397 type, 387–388 Planning mode defined, 798 RSoP in, 737, 741–744, 742–743 pointer (PTR) records defined, 798 purpose of, 257 policies account. See account policies audit, 324–326 defined, 798 for disk quota, 333–334 for groups. See Group Policy and GPOs for IPSec. See IPSec (Internet Protocol Security Extensions) for scripts, 333, 729–730, 730–731 security. See security for user profiles, 332–333 for Windows file protection, 335–336 Policy Module tab, 556, 557, 565 policy modules defined, 798 in PKI, 541–542 politics in DNS, 282–283 multiple domains for, 627
POP3 (Post Office Protocol, version 3), 364 Port Rules tab, 444, 444 ports for IP filter lists, 496 for NLB, 444, 444 for websites, 173 Post Office Protocol, version 3 (POP3), 364 Pre-Windows 2000 Compatible Access group description, 108 DNS zone permissions for, 391 Precedence tab, 740, 740 Precreate command, 625 Preliminary Steps page, 365 Preserve Existing Certificate Database, 550 preshared keys defined, 798 in IPSec, 473 Previous Versions tab, 161, 161 primary command, 260 primary DNS servers, 253, 798 Primary Domain Controllers (PDCs), 610 Primary Server field, 275 primary zones, 387, 798 Print Operators group, 109 print servers, 361 printer support, 199 priority field in service records, 259 Private Key And CA Certificate setting, 554 private keys defined, 798 in public key cryptography, 533 privileges in Windows Installer, 749, 767 processor requirements for Terminal Services, 202 for Windows XP Professional, 28 product activation, 31–33, 32, 798 Product IDs, 32, 32, 47
Product Key – recovery
Product Key, 47 Products View tab, 42, 42 Profile Single Process right, 328 Profile System Performance right, 328 Profile tab, 93, 94–100 profiles. See user profiles programs. See software; software deployment Programs tab, 233, 233 promoting defined, 798 domain controllers, 610–615, 611–615 domains, 633 Prompt User When Slow Link Is Detected policy, 332 Protocol tab, 497, 498 protocols for IP filter lists, 496–497, 498 PTR (pointer) records defined, 798 purpose of, 257 Public And Private Key Pair Selection page, 548, 548 public key certificates defined, 799 in IPSec, 472–473 public key cryptography, 533, 799 public key infrastructure. See PKI (public key infrastructure) public key policies, 331 public keys defined, 799 in public key cryptography, 533 publishers certificate, 535 in PKI, 733 publishing applications, 752, 754–756, 754–756 certificates, 535, 540–541 CRLs, 570–572, 571 defined, 799 Purchase History tab, 41–42
841
Q queries, DNS, 254, 261–264, 262 queue files, backing up, 554 quorum resources, 423, 434, 799 quotas, disk, 333–334, 789
R RAID (Redundant Array of Inexpensive Disks), 420–421, 426 RAM requirements for DNS servers, 403 for installation, 14 for Terminal Services, 202 for Windows XP Professional, 28 random failover policies, 433 RAS and IAS Servers group, 111 ratings of website content, 180 RDP (Remote Desktop Protocol), 201, 800 RDP-Tcp Properties dialog box Client Settings tab, 210–211, 211 Environment tab, 208–209, 209 General tab, 206–208, 206 Logon Settings tab, 208, 208 Network Adapter tab, 211, 212 Permissions tab, 212–213, 213 Remote Control tab, 210, 210 Sessions tab, 208–209, 209 Read permission for Active Directory, 675 for CAs, 560 for websites, 176 Ready To Install screen, 52, 52 realm trusts, 649, 799 records in DNS. See resource records (RRs) recovery, 142 backups for. See backups cluster node, 446–449 exam essentials, 186
842
recovery agents – Remote Desktop Protocol (RDP)
key terms, 186 review question answers, 193–194 review questions, 187–192 safeguarding computers, 142–143 shadow copies for. See shadow copies summary, 185–186 recovery agents, 545, 799 Recovery Console category, 330 recovery keys in PKI, 545 Recovery tab, 345, 345 recursive DNS queries, 261 redirecting folders defined, 791 with Group Policy, 734–736, 735–736 redundancy in software deployment, 769 Redundant Array of Inexpensive Disks (RAID), 420–421, 426 Refresh Interval field, 275 Refresh time field, 256 Regional And Language Options dialog box, 19, 25, 29 Register With Microsoft? dialog box, 32 /registerdns option in ipconfig, 293 Registration database, backing up, 687 Registry for Automatic Updates, 58 backing up, 687 for Terminal Services server applications, 225 Registry Policy Processing policy, 335 Registry security templates item, 339 rekeying certificates, 582 reliability defined, 799 domain controllers for, 644–645 in NLB clusters, 420 Remote Access Permission option, 102 remote administration, 196, 509 exam essentials, 241 key terms, 242 network load balancing, 446 Remote Assistance. See Remote Assistance
