MCSE: Windows 2000 Migration Study Guide (Exam 70-222)

MCSE: Windows® 2000 Migration Study Guide Todd Phillips with Quentin Docter and Robert King SYBEX® MCSE: Windows 200...

Author: Todd Phillips | Quentin Docter | Robert King

28 downloads 877 Views 6MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

MCSE: Windows® 2000 Migration Study Guide

Todd Phillips with Quentin Docter and Robert King

SYBEX®

MCSE: Windows 2000 Migration Study Guide

Copyright ©2001 SYBEX , Inc., Alameda, CA

www.sybex.com

MCSE: Windows® 2000 Migration Study Guide

Todd Phillips with Quentin Docter and Robert King

San Francisco • Paris • Düsseldorf • Soest • London Copyright ©2001 SYBEX , Inc., Alameda, CA

www.sybex.com

Associate Publisher: Neil Edde Contracts and Licensing Manager: Kristine O’Callaghan Acquisitions and Developmental Editor: Elizabeth Hurley Editor: Linda Recktenwald Production Editors: Elizabeth Campbell, Lisa Duran, Judith Hibbard, Kelly Winquist Technical Editors: Glenn Fincher, Robert Gradante, Don Fuller Book Designer: Bill Gibson Graphic Illustrator: Tony Jonick Electronic Publishing Specialists: Judy Fung, Jill Niles, Nila Nichols Proofreaders: Nancy Riddiough, Nelson Kim, Laurie O'Connell, Sarah Tannehill, Ted Pushinsky Indexer: Lynnzee Elze CD Coordinator: Kara Eve Schwartz CD Technician: Keith McNeil Cover Designer: Archer Design Cover Photographer: Natural Selection Copyright © 2001 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 00-106413 ISBN: 0-7821-2768-1 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, © 1994, 1997-1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. Microsoft® Internet Explorer © 1996 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows NT, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1


www.sybex.com

To Our Valued Readers: In recent years, Microsoft’s MCSE program has established itself as the premier computer and networking industry certification. Nearly a quarter of a million IT professionals have attained MCSE status in the NT 4 track. Sybex is proud to have helped thousands of MCSE candidates prepare for their exams over these years, and we are excited about the opportunity to continue to provide people with the skills they’ll need to succeed in the highly competitive IT industry. For the Windows 2000 MCSE track, Microsoft has made it their mission to demand more of exam candidates. Exam developers have gone to great lengths to raise the bar in order to prevent a papercertification syndrome, one in which individuals obtain a certification without a thorough understanding of the technology. Sybex welcomes this new philosophy as we have always advocated a comprehensive instructional approach to certification courseware. It has always been Sybex’s mission to teach exam candidates how new technologies work in the real world, not to simply feed them answers to test questions. Sybex was founded on the premise of providing technical skills to IT professionals, and we have continued to build on that foundation, making significant improvements to our study guides based on feedback from readers, suggestions from instructors, and comments from industry leaders. The depth and breadth of technical knowledge required to obtain Microsoft’s new Windows 2000 MCSE is staggering. Sybex has assembled some of the most technically skilled instructors in the industry to write our study guides, and we’re confident that our Windows 2000 MCSE study guides will meet and exceed the demanding standards both of Microsoft and you, the exam candidate. Good luck in pursuit of your MCSE!

Neil Edde Associate Publisher—Certification Sybex, Inc.

SYBEX Inc. 1151 Marina Village Parkway, Alameda, CA 94501 Tel: 510/523-8233 Fax: 510/523-2373 HTTP://www.sybex.com Copyright ©2001 SYBEX , Inc., Alameda, CA

www.sybex.com

Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.

available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:

The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the "Owner(s)"). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.

SYBEX Inc. Customer Service Department 1151 Marina Village Parkway Alameda, CA 94501 (510) 523-8233 Fax: (510) 523-2373 e-mail: [email protected] WEB: HTTP://WWW.SYBEX.COM

In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time. Reusable Code in This Book The authors created reusable code in this publication expressly for reuse for readers. Sybex grants readers permission to reuse for any purpose the code found in this publication or its accompanying CD-ROM so long as all three authors are attributed in any application containing the reusable code, and the code itself is never sold or commercially exploited as a stand-alone product. Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate readme files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s). Warranty SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not

After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX. Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions. Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files. Copy Protection The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.


www.sybex.com

I dedicate nearly everything I do to my wife and son, and the rest of our family for their loving support, and so this book is dedicated to them. But I also wish to dedicate this work to my students wherever they may be and hope that this humble offering helps them to attain their goals.


www.sybex.com

Acknowledgments

I would like to thank all of the wonderful people at Sybex for their support during this difficult process. Most especially, I would like to thank Neil Edde for giving me the opportunity to write this book; Elizabeth Hurley for her unwavering support in the face of adversity; also Judith Hibbard, Lisa Duran, Elizabeth Campbell, Linda Recktenwald, Judy Fung, and my wonderful technical editors Glenn Fincher, Robert Gradante, and Don Fuller. I'm sorry if I’ve missed anyone, as this was a huge undertaking and many talented people were involved at the various steps along the way. I sincerely hope that I will have the opportunity to work with all of you again in the future.


www.sybex.com

Introduction

Microsoft’s new Microsoft Certified Systems Engineer (MCSE) track for Windows 2000 is the premier certification for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, the new MCSE certification is a powerful credential for career advancement. This book has been developed, in cooperation with Microsoft Corporation, to give you the critical skills and knowledge you need to prepare for one of the elective requirements of the new MCSE certification program for Windows 2000 Server. You will find the information you need to acquire a solid understanding of Windows 2000 Server migration, to prepare for Exam #70-222, Migrating from Microsoft® Windows NT® 4.0 to Microsoft® Windows® 2000, and to progress toward MCSE certification.

Why Become Certified in Windows 2000? As the computer network industry grows in both size and complexity, the need for proven ability is increasing. Companies rely on certifications to verify the skills of prospective employees and contractors. Whether you are just getting started or are ready to move ahead in the computer industry, the knowledge, skills, and credentials you have are your most valuable assets. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. The MCP credential for professionals who work with Microsoft Windows 2000 networks is the new MCSE certification. Over the next few years, companies around the world will deploy millions of copies of Windows 2000 as the central operating system for their missioncritical networks. This will generate an enormous need for qualified consultants and personnel to design, deploy, and support Windows 2000 networks. Windows 2000 is a huge product that requires professional skills of its administrators. Consider that Windows NT 4 has about 12 million lines of code, while Windows 2000 has more than 35 million! Much of this code is needed to deal with the wide range of functionality that Windows 2000 offers.


www.sybex.com

Introduction

xxiii

Windows 2000 actually consists of several different versions: Windows 2000 Professional The client edition of Windows 2000, which is comparable to Windows NT 4 Workstation 4, but also includes the best features of Windows 98 and many new features. Windows 2000 Server/Windows 2000 Advanced Server A server edition of Windows 2000 for small to mid-sized deployments. Advanced Server supports more memory and processors than Server does. Windows 2000 Datacenter Server A server edition of Windows 2000 for large, wide-scale deployments and computer clusters. Datacenter Server supports the most memory and processors of the three versions. With such an expansive operating system, companies need to be certain that you are the right person for the job being offered. The MCSE is designed to help prove that you are.

As part of its promotion of Windows 2000, Microsoft has announced that MCSEs who have passed the Windows NT 4 core exams must upgrade their certifications to the new Windows 2000 track by December 31, 2001, to remain certified. The Sybex MCSE Study Guide series covers the full range of exams required for either obtaining or upgrading your certification. For more information, see the “Exam Requirements” section later in this Introduction.

Is This Book for You? If you want to acquire a solid foundation in migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp. If you want to become certified as an MCSE, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows 2000, this book is not for you. This book is written for those who want to acquire hands-on skills and in-depth knowledge of Windows 2000. If your goal is to prepare for the exam by learning how to use and manage the new operating system, this book is for you. It will help you to achieve the high level of professional competency you need to succeed in this field.


www.sybex.com

xxiv

Introduction

What Does This Book Cover? This book contains detailed explanations, hands-on exercises, and review questions to test your knowledge. Think of this book as your complete guide to Windows 2000 Server migration issues. It begins by covering the most basic concepts, such as planning and preparing for the migration. Next, you will learn how to perform important tasks, including:

Setting up target domains

Performing domain upgrades as well as intra-forest and inter-forest migrations

Using migration tools

Backing out of a troubled migration

You also learn how to configure aspects of the Windows 2000 operating system configure protocols and network services, and troubleshoot your migration. Throughout the book, you will be guided through hands-on exercises, which give you practical experience for each exam objective. At the end of each chapter, you’ll find a summary of the topics covered in the chapter, which also includes a list of the key terms used in that chapter. The key terms represent not only the terminology that you should recognize, but also the underlying concepts that you should understand to pass the exam. All of the key terms are defined in the glossary at the back of the study guide. Finally, each chapter concludes with 20 review questions that test your knowledge of the information covered. Two practice exams are included on the CD that accompanies this book, as explained in the “What’s on the CD?” section at the end of this Introduction.

The topics covered in this book map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.


www.sybex.com

Introduction

xxv

How Do You Become an MCSE? Attaining MCSE certification has always been a challenge. However, in the past, individuals could acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, this simply will not be the case. To avoid the “paper-MCSE syndrome” (a devaluation of the MCSE certification because unqualified individuals manage to pass the exams), Microsoft has taken strong steps to protect the security and integrity of the new MCSE track. Prospective MSCEs will need to complete a course of study that provides not only detailed knowledge of a wide range of topics, but true skills derived from working with Windows 2000 and related software products. In the new MCSE program, Microsoft is heavily emphasizing hands-on skills. Microsoft has stated that, “Nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate time and effort with Windows 2000, you can prepare for the exams by using the proper tools. If you work through this book and the other books in this series, you should successfully meet the exam requirements.

Exam Requirements Successful candidates must pass a minimum set of exams that measure technical proficiency and expertise:

Candidates for MCSE certification must pass seven exams, including four core operating system exams, one design exam, and two electives.

Candidates who have already passed three Windows NT 4 exams (70-067, 70-068, and 70-073) may opt to take an “accelerated” exam plus one core design exam and two electives.


www.sybex.com

xxvi

Introduction

If you do not pass the accelerated exam after one attempt, you must pass the five core requirements and two electives.

The following tables show the exams a new certification candidate must pass. All of these exams are required: Exam # Title

Requirement Met

70-216

Implementing and Administering a Microsoft® Windows® 2000 Network Infrastructure

Core (Operating System)

70-210

Installing, Configuring, and Administering Microsoft® Windows® 2000 Professional


70-215

Installing, Configuring, and Administering Microsoft® Windows® 2000 Server


70-217

Implementing and Administering a Microsoft® Windows® 2000 Directory Services Infrastructure


One of these exams is required: Exam # Title

Requirement Met

70-219

Designing a Microsoft® Windows® 2000 Directory Services Infrastructure

Core (Design)

70-220

Designing Security for a Microsoft® Windows® 2000 Network

Core (Design)

70-221

Designing a Microsoft® Windows® 2000 Network Infrastructure

Core (Design)


www.sybex.com

Introduction

xxvii

Two of these exams are required: Exam #

Title

Requirement Met

70-219

Designing a Microsoft® Windows® 2000 Directory Services Infrastructure

Elective

70-220

Designing Security for a Microsoft® Windows® 2000 Network

Elective

70-221

Designing a Microsoft® Windows® 2000 Network Infrastructure

Elective

70-222

Migrating from Microsoft® Elective Windows NT® 4.0 to Microsoft® Windows® 2000

Any current MCSE electives

Exams cover topics such as Exchange Server, SQL Server, Systems Management Server, Internet Explorer Administrators Kit, and Proxy Server (new exams are added regularly)

Elective

For a more detailed description of the Microsoft certification programs, including a list of current MCSE electives, check Microsoft’s Training and Certification Web site at www.microsoft.com/trainingandservices.


www.sybex.com

xxviii

Introduction

The Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 Exam The Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 exam covers concepts and skills required for migrating Windows NT 4.0 computers to Windows 2000 computers. It emphasizes the following areas of support:

Standards and terminology

Planning

Implementation

Troubleshooting

This exam can be quite specific regarding Windows 2000 requirements and operational settings, and it can be particular about how administrative tasks are performed in the operating system. It also focuses on fundamental concepts relating to Windows NT 4.0’s and Windows 2000’s operation. Careful study of this book, along with hands-on experience, will help you prepare for this exam.

Microsoft provides exam objectives to give you a very general overview of possible areas of coverage of the Microsoft exams. For your convenience, we have added in-text objectives listings at the points in the text where specific Microsoft exam objectives are covered. However, exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s Training and Certification Web site (www.microsoft.com/ trainingandservices) for the most current exam objectives listing.

Types of Exam Questions In the previous tracks, the formats of the MCSE exams were fairly straightforward, consisting almost entirely of multiple-choice questions appearing in a few different sets. Prior to taking an exam, you knew how many questions you would see and what type of questions would appear. If you had purchased the right third-party exam preparation products, you could even be quite familiar with the pool of questions you might be asked. As mentioned earlier, all of this is changing.


www.sybex.com

Introduction

xxix

In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has introduced adaptive testing, as well as some new exam elements. You will not know in advance which type of format you will see on your exam. These innovations make the exams more challenging, and they make it much more difficult for someone to pass an exam after simply “cramming” for it.

Microsoft will be accomplishing its goal of protecting the exams by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.

Exam questions may be in multiple-choice, select-and-place, simulation, or case study-based formats. You may also find yourself taking an adaptive format exam. Let’s take a look at the exam question types and adaptive testing, so you can be prepared for all of the possibilities.

Multiple-Choice Questions Multiple-choice questions include two main types of questions. One is a straightforward type that presents a question, followed by several possible answers, of which one or more is correct. The other type of multiple-choice question is more complex. This type presents a set of desired results along with a proposed solution. You must then decide which results would be achieved by the proposed solution.

You will see many multiple-choice questions in this study guide and on the accompanying CD, as well as on your exam.

Case Study–Based Questions Case study–based questions first appeared in the Microsoft Certified Solution Developer program (Microsoft’s certification program for software programmers). Case study–based questions present a scenario with a range of requirements. Based on the information provided, you need to answer a series of multiple-choice and ranking questions. The interface for case study– based questions has a number of tabs that each contains information about the scenario.


www.sybex.com

xxx

Introduction

Adaptive Exam Format Microsoft presents many of its exams in an adaptive format. This format is radically different from the conventional format previously used for Microsoft certification exams. Conventional tests are static, containing a fixed number of questions. Adaptive tests change, or “adapt,” depending on your answers to the questions presented. The number of questions presented in your adaptive test will depend on how long it takes the exam to ascertain your level of ability (according to the statistical measurements on which the exam questions are ranked). To determine a test-taker’s level of ability, the exam presents questions in increasing or decreasing order of difficulty.

Unlike the previous test format, the adaptive format will not allow you to go back to see a question again. The exam only goes forward. Once you enter your answer, that’s it—you cannot change it. Be very careful before entering your answer. There is no time limit for each individual question (only for the exam as a whole.) Your exam may be shortened by correct answers (and lengthened by incorrect answers), so there is no advantage to rushing through questions.

How Adaptive Exams Determine Ability Levels As an example of how adaptive testing works, suppose that you know three people who are taking the exam: Herman, Sally, and Rashad. Herman doesn’t know much about the subject, Sally is moderately informed, and Rashad is an expert. Herman answers his first question incorrectly, so the exam presents him with a second, easier question. He misses that, so the exam gives him a few more easy questions, all of which he misses. Shortly thereafter, the exam ends, and he receives his failure report. Sally answers her first question correctly, so the exam gives her a more difficult question, which she answers correctly. She then receives an even more difficult question, which she answers incorrectly. Next, the exam gives her a somewhat easier question, as it tries to gauge her level of understanding. After numerous questions of varying levels of difficulty, Sally’s exam ends, perhaps with a passing score, perhaps not. Her exam included far more questions than were in Herman’s exam, because her level of understanding needed to be more carefully tested to determine whether or not it was at a passing level.


www.sybex.com

Introduction

xxxi

When Rashad takes his exam, he answers his first question correctly, so he is given a more difficult question, which he also answers correctly. Next, the exam presents an even more difficult question, which he also answers correctly. He then is given a few more very difficult questions, all of which he answers correctly. Shortly thereafter, his exam ends. He passes. His exam was short, about as long as Herman’s test. Benefits of Adaptive Testing Microsoft has begun moving to adaptive testing for several reasons:

It saves time by focusing only on the questions needed to determine a test-taker’s abilities. An exam that might take an hour and a half in the conventional format could be completed in less than half that time when presented in adaptive format. The number of questions in an adaptive exam may be far fewer than the number required by a conventional exam.

It protects the integrity of the exams. By exposing a fewer number of questions at any one time, it makes it more difficult for individuals to collect the questions in the exam pools with the intent of facilitating exam "cramming."

It saves Microsoft and/or the test-delivery company money by reducing the amount of time it takes to deliver a test.

Exam Question Development Microsoft follows an exam-development process consisting of eight mandatory phases. The process takes an average of seven months and involves more than 150 specific steps. The MCP exam development consists of the following phases: Phase 1: Job Analysis Phase 1 is an analysis of all of the tasks that make up a specific job function, based on tasks performed by people who are currently performing that job function. This phase also identifies the knowledge, skills, and abilities that relate specifically to the performance area to be certified.


www.sybex.com

xxxii

Introduction

Phase 2: Objective Domain Definition The results of the job analysis provide the framework used to develop objectives. The development of objectives involves translating the job-function tasks into a comprehensive set of more specific and measurable knowledge, skills, and abilities. The resulting list of objectives—the objective domain—is the basis for the development of both the certification exams and the training materials. Phase 3: Blueprint Survey The final objective domain is transformed into a blueprint survey in which contributors are asked to rate each objective. These contributors may be past MCP candidates, appropriately skilled exam development volunteers, or Microsoft employees. Based on the contributors’ input, the objectives are prioritized and weighted. The actual exam items are written according to the prioritized objectives. Contributors are queried about how they spend their time on the job. If a contributor doesn’t spend an adequate amount of time actually performing the specified job function, his or her data is eliminated from the analysis. The blueprint survey phase helps determine which objectives to measure, as well as the appropriate number and types of items to include on the exam. Phase 4: Item Development A pool of items is developed to measure the blueprinted objective domain. The number and types of items to be written are based on the results of the blueprint survey. Phase 5: Alpha Review and Item Revision During this phase, a panel of technical and job-function experts reviews each item for technical accuracy, then answers each item, reaching a consensus on all technical issues. Once the items have been verified as technically accurate, they are edited to ensure that they are expressed in the clearest language possible. Phase 6: Beta Exam The reviewed and edited items are collected into beta exams. Based on the responses of all beta participants, Microsoft performs a statistical analysis to verify the validity of the exam items and to determine which items will be used in the certification exam. Once the analysis has been completed, the items are distributed into multiple parallel forms, or versions, of the final certification exam. Phase 7: Item Selection and Cut-Score Setting The results of the beta exams are analyzed to determine which items should be included in the certification exam based on many factors, including item difficulty and


www.sybex.com

Introduction

xxxiii

relevance. During this phase, a panel of job-function experts determines the cut score (minimum passing score) for the exams. The cut score differs from exam to exam because it is based on an item-by-item determination of the percentage of candidates who answered the item correctly and who would be expected to answer the item correctly. Phase 8: Live Exam As the final phase, the exams are given to candidates. MCP exams are administered by Sylvan Prometric and Virtual University Enterprises (VUE).

Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to merely memorize exam questions passed along by previous test-takers.

Tips for Taking the Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 Exam Here are some general tips for taking the exam successfully:

Arrive early at the exam center so you can relax and review your study materials. During your final review, you can look over tables and lists of exam-related information.

Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.

Answer all questions. Remember that the adaptive format will not allow you to return to a question. Be very careful before entering your answer. Because your exam may be shortened by correct answers (and lengthened by incorrect answers), there is no advantage to rushing through questions.

On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.

Use a process of elimination to get rid of the obviously incorrect answers first on questions that you’re not sure about. This method will improve your odds of selecting the correct answer if you need to make an educated guess.


www.sybex.com

xxxiv

Introduction

Exam Registration You may take the exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Sylvan Prometric at 800-755EXAM (755-3926), or call VUE at 888-837-8616. Outside the United States and Canada, contact your local Sylvan Prometric or VUE registration center. You should determine the number of the exam you want to take, and then register with the Sylvan Prometric or VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $100 each. Exams must be taken within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.

You may also register for your exams online at www.sylvanprometric.com or www.vue.com.

When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Sylvan Prometric or VUE. Microsoft requires certification candidates to accept the terms of a NonDisclosure Agreement before taking certification exams.

What’s on the CD? With this new book in our best-selling MCSE study guide series, we are including quite an array of training resources. On the CD are numerous simulations, practice exams, and flashcards to help you study for the exam. Also included are the entire contents of the study guide. These resources are described in the following sections.


www.sybex.com

Introduction

xxxv

The Sybex Ebook for MCSE: Windows 2000 Migration Study Guide Many people like the convenience of being able to carry their whole study guide on a CD. They also like being able to search the text to find specific information quickly and easily. For these reasons, we have included the entire contents of this study guide on a CD, in PDF format. We’ve also included Adobe Acrobat Reader, which provides the interface for the contents, as well as the search capabilities.

The Sybex MCSE Edge Tests The Edge Tests are a collection of multiple-choice questions that can help you prepare for your exam. Features:

Bonus questions specially prepared for this edition of the study guide, including 100 questions that appear only on the CD

All of the questions from the study guide presented in a test engine for your review

A sample screen from the Sybex MCSE Edge Tests is shown below.


www.sybex.com

xxxvi

Introduction

Sybex MCSE Flashcards for PCs and Palm Devices The “flashcard” style of exam question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 exam. The Sybex MCSE Flashcards set consists of more than 130 questions presented in a special engine developed specifically for this study guide series. The Sybex MCSE Flashcards interface is shown below.

Because of the high demand for a product that will run on Palm devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).

How Do You Use This Book? This book can provide a solid foundation for the serious effort of preparing for the Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 exam. To best benefit from this book, you may wish to use the following study method: 1. Study each chapter carefully. Do your best to fully understand the

information. 2. Complete all hands-on exercises in the chapter, referring back to the

text as necessary so that you understand each step you take.


www.sybex.com

Introduction

xxxvii

3. Answer the review questions at the end of each chapter. If you would

prefer to answer the questions in a timed and graded format, install the Edge Tests from the CD that accompanies this book and answer the chapter questions there instead of in the book. 4. Note which questions you did not understand and study the corre-

sponding sections of the book again. 5. Make sure you complete the entire book. 6. Before taking the exam, go through the training resources included on

the CD that accompanies this book. Try the adaptive version that is included with the Sybex MCSE Edge Test. Review and sharpen your knowledge with the MCSE Flashcards.

In order to complete the exercises in this book, your hardware should meet the minimum hardware requirements for Windows 2000. See Chapter 4 for the minimum and recommended system requirements.

To learn all of the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!

Contacts and Resources To find out more about Microsoft Education and Certification materials and programs, to register with Sylvan Prometric or VUE, or to get other useful information, check the following resources. Microsoft Certification Development Team www.microsoft.com/trainingandservices Contact the Microsoft Certification Development Team through their Web site to volunteer for one or more exam development phases or to report a problem with an exam. Address written correspondence to: Certification Development Team Microsoft Education and Certification One Microsoft Way Redmond, WA 98052


www.sybex.com

xxxviii

Introduction

Microsoft TechNet Technical Information Network www.microsoft.com/technet/subscription/about.htm (800) 344-2121 Use this Web site or number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information. Microsoft Training and Certification Home Page www.microsoft.com/trainingandservices This Web site provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification. Palm Pilot Training Product Development: Land-J www.land-j.com (407) 359-2217 Land-J Technologies is a consulting and programming business currently specializing in application development for the 3Com PalmPilot Personal Digital Assistant. Land-J developed the Palm version of the Edge Tests, which is included on the CD that accompanies this study guide. Sylvan Prometric www.sylvanprometric.com (800) 755-EXAM Contact Sylvan Prometric to register to take an MCP exam at any of more than 800 Sylvan Prometric Testing Centers around the world. Virtual University Enterprises (VUE) www.vue.com (888) 837-8616 Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers.


www.sybex.com

Assessment Test 1. What does DNS stand for? A. The Danish Network Society B. The Domain Name Service C. The Domain Name System D. Downsize Network Staff 2. When upgrading NT to Windows 2000 you could install a dual boot,

or you could format and start over on a computer. A. True B. False 3. You are concerned about providing a way to fall back to a stable NT 4

environment in case the network migration fails. What is the best way to do this? A. Hold a backup domain controller in reserve that can be used to

restore the NT 4 configuration. B. Trust your tape backups to restore all of the information. C. Migrations don’t fail. Don’t worry about it. It’s only your job if

you fail. D. Don’t migrate to Windows 2000.


www.sybex.com

xl

Assessment Test

4. You are migrating your Windows NT network to a Windows 2000

network. The network has two master domains and three resource domains. Master domain Accts has 1500 users, and master domain Accts2 has 4500 users. The resource domains, from smallest to largest, are Research, Sales, and Technical. In which order should you upgrade the domains? A. Accts, Accts2, Technical, Sales, Research B. Accts2, Accts, Technical, Sales, Research C. Accts, Accts2, Research, Sales, Technical D. Accts2, Accts, Research, Sales, Technical 5. When installing Windows 2000 on a single computer, who has per-

mission to run the Setup program? A. Only an IT supervisor B. Helpdesk staff C. Only a member of the local administrators D. Anyone staff member with server access 6. Your migration plan for Windows 2000 calls for existing computers

to be upgraded. You are concerned about the suite of applications already installed on the computers. How can you determine if these applications are compatible with Windows 2000? A. Download and run the Readiness Analyzer utility. B. Check with the manufacturer of the application for compatibility

information. C. Browse Microsoft’s Web site for information. D. Talk to other people who have already run the applications on

Windows 2000.


www.sybex.com

Assessment Test

xli

7. Which of the following folders cannot be redirected using Folder

Redirection? A. My Documents B. Application Data C. Start Menu D. Program Files 8. You have a user on your network who reports that she is unable to

connect to a server. When you investigate, you discover that you cannot ping by name, but that you can get a response when you ping by IP address. What is the problem? A. The server is only intermittently available. B. Name resolution is failing. C. You probably used the wrong name the first time. D. When you use a server name to connect, it requires NetBEUI for

the communication. 9. What Active Directory object enables you to distribute administration

without giving up central control of the network? A. Forest B. Tree C. Organization unit D. Object 10. A user in your organization is unable to receive the standard logon

script. What should you verify first when troubleshooting this problem? A. That the user’s computer is plugged in B. That the user can connect to the domain controller C. That the user has the Logon to Domain permission D. That the user is logging on to the domain


www.sybex.com

xlii

Assessment Test

11. If a user is unable to log on to your Windows 2000 domain, what

is another step you can have him try to make sure his credentials are correct? A. Have the user log on with his UNC. B. Have him type more slowly. C. Have the user log on with his UPN. D. Type the domain information and user name for the user. 12. Which Windows 2000 command will enable you to verify that you

have an IP address configured? A. netdom B. tracert C. ipconfig D. ping 13. You have an NT 4 network using the Single Master Domain model. You

have decided to convert this structure to a single domain as part of the migration to Windows 2000. What type of migration will accomplish this with the least amount of effort? A. Upgrade and restructure B. Restructure instead of upgrade C. Post-migration restructure D. Migration and restructure


www.sybex.com

Assessment Test

xliii

14. You want to upgrade your computer running NT 4 to Windows 2000,

but you receive a message telling you that you do not have permission to run the Setup program. Why not? A. You must be logged on as a user with administrative permissions

to perform the setup. B. You must be logged on with a domain Admin account. C. You must be logged on with a normal user account to perform the

setup. D. Your user account must have the logon as a batch job to perform

the setup. 15. You are trying to replicate your Dfs topology information to Active

Directory, but the option is unavailable. What is the most likely reason for this? A. The Global Catalog server is unavailable. B. The DNS server doesn’t have the correct SRV record for your Dfs

server. C. The Dfs root is on a member server. D. You haven’t changed the Registry settings that control Active

Directory integration of Dfs. 16. True or false: You can have over 40,000 accounts in a Windows 2000

domain that is running in mixed mode. A. True B. False 17. What new feature of Windows 2000 preserves an account’s resource

access even after it is moved to a new location? A. Active Directory B. Microsoft Management Console C. SIDHistory D. ACLhistory


www.sybex.com

xliv

Assessment Test

18. Which server in an Active Directory environment keeps track of the

unique portions of Security Identifiers? A. The SID Master B. The RID Master C. The PDC D. One of the BDCs 19. You are testing the application compatibility of the program devel-

oped within your organization to monitor financial transactions. You discover that the program is incompatible with Windows 2000. Where can you go to gain a solution for this problem? A. Microsoft’s Web site. B. The manufacturer’s Web site. C. Your internal software development team. D. You will have to purchase a new version of the program. 20. Which tool enables you to boot to a command prompt and replace

corrupted Windows 2000 files? A. Emergency Repair B. Recovery Console C. Active Directory Recovery Mode D. Safe Mode 21. The Windows 2000 Domain Manager is also known as which tool? A. NETDOM B. Clonepr.dll C. ADMT D. ADSIEdit


www.sybex.com

Assessment Test

xlv

22. Target domains are useful for what functions in Windows 2000?

(Choose all that apply.) A. Restructuring B. Migrating C. Upgrading D. Reorganizing 23. Which Windows 2000 migration tool should you use to move user

accounts to the target domain without disrupting the original domain? A. ADMT B. ClonePrincipal C. NETDOM D. User Manager for Domains 24. How can you ensure that your users will still have access to their

resources during a migration to Windows 2000 and Active Directory? A. Use the Update Security Wizard. B. Do nothing; the Windows 2000 migration tools will set the

SIDHistory attribute automatically. C. Use the Transfer DACL Wizard. D. Use the Active Directory Files and Folders console. 25. Which Windows 2000 tool will assist you in testing basic network

connectivity? A. GPResult.exe B. Netdiag.exe C. GPOtool.exe D. Replmon.exe


www.sybex.com

xlvi

Assessment Test

26. You have successfully migrated all of your user accounts to the target

domain, but now users are reporting that they cannot receive e-mail. What is wrong? A. Your network has been hacked. B. Probably there’s an e-mail macro virus attacking Exchange. C. The password was reset on the Exchange service account when it

was migrated. D. I don’t know; it’s not my problem. 27. What is ClonePrincipal? A. One of several wizards in the ADMT management console tools

designed to help you migrate information from an NT 4 domain to your Windows Active Directory domain B. A collection of Visual Basic scripts that help copy objects to a new

Windows 2000 domain C. The strategy used to structure Active Directory to provide for fault

tolerance D. The trust that you establish between the source domain and the

target domain 28. How would you back up the Registry and Active Directory on a Win-

dows 2000 domain controller? A. Perform a full backup and include the Registry. B. Back up the System State. C. Use the Recovery Console to back up the Active Directory

database. D. Use the regback.exe utility from the Resource Kit.


www.sybex.com

Assessment Test

xlvii

29. What type of DNS resource records is most important to Windows 2000

Active Directory? A. Dynamic records B. MX records C. SRV records D. WINS records 30. You must have the Windows Internet Name Service installed in order

to use Active Directory. A. True B. False


www.sybex.com

xlviii

Answers to Assessment Test

Answers to Assessment Test 1. C. DNS is the Domain Name System. It is commonly, and mistakenly,

called the Domain Name Service, but that is incorrect. See Chapter 3 for more information. 2. A. The ability to upgrade from Windows 9x is new to Windows 2000.

Windows 2000 supports FAT32, which makes dual booting easy with either version of Windows, and the Windows 2000 Setup program knows how to upgrade the Windows Registry. See Chapter 1 for more information. 3. A. Using a BDC as a reserve is a good idea. It can be synchronized and

taken offline to provide a safe restore path. If it is needed, promote it to PDC and restore the other domain controllers by reinstalling them with NT 4 as BDCs. See Chapter 3 for more information. 4. B. You should upgrade account domains before resource domains.

When upgrading account domains, upgrade the domains with the most users first, unless there is a pressing need to do otherwise. When upgrading resource domains, choose either domains that have mission-critical applications or the largest domains first. See Chapter 2 for more information. 5. C. When installing Windows 2000 on a single computer, only a

member of the local administrators group can run the Setup program (winnt32.exe). Limiting access to just local administrators can be bypassed during unattended installations, but only administrators can perform a local upgrade. See Chapter 1 for more information. 6. A. While all of these answers have some validity, answer A would be

the best choice. You can run the Readiness Analyzer utility as a standalone application or during the setup of Windows 2000. The manufacturer of the application would undoubtedly have some information about its compatibility with Windows 2000. See Chapter 14 for more information.


www.sybex.com


xlix

7. D. The Program Files folder cannot be redirected but always remains

on the local computer. See Chapter 4 for more information. 8. B. If you can communicate with the server using the IP address but not

the name, the networking is functional but name resolution is failing. See Chapter 12 for more information. 9. C. You can designate as organizational units (OUs) sections of your

company to whom you want to delegate administrative control, while still being able to administer the entire network from the enterprise level. See Chapter 2 for more information. 10. B. Start with basic network troubleshooting. Can the user connect to

the domain controller? And if so, can they open a session by mapping a drive to the Sysvol folder? See Chapter 11 for more information. 11. C. Have the user log on with his user principal name (UPN), which

takes the form [email protected]. This form specifies the user account and the domain that houses the account. See Chapter 12 for more information. 12. C. The ipconfig command can be used to display your entire current

TCP/IP configuration for every network interface in the computer. See Chapter 10 for more information. 13. A. You could answer A, B, or C, but answer A would require the least

effort because it is easier to move security principals once the network is fully Windows 2000 and running in native mode. See Chapter 5 for more information. 14. A. Only a user account with administrative privileges on the local

computer can perform the upgrade to Windows 2000. See Chapter 10 for more information. 15. C. To replicate Dfs topology information, the Dfs root must be located

on a domain controller. See Chapter 13 for additional information.


www.sybex.com

l


16. False. In mixed mode, Windows 2000 must maintain compatibility

with NT, including the limitation of 40,000 accounts per domain. See Chapter 4 for more information. 17. C. SIDHistory is a new feature that maintains a record of the

account’s previous SID as well as the current SID. See Chapter 5 for more information. 18. B. The unique portion of a SID is the Relative Identifier (RID). The

RID Master is the one server in the forest that creates and maintains the pools of available RIDs that can be used to create new SIDs. See Chapter 9 for more information. 19. C. Since the program was developed internally in your organization,

you’ll have to turn to the developers within your organization to fix the incompatibility issue. See Chapter 14 for more information. 20. B. The Recovery Console boots the computer to a command prompt

with a subset of Windows 2000 commands to repair the system. See Chapter 8 for more information. 21. A. The Windows 2000 Domain Manager is Netdom.exe. See Chap-

ter 7 for more information. 22. A and B. Target domains are used in either migrating or restructuring

domains to give your security principals a place to move to. See Chapter 6 for more information. 23. B. ClonePrincipal copies accounts from the source domain to the target

domain without disrupting the original environment. It creates new SIDs for the accounts and stores the original SID in the SIDHistory attribute. See Chapter 7 for more information. 24. B. The SIDHistory attribute is a new feature of Active Directory

that keeps a copy of the old SID for every account that is moved or copied to Active Directory. This will enable your users to still maintain access to their resources during the migration. See Chapter 9 for more information.


www.sybex.com


li

25. B. Netdiag.exe can assist in verifying basic network connectivity in

Windows 2000 networks. See Chapter 11 for more information. 26. C. The Active Directory Migration Tool resets passwords on the

migrated user accounts. Either the service account for Exchange must be updated with the new password in Exchange, or the password must be changed back to what it was before the migration. See Chapter 5 for more information. 27. B. ClonePrincipal is a collection of scripts that copy objects from an

existing domain to a new Windows 2000 Active Directory. See Chapter 7 for more information. 28. B. Backing up the System State information backs up all configuration

information, including the Active Directory database. See Chapter 8 for more information. 29. C. SRV records identify well-known network services. Windows 2000

computers use these records to locate domain controllers for logons and authentications. See Chapter 13 for additional information. 30. B. WINS is not required for Windows 2000 or for Active Directory.

See Chapter 6 for more information.


www.sybex.com

Chapter

1

Planning for Deployment MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Evaluate the current environment.

Evaluate current hardware.

Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.

Evaluate application compatibility. Considerations include Web server, Microsoft BackOffice products, and line of business (LOB) applications.

Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.

Develop a domain upgrade strategy. Configure networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service. Develop an operating system upgrade path. Considerations may include operating system version and service packs.


www.sybex.com

S

uppose you’ve just been given that most enviable of projects: deploying a new network operating system. What will you do first? Why? A rollout project can be one of the most rewarding efforts of your professional life, or it can be a complete nightmare. The difference between the outcomes is the amount of planning you’re willing to put into the project. Windows 2000 includes several tools that will make the deployment easier, but the success of the project still hinges upon your planning. Toward that end, in this chapter we’ll look at some of the basics that you should cover in your plan. If you have had exposure to good project management practices, the idea of planning a deployment probably isn’t too frightening. If you haven’t…well, that’s what this chapter is for. One bit of advice, before you go any further: Watch out for “project creep.” This problem occurs with many large projects. You develop a solid plan and are entering the final testing phase when someone decides to add a few things to the scope of the project. “As long as you’re already deploying Windows 2000, why don’t we add Office 2000 at the same time?” I watched a client do this for almost a year and a half while trying to deploy Windows NT Workstation. To avoid this situation, get a buy-in from someone in power so his or her authority gives you the ability to say no. In this chapter, you will learn to prepare for upgrading your Windows NT 4 network to Windows 2000. Planning for an upgrade requires careful consideration of the hardware requirements, software needed, and how the upgrade will affect your current infrastructure. By carefully planning for the upgrade, you will ensure the greatest chances of success later. You will learn how to evaluate the current software and hardware present in your network and how Windows 2000 will affect that structure. We will discuss ways that the upgrade can affect the security of your network and how to properly assess application compatibility. We will also discuss how the upgrade will change the current network services in use.


www.sybex.com

Planning the Upgrade

3

Once we have covered the three basic areas, we will take a step back and learn how to effectively plan a successful upgrade procedure. We will finish by examining the possible upgrade paths for Windows 2000.


O

ne of the most noticeable features of Windows 2000 is its scalability. Whether you are planning an upgrade for a department server or rolling out Windows 2000 to a world-class data center, the basic planning elements are the same. It is critical to consider three important elements while doing so: your hardware, software, and infrastructure. It is also important to use a methodical approach to the planning phase. This will help you to avoid mistakes and to create contingency plans. When working with any complex system, such as an operating system, things can (and usually do) go wrong. Proper planning helps to minimize the consequences of those problems.

Microsoft Exam Objective

Evaluate the current environment.

Upgrade planning for an operating system normally falls into three basic areas: hardware, security, and application compatibility. Since we are discussing network servers, add network services to that list and you should have all the elements of a well-planned rollout. One of the very first questions you’ll ask in your planning phase is “Can our hardware run the new operating system?” Then you’ll need to determine the effects of the deployment on your existing security structures. And, of course, you’ll need to know if your applications will run on the new operating system. Windows 2000 will assist the use of newer hardware through the introduction of Plug and Play to the operating system. Another benefit is the introduction of the Windows Driver Model (WDM), in which there is one set of drivers for both Windows 98/Millennium and Windows 2000. This should make it very easy to add drivers for new hardware in your Windows 2000 computer.


www.sybex.com

4

Chapter 1

Planning for Deployment

There are four versions of Windows 2000 to consider: Professional, Server, Advanced Server, and Datacenter Server. Windows 2000 Professional is intended to be a business desktop operating system and contains optimizations that make it desirable for this role. Professional is an excellent choice for laptop computers with Plug and Play and support for the Advanced Configuration and Power Interface (ACPI). Windows 2000 introduces some new security features for networking. Some of my Unix friends are even impressed by the new network features of Windows 2000, something that was hard to imagine just a few months ago. Windows 2000 uses Kerberos security for all logon validations within a domain, an industry-standard security service that uses encrypted keys for validation. Another new feature is the inclusion of IP Security (IPSec) standards, which allow for various encryption schemes for data transmissions of TCP/IP. Windows 2000 has even addressed application compatibility. With the addition of DirectX 7.0A in the operating system, Windows 2000 will support more of today’s user applications such as games. And many of us will admit that’s the real reason why we run a computer, right? The new network features and security options will support network applications even better than on NT 4. One thing about application support on Windows 2000 that I really love is the commitment Microsoft is making to providing application support patches on their Web site.

Assessing Existing Hardware When determining the suitability of your current computer hardware for Windows 2000, the best place to start is with the minimum hardware requirements. If you’ve used earlier versions of Windows NT, you’ll notice that the hardware requirements for Windows 2000 are significantly higher. This may mean that part of your deployment plan will encompass either the purchase of new computers or the upgrade of the existing systems. Something you will notice on nearly every Microsoft operating system exam is the section on hardware requirements. With Windows 2000, it will also be important to remember the recommended hardware.





www.sybex.com


5

Fortunately, this time the minimum hardware requirements should also be fairly easy to come by if you are buying new computers. With NT 4, many offices still used 80386 computers. With Windows 2000, you must have a Pentium system, and these are very common in most offices. The server versions differ mostly in the level of hardware support, as Tables 1.1 through 1.4 show. TABLE 1.1

Hardware Requirements for Windows 2000 Professional

Hardware Resource

TABLE 1.2

Minimum Requirement

CPU (Central Processing Unit)

133MHz Pentium Up to two processors supported

Memory

32MB

Hard disk

2GB with at least 650MB free space

Recommended

64MB

Hardware Requirements for Windows 2000 Server

Hardware Resource

Minimum Requirement

Recommended

CPU

133 MHz Pentium Up to four processors supported

Memory

128MB - Up to 4GB supported

256MB

Hard disk

2GB with at least 1GB free space

Requires more free space if installing over a network.


www.sybex.com

6

Chapter 1


TABLE 1.3

Hardware Requirements for Windows 2000 Advanced Server

Hardware Resource

TABLE 1.4

Minimum Requirement

Recommended

CPU

133MHz Pentium Up to eight processors supported

Memory


256MB

Hard disk


Requires more free space if installing over a network.

Hardware Requirements for Windows 2000 Datacenter Server

Hardware Resource

Minimum Requirement

Recommended

CPU

Pentium III Xeon Processors or higher Up to 32 processors supported

Memory


256MB

Hard disk


Requires more free space if installing over a network

Microsoft recommends using at least an eight-way capable server for Datacenter. The hardware requirements are tuned for the very high-end servers, as is logical for a product called Datacenter.


www.sybex.com


7

With these requirements in mind, you should carefully assess your current hardware on any computer that will be upgraded to Windows 2000. In some cases, you will find systems that need to have one or more resources upgraded before the operating system can be upgraded. Please note that the hardware listed in the tables above shows the minimum requirements or minimum recommended levels. You will achieve significantly better performance if you add higher levels of hardware. Another resource to help you evaluate your current hardware’s suitability to run Windows 2000 is the Hardware Compatibility List (HCL) available from Microsoft’s Web site at http://www.microsoft.com/windows2000/ upgrade/compat/default.asp. On their compatibility Web page, Microsoft has also included an option to download the Readiness Analyzer, shown in Figure 1.1, which is a program that can analyze your system and report on the compatibility of the installed hardware. FIGURE 1.1

The Readiness Analyzer helps you to determine whether your computer is ready to upgrade to Windows 2000.

Microsoft has done their best to help you plan for hardware compatibility. The Windows 2000 Setup program includes the Readiness Analyzer. When installing Windows 2000, you will be notified of most software or hardware incompatibilities that the Setup program can detect at that time. This gives you some of the information you need before you’ve passed the point of no return in an upgrade. The Readiness Analyzer will warn you of


www.sybex.com

8

Chapter 1


incompatible hardware and/or software, and it will notify you whether the incompatibility is something that will cause the setup to fail or is just a device or program that won’t work properly with Windows 2000 after the setup completes. If you just want to run the Readiness Analyzer but not set up Windows 2000, you can run winnt32.exe /checkupgradeonly.

Migration Scenario Your company has been hired to plan and implement the migration of a network from Windows NT 4.0 to Windows 2000. You have been assigned the task of suggesting hardware upgrades or replacements for their existing servers. You have been given the following list of current resources:

Server1: Pentium 133 MHz, 96MB RAM, two 6GB hard disks. This server currently acts as a file and print server and as a backup domain controller (BDC).

Server2: Dual-Pentium 550MHz, 256MB RAM, RAID5 disk system. This server currently supports both the company e-mail and Web services. It also provides DHCP and DNS services.

Server3: Pentium 133MHz, 64MB RAM, two 9GB hard disks. This server is the primary domain controller (PDC) and supplies WINS services.

Things to consider:

Does the hardware meet minimum configuration needs for Windows 2000?

Can you suggest any hardware upgrades that will increase performance?

Should any network services be moved to other servers?

Evaluating Other Hardware Needs So you’re in the process of planning to upgrade the operating systems on your network computers. Have you taken a good look at the network hardware itself? Windows 2000 does support many different types of network


www.sybex.com


9

hardware, and like everything else in this world, some of it is better than others. Perhaps this would be the perfect opportunity to upgrade your network to 100Mb or create a new subnet to reduce the load on a segment. These issues could seriously affect the overall performance of your network—and thus your satisfaction with the deployment of Windows 2000. Network Cabling An important element to consider when upgrading is whether to upgrade your cabling at the same time. The cabling in your network carries all of the data that is transmitted from computer to computer. Obviously, the quality of this cabling will be important to the outcome of your network’s performance. This is more than just saying “you get what you pay for,” though; when evaluating the network cabling, you must consider whether it will support your needs for years to come. Why install network cable that is adequate now for 10Mb data transmission but won’t handle an upgrade to 100Mb later down the line? If your business network is likely to grow over the next five years, you should plan to incorporate the fastest network hardware that is practical for your budget. On the other hand, you might want to practice a little restraint. Will you really need gigabit networking anytime soon? For most small networks, 10Mb is just fine, though even a small network would appreciate 100Mb. Larger networks should be quite happy with 100Mb, and the cost versus the speed makes 10 or 100Mb fine for widespread application. Gigabit networking hardware is still pretty expensive. Most existing networks are using some form of Ethernet for their physical network. If your network is one of these, determine if the cable being used is category 3 or category 5. If you are using category 5 cable, your network can easily make the transition to 100Mb.

Ethernet Cables I recently had the opportunity to work in a large data center and ran into an interesting issue regarding network cabling. I was installing 100Mb switching hubs into my classroom to improve the network performance for some Windows 2000-related training I was conducting. To save some money on the upgrade, I was scrounging around for cable from some leftover materials in the data center.


www.sybex.com

10

Chapter 1


I found some category 5 cable that someone had custom-made some time before, and I grabbed several lengths to use in my network. When I had installed them, I found that several of the computers were connecting to the network at only 10Mb speeds even though they had 10/100Mb network cards! Upon investigating the cables more carefully, I discovered that they were using only four wires to make the connection from end to end. 100Mb Ethernet requires all eight wires in a category 5 cable to make a connection that is suitable for the full speed rating. I ended up having to go back to the local computer store to purchase category 5 cables that were properly made for 100Mb Ethernet use.

Network Routers and Subnets If you are looking for ways to improve network performance on an existing network, you may want to consider breaking up your network using a router. Experienced network professionals will tell you that one type of traffic that slows down a network more than anything else is broadcast traffic, because every computer that “hears” the broadcast has to process the data contained in it. Many legacy NT network services are broadcast-based, or what many people refer to as “chatty.” By using a router and breaking your network in half, you can effectively cut the broadcast traffic in half, too. Routers are normally configured to block broadcast traffic as a means to reduce the impact of broadcasts upon the entire network. Windows 2000 will help with this somewhat by eliminating many of the broadcasts that NT used, but breaking the network up into subnets with routers is still a good way to improve performance.

Creating a Hardware Inventory So, now that you’re planning this deployment and you’re evaluating your hardware, are you updating your hardware inventory list? What? You don’t have a hardware inventory list? What a wonderful opportunity to create one! Many businesses don’t really keep track of what computer hardware is in use. You will usually find that the accounting department knows what was purchased, when it was purchased, and how much was paid for it, but the network administrators haven’t a clue where that hardware is. Joking aside, you will benefit from creating a list of your current hardware. List things like how many computers you have, what they contain (processors, RAM, disks, etc.), and where they are located. You will need


www.sybex.com


11

this information when creating the automated installation scripts anyway, and getting the information now means that you can create your shopping list for all of the things that will need to be upgraded before you deploy Windows 2000.

Evaluating Security Concerns Planning for network security is extremely important when considering a move to Windows 2000 because so many of the security features have changed from NT 4. Since so many networks today are connected to the Internet, detecting and preventing intrusion is a vital concern for the network administrator. Windows 2000 will help you defend your kingdom well, but you need to know exactly what you are defending and from whom.


Evaluate the current environment. Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.

It is easy to overlook security when planning an upgrade. When upgrading a single computer, security is only a matter of who can run the setup program. But upgrading a network may have serious implications for the entire network’s security, such as domain trusts, folder permissions, and lost access. Maybe even worse than someone losing access is the idea that a user may suddenly have access to resources they shouldn’t be able to see on the network. Evaluating network security needs can be a very time-consuming process. Consider the following points:

Current domain structures

High-security resources such as employee files, research, and accounting information

Access to applications with limited licensing

Access to or from the Internet

Domain namespaces

Future growth of the network


www.sybex.com

12

Chapter 1


When installing Windows 2000 on a single computer, only a member of the local administrators group can run the Setup program (winnt32.exe). Limiting access to just local administrators can be bypassed during unattended installations, but only administrators can perform a local upgrade. Of course, this won’t stop a user who wants to steal your data from booting the computer into setup either by using the setup floppies or by booting from the CD-ROM. And once they have reinstalled Windows 2000 to a new folder, they will have access to all of the data on the computer.

Current Domain Structures When evaluating security concerns, domains are something you’ll want to plan carefully because they form the basis of all of your security in Windows 2000. You’ll also want to consider where your network is today, as well as where it is projected to go in the next few years. Microsoft recommends that your domain planning take into consideration any planned growth for the next three to five years. The domain functionality in Windows 2000 may change the network a great deal. This really depends on whether you will be implementing Active Directory immediately or running your Windows 2000 Servers in mixed mode. Mixed mode refers to the combination of NT 4 Servers and Windows 2000 Servers making up the domain security model. In NT 4, the domain directory database had a performance limitation of approximately 40,000 objects (groups, users, and computers). In Active Directory, you can easily have millions of objects in a domain, so you need to consider where the security boundaries of your organization need to be. It is possible to collapse almost any multiple-domain structure into a single domain using Active Directory. It may or may not be desirable to do this, based on your network needs. There are a few main reasons for splitting domains in Windows 2000. One, if you want to ensure completely isolated administrative controls, multiple domains may be necessary. Two, if different locations represented in your network have different geographical settings, different domains are the way to go. An example of this second point is an international network. The portion of the network in the United States would use English, whereas the network portion in France would use French. This is a good time to use multiple domains. It’s easy to create a multiple-domain structure using Active Directory in a single security context. But even though the process is relatively easy, the planning takes serious consideration. For instance, if your organization currently has a complete trust model in place, which domain will you pick to


www.sybex.com


13

become the root of the tree? There may be serious political consequences to consider. It may be better to create a new domain whose sole purpose will be to become the root of the tree. We discuss Active Directory planning in detail in Chapter 2, “Planning for Active Directory.”

High-Security Resources If you work in an industry where the security of your research is a high priority, consider these needs carefully while designing your deployment strategy. How you design your domain structure and how you delegate the administrative load may create gaps in your security. An example would be if you intended to delegate administrative control to an Organizational Unit (OU) but instead gave control to the whole domain. Or if that OU contained resources that were inappropriate for the administrator of the OU to have control of, such as employee records. If the high-security resources are contained within a physical location, things will be somewhat easier. In this case, simply create a separate tree to contain all of the resources in this location and administer it as a separate entity. Another consideration that nearly every network will encounter is the need to protect employee files. In this situation, there are people on the network who definitely need access to the files, such as the human resources personnel, and others who definitely should not have access to the files. Identify where these needs exist by talking with people in every department of the organization. Find out which resources they use and which resources they need to protect.

Securing Access to Applications with Limited Licensing Does your company have applications that have been purchased at great expense for limited use? Say, copies of Adobe Photoshop that are used by staff members in your art department? You probably spent quite a bit of money buying full licensed copies of this professional software with the intent that the people who need it are the ones who will install it, right? What about the other users who just happen to find it on a server share and want to install it or take it home? You will often encounter predicaments like this in any network. Software can be very expensive, and you will want to optimize your expenses by limiting your purchases to what is needed. Licenses are often expensive, too. You won’t want to allow just anyone to use up those licenses you have purchased for a specific need.


www.sybex.com

14

Chapter 1


Identify where these applications are installed and who has a legitimate need to use them. Keep entries for each of these in your inventory lists. One approach would be to prevent normal users from having access to the files and use Group Policies to install the applications where they are needed. This way, only your IT staff would have direct access to the install files, and only the appropriate users would have the programs installed.

Accessing the Internet Internet access, and how it is used, is a hot topic in network security. Many large networks provide access to the Internet for their users through proxy servers. A proxy server translates network requests from a secure internal network to one real IP address on the Internet. They often provide caching services for content downloaded from the Internet and can even act as a firewall to protect the network from intrusion. Consider this type of access in your deployment plan. Does the proxy software you are using run on Windows 2000? Will all segments of the network require access to the Internet through these proxies? Will all of your users be granted permission to access the Internet from the internal network? Consider as well a plan to monitor what software is in use on the network to prevent users from downloading and running software from the Internet. This can be a source of viruses, licensing violations, and lost productivity.

Domain Namespaces What’s in a name? Probably your whole company if it has an Internet domain name. So many companies have domain names on the Internet now that it’s almost impossible to look at any advertisement without seeing a URL to the company’s Web site. Some large companies have even more than one domain name that they’re responsible for. These domain names, or the domain namespace, for your company will be very important to your Windows 2000 planning because Active Directory is based on Internet-type namespaces. More to the point, when you set up Active Directory it wants a fully qualified domain name (such as somecompanyname.com) to use as the Windows 2000 domain name. Have I confused you yet? Don’t worry, we’ll sort it all out in Chapter 2. Your namespace will probably be the same as your company’s Internet domain name. But do you already have one? You may be planning to get on the Internet soon but haven’t done anything yet. This would be a great time to register your domain name so you can use it to create your Active Directory structure during your deployment.


www.sybex.com


15

Planning Security for Future Growth Up till now we’ve been talking mostly about software and hardware. Planning for the future growth of your network is mostly about policies and procedures. If your current practices to protect your network security are working, what makes you think they will work in the future as your environment grows larger? As you build an inventory of security needs for your deployment of Windows 2000, think about how the current size of the network affects your decisions. Then try to predict what those decisions would have to be if the network were 5 percent larger or 10 percent larger, and so on.

Assessing Application Compatibility Application compatibility is one of the greatest concerns in any operating system upgrade and one that should be tested thoroughly before the upgrade process. When considering application compatibility, you should be focusing on your servers, all of your line of business applications, and Microsoft Exchange.


Evaluate the current environment. Evaluate application compatibility. Considerations include Web server, Microsoft BackOffice products, and line of business (LOB) applications.

A variety of methods can be used during this phase of planning:

Consult the manufacturer’s Web site for Windows 2000 support information.

Use the Windows 2000 Setup program to detect many compatibility issues.

Test the applications in a limited environment before rolling out Windows 2000.

Consider all types of applications in use in your environment, from user applications such as Office 2000 to server applications such as SQL Server or Exchange. Shareware or third-party applications installed on users’


www.sybex.com

16

Chapter 1


computers will complicate your evaluation of compatibility issues. Customwritten line of business applications can also cause difficulties. The Windows 2000 Application Specification defines various levels of software support under Windows 2000. There are four Application Levels: Certified Means that the application meets every requirement for compatibility and that both Microsoft and an independent test laboratory have tested it. This is the highest level of certification an application can achieve. Ready Indicates that the Independent Software Vendor (ISV) has performed Windows 2000 compatibility testing and certifies that the application will run correctly on Windows 2000. The ISV also promises to provide support for their application on Windows 2000. Planned Means that the ISV intends to provide support for Windows 2000 in a future release of the application. Caution Means that you may very well encounter problems with this application on Windows 2000. In this case, there is most likely a known issue that is documented and probably has a workaround or solution. By recognizing these certification levels, you will be better prepared to deploy applications for your Windows 2000 network. Microsoft is committed to application compatibility in Windows 2000. On the Microsoft Web site at http://www.microsoft.com/windows2000/ downloads you can check for periodic updates to the operating system for greater application support. The network administrator should make a point of monitoring this Web page from time to time to see if there are updates that affect applications in their environment. Windows will also do this for you, and it’s included in Windows 2000. A testing environment offers you the chance to fully test these applications before the changes will affect either your network or your users. It will be very helpful if your organization has created standard software configurations for the various computers in use on your network.

Web Services Web services have become very important to most businesses, and they should be a critical component of your assessment. Whether you are serving Web pages to the Internet as a means of selling your product or simply hosting an internal Web site to share information with coworkers, having a stable Web server is probably important to you.


www.sybex.com


17

Windows 2000 comes with Internet Information Services (IIS) version 5 right out of the box. Notice that the name has changed slightly: Services instead of Server. IIS 5 does provide backward compatibility for Web services running on earlier versions of IIS, including full support for common Internet standards, as well as Microsoft extensions. This means that there shouldn’t be any compatibility issues, but you should still install a test server to fully evaluate the compatibility with your own Web content. The administration console for IIS has changed, at least in its location. You can find the Internet Services Manager in the Administrative Tools group on the Start menu. This is a standard Microsoft Management Console (MMC) interface, and it supports all of the functionality of IIS 4 while adding features that reflect the increased security of Windows 2000. The Internet Information Services console is shown in Figure 1.2. FIGURE 1.2

The Internet Information Services console lets you manage the IIS properties for multiple webs on your server.

IIS 5 installs support for the FrontPage 2000 Server Extensions, which may or may not be a good thing, depending on your views of FrontPage. You can specify which of the webs hosted on your server will support the FrontPage extensions. This feature will enable you to turn off the extensions for customers who really don’t want anything to do with FrontPage.


www.sybex.com

18

Chapter 1


With any Web server installed, it is a good idea to check with the manufacturer to see if there are any program updates or known issues with the installation of Windows 2000. If you are running a third-party Web server, you will want to deselect IIS during the installation of Windows 2000 to avoid breaking the Web service already installed. Also, be aware that the default options for installing IIS during setup include the Simple Message Transport Protocol (SMTP) mail service, in addition to World Wide Web (WWW) and File Transfer Protocol (FTP). You may want to disable the SMTP mail service if your server won’t be handling SMTP mail directly. IIS 5 also includes support for various Web-related network services, such as File Transfer Protocol IIS 5 provides a full FTP server for serving files over the Internet or the local intranet. Network News Transport Protocol NNTP support is included if your Windows 2000 Server will participate in routing Internet News messages. Simple Message Transport Protocol This service provides support for an Internet e-mail server under Windows 2000. Visual Interdev RAD Remote Deployment Support This service enables you to use your IIS server to distribute applications through a Web interface.

Exchange Server Exchange Server 5.5 will run on Windows 2000 and is very common in NT 4 or Windows 2000 networks. Microsoft has integrated the Exchange Directory with Windows 2000’s Active Directory in Exchange 2000. This simplifies the administration of Directory objects such as users and distribution lists by enabling the administrator to manage all objects from a single Microsoft Management Console (MMC) interface. Using Exchange Server with Windows 2000 gives you some very nice administrative abilities, so it’s definitely worth keeping in mind. To fully integrate the Exchange Directory with Windows 2000’s Active Directory, Microsoft has provided the Active Directory Connector (ADC). The ADC integrates the two directory services for user and group administration, which enables you to administer both Active Directory and your Exchange Directory from the same administrative tool. This means that if you are an experienced Exchange admin, but are not very comfortable with the Active Directory tools, you can set up the ADC to let you administer the


www.sybex.com


19

Active Directory from the Exchange Administrator console. Conversely, if you are more comfortable with the Active Directory tools, you can also use them to manage your Exchange Directory. The ADC is installed from the Windows 2000 Server CD-ROM in the ValueAdd\MSFT\Mgmt\ADC folder. The ADC Setup Wizard will walk you through the necessary steps to add the service to your server. The connector itself seems to work best when installed on the first domain controller in the domain. It’s true (mostly) that all domain controllers in an Active Directory domain are equal, but by default the first domain controller installed has some special duties. One of those extra duties is to manage the schema for the entire domain as the Schema Master. A schema is a description of the containers and objects within a directory. Because the ADC will need to modify the schema for the domain, it works best from the Schema Master. The management tool can be installed on any Windows 2000 computer in the domain. The Active Directory Connector Management console is shown in Figure 1.3. Active Directory is described in more detail in Chapter 2. FIGURE 1.3

The Active Directory Connector Management console lets you create and configure connector agreements between Active Directory and Exchange 5.5.


www.sybex.com

20

Chapter 1


The ADC can synchronize data from Windows 2000 to Exchange, from Exchange to Windows 2000, or in both directions. If you are synchronizing in both directions or from Windows 2000 to Exchange, you will have the option to create a mailbox when you create a new user account. If your network is using a messaging server besides Exchange that uses a directory service similar to Active Directory, you can expect to see a connector that will link your messaging server into Active Directory like the ADC does for Exchange.