Remote Desktop. See Remote Desktop review question answers, 247–248 review questions, 243–246 summary, 241 Terminal Services. See Terminal Services Remote Assistance, 235–236, 512 defined, 799 enabling, 237 initiating sessions for, 240 operation of, 512–514, 513 vs. Remote Desktop, 236 requesting, 237–238, 237–239, 240 responding to requests, 239 security for, 240, 514–517, 515–517 Remote Assistance Settings dialog box, 238, 512, 513 Remote Control, 800 Remote Control action, 220 Remote Control tab in Active Directory Users And Computers, 217, 218 in Terminal Services Configuration Utility, 210, 210 Remote Desktop, 228, 509–510 client software for, 230–234, 231–234 components of, 511 configuration for, 229, 230 defined, 800 ending sessions in, 235 options for, 236 vs. Remote Assistance, 236 requirements for, 229 restrictions on, 228–229 security for, 510–511 starting sessions in, 234 Remote Desktop Connection, 200, 230–234, 231–234, 511 Remote Desktop For Administration mode, 198, 200 Remote Desktop Protocol (RDP), 201, 800
Remote Desktop Users dialog box – resources
Remote Desktop Users dialog box, 229, 230 Remote Desktop Users group, 109, 510 Remote Desktop Web Connection, 511 Remote Desktops snap-in, 511 Remote tab for Remote Assistance, 237, 237, 517 for Remote Desktop, 229, 230 Remove Computer From Docking Station right, 328 Remove NC Replica command, 625 removing certificates, 566 programs, 747–748, 766–767, 766–767 replicas, 624 shadow copies, 162 user accounts, 86–87 renaming domains, 312, 314, 609 users, 87–88 Renew CA Certificate dialog box, 555, 556 renewing CAs, 555, 556 certificates, 582–583 repairing corrupted applications, 749 Replace A Process Level Token right, 328 replay attacks, 465 replicas and replication Active Directory, 396, 784 Global Catalogs, 313, 608 licensing for, 45, 45 linked values, 313, 609 managing, 623–624 multiple domains for, 627 for multisite clusters, 437–438 removing, 624 Replication Configuration dialog box, 45, 45 Replication indicator for zones, 274 Replication Monitor, 287–289 Replicator group, 109 Request A Certificate task, 581
843
Request certificates permission, 560 Request Timed Out error, 184 requesting certificates, 578–582, 579–582 Remote Assistance, 237–238, 237–239, 240 Requests For Secure Communication page, 483–484, 484, 504 Reschedule Automatic Updates Scheduled Installations Properties dialog box, 60, 61, 762, 762 Reset Account Lockout Counter After policy, 93, 322 Reset action, 220 Reset Password dialog box, 89 /resetquorumlog option for Cluster Service, 449 resetting computer accounts, 124–125 Resize ShadowStorage command, 162 resolvers defined, 800 DNS, 253–254 resource groups defined, 800 in server clusters, 423 Resource Kit, 448 Resource Record Type dialog box, 281, 281 resource records (RRs), 255, 403 alias, 257–258 creating, 280–282, 281–282 defined, 800 host, 257 mail exchange, 258 name server, 256–257 pointer, 257 service, 258–259 start of authority, 256 in stub zones, 400 WINS, 392–393 WINS-R, 393 resources defined, 800 server cluster, 423
844
responding to Remote Assistance requests – Routing and Remote Access Service
responding to Remote Assistance requests, 239 Responsible Person field, 275 restarting IIS, 185 Restore Files And Directories right, 329 Restore Progress dialog box, 699, 699 restore subtree command, 701 Restore tab, 152, 153 Restore Wizard, 800 restoring Active Directory, 692–701, 696–700 CAs, 554–555, 555 with shadow copies, 162 System State data, 689, 694–701, 696–700 Restrict Each User To One Session option, 216 Restricted Groups security templates item, 339 Resultant Set of Policy (RSoP) utility defined, 800 for IPSec, 466 in Logging mode, 737–741 in Planning mode, 741–744, 742–743 Resultant Set of Policy Wizard for Logging mode, 737–741, 737–739 for Planning mode, 742–744, 742–743 Retry Interval field, 275 Retry time field, 256 reverse lookup files, 259–260 Reverse Lookup Zone Name page, 272, 272 reverse lookup zones, 272, 272 reverse lookups defined, 800 pointer records for, 257 Review And Install Updates option, 47 review questions and answers Active Directory, 704–710 certificate services, 591–597 computer management, 134–140 DNS, 297–305
domains, 660–665 group management, 134–140 Group Policy, 775–782 installation, 68–76 license management, 68–76 network security, 520–527 planning DNS, 408–416 remote management, 243–248 security policy, 349–356 server availability, 452–460 server roles, 377–382 system recovery and web services, 187–194 updating, 68–76 user management, 134–140 revocation, certificate. See CRLs (certificate revocation lists) Revoked Certificates folder, 552 Revoked Certificates Properties dialog box, 570–572, 571 revoking certificates, 569–572, 570–571 roaming disconnect support, 199 roaming user profiles creating, 95–98, 96–97 defined, 800 Role Removal Confirmation page, 366, 366 roles CA, 539 server. See server roles rollouts. See software deployment root CAs, 537–539, 800 root domains, 630, 630 Root Hints tab, 268, 268 root name DNS servers, 269 root servers, 254, 800 rootsec.inf (System root security) template, 339 round robin DNS, 263, 441 Routing and Remote Access console, 367 Routing and Remote Access Service (RRAS) servers, 364
RRs. See resource records (RRs) – Secure Sockets Layer (SSL)