Line of Business Applications Line of business (LOB) applications are typically problematic during upgrades because they are usually highly customized and often poorly documented. LOB applications are usually programs that support a particular industry and are very important to the day-to-day operations of the organization. They include databases, incident tracking, monitoring, and other applications essential to a business. Often they are highly customized for a particular industry or even one business. Obviously, these aren’t applications you will want to take chances with! Proper testing of these programs on Windows 2000 is imperative prior to performing the upgrade. Check with the ISV to see if there are any known issues with running the application on Windows 2000. Be prepared to hear that the program isn’t supported at all on Windows 2000, and have a contingency plan for this situation. Check Microsoft’s Windows 2000 compatibility Web site to see if there are any necessary updates for the program. Line of business applications are a great justification for a test lab prior to rolling out Windows 2000. Allocate several computers (if possible) and try to duplicate as much as you can from the production environment. Run tests on the programs to verify basic functionality. If possible, get a group of users to perform their normal work on the test servers to verify that there are no hidden bugs in the system. Only after testing has been fully completed should you begin upgrading the servers running these applications to Windows 2000. A gradual upgrade process is a good idea with LOB applications. Depending on the architecture of the application, it is often possible to roll out the systems in parallel, one new system operating beside one old system. As they come up successfully, upgrade the remaining servers to Windows 2000. Make certain that there are current backups at every step, so that the LOB servers can be reinstalled under their previous operating system if things go wrong.


www.sybex.com


21

Deploying Software in Windows 2000 Windows 2000 uses the new Windows Installer program to install application software. Windows Installer not only installs programs, but also maintains applications by automatically replacing damaged or missing files. Finally, the Windows Installer helps to ensure the clean removal of applications that are no longer being used. The main interface to the Windows Installer is the Add/Remove Software applet in Control Panel, as shown in Figure 1.4. FIGURE 1.4

The Add/Remove Software applet in Control Panel helps you manage applications in Windows 2000.

Windows 2000 makes it easier to deploy new applications by utilizing the Software Installation and Maintenance technology to roll out software to computers on your network. Software Installation and Maintenance uses a new file type for installation packages, the Windows Installer package (a file with an .MSI extension). This file contains the information needed to tell the Windows Installer which files are needed and where to locate them. The .MSI file actually replaces the functionality of the setup.exe program for an application.


www.sybex.com

22

Chapter 1


Using this .MSI file, or package, an administrator can deploy the application using Group Policy Objects (GPOs). GPOs allow the administrator the flexibility to assign or publish applications to an entire domain or forest or just a single department. Properly planning the domain and OU structure allows administrators to control which users get which applications on a very granular level. Using Windows Installer packages, administrators can deploy software through the use of GPOs in two common ways: Publishing If an application is published, it is advertised to affected users on the network through Add/Remove Programs in Control Panel. If users want to install the application, they simply find the application they want and double-click it. Published applications can also be organized into functional categories to make administration easier. Applications can be published only to users, not to computers. Assigning You can also deploy applications by assigning them to users or computers. If an application is assigned to a user, an icon for the application will appear in the user’s Start menu. When the user clicks the icon to launch the application, Windows Installer will begin the installation. Once the installation is complete, the application will function. If the application is assigned to the computer, it will automatically install the first time the computer is booted after the GPO is applied. The application will be available for all users of that computer. If you are going to deploy applications for a large number of users (as in everyone), assign the apps to computers, not the users. EXERCISE 1.1

Deploying an Application To deploy a new application, use the following steps: 1. Open Active Directory Users And Computers, and right-click the Organizational Unit (OU). See Chapter 2 for more information on OUs.

2. In the Properties dialog box, click the Group Policy tab to open the list of currently configured policies.


www.sybex.com


EXERCISE 1.1 (continued)

3. Select a policy and click the Edit button as shown below. You can also click the New button if you want to define a new policy.

4. In the Group Policy window, expand the New Group Policy Object Computer Configuration Software Settings console tree to display the Software Installation object.

5. Right-click the Software Installation object and select New Package to bring up the Open dialog shown below.


www.sybex.com

23

24

Chapter 1



6. Browse for the package (.MSI file) that you want to distribute, then click the file to select it. Click the Open button to bring up the Deploy Software dialog shown below.

7. Select the distribution method you want to use for the package: Published, Assigned, or Advanced Published Or Assigned.

Using Deployments You can use two basic types of deployments with applications (or operating systems, for that matter): the bridgehead and gradual deployment type or the type a former colleague of mine called eye of the needle. The first method is called a bridgehead because you are essentially using military strategy to establish a single presence in new territory by installing the application to a small group of test users. Once this small installation works successfully, you would roll out the software to a larger group. Finally, moving in groups, you would install to the entire organization in a gradual deployment. The second type, the eye-of-the-needle method, refers to the idea of a complete rollout in a very short period of time. While this method has the drawback of requiring intensive planning and administrative effort, it has the benefit of being over in a relatively short period of time. Ideally, you would use this concept to roll out an application to your organization while everyone is away at training for the new application. This way, when they return to their desks with the training fresh in their minds, they have the new software to work with. You can accomplish this method in two ways with Windows 2000 Server: publishing the application or assigning the application.


www.sybex.com


25

Assessing Upgrade Implications for Network Services When deciding to upgrade, you should ask yourself and your IT team a couple of key questions: What kind of implications will your network face by upgrading? And why are you upgrading your servers to Windows 2000? Is it simply because it’s the latest and greatest? Or are you perhaps looking to take advantage of the improvements Microsoft has made in networking? The improved network support is one of the biggest areas of impact for an upgrade to Windows 2000. The networking in Windows 2000 is significantly improved from NT 4, which is a good thing, right? Maybe. One of the big problems that you may face in upgrading your network to Windows 2000 is struggling with a mixture of administrative tools. Many of the Windows 2000 tools won’t administer NT 4 servers, and vice versa. Therefore, you need to spend a considerable amount of time evaluating how an upgrade will change your existing network services.



Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.

The best approach to evaluating the impact on your network services is to break them down one by one. Examine the configurations of your servers to discover what services they are running. Make an inventory list of these services and determine how they are being used in your network. You may find that some services can be disabled because no one is actually using them. Or you may find that you could benefit from installing a new service to handle a particular need. Let’s take a closer look at some of the primary NT services you might be using.

Domain Name System The Domain Name System (DNS) is required for Active Directory installation. Domain functions and naming are built upon DNS. One of the new additions with DNS in Windows 2000 is the ability to make dynamic updates to the DNS servers. Because of this, DNS can be used to resolve the


www.sybex.com

26

Chapter 1


names of every client on the network with little administrative overhead. Windows 2000 client computers can automatically provide the DNS server with their hostname and IP address when they become active on the network. Down-level clients, like Windows NT and 98, do not support dynamic DNS updates in their client-side TCP/IP stack. In their case, the DHCP server notifies the Windows 2000 DNS server when it gives out an address lease and updates the DNS server’s tables with the new host and address information. DNS resolves hostnames to IP addresses. In the past with NT, this helped only when you were using commands that used sockets to communicate. Windows NT name resolution and resource location was based on NetBIOS naming standards instead of sockets. With Windows 2000, however, DNS is the primary method of resolving names to connect to other Windows 2000 computers. Windows 2000 doesn’t require NetBIOS support to communicate, and the NetBIOS interface can be disabled on Windows 2000 computers. Although Active Directory requires the use of DNS, it doesn’t require the use of Microsoft’s DNS server to operate. However, it is recommended. Active Directory does require support for Dynamic DNS (DDNS) updates using RFC 2136-compliant methods and the use of SRV (Service) records. You can successfully use BIND version 8.1.2 or higher on a Unix system to provide Dynamic DNS support. One large network that I work with on occasion is doing just that, using a Unix system running BIND to provide all of the DNS support for their network, even though they are migrating to Windows 2000. DNS support for your Windows 2000 network also requires the use of SRV records to identify the servers providing well-known services. An important example of this would be the Kerberos servers providing the network logon authentication. This is the mechanism used in an Active Directory domain to locate domain controllers and services. If you are planning to use non-Microsoft DNS servers, BIND versions 4.9.6 and newer support SRV records. Even though Windows NT implementations of DNS most closely resemble BIND version 4.9.6, they do not support the use of SRV records. They also do not support DDNS. This is not to say that you cannot use Windows NT DNS servers in your Windows 2000 Active Directory domain. You can, but the authoritative DNS server for the Windows 2000 Active Directory domain must support both dynamic updates and the use of SRV records. So what do you do with your old Windows NT DNS servers? You have a couple of options. First, you can leave the DNS service installed on them and just make them secondary servers to your Windows 2000 or BIND 8.1.2


www.sybex.com


27

DNS server. You could also reinstall or upgrade the operating system and continue to run DNS. If neither of these options is appealing, donate the computer to a local school; it’s a great tax write-off.

Windows Internet Name Service The Windows Internet Name Service (WINS) provides NetBIOS name resolution in a dynamically assigned IP environment. This can be a very important function in a network that assigns client IP addresses through the use of the Dynamic Host Configuration Protocol (DHCP). The problem with WINS is that it has proven to be somewhat unreliable and often can be difficult to configure correctly. If you have one WINS server, it’s simple to install. Add the service and it starts working. In a larger environment, you need to have more than one WINS server and that requires replication, which can introduce new hassles. Basically, WINS was a great idea, but its implementation has left many professionals frustrated. WINS may not be necessary on your network anymore. WINS provides the ability to resolve NetBIOS names to IP addresses, but in a Windows 2000 network everything is based on DNS names. If you will be running a mixed environment of Windows 2000 and NT or Windows 9x clients, consider running the WINS server service on one or more of your Windows 2000 Servers. However, if the network will consist of only Windows 2000 Servers and clients, leave out WINS and reduce the associated NetBIOS traffic on your network. On a network running only Windows 2000, Microsoft recommends disabling the NetBIOS interface on all computers to further reduce network traffic. WINS is useful for supporting legacy clients or applications that require NetBIOS naming. This is something you should determine during your design and testing phase when planning for a deployment. If at all possible, try to eliminate the need for NetBIOS-based services.

Dynamic Host Configuration Protocol Many TCP/IP network administrators often consider Dynamic Host Configuration Protocol (DHCP) to be the best thing since sliced bread, since it relieves them of the burden of individually configuring each workstation. DHCP is based on the Bootstrap Protocol (BootP) and can be used to deliver


www.sybex.com

28

Chapter 1


the entire TCP/IP configuration a host will need in order to access the network.


Develop a domain upgrade strategy. Configure networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.

DHCP in Windows 2000 becomes more important as it works closely with the Dynamic DNS service. When the DHCP service in Windows 2000 has issued a lease to a client computer, it then notifies the DNS server of the lease and updates the database. Now any client using that DNS server can obtain the name resolution for that dynamically addressed client. One significant change with DHCP in Windows 2000 is the requirement to authorize a server before it can begin to assign addresses. This may help to prevent the appearance of rogue DHCP servers in a large network. I was once both horrified and amused to learn after delivering a class on Windows NT Server that one of my students had gone back to his desk and installed a DHCP server with a scope of bogus addresses. Horrified because of what this does to a functional network (you may never see a more efficient way of creating address conflicts) and amused because I now had proof that he wasn’t really paying attention in class. The point is, under NT 4 you could do this easily. Windows 2000 requires that an administrator authorize the DHCP server before it will actually issue any addresses. This should help avoid the situation I mentioned above. EXERCISE 1.2

Authorizing a DHCP Server To authorize the DHCP server, follow these steps:

1. Log on to the server (it’s usually best to log on at the server to be authorized) using an account with sufficient permissions to authorize the service. Authorization requires an Enterprise Administrator, unless the permission has been delegated.


www.sybex.com


29


2. After installing DHCP on your Windows 2000 Server, open the DHCP console by choosing Start Programs Administrative Tools DHCP.

3. Expand the console tree to view the server name. Highlight the server to be authorized and select Authorize from the Action menu.

Windows 2000 will detect and, wherever possible, disable an unauthorized DHCP server on the network in an Active Directory environment. Your server must be either a member server or a domain controller before it can be authorized to act as a DHCP server in an Active Directory domain. Stand-alone servers will not be recognized for the DHCP service, as they have no status in the Directory. The DHCP service in Windows 2000 uses the DHCPINFORM message to query any other DHCP servers on the local network. It does this first by broadcasting this special message type. A DHCP client sends the DHCPINFORM message when it already has an address but is trying to discover more information about the server. This message type is new with Windows 2000. The DHCP server sending the message collects the data from the other servers it discovers, including such items as the root of the domain or forest and the presence of Active Directory services. If it finds these services, it will query the Directory to see if the DHCP server is listed in the authorized DHCP server list. If so, the service initializes and begins serving addresses to DHCP clients. If the entry is not found in the Directory, the DHCP service is stopped on the server that is making the query.

Remote Access Service Your Windows NT Server may be installed to provide dial-up access for users working from home, and upgrading to Windows 2000 may impact the type and scope of services you can provide. Remote Access Service (RAS) has been replaced with Routing and Remote Access Service (RRAS) in Windows 2000. It offers improved performance for dial-up clients and superior routing capabilities when compared to NT 4. RRAS provides some new protocols to add security to the network: Extensible Authentication Protocol (EAP) Enables the client and server to negotiate the best way to process authentication. Possibilities include generic token cards, Message Digest 5 Challenge Handshake


www.sybex.com

30

Chapter 1


Authentication Protocol (MD5-CHAP), and Transport Layer Security (TLS). EAP is defined in RFC 2284. Remote Authentication Dial-in User Service (RADIUS) RADIUS is typically used in an environment where many users are dialing into the network and security is required, such as an Internet Service Provider. The dial-up server would act as a RADIUS client to query another server (the RADIUS server) to provide secure authentication for the client. The Internet Authentication Service (IAS) in Windows 2000 can act as a RADIUS server. RADIUS is defined in RFCs 2138 and 2139. Internet Protocol Security (IPSec) IPSec provides protection against internal and external IP attacks and is fairly easy to set up and configure. IPSec can be implemented in Windows 2000 as IPSec Policies, which can then be applied to users, groups, or computers. IPSec is described in RFC 1825. Layer 2 Tunneling Protocol (L2TP) The Point to Point Tunneling Protocol (PPTP) gained a lot of use in NT 4 but had some serious security limitations, such as non-secure authentication to establish the tunnel. L2TP provides some advancements that go a long way toward plugging these holes. L2TP can be used with IPSec to provide a very secure tunnel across an IP internetwork, or it can use ATM, X.25, or Frame Relay to provide the IP network. At the time of this writing, L2TP was still in draft phase; you can find it at http://ds.internic.net/internet-drafts/. Bandwidth Allocation Protocol (BAP) Despite sounding like it belongs in a comic book, BAP provides some very cool capabilities for enhancing the use of PPP Multilink. Multilink enables clients to dial up to a server using multiple phone lines to create a single network connection. BAP will sense when some of the phone lines are relatively idle and drop the session on them in order to re-allocate them for other clients. This protocol can dynamically add or remove lines according to where the greatest need is currently. BAP can even trigger a callback to establish an additional line for an existing session. Multilink is described in RFC 1990, and BAP is defined in RFC 2125. Windows 2000 RRAS can provide extensible dial-up services for your network and enhanced security. It also supports the use of PPTP or L2TP to create and manage Virtual Private Networks (VPNs) natively. All of the RRAS functions are managed through the Routing and Remote Access console shown in Figure 1.5.


www.sybex.com

Developing an Upgrade Procedure

FIGURE 1.5

31

The Routing and Remote Access console lets you manage all of your dial-up and routing configurations.


Y

ou’re probably thinking, “I thought we have been developing an upgrade procedure.” In reality, we’ve been looking at all of the points that you will need to consider in your deployment plan, but now you need to consider the actual procedure that should be followed during the deployment. This procedure is also an item that must be planned for and tested before performing the real rollout.


Develop a domain upgrade strategy.


www.sybex.com

32

Chapter 1


Before you begin planning, take a moment to remember your upgrade goals. Most of the time, goals center on either business needs or technology needs. You likely decided to upgrade for a specific reason, not just because it sounded like fun. In this planning, always focus on the goals and how to most easily achieve them. Here are some business-related goals that you might want to consider during migration planning, along with features of Windows 2000 that support your goals: Better manageability Windows 2000 provides many enhanced features to ensure that manageability is not an issue. In Windows NT, you had to maintain trust relationships among multiple domains. Windows 2000 provides these trusts automatically among all domains in a forest. Windows 2000 allows you to structure your domain to reflect the physical organization of your company. This, along with the extended ability to nest different groups, allows you more granular control of all resources on your network. The Microsoft Management Console (MMC) provides one interface for administration. This will save you the time of needing to learn multiple interfaces for administration. Greater scalability Windows 2000 Server allows access to up to 4GB of physical memory. Also, Windows 2000 no longer lives by the NT limitation of a 40MB Security Accounts Manager (SAM) database. Active Directory can literally store millions of objects without trouble. Improved security Through the use of Group Policy, administrators can assign very specific restrictions to users, groups, and computers. Windows 2000 also comes with a Security Configuration and Analysis tool to analyze the security policy on a computer and reapply settings if necessary. Microsoft refers to this as a “define once, apply many times” approach to security. Upgrading your network to Windows 2000 is supposed to increase productivity and decrease administrative overhead in the long run. While planning to perform this migration, keep in mind some implications for the migration itself: Minimize disruption to the production environment User access to applications and resources should not be sacrificed. Ideally, there will be no down time during the migration, where users will not be able to access


www.sybex.com


33

resources they need to perform their jobs. You should also be able to maintain users’ environments during and after migration. Minimize administrative overhead Migrating user accounts, user account settings (passwords), and permissions should not require disruption of resource access. Plan ahead to keep migrations as seamless as possible. New features When migrating to Windows 2000, try to activate the new features as quickly as possible. Also, don’t compromise any security settings or policies during the migration.

Order of Migration In order to make the migration as smooth as possible, it is advisable to perform the following steps in the proper order. You will also want to be sure to carry out the upgrade in a test environment before performing the actual procedure.

Pre-upgrade The ideal situation would be for you to be able to use your current domain controllers as domain controllers for the Windows 2000 domain. In some cases, this may not be possible due to insufficient hardware. The first step, assuming that you want to continue to use the current domain controllers, is to verify that the current hardware is capable of supporting Windows 2000 as a domain controller. Take an inventory of all current domain controllers, and make a computer assignment table. List which computers can be upgraded and which cannot. If needed, purchase additional hardware that meets the requirements of Windows 2000. Once you have validated the existing hardware, you need to secure the domain data. Do this by backing up the PDC as well as at least one BDC. Make sure before you back up the BDC that it has been synchronized with the PDC. You will also want to remove a synchronized BDC from the network and store it. If the migration fails for any reason, you now have a backout machine with which to restore the old domain.


www.sybex.com

34

Chapter 1


Finally, install a Windows 2000 Server into the existing Windows NT domain, and install the DNS service. This DNS service is required for Active Directory. EXERCISE 1.3

Upgrade Procedures Once you have completed all pre-upgrade procedures, you can start the actual migration:

1. Configure a remaining BDC as an LMRepl export server for logon scripts (if needed). This is because the PDC will no longer be able to play the role of export server if you are using replication in the domain. Ideally, this machine you make the export server will be the last domain controller promoted to Windows.

2. Upgrade the PDC to Windows 2000. 3. Verify the DNS configuration on the Windows 2000 member server you installed in the NT domain.

4. Promote the former PDC to a Windows 2000 domain controller as a new domain controller in a root domain.

5. Test the new Windows 2000 environment by creating a user and logging on.

6. Promote the Windows 2000 member server to a domain controller. You want to ensure that there is not one point of failure for your new domain. The quickest way to accomplish this is to promote your existing Windows 2000 member server to a domain controller.

7. Upgrade the Windows NT BDCs to Windows 2000. Just because you upgrade them does not mean they have to be domain controllers in the new domain. That is a decision you need to make here.

8. Switch to native mode once all the domain controllers are migrated.

9. Upgrade the member servers.


www.sybex.com


35


10. Upgrade the client computers. 11. Migrate the global groups, local groups, and users. Once again, it is strongly recommended to attempt the migration in a test environment before performing the actual upgrade.

Upgrading Complex Windows NT Domain Structures Not all of us are lucky enough to have a single-domain NT model currently in place. When upgrading more complex domain models, the process as outlined above generally stays the same. The first question is “In what order do I migrate my domains?” Once I have determined that, I ask, “What type of Windows 2000 domain structure am I going to want to have?” First, migrate the accounts domain as a parent domain in a new forest. Administration will be easier, and it provides for more control of the new Windows 2000 domain structure than if you migrate resource domains first. Once your accounts domain has been migrated, you can then migrate your resource domains. When migrating resource domains, you have a few choices. One choice is to create child domains of the existing parent domain. The other is to restructure and consolidate all domains into one. Before deciding on a plan, consider a few reasons why the resource domains existed:

The limitation of the domain SAM database size

To provide local administrators with administrative capabilities while not affecting other domains

Windows 2000 has eliminated both of these excuses for having resource domains separate from the accounts domain. There is no longer a limit on the SAM database size. The ability to delegate control of resources to specific user accounts on specific containers allows for desired administrative control. As part of your upgrade plan, you may want to consider restructuring your resource domains as organizational units (OUs) within your new Windows 2000 domain. Since Windows 2000 no longer has a limit on the SAM database size, you will want to strongly consider migrating all user accounts to one domain if you were previously running a master domain model.


www.sybex.com

36

Chapter 1


When upgrading resource domains, it may be difficult to decide which domain to upgrade first. Use these guidelines to assist in your decision:

Choose domains in which new applications will require Active Directory features. Applications like Microsoft Exchange Server 2000 require Active Directory. These applications are often mission-critical, so it is imperative to get them operational as soon as possible.

Choose domains with more clients over domains with fewer clients.

Choose domains that are targets for restructure.

To the list of upgrade steps, I will add one more: a debriefing phase where you and your team examine the things that went well and the things that didn’t. One of the constants in our industry is change. You can bet that your network will be going through another deployment somewhere down the road. Your current experience will benefit whoever is tasked with that job in the future.

Identifying Upgrade Paths

W

hile performing clean installations of Windows 2000 would be the preferred method of upgrading your network, there will likely be times when you will want or need to upgrade an earlier version of NT and keep all of your user settings. For those times, keep in mind the available upgrade paths for Windows 2000. Table 1.5 shows the possible combinations of NT and Windows 2000.


Develop an operating system upgrade path. Considerations may include operating system version and service packs.


www.sybex.com

Identifying Upgrade Paths

TABLE 1.5

37

The Upgrade Options from NT to Windows 2000 Operating System

Can Upgrade To

Can Become

Windows NT Workstation 3.51 - 4.0

Windows 2000 Professional

User workstation

Windows NT Server 3.51 - 4.0

Windows 2000 Server

Stand-alone server, member server, domain controller

Windows NT 4.0 Enterprise Edition

Windows 2000 Advanced Server, Windows 2000 Datacenter Server

Stand-alone server, member server, domain controller

Windows 95 or 98

Windows 2000 Professional

The ability to upgrade from Windows 9x is new to Windows 2000. With NT you could install a dual boot, or you could format and start over on a computer. Windows 2000 supports FAT32, which makes dual booting easy with either version of Windows, and the Windows 2000 Setup program knows how to upgrade the Windows Registry. Notice in Table 1.5 that versions of NT earlier than 3.51 are not supported for direct upgrades. The following operating systems require a fresh install of Windows 2000:

Windows NT Server 3.1

Windows NT Advanced Server 3.1

Windows NT Workstation 3.5

Windows NT Server 3.5

Windows NT Small Business Server

Windows NT Server with Citrix WinFrame installed

Windows 3.1

Even though the above operating systems cannot be directly upgraded to Windows 2000, they can be upgraded in a roundabout way. First, upgrade the operating system to one it can be upgraded to. Examples would be


www.sybex.com

38

Chapter 1


upgrading Windows 3.1 to Windows 98 or upgrading NT 3.1 to NT 3.51 or NT 4. Once that upgrade is completed, upgrade the new operating system to Windows 2000. This upgrade path may seem to be a bit of a reach. However, the major advantage of doing it this way is that all user account information and security information is maintained. This will save you the headache of having to re-create all users and groups, as well as reassigning permissions to all resources.

Summary

In this chapter, you learned about the hardware requirements of Windows 2000. You learned to assess the security implications of upgrading to Windows 2000 on your network, and you learned to evaluate application compatibility. You were introduced to the impact of an upgrade on common NT network services, including RAS, DHCP, and DNS. You learned how to authorize a Windows 2000 DHCP server so that it can issue IP addresses in an Active Directory domain. Finally, we discussed how to develop a procedure for deploying Windows 2000 on your network, and we considered the available upgrade paths. Many of the upgrade issues referred to specifics of planning and installing Active Directory, which will be covered in greater depth in Chapter 2.

Key Terms Before you take the exam, be sure you’re familiar with the following terms: domain forest gradual deployment host mixed mode recommended schema


www.sybex.com

Review Questions

39

Review Questions 1. What is the minimum CPU speed and type supported by Win-

dows 2000? A. 66 MHz 80486 B. 400 MHz Pentium II C. 133 MHz Pentium D. 500 MHz Alpha 2. Your network currently uses DNS services provided by BIND version 4

running on a Linux server. Can your Active Directory network use this DNS service? A. Yes B. No 3. What Windows 2000 network service provides dynamic resolution of

TCP/IP hostnames? A. DHCP B. DNS C. RRAS D. NetBIOS 4. You have just deployed Windows 2000 on your network and have

implemented Active Directory. What component must you now install to combine administration of Active Directory and Exchange 5.5? A. DNS B. WINS C. Outlook 2000 D. ADC


www.sybex.com

40

Chapter 1


5. Which new protocol in RRAS enables you to create secure Virtual Pri-

vate Networks? A. PPTP B. L2TP C. IPSec D. BAP 6. When deploying Windows 2000 to a series of line of business appli-

cation servers, it is best to: A. Upgrade them in parallel, leaving one old system in place while

they are tested. B. Upgrade them all at once. C. Don’t upgrade them because Microsoft Line of Business version 4

isn’t compatible with Windows 2000. D. Take the line of business servers offline until the upgrade is com-

plete, then restore them on the network. 7. A user on your network has installed the DHCP server service on their

Windows 2000 computer and configured a scope of addresses that are incorrect for your network. How will this affect your network? A. It won’t affect the network because the DHCP server isn’t autho-

rized on the domain. B. It will cause clients to receive incorrect address leases and thus be

unable to connect to the rest of the network. C. It won’t affect the network because the user authorized the DHCP

service and the clients can safely get addresses from the server. D. Nothing will happen because DHCP doesn’t run on Windows 2000.


www.sybex.com

Review Questions

41

8. What must you do to a computer running Windows 3.1 before you

can upgrade it to Windows 2000 Professional? A. Insert the CD-ROM and start the setup. B. Upgrade to either Windows 95 or Windows 98 first, then upgrade

to Windows 2000. C. You have to install Windows NT 3.1 because the upgrade.exe

program can only be run from NT. D. You must install Service Pack 3 for Windows before you can run

the upgrade. 9. Which tool is used to authorize the DHCP service? A. The DHCPCFG.exe command-line utility B. The DHCP console C. The Active Directory Users and Computers console D. The Computer Management console 10. Any user can run the winnt32.exe program in Windows NT 4 to

upgrade to Windows 2000. A. True B. False 11. You are considering installing Windows 2000 Professional on your

computer, but you are unsure whether your video card is supported. How can you find out if the card is supported during setup? A. You can’t, but it’s OK because Windows 2000 looks better in VGA

anyway. B. Consult the HCL for Windows 98 because it uses the same drivers. C. Run the Readiness Analyzer to detect possible issues with hard-

ware or software support. D. If it runs in NT 4, it will work with Windows 2000.


www.sybex.com

42

Chapter 1


12. The Windows Internet Name Service (WINS) is required to enable

domain controllers running Active Directory to locate one another on a Windows 2000 network. A. True B. False 13. Windows 2000 can deploy user applications using Group Policy

Objects (GPOs). Which file is used to create the distribution? A. The sms.ini file B. The .MSI file for the application C. The autoexec.bat file D. The install.cmd file 14. You want to install Windows 2000 Advanced Server on your com-

puter. What is the maximum number of supported CPUs that Advanced Server supports? A. 2 B. 16 C. 8 D. 32 15. Which type of resource record must your DNS server support in order

to support Windows 2000 network using Active Directory? A. WINS B. CNAME C. SRV D. HOST


www.sybex.com

Review Questions

43

16. You have a Windows NT 4 Terminal Server in your network that you

want to upgrade to Windows 2000 Advanced Server. The server also has MetaFrame from Citrix installed. How will this affect the planned upgrade? A. It will have no effect whatsoever. Citrix products are fully sup-

ported by Windows 2000. B. You cannot upgrade a server running MetaFrame to Windows 2000. C. You must first disable the MetaFrame service, then perform the

upgrade. D. You must first install Service Pack 4 for MetaFrame, then perform

the upgrade. 17. Your company is considering the purchase of a new server that has

8GB of RAM and 32 processors. Which version of Windows 2000 will support this configuration? A. Windows 2000 Professional B. Windows 2000 Server C. Windows 2000 Advanced Server D. Windows 2000 Datacenter Server 18. Which new protocol in RRAS manages the use of multiple phone lines

in a Multilink connection to add or remove lines? A. IPSec B. BAP C. L2TP D. PPP


www.sybex.com

44

Chapter 1


19. You are planning to deploy applications using Group Policy but are

concerned about the level of Windows 2000 support from the software vendor. Which of the following certification levels would ensure that the application will run on Windows 2000? A. Certified B. Ready C. Planned D. Caution 20. You have been asked to plan the domain namespace for the new

Active Directory domain in your company. You have five domains in a complete trust model. Your company is connected to the Internet and runs its own e-commerce site. What should you use for the Active Directory name? A. The Internet domain name for your company B. Whichever domain has the most political power C. The domain name where your boss’s account resides D. Bob, because you really like the name


www.sybex.com

Answers to Review Questions

45

Answers to Review Questions 1. C. Windows 2000 will install and run on a minimum of a 133 MHz

Pentium processor, although a faster processor will yield better performance. 2. B. BIND DNS servers can be used to provide DNS services to Win-

dows 2000 but they must be BIND version 8.1.2 or higher. 3. B. The Domain Name System service provided in Windows 2000

supports dynamic updates. 4. D. The Active Directory Connector (ADC) provides a connection

between the directory used in Exchange 5.5 and Active Directory, enabling you to administer both from a single tool. 5. B. The Layer 2 Tunneling Protocol provides secure authentication for

creating tunnels and can be used with IPSec to encrypt all data transmitted through the tunnel. 6. A. By definition, line of business servers are critical to the daily oper-

ations of a business. Upgrading them in parallel enables you to test the applications on Windows 2000 thoroughly before completing the upgrade. 7. A. All DHCP servers must be listed in Active Directory as being

authorized. If not, the DHCP service will stop, preventing harm to the network. 8. B. There is no direct supported upgrade path from Windows 3.1 to

Windows 2000. You must upgrade Windows 3.1 to Windows 9x or Windows NT 4.0 first. 9. B. You perform all management tasks for the DHCP server service

through the DHCP console in Administrative Tools. 10. B. Only an administrator can start the winnt32.exe Setup program

within Windows NT 4.


www.sybex.com

46

Chapter 1


11. C. The Readiness Analyzer reports on the compatibility of detected

hardware and software prior to running setup. In addition to being included in the Microsoft software, it can also be downloaded separately from Microsoft and run on NT 4 or Windows 9x. 12. B. WINS provides NetBIOS name resolution. Active Directory does

not use NetBIOS to locate domain controllers. 13. B. The Windows Installer package file format contains all of the files

necessary to install the application and can easily be distributed through GPOs as Published or Assigned applications. 14. C. Windows 2000 Advanced Server supports up to eight processors. 15. C. The new SRV resource record is required by Windows 2000 and is

used to locate domain-level services such as Kerberos and LDAP. 16. B. Windows 2000 doesn’t support upgrading over Citrix WinFrame

or MetaFrame products. 17. D. Windows 2000 Datacenter Server supports up to 32 processors

and 64GB of RAM. 18. B. The Bandwidth Allocation Protocol helps RRAS to manage multiple

lines for Multilink sessions, dynamically adding or removing lines for efficient use of available bandwidth. 19. A or B. Certified means that Microsoft has tested the application for

Windows 2000 compatibility. Ready means that the software vendor has tested the application for Windows 2000 compatibility. 20. A. Because Active Directory is integrated with DNS, it makes the most

sense to use the existing Internet domain name for your company as the name of the root domain in Active Directory. Bob is a nice name, though.


www.sybex.com

Chapter

2

Planning for Active Directory MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Select the migration type. Types consist of domain upgrade and restructure, domain upgrade only, and domain restructure only. Plan migration.

Select domains and establish proper order for migrating them.

Select destination of migrated objects.

Plan for incremental object migrations as appropriate.

Create and configure a pristine environment.


www.sybex.com

B

efore you begin to implement anything, in any project, planning must take place. Former California Governor Jerry Brown once said, “The reason that everybody likes planning is that nobody has to do anything.” While he has a point (just ask your project manager), planning is the first critical step to a successful implementation. It may not be “doing” anything, but it’s really doing the most important long-term part. When it comes to Active Directory, a lot of options may be new to you— this is, after all, a new technology. You may already have an NT domain. A lot of configuration planning has hopefully been done. But now what? What needs to be done to accomplish what we need done, and what new things can we deploy? Be familiar with the new technology and the new structures possible. Once you are familiar with the technology, brainstorm to figure out how to best apply it to your situation. Every network implementation will be different. So learn, plan, and plan some more.

Understanding Active Directory

A

ctive Directory is arguably the most exciting new feature in Windows 2000. It can also have the largest learning curve when starting out. Basically, Microsoft is replacing the Security Accounts Manager (SAM) database with a new database with much greater capabilities. I still remember how excited I got when I read the first white paper on Active Directory. I knew that the SAM has a performance limit of 40MB, or roughly 40,000


www.sybex.com


49

objects. Now I was reading that the new database behind Active Directory had been tested with several million objects and that they really hadn’t found a limit yet. Very cool, I thought. But the coolest feature is probably the fault tolerance of Active Directory. In the new model, every domain controller maintains an equal copy of the directory database, and each of them can receive updates to the database. This means no more primary or backup domain controllers, only domain controllers. Since all of them are equal, they can all log you on to the domain, create and modify user accounts, and handle the replication of the accounts to their peers. This type of replication model is called a multiple master replication. All of the domain controllers have master copies of the database, and they are equally responsible for replicating any changes in the accounts to the other domain controllers. This means that if a domain controller goes offline for any reason, you have plenty of time to restore it to working order since all of the other domain controllers have equal, working copies of the directory database. Many of you may be thinking that Active Directory sounds a lot like the NetWare Directory Services (NDS) in NetWare 4 or 5. It is a lot like NDS, yes, and actually will integrate with NDS in mixed environments. In fact, Active Directory can be integrated with any directory database system that uses the Lightweight Directory Access Protocol (LDAP) for directory queries. All you will need is a software agent that understands both directories and that can perform the translation between them.

Understanding the Structure of Active Directory This is where we get into the real meat of the matter. Active Directory is built on a logical hierarchy of objects. Wow, sounds technical already, doesn’t it? Active Directory holds two basic types of objects: container objects that, well, contain other objects and settings, and leaf objects. Container objects are things like group accounts, which may hold a number of user accounts within them. A leaf object is an object that cannot contain another object. An example of a leaf object would be a user account. The basic objects in Active Directory include: Forest A forest is the top-level organizational object in Active Directory. Forests are collections of multiple trees and describe an organization or even a group of organizations that are cooperating in their network designs. When you first create a domain tree, you also create a forest.


www.sybex.com

50

Chapter 2

Planning for Active Directory

Microsoft typically refers to a forest as a collection of trees that do not share a contiguous namespace. As an example, Microsoft.com and Sybex.com have completely different namespaces. If we were to combine both trees into one logical network, that would constitute a forest. Tree A tree is a group of domains with a single root domain and one or more child domains under it. Trees describe the organizational structure of a company rather well, since there is usually one domain that forms the root (like the corporate headquarters, for example) and other domains that are subordinate to the root (like branch offices). An example would be the Sybex.com domain. Sybex.com would be the root (or parent), and domains like sales.Sybex.com and marketing.Sybex.com would be child domains. They all have the same root domain name of Sybex.com. Trees are often organized departmentally or geographically. Organizational Unit Organizational units (OU) form the basic hierarchy within a domain. If your company uses separate domains for physical locations, but there are several different administrative units at each location, you would create an OU for each administrative unit in a location. You can delegate administrative permissions and rights to a single user or group to manage the OU. This account would then have administrative rights for that OU, but not for any other sections of the tree. Objects In Active Directory terms, an object is something with attributes. In human terms, an object could be a user, a group, a printer, or even an application that has been published to the directory. Actually, to Active Directory, everything is an object. In Active Directory, an object is at the bottom of the hierarchy and is something that doesn’t contain something else. Now, in order to put some of these objects together to form an Active Directory, let’s start with a single domain. I’ll use a fictitious company called Coolcompany for our practice, and I’ll apologize if that name’s already in use. (Have you tried lately to come up with a company name that’s not in use?) Coolcompany has three locations around the country. They currently have a single master domain model, as shown in Figure 2.1.


www.sybex.com


FIGURE 2.1

51

The current domain structure for Coolcompany

Account Domain

Resource Domain 1

Resource Domain 2

When asked to design a migration plan for the Coolcompany network, you will be faced with decisions such as whether you will use separate domains for each location, as the company has done under NT 4, or you will combine them into one domain. If you choose to combine them into a single domain, will you maintain centralized administration, or will you choose to delegate authority to local administrators in OUs? In order to make the best decisions when preparing for your migration, you’ll have to be well informed and fully understand Active Directory roles. We’ll return to Coolcompany throughout this chapter for our examples.

Understanding Active Directory Roles Active Directory defines five Flexible Single Masters of Operations (FSMO) roles for domain controllers. Microsoft also refers to these server roles as Operations Masters. These roles play an important part in Windows 2000 domain operations and by default are on the first domain controller installed in a domain. These roles can place an extra load upon the server, so be sure to provide enough hardware for the first domain controller, or even better, create a couple more domain controllers and distribute the load. FSMOs are said to be flexible because the roles can be assigned to other domain controllers within the same domain. This way, you can distribute the load and avoid overloading the first domain controller. One of the shortcomings of Windows NT was the PDC/BDC structure. You always relied on the primary domain controller for all security changes on the network, such as adding users or modifying group memberships. If the PDC failed, many network services were stopped. In Windows 2000, we are not reliant on one


www.sybex.com

52

Chapter 2


particular machine to provide PDC-type functionality. There are five FSMO roles. Two roles apply to the entire forest. That is, only one computer in each forest can assume the roles. They are: Schema Master The schema is a description of the objects and their attributes that are found within Active Directory. If you wanted to create additional properties for your user accounts, such as attaching a Visio diagram showing the location of their office, you would modify the schema for the domain to include a place for that diagram. The Schema Master is the only computer that can make updates to the schema for a domain. When changes are made to the schema, the Schema Master is responsible for replicating the changes to other domain controllers. Domain Naming Master The Domain Naming Master is the only computer that can add or remove domains from the Directory or create, modify, or remove cross-references to other directory services on the network. When a new domain is added to the forest, the Domain Naming Master ensures no other domains have the proposed name. Within each domain, at least one domain controller must fulfill each of the following Operations Master roles: Primary Domain Controller Emulator Master The PDC Emulator is important if you have any Windows clients other than Windows 2000, as they will need a PDC for operations such as changing passwords. The PDC Emulator functions just like a PDC in an environment with NT 4 domain controllers. In native-mode domains, the PDC Emulator Master functions as the default domain controller for processing logon authentication requests. It also receives preferential treatment when domain security changes are made. Relative Identifier Master The Relative Identifier (RID) Master generates unique Security Identifiers (SIDs) and distributes them to objects within its domain. The SID for each object has two parts: a domain identifier and a relative identifier. The domain identifier for all objects in a domain is, as you might guess, the same. The relative identifier distinguishes that object from other objects. In addition, only the RID Master can move objects out of its domain. It will contact the RID Master for the other domain, which will re-evaluate the SID of the object to be moved.


www.sybex.com


53

Infrastructure Master The Infrastructure Master is responsible for notifying other domain controllers whenever a user is added or removed from a group in the domain. Its only purpose is to ensure that group membership information stays synchronized within a domain. When you are creating a new domain to begin your Active Directory network, the first domain controller has all five of the Operations Master roles by default. It is a very good idea to install at least two more domain controllers and distribute some of the roles to take the burden off of that first server. Proper placement of Operations Master servers helps decrease network traffic. You will want to place the servers where the concentration of users is the greatest or in the physical location where most of the administrative work will take place. Operations Master roles can be assigned by opening the Active Directory Users and Computers console, right-clicking the domain name you want to change FSMOs for, and selecting Properties. This displays the Operations Master dialog box shown in Figure 2.2. The Properties sheets show the current master for three of the roles (the only three that are set at the domain level). To change the server for any of these roles, click the Change button on the appropriate tab and enter the full name of the server to be the new master. FIGURE 2.2

Changing the FSMO roles for a domain


www.sybex.com

54

Chapter 2


There is one other server role that is important to the Active Directory domain: the Global Catalog Server. There can and should be many Global Catalog Servers in a forest. These servers are domain controllers specializing in maintaining a subset of the attributes for every object in the Directory. They’re used when a user browses the Directory looking for an object such as a printer or shared folder. If you are running a domain in native mode, GC servers also contain all information on universal group membership. It’s a very good idea to have a Global Catalog Server in every physical location in your network to cut down on WAN traffic.

In the event of failure to one of the FSMO computers, an administrator can make another domain controller seize its role. If this should happen, the failed computer should not be brought back online.

Choosing the Type of Migration

Well, now you’ve had a look at Active Directory, and it’s time to start applying this information to planning a migration of existing domains to Active Directory. There are several different scenarios to examine when considering the type of migration you are going to have. Most of the time, your migration decision will be based on your current network structure. There are two major concepts to consider when migrating to Windows 2000. First, what machines will be upgraded? Second, what type of restructuring will be involved, if any?

Upgrade Upgrading from Windows NT to Windows 2000 is a fairly common migration scenario. It involves the least amount of risk, and it is easy in the sense that most of your NT system settings and preferences will be retained. Even though you are upgrading the network, you do not need to upgrade all machines on your network. Windows 2000 supports mixed clients (Windows 9x and NT) without problems. However, you should consider upgrading all machines to Windows 2000, as this type of network allows you to use all features of the Windows 2000 operating system.


www.sybex.com


55

The most critical step in any upgrade or migration is planning. Proper planning will save the most headaches in the future and will also reduce the amount of real work you need to do during the migration. Microsoft also strongly recommends implementing all new network structures in a test environment that parallels your existing network. This allows you to check functionality and work out any issues you might encounter before implementing a production environment.

Beginning the Upgrade To upgrade your existing domain, upgrade the PDC in the current Windows NT domain to Windows 2000 first, followed by any desired BDCs and member servers. Before upgrading domain controllers, make sure they are all synchronized. When you install Windows 2000 onto your NT PDC, the Windows Installation program will detect the server’s role and automatically prompt you to begin the installation of Active Directory. This will give you the option of creating the first tree in a new forest, installing a new tree in an existing forest, creating a replica in an existing domain, or installing a child domain. If this is the first Windows 2000 network for your company, then you will want to create a new tree in a new forest. The other options will be discussed later in this chapter. A couple of questions come to mind. First, do I need to keep my current PDC as a domain controller for my Windows 2000 network? Also, do I need to run the Active Directory Installation Wizard? To answer the first one, no, you don’t need to keep the current PDC as a domain controller. Other options will be discussed later in this chapter. Secondly, yes you do need to run the Active Directory Installation Wizard. Remember, that’s how Windows 2000 promotes domain controllers. You need to have domain controllers to have a domain.

Upgrading the PDC As mentioned in the last section, installing Windows 2000 on an NT PDC will cause the Active Directory Installation Wizard to begin. The Active Directory installation process will automatically copy the entire contents of the Windows NT Security Accounts Manager (SAM) database into Active Directory. Windows 2000 refers to these objects (users, groups, computers) as security principals.


www.sybex.com

56

Chapter 2


When the Active Directory installation is complete, the domain is running in mixed mode. This means all features of Windows 2000 are not yet available. However, we must continue to run in mixed mode until all domain controllers for our domain are running Windows 2000. At this point, the former PDC is playing the Operations Master role of PDC Emulator Master. It will use Active Directory to store objects but will remain backward compatible with the Windows NT BDCs. This provides us with a couple of additional features:

The PDC Emulator Master looks like a Windows 2000 domain controller to Windows 2000 computers and an NT PDC to down-level computers.

New objects can be created on the Windows 2000 domain controller and replicated to Windows NT BDCs.

Windows NT and 9x client machines can use the PDC Emulator Master as a logon server.

If the PDC Emulator Master becomes unavailable (crashes), you can promote an NT BDC to PDC for the original NT domain.

Continuing the Upgrade Once your PDC is upgraded to Windows 2000, it’s time to start migrating other computers in the domain to 2000 as well. The next computers that make logical sense are the backup domain controllers. One of your immediate goals in migrating from Windows NT to Windows 2000 should be to get the domain running in native mode as quickly as possible. Only native mode allows the full functionality of Windows 2000. In order to switch to native mode, you cannot have or plan to have any Windows NT BDCs as part of the domain.

Changing from mixed mode to native mode is a one-way process. You cannot switch from native mode to mixed mode.

Switching to native mode causes several things to happen:

All domain controllers begin using multimaster replication.

You can no longer add Windows NT BDCs to the domain.

New features, such as universal groups, domain local groups, and advanced group nesting, are enabled.


www.sybex.com


57

In some cases, you may want to stay running in mixed mode. Mixed mode is the only mode that provides the best in backward compatibility with older network operating systems. There are generally only a few specific reasons to remain running in mixed mode. First, if the BDCs do not have the hardware to support Windows 2000, an upgrade is not possible. Second, if the BDCs are running applications that are not supported by Windows 2000, an upgrade is not possible. Third, if there is a need to be able to fall back on Windows NT for any reason, mixed mode is the only way. You should always have a fallback plan or recovery plan, but there will be a point where you need to let go of the old environment. When referring to mixed mode, the term really only applies to the authentication infrastructure in the domain. A domain running Windows 2000 domain controllers in native mode, along with down-level clients, is referred to as a mixed environment. Native-mode mixed environments allow full functionality of Windows 2000 domain controllers. After upgrading your Windows NT domains, you may want to restructure your network. Restructuring requires additional planning as compared to a simple upgrade. If a structural change is one of your main reasons for migrating, you may want to consider planning a restructure during the migration.

Upgrade and Restructure Performing an upgrade and restructure can take many different forms. This type of migration is typically available only if you currently have more than one domain. While it is possible to take one existing domain and migrate and restructure to multiple domains, it’s probably not a good idea. The reasons for having multiple domains in Windows NT have been addressed in Windows 2000. There is no longer the limitation of size on the SAM database, and delegation of administrative controls can be applied to OUs within a domain. When considering an upgrade and restructure, there are a few different options:

Restructure NT to Windows 2000

Restructure Windows 2000 to Windows 2000


www.sybex.com

58

Chapter 2



Inter-Forest Migrations

Intra-Forest Migrations

Select the migration type. Types consist of domain upgrade and restructure, domain upgrade only, and domain restructure only.

The first thing to consider is the existing structure of your network. Is it a Windows NT network? If it isn’t, then some of these decisions will be much easier, since you should be building a parallel network structure and then converting your computers to Windows 2000, as shown in Figure 2.3. But most scenarios will involve upgrading an existing NT 4 network to use Active Directory. FIGURE 2.3

Migrating to Windows 2000 often requires building a parallel domain structure.

Existing Network

Parallel Network

In order to plan the kind of domain restructure that your network needs, you must consider the requirements of the organization, its physical structure, and any projected growth. Is there an existing domain structure that will be maintained? Or will you be performing a complete restructure as part of your migration? If you are planning to restructure, where are the administrative units? And where is the administrative staff for the network? All of these factors will weigh in your decision process for restructuring.


www.sybex.com


59

Restructure NT to Windows 2000 If you have an NT network, then this type is for you. Restructuring can mean we are taking multiple NT domains and consolidating them into one Windows 2000 domain, or it can mean we are going to restructure our existing NT domain controllers when performing our migration. Let’s take the case of restructuring domain controllers first. The easiest way to upgrade your NT domain to a Windows 2000 Active Directory domain is to upgrade the PDC, followed by the BDCs and member servers as desired. But what if your PDC cannot be upgraded? If that’s the case, install a new BDC in your existing NT domain. This machine will become the new domain controller for our Windows 2000 domain. Once it’s installed on the NT domain, promote it to the PDC. This process will take the existing PDC and automatically demote it to a BDC. Once this promotion/demotion takes place, install Windows 2000 onto your new PDC. Restructuring of domains usually takes place in one of three situations: post-upgrade, instead of upgrade, and post-migration. Post-upgrade restructuring is used to eliminate network complexity once the initial Windows 2000 domain has been established. If your current Windows NT network is considered unsalvageable, you may just want to scrap the whole thing and install a new Windows 2000 network. Hopefully this is not the case. Restructuring may also take place many years down the road, after the migration is ancient history. Restructuring Multiple NT Domains If you are running a Master Domain model, Multiple Master Domain model, Complete Chaos model, or anything in between, you will want to consider upgrading all existing domains on your network to one Windows 2000 domain. The two main reasons we used these domain models were the limit on SAM database size (40MB) and local administration of resources. Windows 2000 does not have a limit on its security database size. Also, we can now delegate administrative responsibilities to users on organizational units. There are few reasons to need multiple domains. Consider a few advantages of migrating multiple NT domains into one Windows 2000 domain. First, all administration is centralized. Even though you may think this is a disadvantage (after all, more work for the central administrators), it’s nice that the central IT group can administer all resources if necessary. Second, no trust relationships are needed. These were a pain to administrate in Windows NT. Granted, Windows 2000 creates two-way transitive trusts for you between domains, but why deal with them if you don’t


www.sybex.com

60

Chapter 2


need to? Third, departmental control over resources can still be granted to administrators in individual departments through delegation of control. Lastly, if users are trying to locate resources, they are all in one domain and easier to find. Okay, now that you’re convinced you want to consolidate domains as part of your migration strategy, what’s next? First, migrate your accounts (master) domain. If you have multiple masters, pick the one with the most users first. That new domain will become the root of your Windows 2000 forest. Then, migrate other accounts domains, followed by the resource domains. Within all domains, move the domain controllers first, then member servers, then client computers. When choosing which resource domains to upgrade first into the new restructured domain, there are a few guidelines to follow. First, migrate domains that have mission-critical applications. If the customer service SQL database is not available, that could seriously impact business. Second, migrate the domains with the largest numbers of computers.

Restructure Windows 2000 to Windows 2000 Huh? I just installed a new Windows 2000 domain, and now you want me to do more work? Well, sort of. Windows 2000 restructuring could take place in a variety of settings. Maybe you completed the migration and forgot some things. Maybe you completed the migration and now want to restructure your domains. There could be a number of reasons why you would want to restructure within Windows 2000, and we will look at the two major types: inter-forest restructuring and intra-forest restructuring. Since Windows NT cannot be considered a Windows 2000 domain, and inter-forest migrations literally refer to “between different forests,” we can consider a migration from NT to 2000 an inter-forest migration. Inter-forest Migrations Microsoft has identified two major inter-forest migration scenarios that should meet most businesses requirements. These scenarios will work with either a Windows NT domain or an existing Windows 2000 domain as a source domain and a Windows 2000 domain as a target domain. This is the primary migration scenario when migrating a Windows NT domain to a Windows 2000 domain without simply upgrading. One of your major goals during a migration should be to minimize interruptions to resource access on the network. Ideally, you could perform a migration during off-hours. Ideally, every lottery ticket you buy would be a


www.sybex.com


61

winner, too. An implication of maintaining resource access during the migration is that the production environment cannot be too drastically changed until the migration is complete. To ensure this, you will create a second network, or parallel network, to facilitate proper migration. There are advantages and disadvantages to using inter-forest migrations. Advantages include staged migrations, parallel environments, and fallback security. You can migrate groups of users at a time, test the migration in the old and new environments, and if anything goes wrong, abandon the operation with the old structure still in place. Some disadvantages to using inter-forest migrations include


Cloned users will retain their SID from the previous domain, an attribute called SIDHistory, which could theoretically cause security breaches.

Microsoft cloning tools do not provide for the copying of passwords between forests.

Cloned objects do not have their original GUIDs preserved. This is only an issue when the source domain is Windows 2000.

Create and configure a pristine environment.

When migrating from one forest to another, there are two main classes of objects we need to move: users and resources. The steps to migrate users are as follows: Create the pristine Windows 2000 forest. Create a new Windows 2000 forest using standard procedures. Make sure the new domain meets all current network requirements and future plans for functionality and expansion. You will create all domains needed and run all domains in native mode. Establish trusts to maintain resource access. Using either the Active Directory Migration Tool (ADMT) or NETDOM, find out what trusts currently exist between the target and source domains. Create trusts as necessary. The target and source domains should have a two-way trust established.


www.sybex.com

62

Chapter 2


Migration tools, such as ADMT, NETDOM, and ClonePrincipal, are discussed in detail in Chapter 7, “Migrations Tools.”

Clone all source global groups in the target domain. Once the trusts have been established, clone all global groups. Global groups typically contain users, who need access. This will ensure that we can assign permissions in the new domain while maintaining access in the old domain. You can clone groups using ADMT or ClonePrincipal. Identify and clone sets of users. Once the global groups have been cloned, you can start cloning users. Once again, you can use ADMT or ClonePrincipal for this process. Most of the time you will want to clone users incrementally and test resource access in the new domain before migrating more users. This will eliminate resource access problems once the migration is complete. Decommission the source domain. After all users and groups have been cloned, the final task is to decommission the source domain. This means powering off all BDCs, followed by the PDC. If these machines are to be Windows 2000 Servers, install Windows 2000 now and run the Active Directory Installation Wizard as needed. Each step in the migration process should be tested. Both user logon and resource access should be tested in the new domain before the old domain is decommissioned. If errors occur at any stage, the old domain still exists and production work can continue. Migrating users is not the only process in migrating domains; we must also consider a process for migrating resources. In a domain model where resources are spread among multiple domains, trust relationships are required, and it can be difficult to locate the resource you’re looking for. As part of the resource migration scenario, application servers will become member servers in the target domain. It is assumed that the application servers will be using shared local groups for resource access, and the domain may already contain member servers and workstations. The scenario is as follows: Establish required trusts from the target domain to account domains outside the forest. This step assumes that the resource domains are migrating and that the accounts domain is not—at least not now. The point of


www.sybex.com


63

this step is to ensure that the accounts have access to the resource after it is moved. When dealing with multiple domains, the only way to accomplish this is through trusts. Clone all shared local groups. This will ensure that resource access is maintained while domain controllers and resources may be split. Demote application servers to member servers. Windows NT does not support the demotion of BDCs to member servers. The easiest way to accomplish this is to have previously upgraded the PDC of the resource domain. There are two approaches:

Upgrade the PDC of the resource domain to Windows 2000, and run the domain in mixed mode. Upgrade the desired BDC. During the Active Directory Installation Wizard, you will be given the choice of making the BDC a domain controller or a member server in the Windows 2000 domain. Choose member server, and your mission is accomplished.

Take the BDC offline in the old domain. Promote it to a PDC. Upgrade the machine to Windows 2000, which will effectively make the offline domain controller a clone to the new mixed-mode Windows 2000 domain. Once the original PDC is upgraded or taken offline, you can run the Active Directory Installation Wizard, make the new Windows 2000 machine a member server, and join the target domain.

Move member servers and workstations. Simple enough—move member servers (including former BDCs) from the source domain to the target domain. Decommission the source domain. Finally, the old domain gets the boot. Remove all remaining BDCs first, then the PDC for the original domain. If desired, upgrade the machines to Windows 2000 as either member servers or domain controllers. Intra-forest Migration If a migration takes place between domains in the same Windows 2000 forest, it is an intra-forest migration. Since Windows NT domains cannot be members of a Windows 2000 forest, this migration type involves only Windows 2000.


www.sybex.com

64

Chapter 2


Like inter-forest migrations, intra-forest migrations have advantages and disadvantages. This migration scenario is typically used after customers have upgraded their domains to Windows 2000 and now want to ease administration by combining the network locations of resources. Advantages of intra-forest migrations include the following: Password preservation Windows 2000 can copy user passwords from one domain to another domain within the same forest. If this security configuration is required, then you must perform an intra-forest migration. GUID preservation If the object is moved intra-forest, the object’s Globally Unique Identifier (GUID) will be retained. This is useful if you have applications that establish user identity by using GUIDs. Like everything else, this type of migration is not for everyone. Disadvantages of intra-forest migrations include the following: Destructive operation When moving objects via intra-forest migrations, the source object is destroyed. Therefore, it is not possible to attempt staged or parallel migrations like you could with inter-forest migrations. Closed sets In order to maintain group membership rules, users and their global groups must be moved together. Since intra-forest migrations are destructive operations, this often means you must move an entire domain. For all their faults, intra-forest migrations have their place. The most important reason to use one is if passwords need to be maintained for users, as to avoid security breaches. In this case, you may want to upgrade your Windows NT domains to Windows 2000 domains in the same forest, then perform an intra-forest migration to consolidate domains. While this may be more work, security concerns are quite relevant.

Selecting the Domains to Restructure Once you’ve decided what type of migration you will perform on your network, you must decide where to start. It is critical that you establish which domains you plan to restructure and the order in which they will be converted. If your current network is implemented as a single domain, then you have an easy job ahead of you. But consider a network that has more than


www.sybex.com


65

one domain, such as our example company, Coolcompany, with three different locations, each maintaining its own domain under NT 4. In this case, you will have to decide which domain will be the first to migrate.

Microsoft exam objective:

Plan migration.

Select domains and establish proper order for migrating them.

Select destination of migrated objects.

Plan for incremental object migrations as appropriate.