RRs. See resource records (RRs) RSoP (Resultant Set of Policy) utility defined, 800 for IPSec, 466 in Logging mode, 737–741 in Planning mode, 741–744, 742–743 rules in IPSec, 483–484, 484, 491–495, 491, 502, 502 Rules tab, 491–495, 491 Run As Option, 104–105 Run dialog box, 26 for Dcpromo, 21 for Local Group Policy, 318 Run Logon Scripts Synchronously policy, 333 Run Shutdown Scripts Visible policy, 333 Run Startup Scripts Asynchronously policy, 333 Run Startup Scripts Visible policy, 333 runas command, 310
S /S option in gpresult.exe, 744 Safe Mode, 31 SANs (Storage Area Networks) defined, 803 for server clusters, 424, 426–428, 427 SAs (security associations) defined, 801 in ISAKMP, 469 scalability methods, 421 multiple domains for, 626 server, 418–420 in Terminal Services, 200 scaling out method, 421, 800 scaling up method, 421, 800 Scan For Updates option, 46 Schedule Jobs tab, 687, 688 Schedule Synchronization---Web Page Dialog dialog box, 54, 55
845
ScheduledInstallDay key, 58 schedules for backup jobs, 687–689, 688 for server synchronization, 54, 55 for shadow copies, 159, 160 Schema Admins group, 111 schema classes and attributes default, 313 defunct, 608 schema in Active Directory, 632, 632 /SCOPE MACHINE option in gpresult.exe, 745 scope of groups, 106–107, 671–673, 672–673 /SCOPE USER option in gpresult.exe, 745 script policies, 333 assigning, 729–730, 730–731 defined, 801 Script Source Access permission, 176 scripts application assignment, 750 in group policies, 311 for Terminal Services servers, 226 user profiles for, 99–100 Scripts Policy Processing policy, 335 SCSI disk drives, 203 Search Order setting, 767 searching for Active Directory objects, 126–128, 127–128 secondary command, 260–261 secondary DNS servers, 253, 801 secondary domains, 260 secondary zones, 271, 389 creating, 395 defined, 801 purpose of, 387–388 secret key cryptography, 532, 801 Secure communications setting, 180 Secure Server (Require Security) policy, 476 Secure Sockets Layer (SSL) for IIS, 165 vs. IPSec, 463
846
Secure (Secure*.inf) template – Security Policy Setting dialog box
Secure (Secure*.inf) template, 338 Secure Timestamp page, 569 secured dynamic updates, 389–390, 801 security for Active Directory, 668–669 ACLs and ACEs, 675–676, 675 Group Policy for, 676–680, 678–680 permissions, 673–675, 674 security principals, 669–673, 672–673 smart card authentication, 680–683 DNS infrastructure, 406 DNS servers, 404–406 Group Policy for. See Group Policy and GPOs for IIS, 164–165 network. See IPSec (Internet Protocol Security Extensions); network security new features for, 7–8 policies in, 308 account policies, 319–324 defined, 801 exam essentials, 347 group accounts in, 310 group policies, 311–317 key terms, 348 local policies. See local policies multiple domains for, 628 review question answers, 355–356 review questions, 349–354 Security Configuration and Analysis for. See Security Configuration and Analysis utility for services, 343–346, 343–346 summary, 347 user accounts in, 308–310 for Remote Assistance, 240, 514–517, 515–517 for Remote Desktop, 228–229, 510–511 Terminal Services for, 199
update checks for, 65 update infrastructure for, 370–371 Microsoft Baseline Security Analyzer, 373–375 Microsoft Software Update services, 371–373 for zones, 389–392 transfers, 397 updates, 278 security analyses, 340–342, 341 security associations (SAs) defined, 801 in ISAKMP, 469 Security Configuration and Analysis utility, 336–337, 340 defined, 801 for importing security templates, 337–340 for security analyses, 340–342, 341 for specifying security databases, 337, 337 security databases defined, 801 specifying, 337, 337 security groups, 107, 310 in Active Directory, 669–670 defined, 801 security identifiers (SIDs) defined, 801 for security principals, 669–670 for usernames, 82 Security log, 617 security methods defined, 801 in IPSec, 469, 498, 499 Security Methods tab, 498, 499 security options defined, 801 for local policies, 329–331 Security permissions attribute, 543 Security Policy Processing policy, 335 Security Policy Setting dialog box, 679, 679
security principals – server roles
security principals in Active Directory, 669–673, 672–673 defined, 802 Security Rule Wizard, 505–509, 505–508 Security tab for Active Directory, 675, 675 for CAs, 559–560, 560 for GPOs, 723–724, 724–725 for Group Policy, 680, 680 for zones, 273 security templates, 61 creating, 338–340, 342 defined, 802 importing, 337–340, 342 Security Templates snap-in, 339–340 Select Certificate To Remove Licenses dialog box, 37 Select Computer dialog box for IP Security Policy Management, 482, 482 for Local Group Policy, 319 for site licenses, 39 Select Group Policy Object dialog box, 59, 486 Select Group Policy Object Wizard, 715, 715 Select Operation Target command, 625 Select The Method For Sending E-Mail Invitations setting, 516 Select User Or Group dialog box, 97, 97 Select Users Or Groups dialog box, 329 Send Message action, 220 Serial Number field, 256, 275 server availability, 418 cluster node failure recovery, 446 backups for, 446–447 process, 447–449 clustering technologies for. See server clusters evaluating, 418–420 exam essentials, 450–451
847
key terms, 452 network load balancing, 440–442 administering remotely, 446 monitoring, 442–446, 442–445 review question answers, 459–460 review questions, 452–458 scalability methods, 421 summary, 450 threats to, 420–421 Server Browser tab, 43, 43 server clusters, 418–420 business and application requirements, 424–425 capacity for, 428–430, 429–430 defined, 802 deployment considerations, 425–433, 425–427, 429–432 evaluating, 421–422 failover policies for, 430–433, 431–432 models for, 433–436, 435 multisite clusters, 436–438, 436 networking, 438–440 NLB, 419–420 planning, 422–423 storage methods for, 426–428, 427 terminology for, 423–424 Server Gated Cryptography (SGC), 545 Server Operators group, 109 Server (Request Security) policy, 475 Server Role page, 366, 366 server roles, 360 Configure Your Server Wizard for, 365–367, 366 defined, 802 defining, 360–365 exam essentials, 376 key terms, 376 Manage Your Server tool for, 368–370, 369 planning, 602 review question answers, 381–382 review questions, 377–380
848
server-side components in SUS – SGC (Server Gated Cryptography)
security update infrastructure for, 370–371 Microsoft Baseline Security Analyzer, 373–375 SUS for, 371–373 summary, 375 server-side components in SUS, 371 servers availability of. See server availability certificate, 546 controlling CA service in, 552–556 clusters for. See server clustersinstalling, 546–552, 548–551 DHCP, 363 DNS. See DNS (Domain Name System) for domain controllers, 362 global catalog, 654–656, 656 IPSec, 463 license, 220–224, 222–224 roles for. See server roles scalability of, 418–420 for shadow copies, 158–159, 159–160 site license, 39, 39 SUS installing, 51–52, 52 options for, 53, 53 requirements for, 51 synchronization for, 54, 54–55 Terminal Services, 201, 364 applications on, 225–226 defined, 804 installing, 203–205, 204–205 Terminal Services Configuration Utility for, 215–216, 215 upgrading domain controllers to, 20–23, 21–24 service failures in availability, 420 Service group, 112 Service Location Resource Records, 253 service packs, 370 service (SRV) records defined, 802 purpose of, 258–259
service recovery properties for services, 345, 345 services certificate. See certificates and Certificate Services Dependencies tab for, 345–346, 346 General tab for, 343–344, 344 Log On tab for, 344–345, 344 Recovery tab for, 345 security policy for, 343, 343 Terminal. See Terminal Services using, 346 web. See web services Session Directory setting, 216 session remote control, 199 sessions, Remote Desktop ending, 235 starting, 234 Sessions tab in Active Directory Users And Computers, 217, 217 in Terminal Services Configuration Utility, 208–209, 209 set command, 290 set all command, 290 set d2 command, 290 set domain=domain command, 291 Set NC ReferenceDomain command, 625 Set NC ReplicateNotificationDelay command, 625 set timeout command, 291 set type command, 291 Set Windows File Protection Scanning policy, 336 Setting Properties dialog box, 740, 740 Setting tab for automatic updates, 761, 761 for RSoPs, 740, 740 Settings dialog box, 159, 160 Setup security.inf (Default security) template, 338 Setup Wizard, 19–20 SGC (Server Gated Cryptography), 545
shadow copies – software
shadow copies, 157–158 client configuration for, 160–162, 161 defined, 802 for fault tolerance, 158 server configuration for, 158–159, 159–160 Shadow Copies tab, 158–159, 159 Shared System Volume page, 22, 27, 613, 613, 637, 637, 643, 643 sharing in software deployment, 753, 753 on Terminal Services servers, 225–226 Sharing tab, 753, 753 shortcut trusts, 649, 802 Show Alert Message When I Start The Backup Utility And Removable Storage Is Not Running option, 152 Show Alert Message When I Start The Backup Utility And There Is Recognizable Media Available option, 152 Show Alert Message When New Media Is Inserted option, 152 Shut Down The System right, 329 Shutdown: Allow System To Be Shut Down Without Having To Log On setting, 678 Shutdown category, 330 SID history functional level, 313, 608 SIDs (security identifiers) defined, 801 for security principals, 669–670 for usernames, 82 Signature Certificate page, 568, 568 signing for authenticity, 533–534 defined, 802 Simple Mail Transfer Protocol (SMTP), 163, 364, 802 Single affinity options, 446 single cluster node corruption or failure, recovery from, 448 Single Host Filtering option, 445
849
single-instance applications defined, 802 deploying, 425 single points of failure, 432 single quorum device clusters defined, 802 for multisite clusters, 438 for server clusters, 434, 435 single trees, 630–631, 630 site failures in availability, 421 site license servers defined, 802 specifying, 39, 39 sites defined, 802 purpose of, 314 web. See websites _sites domain, 264 64-bit edition, 13 Slow Network Connection Timeout For User Profiles policy, 332 Smart Card Certificate Enrollment Station page, 682 smart cards, 680–681 certificate enrollment stations for, 681–683 defined, 802 in PKI, 545–546 planning, 546 Smartcard Logon template, 544 Smartcard User template, 544 SMS (Systems Management Server), 371 SMTP (Simple Mail Transfer Protocol), 163, 364, 802 snap-ins, 803 SOA (start of authority) records defined, 803 purpose of, 256 in stub zones, 400 software maintaining. See updates policies for, 311 removing, 747–748, 766–767, 766–767