The selection of the first domain has some far-reaching implications for your Active Directory environment. Most important, this first domain will be the root of your forest. All other domains will take their names relative to this root domain. For example, if the root domain will be coolcompany .local, then the Boston location of coolcompany.local would likely be called boston.coolcompany.local. Do you feel a little like you’re looking at the DNS naming scheme for these domains? You are. Active Directory bases its naming on the Domain Name System’s namespace. A major consideration when choosing the new root domain name is whether or not the resources will be available on the Internet. Choosing a name like coolcompany.local may reflect the company’s name and image, but will the resources in that domain be available on the Internet? No. If you want network resources to be available on the Internet, you must choose a root domain name that is supported by the Internet’s root name servers, like .com, .net, .org, or others. If you want to ensure that resources are not available on the Internet, then choosing a .local (or .whateveryouwant) extension is appropriate. Along with choosing a name, remember that Internet names must be unique and registered. Does someone already have coolcompany.com? If so, you must choose another name. It is also possible to host both internal and external names for the same network. An example would be having the domain be both coolcompany.local (internal) and coolcompany.com (external). This causes some additional headaches, like requiring multiple instances of DNS (internal vs. external) and multiple e-mail addresses for users (once again, internal vs. external). Sticking with one name is good practice.


www.sybex.com

66

Chapter 2


The first domain in your Active Directory network should be the root domain of your organization. All child domains and objects will take their names from the name of the root domain. If there is already a domain in your organization that would be a logical choice for this root domain, use it. In most companies, this would be the domain at the company’s headquarters. But what if the three domains in Coolcompany’s network are all fairly autonomous? If they maintain their own administration and operate separately from one another, you may be stepping into a complex political situation trying to decide which domain will be the root. In a case where there are several equally valid choices for the root domain, it may be politically safer (and wiser) to create a new empty domain for the sole purpose of hosting the root of the forest. Figure 2.4 shows a possible migration path for Coolcompany in a scenario like this. In this scenario, the network designer has chosen to create a new root domain and make the Seattle, Dallas, and Boston domains child domains of that new root. This way the domains are all equal in their roles, and no feelings get bruised. FIGURE 2.4

Migrating Coolcompany to a forest with a new root domain

Coolcompany.local

Seattle

Dallas

Boston

Existing Network

Seattle

Dallas

Boston

Parallel Network

Now, in more traditional NT domain models, the migration is more clearcut. Of course, the easiest by far is the single domain model, as you would simply upgrade your domain controllers to Windows 2000 in mixed mode. Once everything is running smoothly on Windows 2000, convert the domain over to native mode and enjoy the full benefits of Active Directory. To migrate a Single Master Domain model to Active Directory, you would typically want to use the master domain as the root domain for the tree and use the resource domains as the child domains. Figure 2.5 shows how this might be accomplished. An alternative is to migrate the master


www.sybex.com


67

domain first as the root domain and consolidate the resource domains into the new root. If resources still need to be controlled by local administrators, migrate the resource domains as their own OUs within the new domain, and delegate control to the appropriate people. FIGURE 2.5

Migrating a Single Master Domain model to Active Directory

Root Domain

Account Domain

Resource Domain 1

Resource Domain 2

Child Domain

Child Domain

Migrating a Multiple Master Domain model can be somewhat more complicated. In this model, there are two or more master account domains and multiple resource domains. You have some alternatives here. First, you could use the master domains as roots of their own trees and combine them into a single forest, as shown in Figure 2.6. FIGURE 2.6

Migrating a Multiple Master Domain model to a single forest with multiple trees

Forest MAD1

MAD2 MAD1 MAD2

R1

R2

R3

R1

R2 R3

Another option is to create a new domain to be the root and add the master domains and their resource domains as child domains beneath the new root. Figure 2.7 shows this option.


www.sybex.com

68

Chapter 2


FIGURE 2.7

Creating a new root domain to migrate a Multiple Master Domain model

Root MAD1

MAD2 MAD2

MAD1

R1

R2

R3

R1

R2

R3

The other options involve combining domains. One such choice would be to combine the master domains into one root domain containing the users and upgrade the resource domains as child domains. Another choice would be to upgrade all domains into one domain, with the old resource domains as OUs in the domain. As you can see, with the Multiple Master Domain model, the choices are almost limitless. The best decision will be based on the needs (political and technological) of the company. On the exam, the case study questions will often present you with choices for which domain should be upgraded first and which domains can have a partial or incremental upgrade. When there is a clear choice for the root domain of the new structure, the choice is easy. But many of the questions aren’t so clear. For these other questions, you must consider the information you have been given as part of the case study. What are the company’s priorities for the migration? Pay particular attention to the information about which computers and/or domains cannot tolerate any disruption. This will guide you in your decisions. If a domain can be upgraded incrementally, this will give you a more structured approach to the migration. You can begin with the domain controllers and immediately switch the domain to Active Directory and nativemode operations. Then you can follow by upgrading the member servers and finally the clients. Incremental domain upgrades are more useful in situations where the servers cannot tolerate very much time offline. This approach gives you the ability to upgrade the domain controllers and the clients without touching the member servers providing line of business (LOB) applications. Your priority for the specific order of machines to upgrade will depend on the business goals of the migration. The only real requirement for upgrading a domain is that the domain controllers be upgraded. The other computers can easily be a mixture of Windows 2000 and Windows 9x or NT.


www.sybex.com


69

Last tip: When designing a new domain structure, keep the number of parent and child domains to a minimum if possible. You could create a root domain, a child for the physical location, a child for the building, a child for the department, and so on. However, object names start getting ridiculous. Imagine locating an object with the unique name of jsmith.marketing.bldg25 .boston.coolcompany.local. Keep things simpler than that. Keep your life easier than that.

Implementing Organizational Units Organizational units (OUs) are valuable in network design planning. They allow you to create structure within a domain and map your company’s logical network to mirror its physical structure. This enables you to delegate control over smaller sections of your network, like departments, and distribute the administrative burden. One of the buzzwords you’ll come to recognize for Windows 2000 is granularity, which basically means that you can break down a process into as many segments as needed or review something in the most minute detail to ensure clarity and understanding on the user’s part. Windows 2000 enables you (the administrator) to get as granular as you want with permissions and rights. In the case of OUs, you can designate a user to be a local administrator for their department, giving them full control of their OU, but control of nothing beyond that OU. This brings up what I think is an interesting point in domain planning. Remember that example earlier of Coolcompany’s issue with three physical locations and three separate domains? Using OUs, you could consolidate the entire network into one single domain with Active Directory, then implement an OU for each physical location. Delegate administrative rights and permissions to the local administrator team at each location, and you have the best of all worlds! These local admins can now administer everything in their location, but you still retain centralized administration over the entire network using the Enterprise Admins group at the domain level. OUs can be used in many ways, from departments to physical locations. The right way will be different for every network you plan. I’ve found that a solid approach to this process is to decide whether the administration will be centralized or distributed. This decision will be the basis for inheritance. Inheritance refers to the flow of permissions and rights down from the root through all OUs and child domains. The default configuration allows inheritance to flow downward from parent structures to all child containers and objects.


www.sybex.com

70

Chapter 2


If you decide to centralize your administration, you will have very little left to do because the default provides centralized administration. But if you decide that you want to distribute all or part of the administrative load, you will need to configure some OUs or child domains to block inheritance from the root. Of course, the built-in administrators group for the domain can override the authority of an OU’s administrator, and an enterprise administrator can override the authority of any down-level administrator. Three basic tools control the administration of an object in Active Directory: Delegation of Control Wizard This wizard walks you through the necessary steps in delegating the administrative control of an object. Here, object indicates a container in Active Directory such as an OU, or it could be a printer, user, or group.

Security tab of an object’s Properties sheet On the Security tab of almost any object’s Properties sheet, you will find the access to the object’s permissions that you need in order to restrict or grant access to that object. Dsacls.exe This Resource Kit utility gives you control of an Active Directory object’s Access Control List (ACL) from the command prompt. The utility has the ability to manage the ACLs of any object or branch of the Active Directory tree. Used together, these tools will grant you all the granular control you need. See? There’s that buzzword again, but it’s true. Windows 2000 does give you very granular control of all of its objects, both local to the computer and across the network.


www.sybex.com

Case Study: SmartSoft, Inc.

71

Take about 10 minutes to look over the information presented and then answer the questions at the end. In the testing room, you will have a limited amount of time; it is important that you learn to pick out the important information and ignore the “fluff.”

Background SmartSoft, Inc. has decided to upgrade their Windows NT 4.0 network to Window 2000. You have been hired to design the domain structure of the new Active Directory environment. SmartSoft, Inc. has two major divisions–one that sells server-based anti-virus software and another that sells server-based firewall software. Both product lines have an established Internet presence on individual Web sites and have developed good reputations in their market segment. Your research includes the following interview comments: Director of IT Services We are set up in a traditional NT Multiple Master Domain model. We have two master domains, one for each of our product lines, and a series of resource domains, each dedicated to one of the masters. We have about 1500 users in each master domain. Director of Marketing Each of our two main products, SS AntiVirus and SS BrickWall, has its own Web site. We do most of our customer support through those Web sites. We have also spent the money needed to ensure that our names come up first on many Web search engines. Director of Research and Development Because we have a constantly changing environment (due to test servers going up and down) and a need for high security, we manage our own resources here in R&D. We would like to continue to be a part of, but not controlled by, the central IS department in both product lines.


www.sybex.com

CASE STUDY


CASE STUDY

72

Chapter 2


Questions 1. Which of the following will best support the needs of the Research and

Development department? A. Roll the R&D domains into their parent domains and mix the

resources with all of the other domains’ resources. Use Windows 2000 and AD security to protect confidential information. B. Roll the R&D domains into their parent domains. Place the R&D

resources in a separate OU to enhance security. C. Keep the R&D domains as child domains. Give the R&D personnel

administrative privileges in their domain. D. Do not upgrade the R&D domains to Windows 2000. Make their

IT personnel responsible for securing their environment. 2. Which of the following is the best migration strategy for SmartSoft, Inc.? A. Create a new Windows 2000 domain named SmartSoft.com, and

place the two master domains under it as child domains. Maintain the same resource domains, with the same relationship to their parent domains. B. Maintain the same domain structure, making one of the two mas-

ter domains the new root domain. C. Make each of the master domains the root of a new AD tree. Tie

them together in a single forest. Maintain all of the resource domains without change. D. Create one new Windows 2000 domain named SmartSoft.com,

and place all resources within it.


www.sybex.com


73

dows NT 4.0 domain and trust structure. For each domain, decide if it will be a root domain, be a child domain, or be absorbed into its parent during the migration. Root Domain Child Domain Anti Virus

Brick Wall Absorbed

Acct

R&D

Acct

Sales


R&D

Sales

www.sybex.com

CASE STUDY

3. Drop and connect: The following graphic shows the current Win-

CASE STUDY ANSWERS

74

Chapter 2


Answers 1. C. An argument could be made for answer B, but the best security will

be to keep the R&D resources in a separate Windows 2000 domain within the SmartSoft forest. 2. C. Since each of the two product lines (AntiVirus and BrickWall)

has an established presence on the Internet, you will want to maintain two separate namespaces. All names start with the root domain, so you will need two trees (and two root domains) in this environment. 3. Root Domain

Root Domain

Anti Virus

Brick Wall

Acct

R&D

Acct

R&D

Absorbed

Child

Absorbed

Child

Sales

Sales

Absorbed

Absorbed

Given the need to maintain two namespaces, SmartSoft will require two AD trees in a forest configuration. Since each tree supports only 1500 users, many of the existing domains will not be necessary after the migration. The only exception is the R&D domains, which will remain to enhance security.


www.sybex.com

Summary

75

Summary

In this chapter, you learned how to choose the type of migration, including upgrades, restructures, inter-forest restructures, and intra-forest restructures. You saw how to plan the domain restructure, from selecting the domain to be migrated first to knowing when to use an incremental migration. We discussed the basics of Active Directory and showed how this will relate to your planning for organizational units. You can expect to see this material on the exam, so you should pay special attention to the different migration scenarios and strategies.

Key Terms Before you take the exam, be sure you are familiar with the following terms: attributes child container objects forest granularity inheritance multiple master replication organizational unit (OU) schema


www.sybex.com

76

Chapter 2


Review Questions 1. You have been asked to plan the migration from NT 4 to Windows 2000

for your company’s network. There are three domains in a complete trust model. Which model(s) could you use for the target domain structure? A. Build a complete trust model using three domains. B. Create a single tree with one domain as the root and the other two

as child domains. C. Create three trees in a single forest. D. Create a new empty domain to be the root of the forest, then add

the three existing domains as child domains of the root. 2. Which one of the FSMO roles is responsible for modifying the struc-

ture of the data contained within the Active Directory? A. The Domain Operations Master B. The RID Master C. The Key Master D. The Schema Master 3. What type of migration would include upgrading the domain control-

lers to Windows 2000 and then moving them to new domains within Active Directory? A. Restructure Windows 2000 to Windows 2000 B. Upgrade and restructure C. You can’t do that without formatting and reinstalling. D. Restructure NT to Windows 2000


www.sybex.com

Review Questions

77

4. You have been tasked with planning your company’s migration to Win-

dows 2000. Your network currently has a Multiple Master Domain model. There are nine master domains and twelve resource domains. How many forests must you create to hold this organization? A. Nine B. One C. Twenty-one D. Two 5. Which wizard will assist you in decentralizing your network adminis-

tration by giving control of an OU to another administrator? A. Delegation of Control Wizard B. Decentralization Wizard C. ADMT D. Dsacls.exe 6. You are planning the migration of your network from NT 4 to Win-

dows 2000. Your company has only one physical location, but there are seven different departments that insist on keeping their own administration. How can you provide this while still maintaining some control over the entire organization? A. Create seven different domains and establish a complete trust

model. B. Create a single Windows 2000 domain and use an OU for each of

the seven departments. Delegate control of the OUs to a member of each department. C. You can’t do this with Windows 2000; you should leave them

on NT 4. D. Create a separate tree for each department.


www.sybex.com

78

Chapter 2


7. You have recently migrated to Active Directory in your network. You

have noticed that browsing the Directory for servers is a bit slow across your WAN links. What type of server should you create to help with this problem? A. Primary domain controller B. RID Master C. Global Catalog Server D. Backup domain controller 8. You are migrating your network to Windows 2000 and have success-

fully upgraded all of your domain controllers in each domain to Windows 2000. Now you are reorganizing the domains into a more logical Active Directory structure. What type of migration does this represent? A. Upgrade and restructure B. Inter-forest restructure C. Intra-forest restructure D. Restructure NT to Windows 2000 9. Which Operations Master role is responsible for adding new domains

to the Active Directory forest? A. Schema Master B. RID Master C. PDC Emulator Master D. Domain Naming Master


www.sybex.com

Review Questions

79

10. You are designing a migration plan for a Windows NT Master

Domain model network. The network has three resource domains: Acct, Sales, and Eng. Corp is the accounts domain. All domains have approximately the same number of client computers. The Eng domain contains the company’s research database hosted on a SQL server. Which resource domain should you upgrade first? A. Corp B. Eng C. Sales D. Acct 11. Your Windows NT network is going to be upgraded to Windows 2000.

You currently have two domains, and there is a two-way trust established between them. Management’s primary concern during the migration is security. After the migration is complete, there will be only one domain. How should you migrate the network? A. Combine the NT domains using the NT Resource Kit. After they

are combined, perform a Windows 2000 upgrade. B. Upgrade the existing domains to Windows 2000 domains in dif-

ferent forests. Use an inter-forest migration to consolidate the domains. C. Upgrade the existing domains to Windows 2000 domains in the

same forest. Use an intra-forest migration to consolidate the domains. D. Upgrade the existing domains to Windows 2000 domains in the

same forest. Use an inter-forest migration to consolidate the domains. 12. Which Operations Master role is required in mixed-mode Windows 2000

domains? A. Schema Master B. RID Master C. PDC Emulator Master D. Domain Naming Master


www.sybex.com

80

Chapter 2


13. What types of migration are best suited for networks in which a

back-out plan is necessary in case the migration fails? A. Upgrade B. Restructure C. Inter-forest migration D. Intra-forest migration 14. You are migrating your Windows NT Multiple Master Domain model

to Windows 2000. It is decided that there will be five domains once the migration is complete. In this new structure, how many Infrastructure Master servers will be on the network? A. One B. Five C. Ten D. Cannot be determined 15. Your Windows NT domain was just upgraded to Windows 2000.

Originally, it was decided that resources would not be available on the Internet. Management recently changed their minds, and now resources must be publicly available. The current domain is named coolcompany.local. One administrator suggests changing the name to coolcompany.local.com. What do you say? A. Sure! Make the change. B. That will work, but we need to change our DNS servers. C. That will work, but we need to change our DNS servers and

update all machines on our network with the new domain name. D. That will not work.


www.sybex.com

Review Questions

81

16. Your company is upgrading its network and wants to host the com-

pany Web site from the corporate location. Much discussion has been made about what to call the new domain. You have the registered Internet name of coolcompany.com. Which of the following names are valid for your company’s Web server on the Internet? A. www.coolcompany.local B. today.coolcompany.com C. www.products.coolcompany.com D. www.coolcompany.local.com 17. Which Operations Master role is responsible for ensuring that all

objects within an domain are properly identified with a unique identifier number? A. Schema Master B. RID Master C. Domain Naming Master D. PDC Emulator Master 18. How many domains are required to create a forest? A. Zero B. One C. Two D. More than two 19. How many root domains should you have in a forest? A. One B. Two C. Three D. Cannot determine


www.sybex.com

82

Chapter 2


20. You are restructuring and upgrading your Windows NT Master

Domain model network to Windows 2000. Currently, your domain has five domains: one master domain and four resource domains. All employees work at the central office in Nashville. When trying to determine an appropriate model for your network, you must take the following into consideration: You need to have overriding administrative control over the whole network, administrators for each department need to be able to create users and administrate resources, and certain security settings will apply to all users. Which structure would be best for your network? A. Create a new forest, with Nashville as the root domain. Create

child domains for each department. Assign administrators from each department to the Domain Admins group for their respective areas. B. Create a new forest for each department, with Nashville as the root

forest. Assign administrators from each department to the Enterprise Admins group for their respective areas. C. Create a single domain. Place all users and resources in the

domain. Delegate control of users and resources to the specific administrators who need the control. Allow administrators to create objects within Active Directory. D. Create a single domain. Create organizational units for each

department within the domain. Place all users and resources within the proper OU. Delegate control of the OUs to the proper administrators.


www.sybex.com


83

Answers to Review Questions 1. B, C, D. Any of these three methods could be used. You could establish

a new tree for each of the domains, and if they are in the same forest, users will still be able to communicate. The best model would be either B or D. The simplest method would be to pick one domain to be the root as in answer B. Answer D would be a good solution in a politically sensitive situation, where choosing a root domain would be difficult. 2. D. The schema for Active Directory defines the structure of the data

stored within the Directory. If you wanted to change the definition of an object, or add another type of attribute to an object, you would use the Schema Master to modify the schema for the entire forest. 3. B. An upgrade-and-restructure migration would require that you

upgrade the domain controllers to Windows 2000 and then move them to new domains or OUs within the forest. 4. B. You would need to create only one forest to hold this entire orga-

nization. The master domains could become child domains of a new root domain, or they could each become the root of a separate tree. But there would still be one forest. 5. A. The Delegation of Control Wizard can be used to delegate admin-

istrative rights to a user or group account. 6. B. Creating OUs for the departments would be the easiest approach

since only one domain would be required. You could use answer D, but that would be unnecessarily complicated and might make it more difficult to centrally administer the entire network. 7. C. The Global Catalog Server maintains a copy of the Directory that has

a subset of attributes for every object in the entire Directory. This catalog is used when browsing the Directory for resources. Creating another Global Catalog Server would help clients to find the resources without having to cross the WAN link to find another Global Catalog Server.


www.sybex.com

84

Chapter 2


8. A or C. A would be the best answer here, since the upgrade-and-

restructure migration requires that you upgrade existing domains to Windows 2000, then restructure them into Active Directory. Answer C is also correct but would require the additional step of converting the new Windows 2000 domains to native mode prior to restructuring. 9. D. When domains are added to a forest, the Domain Naming Master is

consulted to make sure the proposed name is unique within the forest. 10. B. The Corp domain should be upgraded first, but that’s not what the

question asked. Among the resource domains, the only one that stands out is the Eng domain because it is hosting a database. Since the database is probably mission-critical, its resource domain should be upgraded first. 11. C. The only way to preserve password information when performing

a Windows 2000 migration is to use an intra-forest migration. Interforest migrations do not provide password-replication services. Intra-forest migrations imply that all domains are part of the same forest. 12. C. The PDC Emulator Master is required in mixed-mode domains to

serve as a PDC to Windows NT domain controllers and act as a possible authentication server for clients in the domain. 13. A and C. In an upgrade, you upgrade the PDC first. If there are prob-

lems, you should have a BDC in the old domain, which you can promote to a PDC. Inter-forest migrations allow you to set up a parallel network, leaving the existing structure in place in the event of a failure. 14. B. There will be one Infrastructure Master per domain. Since there

will be five domains, this means five servers will play this role. 15. D. That will not work unless you own the registered Internet name

local.com. Chances are, that name is already taken. You might want to see if coolcompany.com is taken, and if not, grab it. This change will involve more re-installation. Management should have planned this better.


www.sybex.com


85

16. B and C. Only the names with coolcompany.com at the end are valid

for your company on the Internet. Anything with a .local extension is valid for DNS servers, but DNS servers on the Internet are not configured to search for .local names. The last one is invalid because of how the name is structured—it would require you to have the name local.com reserved on the Internet as well. 17. B. The Relative Identifier (RID) Master dispenses unique identifiers for

all objects created within its own domain. It then ensures that all domain controllers are aware of the objects and their corresponding identifiers. 18. B. When you create the first domain in a Windows 2000 network, you

automatically create a tree and a forest as well. Even though forests are typically considered as having multiple trees (domains with a contiguous namespace), one domain (and one tree) is still a forest. 19. A. A forest will always have one domain that is considered the root

domain of the forest. While other domains may have been roots of their respective trees before joining the forest, there will still be only one forest root. 20. D. There are a few points that make the decision of a single domain

clear. First, you need to maintain administrative control. While this is possible in a forest, it’s best to leave it as a single domain. Second, all users will need to be affected by the same policy settings. This is also most easily accomplished by creating a single domain and then applying Group Policy to the domain. Local administrators can still create users and manage resources within OUs if you delegate control to them in the OU.


www.sybex.com

Chapter

3

Preparing for the Migration MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Plan migration.

Develop a pilot migration strategy.

Install the Windows 2000 DNS service or configure the existing DNS implementation as appropriate. Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service. Perform test deployments of domain upgrades. Perform post-migration tasks. Verify functionality of network services.


www.sybex.com

I

n the last couple of chapters, you learned how to plan for your migration. Now you will see some of the things you will need to consider when preparing for the migration. Do you feel like we’re spending a lot of time talking about planning? Do you think that might indicate that planning is very important for the success of a migration to Windows 2000? You’re right on both counts. Your success in the planning phases will determine your success in the actual migration. Now we’re going to learn about the things to do to get your systems and network ready for the migration. In this chapter, you will learn how to prepare for a migration. In the first portion of the chapter, you’ll learn how to create a test strategy to aid in your planning and then execute a pilot migration to see if your plan works on a small scale. Then you’ll learn how to take steps to prepare your network for readiness remediation. In the second portion of the chapter, you will learn how to install or upgrade the Domain Name System (DNS) service in your network. We’ll talk about why this service is so vital to the success of your Windows 2000 network. In the last section of the chapter, you will explore the steps necessary to protect your network in case things go wrong with the rollout. How will you restore the network services? How will you restore the accounts to working order so that your users can log on to the network and continue with their lives?


www.sybex.com

Planning for Pre-Migration Tasks

89


Okay, this is where we get down to business with the migration…almost. You still need to plan for getting your network ready for the actual rollout of Windows 2000 by performing a series of pre-migration steps. These steps range from setting up a test lab to see if your setup procedures will really work to planning for restoring your current network services if the migration needs to be rolled back for any reason. I will admit to being a flying-by-theseat-of-the-pants type when it comes to installing software on my own computers, but when performing upgrades for clients I am very cautious and ever aware that they depend on these systems to do their jobs.


Plan migration.

I suggest a two-phase approach to pre-migration strategy: preparation and recovery planning. In the preparation phase, you would create a test environment to simulate your deployment of Windows 2000 and to test the configurations necessary to support your individual network’s needs. In the second phase, you will take steps to create backups of network service information and user accounts, so the environment can be re-created with a minimum of disruption to your users.

Creating a Test Environment A test environment is something you may already have if you push any software out to users on your network. After all, deploying applications is very much like deploying an operating system. They’re only different in scale. If you don’t currently have a test lab, you should set one up if at all possible. This doesn’t have to be elaborate; just three to five computers that are capable of running the versions of software you plan to deploy should do it in most


www.sybex.com

90

Chapter 3

Preparing for the Migration

cases. I always prefer to use computers just like the servers that I’m going to deploy on to test for hardware issues as well as anticipated software problems.


Plan migration. Develop a pilot migration strategy.

Even though you can get by with just a few computers for testing, there are some guidelines to keep in mind:

Complexity of the planned deployment

Your available budget

What kind of physical space is available for the test lab

Structure of your team, number of testers, and their locations

Services and components that you will be testing

Whether the test lab will be used after the deployment is complete

Other points to consider will reflect the nature of the testing, such as network cabling to be used, routers, and similarity of the test equipment to the planned production equipment. As I said earlier, it is a good idea to use the new production servers for the test phase if it is practical. In many cases, you will be purchasing new servers for the migration, and a small number of them can be purchased early to use for the testing. Remember that you have to walk a fine line when planning the test environment. You need to allocate enough resources to get an accurate view of the deployment, yet you don’t want to spend so much money that the entire project appears too costly to pursue. A software test lab is often viewed as a risk-management facility, that is, it can often identify the problems in a plan when there is still plenty of time to find a solution. Using a test lab to proactively identify the sources of potential issues means that you can also experiment with different solutions and test their effectiveness before the time becomes too short during the deployment. The lab is the proper place to design your recovery process and to test that recovery plan to verify that it will work before you actually need it.


www.sybex.com


91

The test lab is also a good place for your IT staff to learn about Windows 2000 and to practice new skills that will be needed during and after the deployment. This phase will often show weak points in your deployment plan and give you an opportunity to refine the plan. Remember that one of your primary goals is to cause the least amount of disruption to the existing network environment while migrating to Windows 2000. If your testing reveals weaknesses in the migration plan, take the time to reexamine the plan, taking the new information into account. For example, you may find that your plan fails to consider resource access. This would be a good time to develop some alternative ideas to correct the situation. EXERCISE 3.1

Designing a Test Lab The process to build a test lab is fairly complex, but planning will make the process livable. Use these steps as a guideline when designing your test lab:

1. Select a test lab strategy. Decide early on in this process whether you will be keeping this lab for use after the migration, or if this is meant to be a temporary lab to test this deployment only.

2. Obtain necessary approval and funding. Get the buy-in of your superiors along with the visible transfer of power that comes from a public announcement by the superiors that you are in charge of the project. This approval eliminates later problems.

3. Create a temporary lab. This temporary setup will help you to do the necessary planning and design for the real test lab.

4. Determine the supported software and hardware. Spend some time examining the compatibility lists for software and hardware on Windows 2000 to help you select the appropriate configurations.

5. Plan the logical design. Decide what the domain structure will look like in the lab, then decide which network services you will run.

6. Plan the physical design. Decide what the physical network layout will be. This design should include any new technologies your network might be adopting as part of the migration.


www.sybex.com

92

Chapter 3



7. Document your planned design. Create a document that describes the process of building the lab, the parts involved, the people involved, and the estimated time needed to complete the construction of the lab.

8. Acquire the pieces. Gather all of the needed hardware, software, and people resources you will need to assemble the lab.

9. Build and test the physical network. This step includes everything needed to lay out the network, from running cable to connecting hubs and routers. Remember to thoroughly test the network with known good equipment to ensure that it works correctly before proceeding.

10. Build the servers. It was a surprise to me when I worked in my first data center that brand-new servers need to be assembled. Having only really worked with desktop or portable computers prior to that job, I expected that the new server would come out of the box ready to plug in and turn on. Not so! Servers usually need to have their components installed and tested before they can be put into service. This is also a great time to install the operating system and other necessary software.

11. Build the client computers. These may or may not need to be assembled, but you will need to get them into place and properly connected. Make certain that they have the correct software installed to represent your real environment.

12. Test the lab. This is my favorite part, playing with the new equipment. But seriously, try to test as much as possible the connectivity between the clients and the servers. Determine whether or not this lab now represents the real environment accurately. If not, what needs to be changed? If you have completed these steps successfully, then you can congratulate yourself! Your lab is complete!


www.sybex.com


93

The testing itself is another area where you can spend a lot of time planning how things will work. Create test plans for each phase of your migration separately, then in combination. As the plans gain in complexity, they should approach the reality of the migration. That is, when you are at the end of your testing phase, you should be running a full simulation of the deployment in the test lab. EXERCISE 3.2

Planning a Test Scenario Your company has four domains in a master domain model. You are in charge of planning the migration to Windows 2000 for the entire domain model. You have created a vision plan for the migration that states the following points:

The migration must yield the benefits of Windows 2000 and Active Directory as soon as possible.

There must be no disruption of daily business due to the migration.

The migration will include an upgrade to the existing network from 10BaseT to 100BaseT.

With these points in mind, what can you determine about the test lab that would be necessary for this migration plan?

1. What will you need to provide for the physical network? 2. What is the minimum number of servers you will need to provide? 3. How many client computers should you provide?

In Exercise 3.1, I mentioned the need for a temporary lab. This is really to provide you with as much time as possible to begin learning the new skills that relate to Windows 2000 and Active Directory. If your testing strategy calls for designing a lab that will become a permanent fixture in your network environment, then the temporary lab will just be enough to get you started with the learning phase while you are selecting and ordering the equipment that will be used for the real lab. An interim lab could easily consist of one to three servers and a couple of client computers to test the network services. This equipment would be enough to establish some basic information that will shape your approach to later testing.


www.sybex.com

94

Chapter 3


Justifying the Lab So how do you plan to explain the need for this lab to your project sponsor? If you could simply tell him or her that this book recommends a test lab and get the money, I might want to accept a job with your company. Most managers will need to carefully examine your business case for the test lab before committing themselves to the budget to fund your little kingdom. This is where thoughts of return on investment will pay off. You need to develop a business case document that explains how a proper test environment can detect flaws in a migration plan that would otherwise not be found until it was too late to prevent them. When these issues arise, they can cause severe delays in the migration, along with all of the costs accompanying those delays. Having a test lab means that you have the opportunity to test each step of the deployment plan. The more complete the test environment, the better the job it will do in enabling you to test your plans. When the costs of the lab are compared to the potential costs over time of additional support and administrative overhead, the lab should look like a good investment. You can also point out that an economy of scale might be possible by incorporating the test lab space into a single lab facility. There are likely other projects in your company that would benefit from a test environment. If you can build a lab that is adequate for everyone’s needs, you may be able to save the company money.

Life Span of a Test Lab Your test lab may only be used for this migration, but even so it will be used in nearly every phase. However, it may be used for other areas besides the migration itself. Let’s look at some possibilities: Initial Windows 2000 training This may be an organized training presentation for key staff or simply an opportunity for self-study. Evaluating new features and technologies Reading about the new products in Windows 2000 is one thing, but to really understand how these new features will help your environment, you will need some hands-on time with the products. Prototyping your deployment As you build your migration plan, test the individual steps to reveal potential issues.


www.sybex.com


95

Testing network compatibility Test your network services and applications to decide how well they’ll be supported on Windows 2000. Testing the deployment tools Get some experience with the deployment tools prior to using them in the production environment. Testing your rollout procedure As you build your detailed plan for deploying Windows 2000, try it out in the lab to be certain it works as planned. Testing your support procedures Don’t be one of those people who think about the support personnel only after the deployment is complete. Many organizations do, and their only solution then is to hand the help desk staff an instruction manual and tell them the phone is already ringing. Train the help desk staff ahead of time, and let them use the lab for additional experience before the migration. Analyzing any problems and finding solutions Your testing will no doubt reveal some potential issues, which gives you the opportunity to find the solutions as well. Use it wisely. A test lab may have a very long life span. Many companies maintain a test lab for the purpose of testing new software and hardware configurations even when they aren’t going through a migration.