850
software deployment – Status indicator for zones
software deployment, 746 group policies for, 311 managing, 770–771 optimizing and troubleshooting, 768–772 preparing for, 752–754 process, 751–752 publishing and assigning applications, 754–756, 754–756 server cluster considerations for, 425–433, 425–427, 429–432 settings, 763 for removing programs, 766–767, 766–767 Software Installation Properties dialog box, 763–766, 764–766 for Windows Installer, 767–768 software management life cycle, 746–747 Terminal Services for, 198 updates applying, 757–759, 757–758 automatic, 759–763, 760–762 verifying installation, 759 Windows Installer for, 747–751 Software Installation Policy Processing policy, 335 Software Installation Properties dialog box, 763 Advanced tab, 764, 764 Categories tab, 765–766, 766 File Extensions tab, 765, 765 General tab, 763, 764 Software Properties dialog box for publishing, 754, 754 for sharing, 753, 753 Software Update Services. See SUS (Software Update Services) Solicited Remote Assistance Policy Properties dialog box, 516–517, 517 source addresses for IP filter lists, 496 Source host field, 256 Special permissions for Terminal Services, 213
Specify Intranet Microsoft Update Service Location Properties dialog box, 60, 761–762, 761 Specify Windows File Protection Cache Location policy, 336 split-brain causes of, 449 defined, 803 scenarios for, 434 spoofing defined, 803 IPSec for, 465 SQL vulnerabilities, MBSA for, 64–65 SRV (service) records defined, 802 purpose of, 258–259 SSL (Secure Sockets Layer) for IIS, 165 vs. IPSec, 463 SST format, 586 stages in software deployment, 769 stand-alone CAs, 538–539 configuring, 564–565 root, 539 subordinate, 539 Standard Edition features in, 12–13 hardware requirements for, 14–15 standard quorum model, 434 standard zone files, 387, 803 standby server configuration defined, 803 for server clusters, 431–432, 432 start of authority (SOA) records defined, 803 purpose of, 256 in stub zones, 400 starting CA services, 553 Startup Properties dialog box, 730, 731 startup/shutdown Scripts, 730, 730 stateful applications, 418, 803 stateless applications, 419 Status action, 220 Status indicator for zones, 274
stopping CA services – System log
stopping CA services, 553 Storage Area Networks (SANs) defined, 803 for server clusters, 424, 426–428, 427 storage management services, 9–10 storage methods for server clusters, 426–428, 427 Storage tab, 559, 559 Store Passwords Using Reversible Encryption policy, 81, 93, 320–321 Store The Zone In Active Directory option, 269 streaming media servers, 365 strong group affinity, 433 stub zones vs. conditional forwarders, 401 defined, 803 operation of, 388 planning, 400 uses for, 270 subdomains, 251, 253 creating, 634–640, 634–640 defined, 803 in WINS, 394 subnets for multisite clusters, 437 for server clusters, 439 subordinate CAs, 538–539 Subordinate Certification Authority template, 544 Summary Of Selections page, 738, 738, 741, 743 Summary option for backups, 155 Summary page, 23, 27 for DNS servers, 273 for domain controllers, 615, 615 for domains, 639, 639 for trees, 644, 644 Support Tools Installation Wizard, 287 SupTools.msi file, 622 SUS (Software Update Services), 371 approval log in, 56, 56 client-side components in, 372
851
clients in in Active Directory networks, 59–61, 59–61 in non-Active Directory networks, 58 requirements for, 57 defined, 796, 803 implementing, 372–373 server-side components in, 371 servers for installing, 51–52, 52 options for, 53, 53 requirements for, 51 synchronization for, 54, 54–55 synchronization log in, 56 updates in approving, 55, 55 automatic, 759–763, 760–762 monitoring, 56, 57 switched Fibre Channel fabric (FC-SW), 426 switching CAs, 552–553 from Per Server Connections, 38 symmetric encryption defined, 803 in PKI, 532 synchronization in SUS, 54, 54–55, 373 Synchronization Log screen, 56 Synchronize Directory Service Data right, 329 Synchronize Server screen, 54 synchronous replication, 437–438 System.adm template, 61, 317, 720, 763 System applet, 512 system compatibility, 16 System Cryptography category, 330 System Domain dialog box, 119 system failures in availability, 420–421 System groups description, 113 DNS zone permissions for, 390 System log, 617
852
System Monitor – Terminal Services
System Monitor for DNS, 285–286 integration with Terminal Services, 200 System Objects category, 330 system policy, 804 System Properties dialog box for Automatic Updates, 48–49, 48 for computer accounts, 119–121, 119 for Product ID, 32, 32 for Remote Assistance, 237, 237, 517 for Remote Desktop, 229, 230 for Windows XP Professional, 30 system recovery, 142 backups for. See backups exam essentials, 186 key terms, 186 review question answers, 193–194 review questions, 187–192 safeguarding computers, 142–143 shadow copies for. See shadow copies summary, 185–186 System root security (rootsec.inf) template, 339 System Services security templates item, 339 System Settings category, 330 System Settings Change page, 205 System State data backing up, 148–151, 687 defined, 804 restoring, 689, 694–701, 696–700 Systems Management Server (SMS), 371 SYSVOL directory, backing up, 149, 687
T Take Ownership Of Files Or Other Objects right, 329 tampering defined, 804 IPSec for, 465
Tasks To Delegate page, 727, 727 _tcp domain, 264 TCP/IP (Transmission Control Protocol/ Internet Protocol), 601 defined, 805 testing, 605, 606 TCP ports for websites, 173 Telephone connections, 223 Telephones tab, 100, 101 TelnetClients group, 111 templates administrative, 317, 720–722, 722 for certificates, 543–544 configuring, 560–564, 561–564 in PKI, 733 security, 61 creating, 338–340, 342 defined, 802 importing, 337–340, 342 for user accounts, 103–104 Terminal Server License Servers group, 109 Terminal Server mode, 197–198 defined, 804 maximizing services in, 227 Terminal Server Setup page, 204–205, 204–205 Terminal Server User group, 113 Terminal Services, 196–197 benefits of, 198–200 clients for, 201, 804 components of, 201 configuring, 201–202 client applications, 202 hardware requirements, 202–203 Terminal Services Configuration Utility for. See Terminal Services Configuration Utility (TSCC.msc) improvements and enhancements to, 200–201 licensing, 220–224, 222–224 modes for, 197–198 new features for, 10
Terminal Services Configuration Utility (TSCC.msc) – Trust List Signing template
servers for, 201, 364 applications on, 225–226 defined, 804 installing, 203–205, 204–205 Terminal Services Configuration Utility for, 215–216, 215 troubleshooting, 226–227 Terminal Services Configuration Utility (TSCC.msc), 200, 206, 206, 511 Client Settings tab, 210–211, 211 defined, 804 Environment tab, 208–209, 209 General tab, 206–208, 206 Logon Settings tab, 208, 208 Network Adapter tab, 211, 212 Permissions tab, 212–213, 213 Remote Control tab, 210, 210 for server settings, 215–216, 215 Sessions tab, 208–209, 209 Terminal Services users, 216–218, 217–218 Terminal Services Group Policies, 511 Terminal Services License Activation Wizard, 223–224, 223–224 Terminal Services Licensing Setup dialog box, 222, 222 Terminal Services Licensing utility, 199 Terminal Services Manager utility, 200 defined, 804 purpose of, 511 working with, 219–220, 219 Terminal Services Profile tab, 218, 218 Test Group Properties dialog box, 116 testing packages, 768 TGSs (ticket-granting services) defined, 804 for Kerberos, 323, 472 TGTs (ticket-granting tickets) defined, 804 for Kerberos, 323, 472 thin clients, 196, 804 32-bit editions, 13 ticket-granting services (TGSs) defined, 804 for Kerberos, 323, 472
853
ticket-granting tickets (TGTs) defined, 804 for Kerberos, 323, 472 Time Out For Dialog Boxes policy, 332 time to live (TTL) in DNS queries, 262–263 in SOA records, 256, 275 timeouts Terminal Services for, 200 for websites, 173 To Any Server setting, 277 top-Level DNS domains, 252–253, 804 TRACERT utility, 606 traditional DNS zone files, 387–388, 805 transformation (MST) files, 750, 805 transitive trusts, 648–649, 648, 805 Transitivity Of Trust page, 652, 652 Transmission Control Protocol/Internet Protocol (TCP/IP), 601 defined, 805 testing, 605, 606 Transport mode in IPSec, 464, 500–501, 500–501, 805 trees creating, 633–640, 634–640 joining to forests, 640–644, 641–644 planning, 629–633, 630, 632 Trojan horses, 309 troubleshooting computer accounts, 125–126 DNS, 289–294 Group Policy, 736–737 gpresult.exe for, 744–745 RSoP in Logging mode, 737–741 RSoP in Planning mode, 741–744, 742–743 IIS, 184–185 logon performance problems, 745–746 MBSA, 375 software deployment, 768–772 Terminal Services, 226–227 user authentication, 105–106 Trust List Signing template, 544
854
Trust Name page – US domain
Trust Name page, 651, 651 Trust Password page, 653, 653 Trust Selections Complete page, 653, 653 Trust This Computer For Delegation To Any Service option, 123 Trust This Computer For Delegation To Specified Services Only option, 123 Trust Type page, 651, 651 Trusted Root Certification Authorities folder, 565–566, 574 trusts for CAs, 565–572, 567–568, 570–571 for forests, 313, 609 in multiple domains, 648–653, 648, 650–653 Trusts tab, 650, 650 TTL (time to live) in DNS queries, 262–263 in SOA records, 256, 275 TTL For This Record field, 275 Tunnel Endpoint page, 506, 506 tunnel endpoints defined, 805 in IPSec, 474 Tunnel mode in IPSec, 464 configuring, 501–509, 502–508 defined, 805 Tunnel Setting tab, 493, 503, 503 Tunnel To B Properties dialog box, 505, 505 Turn Off Background Refresh Of Group Policy policy, 334 two-way trusts, 648–649, 648, 805 Type indicator for zones, 274 types, group, 106–107, 670–671, 792
U UDDI (Universal Description, Discovery and Integration) services, 11 _udp domain, 264