Change Management and the Test Lab For a network infrastructure to be successful, someone must manage the effects of change in the organization. Change management is often overlooked in many IT organizations, but it is a vital part of a successful operation. I have had personal experience watching unmanaged changes being applied to a production server and then seeing that server go down because the person making the change didn’t know about some other conflicting detail. The problem can be software-related, often because of the content being loaded onto a server, or it can be hardware-related. For an environment to be truly stable over a long period of time, there must be a procedure for monitoring what changes are being made to the server configurations and testing these changes for their real impact on the server before they enter the production network. I’ll give you one of the hard truths I’ve learned in data center management: The more people who have access to the servers, the less reliable those servers will be. I recently had the good fortune


www.sybex.com

96

Chapter 3


to manage a residency-training program hosted in a very large data center. Through the course of my program, I heard many examples of this situation. Software developers or content developers would load new content onto a production server (because they could), and this new content caused the server to crash. It really becomes ugly when that new content also takes down an entire cluster of servers, which can happen. This is when you begin to suffer major downtime and the associated costs. To avoid this problem, the Data Center Management team implemented a team dedicated to monitoring any change that was made to any part of that data center. This Change Management team was the control point for nearly every process in place within that operation. If you wanted a new IP address for your server, you asked Change Management. If you wanted to upgrade your server to Windows 2000, you asked Change Management. And so on. This process worked wonders in the reliability and total uptime of the servers the teams were managing. I highly recommend that a solid change-management policy be implemented in your organization. The benefits of reduced support costs and increased server reliability are well worth the bruised feelings someone may get when they are told their change would cause some problems.

Other Test Lab Considerations Now that you’ve decided what you need a test lab for, and presumably you have the approval and the necessary budget, where are you going to put the lab? If your network stretches across WAN links, you might want to place parts of your test lab in separate locations so that you can also test the feasibility of your rollout plans across those WAN links. Another point to consider along that vein: Where is the test staff located? Do you have enough IT staff at one location to host a successful test lab? How about the one point that causes the most concern for many growing companies: Where do we put that lab? Do you have the real estate to spare for a test lab? How large will it be? A small company might get by with a half-dozen computers in a spare cubicle somewhere, but a larger company with greater resources might want to dedicate a section of an existing data center to the test facility. Some companies may find that their networks are scattered across many geographical areas, and it makes a lot of sense to acquire another location to use for testing because it would also make a perfect disaster recovery site.


www.sybex.com


97

After all, you’re going to be making an environment that can simulate the real production environment, right? So take it a little further and combine that simulation capability with the off-site tape storage, and you have a good model for disaster recovery. The absolute best place to put your lab is in a mirrored environment with the existing network. This way, all issues can be worked out with a practice run of the migration before the real thing. Ideally, this means purchasing systems comparable to the ones currently running on the network and installing identical services on those machines. Attempt to simulate the production environment as closely as possible.

Preparing Your Environment for the Rollout Okay, so you’ve done your testing and written your project plans and associated documents. Ready to do some real work? The last step you’ll take before the real full-scale deployment is to conduct a pilot deployment. A pilot deployment presents the opportunity to test your understanding of the migration process by moving a small number of computers and users over to the new system. In your pilot program, you will want to select a number of users in your organization who are fairly competent to move to Windows 2000. You will be upgrading at least some of your servers to provide network services for them and upgrading their workstations to Windows 2000. The pilot gives these users a chance to learn the new features of Windows 2000 and to give you feedback on how these features work for them in their daily environment. This feedback will either confirm your decision to proceed with the full deployment or warn you to back off until you have resolved any conflicts that have been found. In my opinion, pilots are a great idea for one reason: The real environment is never completely simulated in the test lab. It seems that no matter how hard we try, we can never quite get the feel of the production environment. One of the major causes for this is the mixture of software on the users’ computers. Even in companies that tightly control what software can be installed on a workstation, people still manage to slip in some shareware that they’ve


www.sybex.com

98

Chapter 3


downloaded from the Internet or some personal software that they’ve brought in from home. EXERCISE 3.3

Planning a Pilot Program When you are ready to plan your pilot program, here are some steps to keep in mind:

1. Create your plan. Document your intentions in as much detail as possible prior to beginning the pilot program. This will provide some guidance for your staff and some additional buy-in from your sponsors.

2. Select users and locations. Determine who will participate in the rollout and where they will be located. It is a really good idea to include your IT staff in the rollout so that they have more time to become acquainted with the technology. Users selected for the pilot should be able to reap tangible benefits from their use of Windows 2000 while playing a non-critical role in daily operations.

3. Prepare the users and locations. This is a great time to provide initial training for your staff who will be participating in the pilot. Also take this opportunity to upgrade any hardware that doesn’t meet the minimum requirements for the new software.

4. Deploy the pilot. Install the software on the computers you have selected for the program and have the selected users begin using Windows 2000 in their daily tasks.

5. Monitor the pilot program. Begin gathering feedback from the participants and track this information carefully. Resolve any issues that are encountered and document the solutions for later use.

6. Evaluate the results. Carefully weigh the feedback from your pilot participants and from your deployment staff. Determine from this information whether your deployment is on track or if there are issues that will require you to reevaluate your plans.


www.sybex.com


99

The users you select for the pilot should be enthusiastic about the Windows 2000 deployment. Such users will help your project’s success in the long term because they will share their experiences with others in the organization who are not yet using Windows 2000. If the pilot is going well (or if not, if you are on top of the issues), these people will be your greatest advocates. These pilot users should also be representative of the typical end users in your organization if possible. They should be performing tasks that will normally be performed with Windows 2000 in the future. Yet, there is also a balance to be struck here: They should be able to absorb some downtime if things go wrong. It’s probably not a good idea to roll over your line of business (LOB) servers as part of the pilot program. Pilots are a great way to prepare for a migration, but they’re not the only step you need to take to prepare your network for migration. You’ll need to prepare the network for the migration in terms of network services and disaster recovery planning. Make sure that you have current backups of all servers prior to performing the migration. This is not to imply any lack of confidence in Windows 2000—I’m just trying to express a cautious approach to migration. The data on your servers tends to be very important to your organization. It’s probably important enough that you don’t want to lose it if something did happen to go wrong. Other points to consider for preparation include user awareness of the migration, status of network services, and training of your systems staff (the ones who will be performing the migration). Your users need to be aware of the migration timetable so that they understand the potential interruptions of service they may encounter. Network services need to be in place to support the migration (here I’m really thinking about DHCP and DNS, but there are others that may help, such as Systems Management Server). The following sections discuss some of the issues surrounding network services. Your staff must be trained and experienced prior to the migration if the deployment is to go smoothly. Ideally, each member of the migration team has spent sufficient time in the test lab trying the procedure. If this is true, then each team member should have a clear idea of what can go wrong and what can be done to recover.


www.sybex.com

100

Chapter 3


Testing Your Deployment

So you think you’re ready for a successful upgrade to Windows 2000, but how can you be sure? There are a number of tools that you can use to test and verify a migration to Windows 2000. Before you begin your upgrade, you will need to test your deployment to be certain that every element has been implemented successfully. You will have to go through and test each of the following areas separately to ensure that they will be deployed properly.


Perform test deployments of domain upgrades.

To fully test the implications of your deployment, you must simulate your production environment as closely as possible in your testing. Decide which elements of your deployment to test first, and set up that configuration to begin your testing. I find that focusing on the highest priority portions of the deployment first is a good way to begin. This may vary according to the project goals, but for me that means testing the domain migration first.

The Domain Level You should begin your deployment testing at the domain level. It is important to start here because this is the basic structure of your new network. Testing this area is critical because it will tell you if there are domain-wide issues that must be resolved before they affect your users. EXERCISE 3.4

Testing at the Domain Level To test an upgrade at the domain level, follow these steps:

1. After installing Active Directory in your test environment, check the dcpromo.log file located in %SystemRoot%\Debug to verify that there were no errors.


www.sybex.com


101


2. Use the listdcs.vbs script that is provided with the Windows 2000 Server Resource Kit. This script checks the domain and lists all of the domain controllers. From the command prompt, you can execute the script with a /? switch to get a list of the valid switches.

3. Use the listdomains.vbs script from the Windows 2000 Resource Kit. This script displays a list of all the domain-naming contexts found through LDAP. Note that the commands for this script are case-sensitive. From the command prompt, you can execute the script with a /? switch to get a list of the valid switches.

The Visual Basic scripts used in this section can be executed by the Windows Scripting Host (CScript for the command prompt, or WScript for the GUI version). To change your default scripting program to CScript, type CScript // H:CScript //S and press Enter.

User and Group Accounts The next area of your network where you need to test your deployment plan is your user and group accounts. It is critical to be certain that they will be upgraded successfully because no migration is considered successful if the process adversely affects the users. You are migrating to Windows 2000 in order to provide your users with better services and enhanced capabilities, not to cause them grief.


Perform post-migration tasks.

Verify functionality of network services.


www.sybex.com

102

Chapter 3


EXERCISE 3.5

Testing User and Group Accounts To test and verify an upgrade for user and group accounts, follow this process:

1. Verify that existing users can still log on to the domain by picking some random user account to test. If you can successfully log on using this account, then you can feel more secure that the rest have been migrated correctly.

2. Compare the list of users and groups that existed in the NT SAM with the users and groups that exist in Active Directory to verify that they were all migrated successfully. If you find discrepancies, then you will need to recover any missing accounts or delete any duplicate accounts.

3. Verify that all commands in the logon scripts are run correctly. When a user account logs on to the domain, all commands in the script should work. Turn off any commands that hide the process and watch the output of the logon script to make certain it is not reporting any errors.

System Polices Finally, you will need to transition your System Policies to Group Policy Objects in Windows 2000. Group Policy can be applied at the site, domain, or OU level in Active Directory. It controls security options for nearly every aspect of Windows 2000 and is much more granular than System Policy in NT. EXERCISE 3.6

Testing System Policies To test and verify the upgrade in terms of your System Policies, follow these steps:

1. Create Group Policy that mirrors the settings used in your System Policy. You would do this by comparing the policy settings in the System Policy Editor in NT to the settings being applied in Group Policy. This ensures that users will receive the same settings whether an NT domain controller or one running Windows 2000 validates them.


www.sybex.com


103


2. Log on as different users that have different System Policy settings. 3. Check Event Viewer for warnings. There may be incompatibilities that show up with various hardware. Your hardware inventory during the planning phase should have found all of these, but some may still slip through. Also check the Device Manager to look for warnings or errors regarding Plug-and-Play hardware.

Once the migration has been completed, the best test of all is to watch the user calls to the help desk. If the trouble tickets being cut indicate issues with the upgrade, you will need to take steps immediately to correct the problems.

Cleaning Up Afterwards If your upgrade went well, there shouldn’t be much left to do afterwards. But there will be some tasks, such as reallocating hardware. You might have discovered in your planning that you will have too many domain controllers after the migration. These servers can be reused elsewhere in your network as file or applications servers.



After you have successfully completed the upgrade of a single domain, you may be finished, or you may be just beginning a longer migration plan. In the latter case, you will need to repeat this upgrade process in other domains and perhaps then restructure your domains into a more efficient Active Directory model. You can expect to spend a fair amount of time performing post-migration tasks. If your upgrade was not successful, then you will need to troubleshoot the individual issues. The resolutions will depend upon the issues encountered, but if you prepared for the migration by taking one or more backup domain controllers offline, you could always recover the environment by bringing these servers back online and promoting them to primary domain controllers


www.sybex.com

104

Chapter 3


for their respective domain. You’ll know that the upgrade wasn’t successful if accounts are lost, users cannot log on to the domain, or if they report other similar catastrophic issues. Most often, the reported issues will be minor and easily resolved without rolling back the migration. One task that you should very definitely spend time on after your upgrade is documenting the process. Run your migration team through a debriefing to gather as much information as possible about what went well and what went wrong. Sooner or later, someone at your company will go through this again. The knowledge you have gained will save those other people a lot of planning and implementation time if they can learn from your experience. Who knows, it may even be you next time.

Preparing DNS The Domain Name System (DNS) is a server-based method of resolving hostnames to IP addresses and is required for Active Directory. A hostname is a human-friendly name assigned to an IP host. A host can be virtually anything that can be assigned an IP address, but we usually think of hosts as being computers. Windows 2000 offers a very good DNS server service. In fact, the service is so useful in a Windows 2000 environment that you might as well consider it required for normal operations. Although you can use BIND 8.1.2 or higher, the benefits of Microsoft’s DNS server justify using it.


Install the Windows 2000 DNS service or configure the existing DNS implementation as appropriate.

The DNS server in Windows 2000 supports all of the Internet standards for DNS and implements a few new features as well, such as dynamic updates and Service (SRV) records. These features in particular are useful to the Windows 2000 network. The dynamic update capability means that as a client receives its Dynamic Host Configuration Protocol (DHCP) lease, it can notify the DNS server of the IP address and hostname of the client. The DHCP server notifies the DNS server of the reverse lookup record information, and the client itself registers the forward lookup information. The


www.sybex.com


105

information is added to the DNS tables, and then any computer in the network can resolve that client’s address using DNS. The new features of DNS in Windows 2000 include the following: Support for Active Directory The Windows 2000 DNS service can integrate its records with Active Directory to provide greater fault tolerance and security. All zones that are integrated with Active Directory are automatically replicated to all domain controllers in the forest. The new DNS service also acts as a locator service for Windows 2000 domain controllers, so that Windows 2000 clients can locate the domain controllers for logon or other services. Support for dynamic updates With this feature enabled, Windows 2000 clients can notify the DNS server of their hostname and IP address. Dynamic updates eliminate the need for a Windows Internet Name Service (WINS) server to provide name resolution for dynamically addressed clients. Record aging and scavenging This feature prevents the presence of outdated records in the tables. It is especially useful in the case of dynamic updates, when the client computer is unable to un-register its name and address, such as when it is improperly shut down. Secure updates in Active Directory integrated zones If the DNS zone is integrated into Active Directory, then the zone can be configured to accept updates only from an authorized user account. Administration through the Management Console The DNS service in Windows 2000 is fully integrated into the Microsoft Management Console (MMC) for easier administration. There were some interface issues with the DNS Manager tool in NT 4, where using the Tab key took you to new and unexpected places. The interface in Windows 2000 works quite well using the keyboard or mouse. Command-line administration Windows 2000 provides a commandline interface to the DNS server, dnscmd.exe, which can be used to administer to the DNS server directly or be included in batch files for automated administration. Incremental zone transfers In addition to the traditional full zone transfers, the Windows 2000 DNS server can execute partial zone transfers that contain only the changed records. This can help to reduce network traffic generated by DNS zone transfers.


www.sybex.com

106

Chapter 3


Support for third-party DNS servers Microsoft has designed the Windows 2000 DNS service to more closely resemble industry standards. Therefore, Windows 2000 DNS servers do a good job when interoperating with other DNS implementations. In order for third-party DNS servers to function as an authoritative DNS server in a Windows 2000 environment, they must support dynamic updates, the use of SRV records, and underscore characters in the name. BIND versions 4.9.6 and newer support SRV records, and BIND versions 8.1.2 and newer support dynamic updates. The newest BIND versions support underscore characters as options, but this is not yet a standard. In NT 4 and earlier Microsoft network operating systems, all computers were identified by their NetBIOS computer name. In Windows 2000, this has changed. Now all computers in a Windows 2000 network will use DNS by default to resolve computer names to IP addresses. In fact, the Windows 2000 domain names are usually DNS domain names that describe the exact location of the domain within the DNS namespace. When designing your Active Directory structure, take care to implement your naming correctly, and then you can use DNS to resolve network names throughout your forest. Windows 2000 creates a NetBIOS name based on the hostname to support legacy applications. However, this should not deter you from using DNS as the primary name-resolution method. Windows 2000 computers use Fully Qualified Domain Names (FQDNs) to communicate. An FQDN is the combination of the hostname with the full domain name. Now there is one other thing you need to know about FQDNs: Always put a dot (.) at the end of the name. This was something of a pain to me when I was first learning TCP/IP that I’d like to spare you. That trailing dot represents the root of the Internet. Figure 3.1 shows a representation of an FQDN. FIGURE 3.1

How a Fully Qualified Domain Name relates to the Internet namespace

coolhost.cooldomain.com

Hostname

Domain name


First tier domain

www.sybex.com

Internet root


107

Installing DNS If you have not installed DNS during Windows 2000 installation, you can install it through Control Panel Add/Remove Programs Add/Remove Windows Components (or install it as part of the Active Directory installation). Double-click Networking Services and select Domain Name System (DNS) from the list, as shown in Figure 3.2. Click OK, and then click Next to install the DNS service. FIGURE 3.2


Select Domain Name System from the Networking Services dialog to install DNS.

Install the Windows 2000 DNS service or configure the existing DNS implementation as appropriate.


www.sybex.com

108

Chapter 3


When you first install DNS, no zone files will be configured. That’s the first thing you need to complete before your DNS server will do anyone any good. When you open the DNS console for the first time and expand the entry for your server, you will receive a message instructing you to configure the server, as shown in Figure 3.3. FIGURE 3.3

The DNS console warns you to configure the server before proceeding.

Configuring the server in this case means using a wizard to create a new zone for the server. Click the Action menu for the console and select Configure The Server. The Configure DNS Server Wizard shown in Figure 3.4 opens and walks you through the necessary steps to configure a new zone.


www.sybex.com


FIGURE 3.4

The Configure DNS Server Wizard

EXERCISE 3.7

Configuring a DNS Server Use the following steps to configure your DNS server.

1. Click Next on the opening page of the wizard to open the page shown in the graphic below.


www.sybex.com

109

110

Chapter 3



2. This page asks whether you want to configure a forward lookup zone. Click Yes, Create A Forward Lookup Zone, and then click Next to proceed. A forward lookup zone is the file that will resolve FQDNs to IP addresses.

3. The Zone Type page asks—you got it—what type of zone to create. Your available choices will be determined by what role your computer plays in the network. If it is a domain controller, you have the option to create an Active Directory-Integrated zone, which means that the zone files will be stored in Active Directory. If your computer is anything other than a domain controller, you will have only the options to create a Standard Primary or Standard Secondary zone. The Standard Primary zone will contain the resource records in a file stored on this computer. The Standard Secondary zone means that this DNS server will receive its information from a DNS master server. The Zone Type page is shown in the following graphic. Click Next to continue.


www.sybex.com



4. The Zone Name page asks you to enter your DNS domain name. There may be more than one domain managed by this DNS server, so just enter the DNS domain name you are trying to configure and leave the rest for later. When you have typed in the name, including the dot at the end, click Next to continue.

5. The Zone File page asks where the zone information should be stored. This will be shown if you are creating a Standard Primary zone; the other types will already know where to obtain the zone information. A default entry will already be filled in, comprised of your DNS domain name with a .dns file extension. I highly recommend that you accept this default. It just seems to work more reliably that way. This page is shown below. Click Next to proceed.

6. Next, the wizard wants to know if you would like to create a reverse lookup zone. A reverse lookup zone enables your DNS server to provide resolutions from IP address to hostname. Select Yes, and click Next to continue.


www.sybex.com

111

112

Chapter 3



7. Next, you see the Zone Type page again, this time for the reverse lookup zone. The same guidelines apply here as in step 3 above.

8. The next page is the Reverse Lookup Zone page, which asks you to provide the network identification for the zone. The easiest way to determine your network address is to look at your subnet mask. If the subnet mask blocks out the first two octets (that is to say your mask is 255.255.0.0), then the first two octets of your IP address are your network identification, and the rest of your IP address is the host identification. Enter your network address, and fill the other remaining spaces with zeros. Click Next.

9. The Zone File page will ask you to confirm the name of the zone information file. Confirm the default name provided and click Next.


www.sybex.com


113


10. The Completing the Configure DNS Server Wizard page summarizes your selections. Click the Finish button when you are satisfied with your choices, and the wizard will complete the creation of the zones.

This wizard will provide you with the basic zone files, but it’s up to you to populate them with resource records for your various servers. You can do this is a couple of ways. First, you could use the traditional manual entry of each host record. Second, you could enable dynamic updates for the new zone. EXERCISE 3.8

Enabling Dynamic Updates To enable dynamic updates for your new zone, follow these steps:

1. Open the DNS console and expand the console tree for your DNS server. Open the branch for Forward Lookup Zones.


www.sybex.com

114

Chapter 3



2. Right-click the zone that you want to switch over to dynamic updates and choose Properties. This opens the dialog shown below.

3. On the General tab, under Allow Dynamic Updates, select Yes from the drop-down list box.


www.sybex.com


115


4. Click the Aging button to open the dialog shown below.

5. Check the box beside Scavenge Stale Resource Records to enable record scavenging. This will help to ensure that the records in your DNS server will always be accurate.

6. Click OK, and OK again to save the settings.

If you already have DNS installed on your NT servers when the upgrade is performed, that information will be carried forward and the DNS service upgraded. You will want to enable the dynamic updates, though, and set the aging rules for scavenging the database for outdated records. One thing to consider when configuring your DNS server is the type of names that are used in your organization. DNS normally uses only naming conventions that comply with the standards listed in Request for Comments (RFC) 1123. The Windows 2000 DNS service supports strict RFC name


www.sybex.com

116

Chapter 3


checking for compliant name schemes. If you want to use non-standard naming, then you will need to modify this setting in the Advanced Properties for the DNS server to use either the Non-RFC name checking or the Multibyte name checking, which uses the Unicode Transformation Format (UTF-8) feature of Windows 2000 to convert characters that require two bytes to a single-byte format compatible with DNS. There are four separate options for name checking in Windows 2000 DNS: Strict RFC In the Strict RFC name checking, all names stored in the DNS tables must conform to standards-based DNS naming. This means that the names used can contain multiple periods and dashes as well as numbers and letters. All naming must follow the standards outlined in RFC 1123. Non RFC Non RFC name checking permits the use of non-standard name characters such as underscores within fully qualified domain names. This is an option that many people may want to enable when migrating from NetBIOS-based networks where underscores are a common addition to the naming scheme. Multibyte (UTF8) This naming option permits the recognition of characters that use more than eight bytes, such as Unicode characters. Multibyte uses the Unicode Transformation Format feature of Windows 2000 to map the Unicode characters to single-byte representations that can appear in DNS. All Names The final option for DNS naming is to permit all name combinations in the server. Essentially, this option just disables the bad data checking within the DNS service.

What If the Migration Goes Wrong? This is the question you really don’t want to hear, but it’s also one that you need to ask yourself. What will you do to recover from a failed migration? Now, I’m not implying that you will have problems with your deployment of Windows 2000. I’m just recommending that you include this possibility in your deployment planning to be safe. How you plan for all possible scenarios


www.sybex.com


117

in a deployment often determines just how well that deployment will go and what your customers think of your ability afterwards.


Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service.

So what is your goal in recovery planning? Recovery planning should enable you to restore the original environment as quickly as possible with no lost data. This is why we normally use a pilot migration to test our planning in the real production environment. Nearly every deployment I’ve been a part of has encountered problems when we entered the pilot phase because the production environment always seems to be just a little different than we thought. With a migration from NT to Windows 2000, there are some preventive measures that can be taken that will ensure that you have a safe recovery path. One of the key measures is to update a backup domain controller (BDC) with current copies of all the major network services, then take it offline until the migration is complete. Once everything has migrated successfully, you can then decide what to do with the BDC.

Recovering the Security Accounts Manager Database The easiest way to recover the Security Accounts Manager (SAM) database is to never lose it in the first place. I know this sounds trite, but there really is a good way to do this. Just before you upgrade the domain controllers, select one backup domain controller (BDC) to be your recovery path. Synchronize it with the primary domain controller (PDC) to make certain it has the most recent account information. Once this is complete, shut down the BDC and take it offline. This will become your safety hatch if you need to recover the SAM. If the worst does happen, and you need to quickly move back to your previous network configuration, bring the BDC back online and promote it to primary domain controller. This new PDC will have account information that is current as of the last synchronization prior to the migration. The next


www.sybex.com

118

Chapter 3


step will be to reinstall Windows NT on your other domain controllers and install them as backup domain controllers to the new (old) domain. It will take some time to perform all of the reinstallations, but no account information will be lost. The exam covers this technique in many of the case study questions. You will have to decide which backup domain controller would be best to synchronize and take offline in order to prepare for disaster recovery during the migration. Select a BDC in a site or location where the absence of a domain controller will have the least impact on the migration. For instance, if you have BDCs in several sites that will be part of a migration, use the BDC in the smallest site for recovery. That way, the other sites with more users will have access to a domain controller for migrating users and processing logons.

Recovering DNS If the BDC that forms the core of your recovery plan is also a DNS server with current zone information on it, you can use the same approach to disaster recovery. Luckily, with the DNS service the information is easier to recover since the zones are stored in simple text files. The DNS server would actually be easy to recover just by copying these files to the BDC before taking it offline. The recovery path would then be used to restore the BDC, promote it, and then install the DNS server on it. Instead of re-creating the zone files, simply create new zones with exactly the same names as the old zones and point them to the existing zone files. The DNS server will come up with the old information intact.

Recovering DHCP This one takes a little more effort to protect the information. You most likely won’t want to back up the actual Dynamic Host Configuration Protocol (DHCP) database with all of its current leases, but you definitely should create copies of the scopes. In terms of DHCP, a scope is a group of addresses. The scope is defined by a starting address and an ending address, a subnet mask, and any excluded addresses within the range. The scope creates a pool of available IP addresses that the DHCP server can issue for that subnet. One method you could use would be to install the DHCP service on the BDC that will be held offline as a backup and create scopes that are exactly like the current scopes prior to the migration. Do not activate these scopes!


www.sybex.com


119

You really don’t want to be handing out duplicate leases on your network. It’s amazing, but users rarely have a good sense of humor about these things. In a recovery situation, bring the BDC online and start the DHCP service if it hasn’t already started automatically. Activate the scopes, and verify that the service is running correctly. Make certain that the other DHCP servers are offline and their scopes are deactivated. Every client will need to release and renew their IP lease to prevent conflicts. On the exam, Microsoft seems to like the approach of having the DHCP database backed up on tape. The tape can then be restored if the domain needs to be recovered. In most cases, this approach makes the most sense. You will very likely be recovering a domain that has several domain controllers. It is wise to perform a thorough backup of all of the servers prior to your migration anyway, so the information should be available from those backups. The Windows 2000 version of DHCP has a new feature that Windows NT did not possess. After restoration of a DHCP backup, the DHCP scope information will be out of date. Therefore, the server goes into “safe mode of operations” for a period of one-half the IP lease duration set in the scope. In this mode, DHCP broadcasts on the network to verify that the address it is about to assign is not currently being used. Although this reduces the chance of having address conflicts, it severely reduces network and server performance and should be halted immediately after the one-half-lease duration period has expired.

DHCP will only go into safe mode when it is recovered from a backup. If you have the service installed on another machine with overlapping scopes, there is no way to ensure that address conflicts will not happen.

Recovering WINS You could approach this in a couple of different ways. Personally I don’t really think it’s worth trying to back up the Windows Internet Naming Service (WINS) database. Entries in the WINS database are made dynamically when WINS-enabled clients boot onto the network and enter their registrations in the database. Perhaps the greater issue is re-enabling WINS on the client computers so that they can once again make use of the service. As they reboot, they will make new registrations in the database, and the information will be reconstructed.


www.sybex.com

120

Chapter 3


Recovering the ability to use WINS will be very important when returning to the native NT 4 environment, since this is the primary method clients use to locate the domain controllers for their services. If your current network uses WINS extensively, you may have to recover the WINS replication partnerships to fully restore the service across an enterprise level. You would complete this process by adding the WINS server IP addresses to the WINS Manager utility and then using these addresses to establish replication partnerships. If you are using WINS replication, immediately initiate a replication between servers after restoring the WINS database. Microsoft again seems to like the approach of restoring the WINS database from tape when restoring a domain after a failed migration. This is a wise course of action if there are a number of static entries in the database. Bear in mind, though, that the WINS database will regenerate when the client computers make new registrations as they reboot. Restoring the previous database from tape may help to reduce confusion for the client computers when they reboot, but more likely it will just cause additional work.

Protecting Data Backup. Backup. Backup. Beyond that, you could always run tape backups to protect your data. Sorry for the joking tone here, but running regular backups is so critical to your network stability that I sometimes feel it’s silly to have to mention it at all. Please ensure that your backups are very current and that the data can be recovered safely from those tapes. Remember that a backup is not considered good until you have successfully recovered data from the tapes. The widespread availability of recordable CDs (CD-R) and rewritable CDs (CD-RW) is very promising for securely backing up valuable data. These formats are generally used for storing important data where media integrity is important. The only problem with these methods is that you are limited to a mere 650MB per disk. This may present a problem when your valuable data exceeds multiple gigabytes in size. Tape is quite adequate from the standpoint of size; however, many tape formats are susceptible to spontaneously going bad and losing their data if not stored carefully. Back up the data on every server that will be migrated. This does not express any lack of faith in Windows 2000. It is simple prudence. How much is your company worth to you? Having the data safely backed up gives you many options for recovery in the case of a failed migration.


www.sybex.com

Summary

121

Summary

In this chapter, you learned how to perform some of the final steps to be taken prior to performing your migration to Windows 2000. You learned how to establish a test lab for testing your plans and learning new technologies in Windows 2000. You also learned how to develop a testing strategy to be used in the lab and how to test the deployment. We examined how to install and configure the new DNS service in Windows 2000 and explained how to enable the dynamic update feature. We closed the chapter by discussing the ways in which you can ensure the safety of your network by planning for recovery options.