UK domain, 253 unassigning IPSec policies, 488 Unicast mode, 443 Uninstall The Applications When They Fall Out Of The Scope Of Management option, 764 Universal Description, Discovery and Integration (UDDI) services, 11 universal groups, 107, 310 defined, 805 working with, 671–673 Universal Groups functional level, 313, 608 Universal option, 114 Unknown Host error, 184 updates, 370 automatic, 48–49, 48 in Group Policy, 759–763, 760–762 in SUS, 58–59 exam essentials for, 67 group policies, 321 key terms for, 67 review question answers, 75–76 review questions, 68–74 software, 45–46 applying, 757–759, 757–758 MBSA for, 62–66 SUS for. See SUS (Software Update Services) Windows Automatic Updates, 48–49, 48 Windows Update for, 46–47 summary, 66–67 Upgrades tab, 758, 758 upgrading vs. clean installs, 16 DNS database files in, 265 servers to domain controllers, 20–23, 21–24, 26–27 UPN (User principal name) suffixes, 654, 655 UPN Suffixes tab, 655, 655 US domain, 253
Use Add Wizard option – users
Use Add Wizard option, 491–492, 498 Use An Existing Key option, 549 Use Session Key Perfect Forward Secrecy option, 499 Use Temporary Folders Per Session option, 215 Use The Catalogs On The Media To Speed Up Building Restore Catalogs On Disk option, 151 Use The Certificate Associated With This Key option, 549 Use These Security Settings option, 471 User Access permissions, 212–213 User Account And Domain Information dialog box, 31 User Account dialog box, 30–31 user accounts, 78–79, 308–310 account policies for. See account policies in Active Directory, 669 built-in users in, 79–80 creating, 82–89 defined, 784 deleting, 86–87 disabling, 86–87 expiration of, 93 lockouts, 92–93 passwords for, 80–82, 88–89 profiles for. See user profiles properties for, 89 Account tab, 91–93, 91 Address tab, 89, 90 Dial-in tab, 102, 103 General tab, 89 Member Of tab, 102, 102 Organization tab, 101, 101 Profile tab, 93, 94–100 Telephones tab, 100, 101 renaming users, 87–88 Run As option, 104–105 security identifiers for, 82 templates for, 103–104 troubleshooting user authentication, 105–106 usernames for, 80–82
855
User And Computer Selection page, 742, 742 User Cannot Change Password option, 84, 93 User Certificate-Identifying Information page, 582 user certificates, enrolling in Group Policy, 732–734, 734 User Group Policy Loopback Processing Mode policy, 335 user interface options for packages, 763 User Logon Name field, 83 User Must Change Password At Next Logon option, 84, 93 User Network Options settings, 731, 732 /USER option in gpresult.exe, 744 User or Group field, 119 User principal name (UPN) suffixes, 654, 655 user profiles, 93, 94 copying, 99 defined, 805 for home folders, 100 local, 94–95 for logon scripts, 99–100 mandatory, 99 policies for, 332–333, 805 roaming, 95–98, 96–97 User Profiles dialog box, 96, 96, 98 user rights assignment, 805 in authentication, 105 policies for, 326–329, 805 User Security Groups page, 743, 743 User Selection page, 738, 738, 741 User Signature Only template, 544 User template, 544 usernames in authentication, 105 security identifiers for, 82 for user accounts, 80–82 users accounts for. See user accounts authenticating, 105–106
856
Users folder – web services
automation for, 130–131 exam essentials, 132–133 group membership of, 102, 102 IIS access control for, 164 importing, 131–132 key terms, 133 locating, 126–127 profiles for. See user profiles renaming, 87–88 review question answers, 139–140 review questions, 134–138 summary, 132 Users folder, 109–111 Users group, 109 UseWUServer key, 58
Virtual Private Networking (VPN) with IPSec, 463 in Remote Desktop, 229 for RRAS, 364 virtual servers defined, 806 in server clusters, 423 virus scanners with SUS, 51 viruses and administrators, 309 volume shadow copies, 162, 806 VPN (Virtual Private Networking) with IPSec, 463 in Remote Desktop, 229 for RRAS, 364 Vssadmin utility, 162
V
W
/V option in gpresult.exe, 744 Validity Period field, 549 Verify Caller ID option, 102 Verify Data After The Backup Completes option, 152 verifying Active Directory installation, 615 administrative tools for, 618, 618 clients for, 618–620, 619 Event Viewer for, 615–617, 616 connectivity in Active Directory installation, 605–607, 619 in software deployment, 769 DNS configuration, 604 file system, 604–605 software installation, 759 website content locations, 185 website permissions, 185 View Certificate option, 549 View CRLs tab, 570, 571 View Installation History option, 47 View Security Report dialog box, 65, 65 View The Status Of A Pending Certificate Request task, 581
Wait For Remote User Profile policy, 332 WAN access, 605 WBTs (Windows-based terminals), 196, 199 weak group affinity, 433 weak passwords, MBSA for, 64 Web Browser connections, 223 Web Edition features in, 12–13 hardware requirements for, 14–15 Web enrollment agents, 580–582, 581–582 Web Server Certificate Wizard, 180 web services exam essentials, 186 IIS. See IIS (Internet Information Server) key terms, 186 review question answers, 193–194 review questions, 187–192 strategies for, 367–368 summary, 185–186 websites. See websites