Key Terms Before you take the exam, be sure you’re familiar with the following terms: Domain Name System (DNS) hostname dynamic update Security Accounts Manager (SAM) backup domain controller (BDC) primary domain controller (PDC) Dynamic Host Configuration Protocol (DHCP) Windows Internet Naming Service (WINS)


www.sybex.com

122

Chapter 3


Review Questions 1. Which of the following is a new feature of DNS in Windows 2000? A. SRV records to identify common services B. Integration into the management console C. Dynamic update capability D. All of the above 2. A test lab must always be located in a single physical location. A. True B. False 3. You are in charge of the migration from NT 4 to Windows 2000 for

your company. You are concerned about preparing for all possible scenarios and want to have a way to fall back to the original network if things go wrong. What is the best way to prepare for the recovery of the SAM database? A. Restore from tape. B. Dump all of the accounts to a text file. Use the text file to perform

a bulk import back into the PDC. C. You can’t. Once it’s gone, it’s gone. D. Synchronize a BDC and take it offline until after the migration is

complete. 4. You are in charge of planning the migration to Windows 2000. At

what point in the planning should you provide training to your help desk staff? A. At phase 4 of the migration phase. The first three phases your team

should be concentrating on developing the test lab. B. As soon as you establish a test lab. C. After the test lab has proven that the migration will work perfectly. D. Training is not necessary at this level.


www.sybex.com

Review Questions

123

5. When you are selecting staff to participate in a pilot program for Win-

dows 2000, which of the following criteria make sense? A. The participants should be in a different location from your IT

staff. B. They should be power users who have proven themselves as users

who can expertly work through computer problems. C. They should be engaged in mission-critical projects that would

benefit most from the support Windows 2000 will provide. D. They should be a mixture of average users and IT staff at a location

where you can monitor them and provide support during the pilot. 6. Why is it important to implement a pilot program for your migration? A. It’s a great way to test your plans in a real production environment

without causing disruption to too many people. B. It’s an opportunity to evaluate costs for your department before

the migration. C. It will give you the opportunity to decide before you actually

migrate whether it is the best plan for your company. D. It provides a backup for the production environment. 7. Why is the Domain Name System (DNS) so important to Win-

dows 2000 networks? A. It provides a method to locate the proxy server for access to the

Internet. B. It provides NetBIOS name resolution for all of the services running

NetBEUI on Windows 2000. C. It provides a method of locating domain controllers and other nec-

essary server resources. D. Because without it, we wouldn’t be able to update information

from intranet resources.


www.sybex.com

124

Chapter 3


8. You are responsible for administering a Windows 2000 DNS server. You

would like to automate the process of adding 100 new server records to your 25 DNS servers throughout the enterprise and have decided a script would be the best solution. Which utility would enable you to do this from a script file? A. Dnsbatch.exe B. Dnscmd.exe C. Dnscmd.bat D. There is no command-line utility for DNS. 9. Your boss is concerned about the amount of network traffic gener-

ated by the zone transfers between the DNS servers running on Windows 2000. What could you tell him that would ease his concerns? A. That the DNS server on Windows 2000 uses incremental zone

transfers, sending only the records that have changed. B. That there really isn’t that much traffic anyway. C. That there really isn’t any replication happening between the serv-

ers, because only Unix servers have DNS replication. D. That DNS servers never communicate between themselves, so

there won’t be any network traffic. 10. You are planning the migration to Windows 2000 for your network. You

are concerned about the possibility of someone on the network making changes to the DNS tables on the domain controllers. How can you ensure that only authorized users can update the DNS records? A. Change the primary zone files to Active Directory-integrated zone

files. B. Lock up the domain controllers to secure physical access to them. C. Use WINS instead of DNS because it is more secure. D. Set the file attributes on the zone files to read only.


www.sybex.com

Review Questions

125

11. You are entering the final stages of migration planning and are con-

cerned about the possibility of a migration failure. How can you protect your network’s recovery in terms of the DHCP service? A. Establish DHCP server replication to distribute the lease tables

among different servers. B. Save the dhcp.mdb file onto a floppy disk and lock it in your desk. C. Create a duplicate set of DHCP scopes on the reserved BDC and

activate them if needed. D. DHCP is only available on Windows 2000, so it won’t matter if

you have to restore to NT 4. 12. You can easily use three servers to create a test lab for a migration that

will span 10 domains and 16 sites. A. True B. False 13. You are in charge of a domain migration to Windows 2000. There

have been several incidents of people altering the configuration of servers without telling anyone else, and the changes caused problems for your testing. How can you prevent this from happening in the future? A. Implement a change-management policy that controls everyone’s

access to the servers. B. Disable the servers from all public access. C. That’s just part of the normal way of doing things because it’s vir-

tually impossible to safeguard your servers against this kind of thing. D. Get your superiors to make a policy statement that prevents people

from doing this again in the future.


www.sybex.com

126

Chapter 3


14. You are in charge of the migration from NT 4 to Windows 2000 for

your company. You are concerned about preparing for all possible scenarios and want to have a way to fall back to the original network if things go wrong. What is the best way to prepare for the recovery of the WINS database? (Choose all that apply.) A. Install the WINS service on the reserve BDC and replicate the latest

records to it prior to taking it offline. B. It doesn’t matter; the database will be re-created automatically

once clients are configured to use the WINS server. C. Restore from tape backups. D. Replicate the current information from Windows 2000 to the

NT 4 BDC before restoring the old configurations. 15. The Domain Name System resolves what kind of names to IP

addresses? A. Hostnames B. Domain names C. NetBIOS names D. Computer names 16. What is the primary method that clients use to locate the domain con-

trollers for their services? A. WINS B. DNS C. IIS D. Broadcast


www.sybex.com

Review Questions

127

17. In the event of having to re-enable WINS, when should your client

computers expect to see their information reconstructed? A. 15 minutes later B. 12 minutes later C. When the domain controller reboots D. When the client computer reboots 18. Where is DNS service information stored? A. Text files B. Active Directory C. The Registry D. SQL Server 19. You have just completed the migration of your NT network to Win-

dows 2000. You are trying to decide whether or not to dismantle your test lab. Why should you choose to keep your test lab? (Choose all that apply.) A. Because a test lab is a very costly endeavor, the space should be

maintained as training center for future migrations. B. You may have to restructure the network. C. It would make a good place to test software deployment strategies

before rolling out new programs for your users. D. It provides fault tolerance for the domain controllers.


www.sybex.com

128

Chapter 3


20. You have successfully completed your Windows 2000 migration, and

the network has been running fine for some time. Lately, you have noticed that there seems to be a rise in the occurrences of IP address conflicts on your network. What can you do to prevent this? A. Implement DHCP as the only means of assigning IP addresses for

all computers. B. Station security personnel near the DHCP servers to prevent unau-

thorized access. C. Create a Group Policy Object to prevent people from setting IP

addresses. D. Implement a change-management policy and assign a team

of people to monitor any requested changes to the network environment.


www.sybex.com


129

Answers to Review Questions 1. D. All of these are new features of the DNS service in Windows 2000. 2. B. Test labs can be distributed across multiple sites in your organization. 3. D. If you need to recover the SAM database after a failed migration,

the best way is to have a BDC that can be promoted to become the new PDC of the original domain, then reinstall the other domain controllers as BDCs in the domain. 4. B. It’s best to provide hands-on training as soon as you possibly can,

but having the test lab makes it much easier. 5. D. It makes the most sense to have the participants where you can get

the most benefit from monitoring their use of Windows 2000 and where you can provide support for their problems. 6. A. Because it’s so difficult to fully simulate the real production envi-

ronment, a pilot program lets you test your configurations in the real network without causing too many problems for the people doing the business-critical work. 7. C. Windows 2000 networks use DNS to provide name resolution and

to locate server resources. It is also valuable as the primary method of locating the domain controller for logon authentication. 8. B. The command-line utility Dnscmd.exe enables you to perform

basic administration of the Windows 2000 DNS server from a script or from the command prompt. 9. A. The new DNS service on Windows 2000 has implemented incremen-

tal zone transfers to speed replication and decrease network traffic. 10. A. Active Directory-integrated zones can use domain security to prevent

unauthorized access to the DNS tables. 11. C. The best way to restore DHCP services if necessary is to create

duplicate scopes on the reserved BDC and activate them only if needed after a failed migration.


www.sybex.com

130

Chapter 3


12. B. The test lab should be able to accurately reflect the nature of the

network being migrated. If there are multiple domains, there should be the capability of creating a lab with multiple domains to simulate the production environment. 13. A. Change management is a necessary part of controlling your net-

work environment. Create a policy that requires a central authority to approve any proposed changes to the network. 14. A, B, or C. Answers A, B, or C would actually work. The best answer

for most situations would be A. I have a preference for answer B and would count that as a correct answer too. 15. A. The most correct answer is A. DNS resolves hostnames to IP

addresses. Saying computer names is a bit too non-specific as hostnames and NetBIOS names are both computer names. 16. B. Windows 2000 uses DNS extensively to locate network services.

The DNS server in Windows 2000 accomplishes this through the use of the SRV record type. 17. D. Client computers (and servers) register their network services dur-

ing the boot process. Rebooting the client computers should re-create the WINS database. 18. A or B. Normally, the zone files for a DNS server are stored as simple

ASCII text files on the hard disk of the DNS server. If you have chosen to create Active Directory Integrated zones, then the information is stored in Active Directory. 19. B or C. Having a test lab in available in your organization is extremely

useful for testing software deployment packages prior to rolling them out to the users. It can also be used for planning a domain restructure or for testing service packs and other system updates for the domain controllers. 20. D. Implementing a change-management policy and team ensures that

these types of changes won’t be a problem in the future. If all requested changes go through a centralized authority, there is a single point of control for managing the network.


www.sybex.com

Chapter

4

Upgrading Domains MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Upgrade the PDC, BDCs, application servers, DNS servers, and RRAS servers. Implement Group Policies. Implement file replication bridges. Convert domains to native mode.


www.sybex.com

I

n this chapter, you will learn how to upgrade your domain to Windows 2000 and Active Directory. This assumes that you have already done the planning and testing necessary to know what’s going to happen during the deployment phase—or at least have a good idea what will happen. This chapter discusses some of the “nuts and bolts” topics in upgrading your domain from NT 4 to Windows 2000 and will help you understand the necessary steps.

Upgrading Domain Controllers to Windows 2000

S

o now it’s time to upgrade the primary and backup domain controllers to begin the migration to Windows 2000. Most of your servers will be easy to upgrade, with little or no actual preparation required. Application servers, DNS servers, and Remote Access servers (RAS) will be covered in following sections, but we’ll begin with domain controllers.

Upgrade Paths and Required Hardware Before you get started, you will need to consider some of the basic points of an operating system upgrade, such as the possible upgrade paths and the required hardware, just to be sure that your domain controllers can be


www.sybex.com


133

upgraded. Table 4.1 shows the possible upgrade paths from NT to Windows 2000 for domain controllers. TABLE 4.1

Upgrade Paths for Domain Controllers Upgrade From

Upgrade To

PDC or BDC running NT Server 3.51 or 4

Domain controller running Windows 2000 Server or Advanced Server.

Member server running NT Server 3.51 or 4

Member server running Windows 2000. After the upgrade, the member server can be changed to a domain controller using dcpromo.exe if you choose.

Any computer running Windows NT Advanced Server 3.1 or NT Server 3.5

Must be upgraded to Windows NT Server 3.51 or 4 first, then can be upgraded to either Windows 2000 Server or Advanced Server. Then use dcpromo.exe to promote the server to a domain controller.

Many servers running earlier versions of Windows NT won’t have the necessary hardware resources to run Windows 2000 successfully. Be sure to check that they have the required hardware before attempting to perform an upgrade.

You should keep in mind that all domain controllers in a Windows 2000 environment are equal in their roles and responsibilities. There won’t be any distinction between primary and backup domain controllers after you’ve performed the upgrade. This really has no impact on how your network functions, but it may cause some confusion for administrators who are learning Windows 2000. Having an accurate inventory of computer hardware is especially important when upgrading older domain controllers from NT 3.51 or 4 because the hardware requirements were significantly lower for both of those operating systems. You may find that the first step in upgrading your domain


www.sybex.com

134

Chapter 4

Upgrading Domains

controllers is actually to upgrade the hardware installed in them. Table 4.2 shows the required hardware for Windows 2000 domain controllers. TABLE 4.2

Hardware Requirements for Windows 2000 Domain Controllers Hardware Type

Requirements

Processor

Intel (or compatible) Pentium 166MHz or higher

Memory

64MB minimum 128MB or more recommended

Hard disk

1.2GB of free space on the boot partition 6MB of free space on the system partition

Display

VGA or better

Optional components

CD-ROM or DVD-ROM drive for local installation

Network

Network interface card (NIC) and necessary cables

Other components

Keyboard Mouse or other pointing device

Upgrading Your Domains and Servers Now that you’ve considered these two basic points regarding paths and hardware, you’re ready to begin the upgrade. This is usually the point where I want to tear off the shrink-wrap, slap the CD-ROM into the drive, and shout, “Let the upgrade commence!” My enthusiasm has actually been a problem at times, since I’m bound to forget some key point. Let’s take this in a reasonable order so you don’t encounter any problems.


Upgrade the PDC, BDCs, application servers, DNS servers, and RRAS servers.


www.sybex.com


135

In this section, we are going to focus on upgrading your primary and backup domain controllers as well as your application, DNS, and RAS servers. This is a very involved process that takes quite a few steps to implement. A key component in a successful upgrade is organization. To make it more manageable, I’ve broken down the process into a logical order.

Create Fault Tolerance One of the most critical elements in the upgrade process is recovery. In order to be certain of recovery, you must create a balance of fault tolerance. Fault tolerance means the ability to continue normal operation in spite of minor failures. In the case of upgrading your domain controllers to Windows 2000, this means having a path to recover your domain information in case the upgrade fails. This is fairly easy to do simply by reserving one of the backup domain controllers (BDCs). Pick one of your BDCs to be the reserve computer and ensure that it is fully synchronized with the primary domain controller. Take this fully synchronized BDC off the network until the upgrade has been completed for all of the other domain controllers. Once everything is operating normally under Windows 2000, you can upgrade this last domain controller. This strategy also works for preserving other network services, as we discussed in Chapter 3, “Preparing for the Migration.” EXERCISE 4.1

Preparing the Domain Controllers There are a few steps to be taken in preparation for the upgrade. Before you initiate the setup program for Windows 2000 on your domain controller, do the following:

1. Disable virus protection. Anti-virus programs wreak havoc on operating system installations. Some of these programs are sophisticated enough to recognize that you’re installing an operating system and they won’t interfere, but don’t take any chances. Disable all of these programs prior to upgrading. Another reason why this is important is that many programs written specifically for NT 4 won’t run correctly on Windows 2000. It would be a real shame to finish the upgrade only to discover that the domain controller now bluescreens every time it boots. To disable your virus protection, follow the manufacturer’s instructions. These programs usually have a monitoring icon that appears in the System Tray. If so, you can rightclick the icon and select Disable from the context menu.


www.sybex.com

136

Chapter 4

Upgrading Domains


2. Disable third-party services. Any system or network services running on the computer that are not part of NT should be temporarily disabled to prevent conflicts during setup. A good example of this would be if you had Client32 from Novell installed on the server to enable it to communicate with NetWare servers. To disable these services, use the Services applet in Control Panel to set the Startup value to Disabled, and stop the service.

3. Disconnect the serial cable from either the UPS or the computer, whichever is easier to reach. Uninterruptible power supplies (UPS) can become confused by the hardware detection that Windows 2000 will perform during installation. Play it safe and disconnect the serial interface during setup, then configure the UPS support later when the installation is complete.

4. Reserve hardware resources for ISA cards. If your domain controllers have any Industry Standard Architecture (ISA) adapters installed, it’s best if you use the computer’s BIOS to reserve the Interrupt Request (IRQ) and Direct Memory Access (DMA) resources prior to installing Windows 2000. You do this by adjusting the settings in the BIOS of the computer. Consult the manufacturer’s instructions for help. This will help to avoid any problems during hardware detection. Honestly, though, I haven’t yet encountered any problems detecting hardware with Windows 2000.

Performing the Domain Controller Upgrade Now that you’ve taken these steps to prepare for upgrading your domain controllers, it’s time to put the CD-ROM into the drive and start the setup. Of course, you can also perform the upgrade across the network from an installation share on another server using the winnt32.exe program. The primary domain controller will be the first domain controller to be upgraded in a domain. When you run the setup program, the current domain information will be maintained along with any local computer settings. When setup completes, the computer will restart automatically and log on as Administrator so that the Active Directory Installation Wizard can run. After Active Directory has been completely installed, you have two options: further


www.sybex.com


137

configure the domain or upgrade some of the BDCs. Although it may be tempting to keep the migration flowing, it’s good advice to test what you have already accomplished before going on. Try logging on as a user and accessing a resource as an example. When you insert the Windows 2000 Server CD-ROM in an NT 4 computer, the autorun program will display the options seen in Figure 4.1. This screen lets you start the setup program or explore the disk. The upgrade process will save all of the pertinent information from your current domain controller configuration to use with Windows 2000. The upgrade will complete without any further input from you, except for possibly a CD Key. FIGURE 4.1

The autorun program asks if you would like to install Windows 2000, install add-on components, or browse the disk.

Upgrading Application Servers Application servers will be upgraded using almost the same process as the domain controllers but with a few differences. Prepare the server in the same way by disabling any anti-virus programs and third-party services, disconnecting the UPS interface, and reserving hardware resources for ISA cards. After you’ve completed all of the necessary preparations, it’s time to begin the upgrade.


www.sybex.com

138

Chapter 4

Upgrading Domains

App servers can cause the most problems during upgrades, especially when dealing with third-party apps. Research the application, and make sure it is fully compatible with Windows 2000.

When you insert the Windows 2000 CD-ROM, you will be presented with the same options seen in Figure 4.1. If you choose to upgrade your server to Windows 2000, the upgrade will proceed without any input from you and will maintain the server’s entire configuration. If you are upgrading an NT 3.51 server, you won’t receive the autorun notice to perform an upgrade as you would in NT 4. Instead, you would run setup.exe in the root folder of the CD-ROM. When you do this, you will receive the same window presented in Figure 4.1. The main difference between upgrading member servers and upgrading domain controllers is the function that they will have when the upgrade is complete. It’s possible that you may decide that you need more domain controllers in your Windows 2000 domain. Base your decision mostly on the efficiency of logons and authentication for clients. If you need faster logon access in a particular subnet, you might decide to promote a member server to be a domain controller. If this is the case, you can run dcpromo.exe to promote the member server to become a domain controller. If the member server is running the Dynamic Host Configuration Protocol (DHCP), the service must be authorized in Active Directory immediately after the upgrade. If the DHCP server is not authorized in Active Directory, it will not be allowed to offer leases to client computers. If the member server is running the DNS service, the zones will be available immediately after the upgrade with no further action from you. You may want to convert the zone files from standard primary files to Active Directory Integrated zone files to take advantage of the secure updates feature. RAS servers will also upgrade with little or no input from you; however, there is some configuration that must be completed after the upgrade. The default RAS permission in Windows 2000 is to deny access to everyone. In order for your RAS users to connect to the server once the upgrade has been completed, you will need to reset the permissions to allow them to connect.


www.sybex.com

Group Policy

139

Group Policy

Administrators of Windows NT domains frequently use System Policy to control the actions of users. System Policy works by applying templates to the Registry of a computer to enforce user, group, or computer settings. In the past, these settings were effective for most NT administrators but often led to additional issues because they could not be reliably removed from the Registry. I remember proving a point to a student using System Policy to lock his computer down so that the only thing he could do was run Notepad. The problem was that even after removing the policy, the changes couldn’t be undone. I even went so far as to make changes to his Registry remotely, but to no avail. We finally had to reinstall his computer so he could continue the rest of the course. Now this was an extreme case, but the issue with being unable to remove System Policy is real. The problem just seldom gets this bad. Another footnote to consider is that while Group Policy on Windows 2000 is great, older Windows clients cannot use it. The old System Policy can still be used in Windows 2000 for legacy clients by placing the config.pol or ntconfig.pol file in the netlogon share of a W2K domain controller.

Understanding Group Policy


Implement Group Policies.

In Windows 2000, Microsoft has introduced Group Policy to replace the old System Policy. Group Policy is much more extensive than System Policy. It combines the use of Registry templates with scripts for various events and has an automatic refresh capability. Group Policy is implemented in the following ways: Administrative Templates These templates are essentially the System Policies from NT 4, but with more granularity. They can be defined by an administrator and then applied to any user, group, computer, or Organizational Unit (OU). Administrative Templates can be modified to more


www.sybex.com

140

Chapter 4

Upgrading Domains

closely coincide with your past System Policy settings by using your old .adm policy templates to provide the definitions for the Windows 2000 Administrative Templates. However, you should be aware that using the old template files might cause undesirable effects in the Registry, including the annoying old behavior of NT policies where they cannot be removed from the Registry. Security Similar to the file security available in the NT file system (NTFS), these security settings can be applied to local resources just as they could in NT 4, but also to network, computer, and domain security objects. Software Installation The software installation capabilities in Windows 2000 are quite good, if somewhat limited in scope. This function of Group Policy lets you define the software installation parameters for a program and then assign those parameters to a Group Policy Object (GPO). Scripts The scripts in Windows 2000 go beyond the traditional logon scripts. There are now separate scripts for startup, logon, logoff, and shutdown events. Folder Redirection This feature of Group Policy enables you, the administrator, to redirect a group of user folders to a network share. Certain folders can be stored on a network share point and then be accessible from anywhere on the network. In Windows 2000, when you create a new GPO you are creating a virtual storage container for all of the settings that make up that Group Policy. The GPO is made up of a Group Policy Container, which is an Active Directory object that stores the GPO’s attributes and has sub-containers that describe the individual policies that apply to computers, users, or groups. The Group Policy Container holds the following: Version Information Helps to synchronize the current GPO with the Group Policy Template. Status Information Indicates whether the GPO is activated or deactivated. List of Components Contains extensions to the GPO, such as scripts or Registry templates that make up the GPO.


www.sybex.com

Group Policy

141

The other component of a GPO is the Group Policy Template (GPT), which is actually a folder hierarchy in the Sysvol folder on every domain controller. The GPT is the container for all of the Group Policy information. The GPTs are stored by the Globally Unique Identifier (GUID) that was assigned to them when they were created.

Group Policy Inheritance GPOs are assigned at various levels in Active Directory. They can be assigned at the local computer, site, domain, or OU levels. When you assign Group Policy, be aware that by default the GPO’s settings will be inherited by the containers below it in Active Directory. This means that when you assign Group Policy at the domain level, the GPO applies to the domain, but also to any OU within that domain, any OUs within those OUs, and so on. If your Group Policy is simple and will be applied to everyone equally across the domain, then assign the GPO at the domain level and allow it to be inherited by all OUs within the domain. But few organizations will use Group Policy that is this simple. More commonly, Group Policy will be defined for several different levels. But then, how do you prevent a change made at the domain level from overwriting your GPO at the OU level? I’m glad you asked that question. You can force inheritance and also block inheritance at any level in Active Directory. If you decide that you need to prevent GPO settings from flowing down through inheritance to your OU, you can set the OU to Block Policy Inheritance. This setting will prevent the OU from accepting any GPO from higher in Active Directory. As an administrator, you might feel that this is a bad thing and so decide to use a No Override setting on your GPO so that administrators lower in the Active Directory hierarchy cannot block the inheritance of your GPO. Inheritance can be set at any level, and you can use whichever method you choose, though you should try to keep it as simple as possible for easy maintenance and troubleshooting later. If Block Policy Inheritance and No Override are both set, No Override will, well, override. There is a problem with inheritance at the site level. If you set a GPO for a site that contains more than one domain, the GPO applies to all of the domains within that site. The GPO, however, is stored in only one domain. This means that all computers in all of the domains within that site must contact one of the domain controllers where the GPO is stored. Take this into consideration when planning for your GPO structure and your network capacity.


www.sybex.com

142

Chapter 4

Upgrading Domains

You want to be careful not to apply excessive Group Policies on the network. The more Group Policies linked to the domains and OUs, the longer it will take users to log on. Try to apply Group Policies somewhat sparingly without compromising network security.

Processing Group Policy Because Group Policy is composed of so many different parts in Windows 2000, you’ll need to understand which part is applied first. A GPO may contain scripts, Registry settings, and security settings, or any combinations of these. If you ever find yourself having to troubleshoot these combinations, you’ll want to be familiar with the order of precedence among the components of a GPO. EXERCISE 4.2

Processing Group Policy Group Policy is processed in this order:

1. When the computer starts, the following occur: a. Settings for computers are processed first. These are performed synchronously by default. You can speed the execution of the policy by changing it to asynchronous processing. b. Startup scripts are processed. These too are processed synchronously by default. Each script must complete or fail before the next script can process. Here again, your performance may benefit from asynchronous processing. c. All GPOs that affect the computer must be processed before the logon screen can be displayed.

2. When the user logs on, the following occur: a. Group Policy settings for the user are processed. This too is done synchronously by default. b. Logon scripts are run. The logon script associated with that particular user is run after all other user-level scripts have completed. This time, the processing is asynchronous by default.


www.sybex.com

Group Policy

143


3. When the user logs off, the logoff scripts are processed. These are processed synchronously by default.

4. As the computer shuts down, the shutdown scripts are run.

One of the points that I like the most about Group Policy in Windows 2000 is that you won’t have to wait for a user to log off and log on again to see the effects of a policy change. Windows 2000 can automatically refresh the Group Policy on every client computer every 90 minutes and refresh the policies on domain controllers every five minutes. This is a great feature, especially when you are changing a policy for security reasons. You can protect your environment and still cause minimal disruption to the users on your network. If 90 minutes is too long for you, you can adjust the refresh time through a Group Policy setting. You can also force a refresh of Group Policy at any time. Setting the refresh rate too high can cause superfluous network traffic.

Creating Group Policy I hope that by now you’re sold on Group Policy being useful in your network environment. Let’s take a look at how the GPOs will be created and managed. But before you can do anything with Group Policy, you’ll want to load the Group Policy snap-in in an MMC (Microsoft Management Console). EXERCISE 4.3

Loading the Group Policy Snap-in To load the Group Policy snap-in, follow these steps:

1. Click the Start button and select Run from the Start menu. 2. Type mmc /a to open the MMC in Author mode.


www.sybex.com

144

Chapter 4

Upgrading Domains


3. Select Add/Remove Snap-in from the Console menu to open the Add/Remove Snap-In dialog shown below.

4. Press the Add button to open the Add Standalone Snap-in dialog shown below.


www.sybex.com

Group Policy


5. Browse the list for the Group Policy snap-in. Highlight Group Policy and click the Add button. Click Close.

6. The Select Group Policy Object Wizard opens, as shown below. This wizard asks you to define which Group Policy Object you want to focus on. By default, the wizard will be set to focus on the local computer. This will be fine if you are managing the policy for the local computer. However, if you are setting Group Policy for a domain or a site, select the appropriate object by pressing the Browse button. Check the box to allow the focus to be changed when starting from the command prompt, and you will be able to change the focus of the snap-in any time you want to work with other Group Policy Objects.

7. Click Finish to close the wizard and return to the Add Standalone Snap-in dialog. Click Close to close the dialog.

8. Click the Close button to close the Add/Remove Snap-in dialog and return to your console window.


www.sybex.com

145

146

Chapter 4

Upgrading Domains

Now you have an MMC console with the Group Policy snap-in installed. You may want to save this console so that you can easily get back to it again. To save it, click the Console menu and select Save. You will be asked for a name for the saved console and the location to save it. The Save dialog will default to Administrative Tools to save the new console. I personally like to create a customized console with all of the snap-ins I use the most and save it on my Desktop. Experiment a little until you find what works best for you. The new console with the Group Policy snap-in expanded is shown in Figure 4.2. FIGURE 4.2

The Group Policy snap-in


www.sybex.com

Group Policy

147

This console you’ve created can be used to manage individual GPOs at any level, but it only works with the specific GPO you linked it to in step 6 by default. EXERCISE 4.4

Creating New Group Policy To create new Group Policy, use the Active Directory Users and Computers console, following these steps:

1. Open Active Directory Users and Computers and expand the console tree to the container to which you want to apply a GPO.

2. Right-click the container you want to apply policy to, and select Properties from the context menu.

3. On the Group Policy tab of the Properties dialog, shown below, click the New button to create a new GPO.

4. Give the new GPO a name to identify it from the others.


www.sybex.com

148

Chapter 4

Upgrading Domains

Once you have created the new GPO for a specific container, use the steps listed earlier in this section to create a Group Policy snap-in to manage that new GPO. It’s a good idea to create a custom MMC with snap-ins for each of the GPOs that you are responsible for managing, just to have a convenient way to get to all of them. Another step to use with GPOs is to link an existing GPO to an Active Directory container. When you link a GPO to a container, you are creating an association between the two objects, basically telling Windows 2000 to use this GPO for that container. The steps to link an existing GPO with a container are the same as those for creating a new GPO, except that on the Group Policy tab of the container’s Properties sheet you would browse for the existing GPO and click it to highlight it. When you click the Add button, a link is created. If you want to create or link a GPO for a site object, the process is the same except that you would use the Active Directory Sites and Services console to create it. By default, a GPO defined for a site is stored in the root domain of the forest, but you can define another location when you create the GPO.

Setting Permissions for Group Policy Objects Once you have created a GPO, you can delegate administrative control of the object by setting the appropriate permissions on it. In order for users to be affected by Group Policy settings, they must be granted Read and Apply Group Policy permissions. When you create a new GPO, the default permissions are as follows: Authenticated Users By default, this group has the Read and Apply Group Policy permissions. System This account has the Read, Write, Create All Child Objects, and Delete All Child Objects permissions. Domain Admins This account has the Read, Write, Create All Child Objects, and Delete All Child Objects permissions. Enterprise Admins This account has the Read, Write, Create All Child Objects, and Delete All Child Objects permissions. The individual permissions are set just as they would be for files or other objects in Windows 2000. However, it’s best to use the Allow setting for


www.sybex.com

Group Policy

149

each permission you grant, instead of the Deny setting. Doing so can avoid some complications later when someone who is supposed to be an administrator for a GPO can’t get into that object. If you set the Deny option for a group, the person you want to administer that GPO may be a member of that group. If so, they will be unable to access that GPO. A specific Deny will override a specific Allow. When you decide to delegate control of a GPO to a user or group of users in an OU, they must be given at least Read and Write permissions to the GPO. Anyone with both Read and Write permissions for a GPO can control every aspect of managing the GPO, except to give permissions to someone else, of course. So what do you do in a situation where you have two distinct groups of employees in a single OU and you want to use Group Policy for both of them? Actually, this is surprisingly easy once you understand the permissions on GPOs. Create one GPO and apply it to the OU. Next, create two different security groups, one for each of the employee types, and add the appropriate users to each group. Now apply the Read and Apply Group Policy permissions to each group so that the users in the group can access the GPO. Different permissions can be assigned to different groups on the same GPO. For example, say you have regular employees and contractors in the same OU. Let’s call that OU Training. You want to apply Group Policy to the Training OU such that the contractors are prevented from installing software, and the regular employees have preconfigured links in their Favorites folder for Internet Explorer. You don’t want the regular employees to be restricted by the GPO for the contractors, and vice versa. Create one GPO that restricts software installation. Set permissions on the GPO so that the contractors group has Read and Apply Group Policy permissions. Don’t bother setting permissions on the GPO for regular employees, and you’re finished! If you’re worried that some regular employees are part of the contractors group, you can set permissions for regular employees to Deny Apply Group Policy, just in case. Remember, a specific Deny overrides a specific Allow.