Web Site Access Permissions dialog box – Windows Media Services
Web Site Access Permissions dialog box, 169, 171 Web Site Creation Wizard, 169 Web Site Description dialog box, 169, 170 Web Site Home Directory dialog box, 169, 170 Web Site Properties dialog box, 182 Web Site tab, 172–173, 172 websites configuring, 171–172 Custom Errors tab, 181–182, 182 default properties, 182, 183 Directory Security tab, 177–180, 178 Documents tab, 177, 178 Home Directory tab, 175–177, 176 HTTP Headers tab, 180–181, 181 ISAPI Filters tab, 175, 175 Performance tab, 173–175, 174 Web Site tab, 172–173, 172 creating, 168–171, 170–171 permissions for, 176–177, 185 weight field, 259 Welcome To Setup screen, 18, 25, 29 Welcome To The Active Directory Installation Wizard, 21, 26, 611 Welcome To The Backup Or Restore Wizard page, 144, 144 Welcome To The Backup Utility Advanced Mode dialog box, 144, 148–150, 149 Welcome To The Backup Wizard dialog box, 149–150 Welcome To The Create IP Security Rule Wizard, 505, 505 Welcome To The Microsoft Software Update Services Setup Wizard screen, 51 Welcome To Windows dialog box, 30 Welcome To Windows Update dialog box, 46–47
857
What To Back Up page, 145, 145, 148–149, 150, 690, 690 What To Restore page, 696, 696 Where To Restore page, 697, 697 wildcard characters in nslookup, 291 Windir folder, 226 \Windir\Help\IisHelp directory, 166 \Windir\System32\Inetsrv directory, 166 Windows.adm administrative template, 720 Windows Authorization Access Group, 109 Windows Automatic Updates, 48–49, 48 Windows Backup. See Backup utility Windows-based terminals (WBTs), 196, 199 Windows Components dialog box, 166 Windows Components Wizard for Configure Your Server Wizard, 367for CAs, 547–551, 548–550 for Terminal Services, 204–205, 204–205 for Terminal Services Licensing, 222, 222 Windows file protection policies, 335–336, 806 Windows Installer, 747–748 benefits of, 748–750 defined, 806 file types in, 750–751 settings, 767–768 Windows Installer package (MSI) files, 750, 751, 806 Windows Internet Name Service (WINS) servers integrating DNS with, 392–394 purpose of, 363 Windows License Agreement dialog box, 18, 25 Windows Management Instrumentation (WMI), 446 Windows Management Instrumentation (WMI) Print Provider, 361 Windows Media Services, 11
858
Windows NT Server migration – zone transfers
Windows NT Server migration, 386 Windows Script Host (WSH) defined, 806 for script policies, 729–730 Windows Server 2003 Client Access licenses, 221 Windows Server 2003 features, 4–5 Active Directory, 5–6 application services, 8–9 family, 11–13 file and print services, 6–7 Internet Information Server (IIS), 10 management services, 9 networking and communications, 8 security, 7–8 storage management services, 9–10 terminal services, 10 UDDI services, 11 Windows Media Services, 11 Windows Server 2003 functional levels, 607 Windows Server 2003 licenses, 221 Windows Server 2003 Terminal Services Client Access licenses, 221 Windows Terminal Services Internet Connector licenses, 221 Windows Update, 46–47, 806 windows vulnerabilities, MBSA for, 63 Windows XP Professional, 27–31 Winnt.adm template, 720 WINS (Windows Internet Name Service) servers integrating DNS with, 392–394 purpose of, 363 Wins_ip_addresses field, 393 WINS resource records, 392–393, 806 WINS-R resource records, 393, 806 WINS tab, 276, 276, 278 WINS Users group, 111 Wizard Summary dialog box, 580 WMI (Windows Management Instrumentation), 446
WMI (Windows Management Instrumentation) Print Provider, 361 WMI Filters For Users page, 743, 743 Wmplayer.adm template, 317, 721 Work At Home Windows Terminal Services Client Access licenses, 221 Workgroup And Computer Domain dialog box, 30 Workgroup Or Computer Domain dialog box, 20, 26 World Wide Web (WWW) service, 163 Write permission for Active Directory, 675 for websites, 176 WSH (Windows Script Host) defined, 806 for script policies, 729–730 Wuau.adm template, 61, 317, 721, 763 WWW (World Wide Web) service, 163
X X.500/LDAP-compliant certificate directories, 541 X.509 format, 584
Y Your Product Key dialog box, 19, 26, 29
Z /Z option in gpresult.exe, 745 ZIP (initialization) files, 750 Zone File page, 270, 271 zone transfers, 253 characteristics of, 264–265 defined, 807 operation of, 395–396 securing, 397
Zone Transfers tab – zones
Zone Transfers tab, 277, 277, 397 zones, 254, 387 Active Directory-Integrated, 255, 265, 389 characteristics of, 389 data location for, 388–389 database files for, 259–261 default permissions for, 390–391 defined, 807 delegating, 279–280, 280, 397–399, 807 for dynamic updates, 278–279 forward lookup, 269–273, 271–272 integrating DNS and WINS, 392–394
859
planning, 602 properties for General tab, 274, 274 Name Servers tab, 275–276, 276 Security tab, 273 Start Of Authority (SOA) tab, 275, 275 WINS tab, 276, 276 Zone Transfers tab, 277, 277, 397 secondary, 271, 387–389, 395 securing, 389–392 for server clusters, 426–427, 427 strategy for, 391–392 types, 387–388