Managing Group Policy Flow Group Policy flows down through Active Directory by default, but it may not give you the control you need if you let it do that. Luckily you can decide


www.sybex.com

150

Chapter 4

Upgrading Domains

whether or not to allow the flow of policy through inheritance. There are three basic ways to control the flow of inheritance for Group Policy: No Override This setting, when applied to a Group Policy Object, tells other GPOs not to override the settings within this policy. It is set on the GPO. Block Policy Inheritance This setting prevents a container from accepting the policies of its parent container. That is to say, if you set the Block Policy Inheritance option for an OU within a domain, the policies of the domain will not be applied to the OU. Processing Order This isn’t a setting like the previous options. Instead, this describes the situation where there is more than one GPO linked to a Container object. When you view the Group Policy tab of the container’s Properties sheet, the GPOs will be listed. The processing order is topdown in that list. The first GPO on the list is the first to be applied. You can rearrange the order of the GPOs in the list to change the order in which they are applied. In addition to changing the inheritance and processing order, you have yet another way to control the use of Group Policy. You may find over time that there are parts of your Group Policy that you no longer need. In this case, you can select a portion of a GPO that you want to disable. You can disable the computer settings, the user settings, or the entire GPO. You can also choose to delete a GPO from a container to either unlink it or permanently remove it. To do this, open the Properties sheet for the container, and click the Group Policy tab. Highlight the GPO you want to remove, and click the Delete button. You will be prompted by the dialog shown below to determine whether this GPO should be unlinked or deleted entirely. Disabling parts of the GPO causes logons to process faster, because the security manager does not need to read the disabled portions.

If you are applying Group Policies at multiple levels, they process in the following order: local GPO, site GPOs, domain GPOs, and OU GPOs. This effectively applies the GPO “closest” to the level of the object, while giving


www.sybex.com

Group Policy

151

administrators blanket control over computers without worrying about local settings.

Configuring Group Policy You can open a GPO in two ways. The first method was described in the “Creating Group Policy” section earlier in this chapter. The second is to open the Properties sheet for a container in Active Directory, select the GPO on the Group Policy tab, and click the Edit button. Either of these methods will open a console similar to Figure 4.3. FIGURE 4.3

Configuring a Group Policy Object

Group Policy is always focused on the PDC Operations Master, or PDC Emulator in a domain. The PDC Emulator provides the same functions as the PDC in a Windows NT network, though mostly for backward compatibility since Windows 2000 doesn’t really need a PDC. The Group Policy is focused on this computer so that the same domain controller is always used to set policy. If the PDC Emulator is unavailable for any reason when you are modifying Group Policy, you will receive an error that gives you the option of saving the Group Policy on another domain controller. Use this option carefully! If another administrator happens to be modifying the same GPO


www.sybex.com

152

Chapter 4

Upgrading Domains

and uses a different domain controller, your changes might be lost. In the case of such a conflict, the last change written is the one that will be kept.

Administrative Templates Administrative Templates are the new and improved version of System Policy that we had in earlier versions of NT. The templates are groups of Registry settings that can be applied to either users or computers. EXERCISE 4.5

Modifying Administrative Templates Administrative Templates can be modified using these steps:

1. Open the desired GPO in the MMC. Use either of the methods described above to open the GPO for editing.

2. Expand the trees for either User Configuration or Computer Configuration and then expand Administrative Templates.

3. Expand the option that you want to set. An example would be Administrative Templates Network Offline Files Enabled.

4. Double-click the option that you want to set to open a dialog similar to the one below. Notice that you can enable, disable, or choose to not configure the option.


www.sybex.com

Group Policy

153

Another cool new feature of Windows 2000 is the introduction of the Explain tab on the Properties sheet for any Administrative Template. This tab will provide an explanation of what the setting is and how it should be used.

Scripts Scripts are an important part of Group Policy. We’ve had the logon script for years, but now we have some additional scripts for Windows 2000: Startup This script executes when the computer starts up (hence the clever name). It will execute whether or not a user logs on. It can be used to set machine-specific options. Logon The perennial favorite, the logon script can be used to set userspecific options. This script executes when the user logs on to Windows 2000. Logoff This script contains items to “clean up” after a user session. It executes when the user selects an option that ends the session, such as Shutdown The Computer. Shutdown This last script executes after the logoff script and during the shutdown process for the computer. It gives you a chance to clean up after a user session and before rebooting the computer. To define the options for scripts, open the GPO in the Group Policy console and expand the Scripts console tree. Right-click the type of script you want to modify (startup, logon, logoff, shutdown) and select Properties from the context menu. The Scripts settings for logon and logoff are found under the User Configuration branch, shown previously in Figure 4.3. The Scripts settings for startup and shutdown are found under the Computer Configuration branch.

Security Settings Every administrator has heard (or maybe even experienced) stories of security breaches in networks today. These are some of the horror stories of our profession, since they are usually accompanied by details of the problems caused by the intruder. Heard any of the stories about credit card information being stolen from “secure” Web sites? The Security settings in Group Policy can help to secure your network against unauthorized use. Group Policy in Windows 2000 includes the following Security options: Account Policies These are the settings governing things like password length, age, uniqueness, and other options that affect user accounts.


www.sybex.com

154

Chapter 4

Upgrading Domains

Local Policies These include items such as the local user rights, the granting of user permissions, and the local audit policy. Event Log This option controls the size, access permissions, and the retention period for each of the Event logs. Since the audit information is reported through the Security log, this is a fairly important part of your security settings. Restricted Group This option enables you to control the membership of the built-in group accounts like Administrators and Power Users. System Services This is one that I often don’t associate with security, but many services do run under a user context, and many of those services have the ability to access restricted portions of the operating system. The settings here control the startup options for the service and the user context under which the service will run. Registry This setting enables you to control access to the Registry and configure the security on individual keys. Public Key Policies This option enables you to configure the settings for public key encryption. The Encrypted File System in Windows 2000 makes use of public key encryption. These settings determine where the certificate that is used to establish the public key comes from and, most important, who can act as a recovery agent to recover files that have been encrypted. IP Security (IPSec) This setting controls the various aspects of network security in Windows 2000.

Folder Redirection Folder Redirection enables your users to store some of their data on a network share transparently. That is, they don’t need to know where their share is or even be aware that their data is being redirected. This also serves to make their data available from any computer on the network. The data is not downloaded to the computer they are logging on to, so it doesn’t create any additional logon network traffic. Sounds cool, huh? The only problem I see is training some users to use their My Documents folder to store documents. Many people really prefer to store their data in a folder hierarchy they create on their hard disk. Folder Redirection in Windows 2000 can be used to redirect these folders to a network share:

Application Data


www.sybex.com

Group Policy

Desktop

My Documents

My Pictures

Start Menu

EXERCISE 4.6

Redirecting Folders To redirect folders for users, you will need to apply the settings through the use of a GPO. To apply Folder Redirection, follow these steps:

1. Open the Group Policy console and expand User Configuration Windows Settings Folder Redirection.

2. Right-click the folder you want to redirect and select Properties from the context menu to open the dialog shown below.


www.sybex.com

155

156

Chapter 4

Upgrading Domains


3. Select the setting for the folder redirection. Possible settings include No Administrative Policy Specified, Basic, and Advanced. Basic enables redirection for all users to the same server location. Advanced enables you to set the target path according to the GPO.

4. Specify the target path. Notice in the graphic above that you can use the system variable %username%, which will replace the variable with the individual user’s name and create a specific folder for that user. This option is recommended because in addition to creating the folder automatically, Windows 2000 will also set the appropriate permissions to enable only that user to access the folder.

5. Use the Settings tab to specify the behavior of the redirected folder when it is created and when the policy is removed. The Settings tab is shown below.


www.sybex.com

Using Replication Bridges

157

Converting System Policy Now that we’ve seen what Group Policies are capable of, let’s take a look at how to get our Windows NT System Policy settings into these Group Policies. Windows 2000 allows you to use the migpol.exe tool to migrate System Policy settings to Windows 2000 Group Policies. However, it is strongly recommended that you start over and apply desired settings within Group Policy without trying to migrate old System Policies. This is because some settings in NT’s System Policy do not have equivalent settings in Windows 2000, and migrating these policies can cause unexpected results. Microsoft does not provide specific procedures for migrating System Policy settings. My theory is simple: If Microsoft strongly recommends not doing something and doesn’t provide procedures, don’t bother doing it.


W

indows 2000 Server uses the File Replication Service (FRS) to replicate System Policies and logon scripts stored in the server’s System Volume (Sysvol) share. This Sysvol share is used by clients to locate and process policies and scripts. Because these policy and script settings are necessary to ensure security, it’s critical that all domain controllers have the same information. FRS can also be used to replicate Distributed File System (Dfs) data. FRS is a multithreaded replication engine that replaces the LMRepl service used by Windows NT. Being multithreaded allows FRS to replicate files to different computers simultaneously. Note that FRS is a replication service, not a synchronization service. FRS replicates only whole files and does not guarantee the order in which files will arrive. Because it replicates only whole files, it will replicate an entire file even if only one character is changed. FRS is installed automatically on Windows 2000 domain controllers and is configured to start automatically. On Windows 2000 member servers, it is installed but must be manually started. There is no administrative console for FRS, as Sysvol replication happens automatically. Some features of FRS are

Multimaster replication of files and folders. This allows for servers to independently update files as necessary.


www.sybex.com

158

Chapter 4

Upgrading Domains

Automatic replication of file and folder attributes, including ACL information.

Configurable replication schedules for Sysvol and Dfs replication between sites.

Sysvol The Windows 2000 System Volume is built during promotion of the domain controller using the Active Directory Installation Wizard or DCPROMO. It is a tree of files and folders that need to be synchronized between domain controllers, including

Sysvol share

Netlogon share

Windows 95, 98, and NT System Policies

Windows 2000 Group Policies

User logon and logoff scripts

Even though FRS acts independently of other Active Directory replication, it uses the same replication mechanisms. Therefore, it uses the same replication schedule for inter-site replication as ADS. However, unlike Active Directory, replication content between sites is not compressed. FRS works with Windows 2000 only because it counts on NTFS 5 to maintain a persistent logged record of file changes on member computers. When performing replication, it will always use the most current file.

Upgrading LMRepl to FRS Okay, now that we know what FRS is and what it does, what does all this mean to you? First of all, FRS was not supported and is not supported by any operating system except Windows 2000. Since we’re talking about migrating, mixed environments could run into problems with the idea of needing FRS. If you upgrade a Windows NT machine to Windows 2000, the LMRepl service will be replaced with FRS. But what about the domain controllers that are still running NT?


www.sybex.com


159

One major fundamental difference between the two replication mechanisms is how they decide what should be replicated. LMRepl used an export folder and import folder mechanism. This means that the administrator had to designate which computers would be export computers and which would import. All changes to files that needed to be replicated had to be made on the export computer, or they would be overwritten when replication occurred. FRS, on the other hand, uses multimaster replication, much like Active Directory-integrated DNS zones. Changes can be made to any member computer (member of FRS, not necessarily member server) and replicated to any other member computer.

Maintaining a Mixed Environment You’re in the process of migrating from NT to 2000. You need to make sure your NT logon scripts and System Policies are properly replicated. What do you do? NT does not support FRS, and 2000 does not support LMRepl. Is it hopeless? Fortunately, no.


Implement file replication bridges.

To provide support while upgrading your domain, you need to create a replication bridge between LMRepl and FRS so that both services can operate autonomously. Select one Windows 2000 domain controller, and have it copy files to the Windows NT export server’s export directory. The easiest way to accomplish this is by running a regularly scheduled script. To maintain availability of LMRepl during an upgrade, make sure that the server hosting the export directory is upgraded only after all the other servers hosting import directories have been upgraded. If the server hosting the export directory is the PDC, you should select a new server to host the export directory and then reconfigure LMRepl. Once the migration is complete, replication is no longer an issue.


www.sybex.com

160

Chapter 4

Upgrading Domains

Mixed Mode versus Native Mode

During the migration of your network from NT to Windows 2000, there will no doubt be a time when you have a mixture of domain controllers. In Windows 2000 terms, this is a mixed-mode network. Mixed mode refers to having a mixture of NT and Windows 2000 domain controllers. You can easily have NT 3.51 or 4 member servers in a Windows 2000 domain and still be set to what Microsoft calls native mode. At the time of migration, you will have to decide when the most appropriate time to switch to native mode would be. Native mode, as you can probably guess right about now, occurs when you no longer have any NT domain controllers and Active Directory has been set to function as the exclusive security model. When you have determined that all domain controllers are running Windows 2000 and that none of your network applications require the presence of an NT domain controller, it would be appropriate to switch the network to native mode. Windows 2000 is quite able to function in mixed mode, but there are some considerations to keep in mind if you choose to keep your network in mixed mode. Basically, you need to consider these four areas if you decide to stay in mixed mode:

Logon services

Replication

Remote Access Service

Security

The first area concerns the different logon services provided by NT and Windows 2000. A Windows 2000 client computer will first attempt to use DNS to locate a Windows 2000 domain controller. If it is unsuccessful, it will fall back to the NT-LAN Manager (NTLM) logon protocol and try to contact an NT domain controller. If this is the case, your client computer will not use the Group Policy defined for the network or have the benefit of Windows 2000 scripts. Another consideration is that the File Replication Service used in Windows 2000 is incompatible with the Directory Replication used in NT 4. Directory replication was used primarily for logon scripts and policy files. FRS handles these tasks, among others, in Windows 2000. As a result, you


www.sybex.com


161

will need to migrate this service to FRS as soon as possible after the migration or set up parallel replication folders under the two different services. The third consideration in mixed mode is the Remote Access Service (RAS). In NT, RAS logs users on as a special system account called LocalSystem. When a user would log on to the RAS server during a dial-up session, he would use LocalSystem with NULL credentials to establish the session and then log on using NT credentials. Windows 2000 won’t allow anyone with NULL credentials to query the Active Directory properties, so this won’t work. It can work, however, if one of the following happens: The RAS server is an NT BDC. If the RAS server is an NT BDC, it will have local access to the Security Accounts Manager (SAM) database. In this case, authentication is possible. The RAS server contacts an NT BDC. This scenario is very unpredictable but possible. If the RAS server just happens to find an NT BDC for the authentication, then this scenario will work. Security is weakened. An option during the installation of Active Directory is to weaken the security on certain objects in Active Directory in order for them to be compatible with NT. What happens is that the Everyone group is granted Read permission to any user object. This permits the NULL credentials logon to read the user’s information in Active Directory. Security in a mixed-mode environment is the fourth concern. The trust relationships between NT domains were nontransitive. Trust relationships in Windows 2000 are transitive. This means that you must carefully define explicit one-way trust relationships between mixed-mode domains to mimic the transitive relationships of Windows 2000. Failure to do so means that users won’t be able to log on to another domain from a local computer if they are validated by an NT BDC. The Security Accounts Manager (SAM) database is our last cause for concern. In NT, the SAM is limited to approximately 40,000 objects (the real performance limit is the 40MB size of the database when it reaches approximately 40,000 objects). When you install Active Directory on the upgraded PDC, the SAM is migrated to Active Directory. In mixed mode, the PDC Emulator still needs to replicate Directory information to NT BDCs in a way that imitates the former PDC’s synchronization of the SAM. Because of this, Active Directory will be limited to approximately 40,000 objects.


www.sybex.com

162

Chapter 4

Upgrading Domains

Choosing between Mixed and Native Modes So when should you switch your domain to native mode? Remember that native mode requires that all domain controllers be running Windows 2000. There can be no NT domain controllers added now or later if you choose native mode. But running in native mode is the only way to take advantage of some of Windows 2000’s best features. Table 4.3 should help you decide when the time is right to move your domain to native mode.


TABLE 4.3

Convert domains to native mode.

Mixed Mode versus Native Mode Windows 2000 Feature

Mixed Mode

Native Mode

Multi-master replication

Yes, among the Windows 2000 domain controllers. PDC Emulator provides single-master replication for NT domain controllers.

Yes

Group types supported

Global, Local

Universal, Global, Domain Local, Local

Nested groups

No

Yes

Cross-domain administration

Limited

Full

Queries of Active Directory using Desktop (My Network Places)

Only on Windows 2000 clients

Yes


www.sybex.com


TABLE 4.3

163

Mixed Mode versus Native Mode (continued) Windows 2000 Feature

Mixed Mode

Native Mode

Transitive trust relationships

No

Yes

Change/configuration management

Only on Windows 2000 computers

Yes

Password filters

Only if installed on each domain controller individually

Yes, installed automatically on all domain controllers

It’s possible that you would want to keep your domain running in mixed mode if you have an application that must be run on an NT domain controller and it absolutely won’t run on Windows 2000. But that’s kind of a long shot. Most networks should move over to native mode as soon as possible to take advantage of all of the new features and enhanced security. Most often, an application that is running on an NT domain controller requires a specific version of NT, not the presence of an NT domain controller. If this is true of an application in your network, then you have a couple of options to choose from. You could, of course, leave the network in mixed mode and keep that NT domain controller to support your application. Or you could off-load the application to a member server running NT. This would keep the application on a computer that provides the necessary software support and still permit you to switch your domain to native mode. In my honest opinion, although I really love working with Windows 2000 and it has quickly become my preferred operating system, if you’re not going to use native mode to take advantage of the full features of Windows 2000 and Active Directory, why upgrade at all? Most organizations I have been in contact with over the last year or so have stated that Active Directory was the only real driving force to upgrade the network to Windows 2000. Otherwise, why go through the expense and hassle? You could easily choose to upgrade your NT Workstation computers to Windows 2000 Professional and leave it at that.


www.sybex.com

CASE STUDY

164

Chapter 4

Upgrading Domains

Case Study: Think Tank, Inc.


Background Think Tank, Inc. is a company that specializes in creating new procedures for manufacturing companies. One recent client, for instance, needed a way to decrease the cost of moving inventory from one plant to another. The Think Tank personnel looked at the business processes of the company and determined that costs could be reduced by 45 percent through the use of on-time ordering from vendors. Think Tank then acted as the project lead in developing software and vendor relationships to facilitate this goal. Your research includes the following interview comment: CEO Since our major products are intellectual in nature, as opposed to physical, security is paramount to success! We look at an issue with a new perspective and come up with new ways to accomplish old tasks. We provide an invaluable service to our customers—we reduce costs through creating new, more efficient methods for their workplace.

Current Environment Think Tank has a Microsoft Windows NT 4.0 network spread across two locations: Minneapolis and Madison. The Minneapolis location acts as the home to the Research and Development department. The Madison office houses the administrative personnel, the IT staff, and the Accounting department. Both locations have a sales staff on site. All personnel in both the Sales and R&D departments work off-site on a regular basis. There is an NT-based RAS server in both facilities.

Problem Statement Think Tank is currently analyzing the need to upgrade to Windows 2000. You have been assigned the task of designing a series of Group Policy Objects to secure their environment.


www.sybex.com


165

Think Tank has decided to use a single domain environment. They will control WAN traffic between their sites through the use of Active Directory site objects. All employees are required to change their passwords on a regular basis, use the company logo as the wallpaper on their computers, and have an intruder warning posted on their computer upon bootup. The R&D staff manages its own resources. The central IT staff provides them with technical support as needed. (IT should have access to R&D resources.) The Sales staff must be locked down tight. In the past, they have been known for installing illegal software, games, and other non business-related files on the network. While they comprise only 22 percent of the staff, they generate over 70 percent of the trouble calls received by the IT department.

Questions 1. Given the project specifications of one domain, how many OUs would

you create for Think Tank? A. one B. two C. three D. four E. five or more 2. Create a Tree: In the following graphic, build the OU structure that

you would implement for Think Tank, Inc. Domain Level

ThinkTank.com

Domain

IT

Top

R&D

2nd

Sales

3rd

Admin


www.sybex.com

CASE STUDY

Project Requirements

CASE STUDY

166

Chapter 4

Upgrading Domains

3. Create a tree: You have created the following GPOs for Think Tank:

All_GPO, which mandates password policies, sets the required wallpaper, and publishes applications.

Lock_GPO, which denies access to all system-configuration and registry-editing tools.

Support_GPO, which allows all actions.

On the following graphic, place each GPO next to the AD object with which you would associate it. AD Object

GPO

Domain

All_GPO

Site

Lock_GPO

OU=R&D

Support_GPO

OU=Sales OU=Admin OU=IT 4. Create a tree: Given the scenario in question 4, is there any place in the

structure where you would choose the No Override or Block Policy Inheritance options for a GPO? If so, place the option next to the appropriate container in the table. AD Object: GPO

Option

Domain: All_GPO

No override

OU=Sales: Lock_GPO

Block Policy Inheritance

OU=IT: Support_GPO


www.sybex.com


167

1. D. The number of OUs would, of course, depend upon your overall

design strategy. With what we’ve been presented here, though, we would need at least one OU for each of the four departments—R&D, Sales, Admin, and IT. This would give us the opportunity to fine-tune the environment based upon departmental needs. 2.

Domain ThinkTank.com Top IT R&D Sales Admin 2nd 3rd The Think Tank, Inc. AD tree does not have to be complex—they really just need a little separation to provide granularity of management. Stay with a domain of ThinkTank.com and place each of the OUs within it.


www.sybex.com

CASE STUDY ANSWERS

Answers

CASE STUDY ANSWERS

168

Chapter 4

Upgrading Domains

3.

AD Object Domain All_GPO Site OU=R&D OU=Sales Lock_GPO OU=Admin OU=IT Support_GPO The All_GPO is assigned to the domain level so that all users and computers will execute it. The Lock_GPO is assigned to the Sales OU to prevent those users from making changes to their systems. The Support_GPO is assigned to the IT OU to ensure that users within the IT department are not affected by GPOs placed higher in the structure. 4.

AD Object: GPO Domain: All_GPO OU=Sales: Lock_GPO OU=IT: Support_GPO Block Policy Inheritance The only place where you would want to control the flow of GPOs would be in the IT organizational unit. On the Support_GPO, choose the Block Policy Inheritance option to prevent the domain GPO (ALL_GPO) from affecting IT users.


www.sybex.com

Summary

169

Summary

In this chapter, you learned how to prepare for upgrading a domain to Windows 2000. You learned the available upgrade paths for various domain controller configurations and the recommended strategy to use for upgrading the whole domain. You then learned how Group Policy is implemented through components such as scripts, Administrative Templates, permissions, and Group Policy Objects. You learned how to apply GPOs to containers within Active Directory so that you can control users or groups within different levels of the Directory. You learned how to enable Folder Redirection through Group Policy and how a user’s data can be stored transparently on network shares. You then saw how Sysvol replication is accomplished in Windows 2000. Replication is handled through FRS, which uses the same replication mechanism as Active Directory. If you are running a mixed-mode network, you need to create a bridge between FRS and NT’s LMRepl to ensure that logon scripts and System Policies are properly replicated.

Key Terms Before you take the exam, be sure you’re familiar with the following terms: Block Inheritance bridges cost fault tolerance Group Policy inherited link mixed mode multimaster native mode No Override PDC Emulator replication System Policy


www.sybex.com

170

Chapter 4

Upgrading Domains

Review Questions 1. Your boss has asked you to upgrade a Windows NT 3.51 domain con-

troller to Windows 2000. The server has a Pentium 200 processor and 64MB of memory. What will you need to do to perform the upgrade? A. Upgrade the memory to 128MB. B. Upgrade to Windows NT 4 first, then upgrade to Windows 2000. C. Add a faster processor. D. Do nothing. 2. One of your colleagues is planning to upgrade an NT 4 member server

to become a Windows 2000 domain controller. Will your colleague’s plan work? A. It won’t work because you can’t upgrade a member server to a

domain controller. B. It will work if he then runs dcpromo.exe to promote the server to

a domain controller. C. Only computers that have been freshly installed with Windows 2000

can be domain controllers. D. It won’t work because you can’t upgrade an NT Workstation to be

a domain controller. 3. You are planning to upgrade your NT 4 domain to Windows 2000.

Your boss is concerned about the loss of user accounts if the upgrade fails. How can you perform the upgrade and still prepare for the worst if the upgrade fails? A. Synchronize one BDC and take it offline as a recovery path. B. Make sure your resume is in order. C. Make a tape backup before the upgrade. D. You can always use the uninstall program to roll back to NT.


www.sybex.com

Review Questions

171

4. You have prepared to perform an upgrade of NT 4 to Windows 2000

by inserting the CD-ROM into the drive and running the winnt32.exe program to begin setup. The file copy begins normally, but you receive an error about a virus trying to modify the boot sector. What should you do? A. Immediately turn off the computer because you have a boot-sector

virus. B. Ignore the warning; it probably won’t interfere with the upgrade. C. Disable your anti-virus program before running setup, as Win-

dows 2000 must modify the boot sector during setup. D. Repartition and format your disk. It’s already too late. 5. You are running Windows NT 4 Server with the Client32 software

from Novell installed to give you access to the NetWare 5 server on your network. What should you do to prepare for the installation of Windows 2000? A. Temporarily disable the Client32 software and any other third-

party services. B. Synchronize your NT and NetWare passwords and permissions. C. Windows 2000 won’t run with NetWare. D. Remove the Client32 software and use the Client Services for Net-

Ware instead. 6. You are in charge of planning the upgrade of your domain from NT 4

to Windows 2000. You have completed your rollout plan for everything and are now trying to decide where to actually start the upgrade of your domain controllers. Which computer(s) should be upgraded first? A. Upgrade one of the BDCs and take it offline. B. The PDC should be the first to be upgraded. C. Upgrade the application servers first, then the domain controllers. D. The order really does not matter; you should be able to choose any

of them.


www.sybex.com

172

Chapter 4

Upgrading Domains

7. Your network is currently running Windows NT. The primary

domain controller is running Windows NT Advanced Server 3.1 on a Pentium 166 with 64MB of memory. What must you do to upgrade this computer to Windows 2000? A. Install more memory. B. Upgrade it to NT 3.51 or 4 first. C. Install a second processor. D. Run the winnt32.exe program to begin setup. 8. You would like to find a way to help your users store their important

data on a network server. The problem is that many users seem unwilling to cooperate by placing their data on the server. They continue to store their data in the My Documents folder on their own computer. How can Windows 2000 solve this problem? A. Use Group Policy to lock their My Documents folder to force them

to use the network share. B. Use Group Policy to enable Folder Redirection to store their My

Documents folder on a network share. C. Use NTFS permissions to prevent users from accessing their My

Documents folder. D. Use a roaming user profile to redirect their files to a network share. 9. You administer a Windows 2000 network. You would like to clean up

a user’s network sessions by disconnecting the mapped drives whenever the user logs off of Windows 2000. How can you do this? A. Use Group Policy to prevent the user from mapping any drives. B. Use Group Policy to enforce Registry settings through Administra-

tive Templates. C. Use Group Policy to specify a logoff script that disconnects the

user’s mapped drives. D. You cannot do this.


www.sybex.com

Review Questions

173

10. You are the administrator for an Organizational Unit in a Windows 2000

domain. The domain administrators have created a Group Policy Object that interferes with the settings in a GPO that you have created for your own OU. How can you prevent the conflict between the two GPOs? A. Set the option on your OU to block inheritance so that your OU

never receives the offending GPO. B. Set the No Override option on your GPO. C. Create a second GPO that undoes everything the domain

GPO does. D. You cannot prevent it because you don’t have permission. 11. You need to apply a GPO to your OU to manage some security set-

tings for your users. A colleague of yours, who administers another OU in your domain, has already created a GPO with all the necessary settings. How can you create a GPO to apply to your OU with the minimum of administrative effort? A. Create a link to your colleague’s existing GPO for your OU. B. Use the File Copy command from Group Policy to create a copy of

the existing GPO. C. Use the Group Policy snap-in to create an IPO for your OU, using

your colleague’s GPO. D. Delete your colleague’s GPO and create one just like it. 12. You have been administering a Windows NT network for some

time. You commonly use System Policy to secure the computers on your network. Recently, you began to test Windows 2000 for deployment on your network. You are unable to locate System Policy in Windows 2000. What is the replacement for System Policy? A. System Policy - the Next Generation. B. System Policy Professional. C. Administrative Templates. D. Windows 2000 doesn’t need System Policy.


www.sybex.com

174

Chapter 4

Upgrading Domains

13. You have implemented Active Directory in your organization and

have created two sites for the two physical locations of your company. There are domain controllers for one of the domains in both sites. When implementing inter-site replication, which transport(s) can you use for this network? A. NetBEUI B. SMB over TCP/IP C. SMTP D. RPC over TCP/IP 14. You are the administrator for an NT 4 network with one PDC and

seven BDCs. You have upgraded your primary domain controller to Windows 2000 and now want to make use of the new ability to nest security groups. But no matter where you look, you can’t find any way to do this. Why can’t you nest groups? A. Because Windows 2000 doesn’t permit group nesting. B. Because your domain is still running in mixed mode. C. Because you haven’t upgraded all of your computers to

Windows 2000. D. Because you were probably trying to place a local group inside a

global group. 15. You have upgraded your domain to Windows 2000. During the pro-

cess, you promoted a member server to a domain controller. You suspect that something failed during the promotion. Where can you check for more information regarding the promotion? A. Dcpromo.txt B. Promo.log C. Dcpromo.log D. Eventlog.txt


www.sybex.com

Review Questions

175

16. You are planning to upgrade to Windows 2000. You are currently

running NT 3.51 on your domain controllers. How can you upgrade one of the domain controllers to a Windows 2000 member server? A. You cannot do this without formatting and installing from scratch. B. Upgrade the domain controller to Windows 2000 and do nothing else. C. Upgrade the domain controller to Windows 2000, then un-install

the Domain Server Service. D. Upgrade the domain controller to Windows 2000, then run

dcpromo.exe to demote the domain controller to a member server. 17. You are trying to upgrade your Windows NT 4 domain controller to

Windows 2000, but the setup tells you there isn’t enough disk space. You have over 5GB free on the Boot partition, but the System partition has only 5MB free. Why won’t the installation run? A. You must have at least 6GB free on the Boot partition. B. You must have at least 6GB free on the System partition. C. You must have at least 6MB free on the System partition. D. You must have at least 6MB free on the Boot partition. 18. You have just completed upgrading all of the Windows NT Servers in

your network to Windows 2000. However, your client computers are unable to get DHCP leases. You verify that the computer running the DHCP service is available on the network. What could be wrong? A. You need to install a WINS server. B. You need to authorize the DHCP server in Active Directory. C. You need to authorize the WINS server in Active Directory so it

can begin resolving the name of the DHCP server. D. DHCP can be installed only on a freshly installed Windows 2000

computer; it isn’t supported on an upgraded computer.


www.sybex.com

176

Chapter 4

Upgrading Domains

19. You are implementing Group Policy in your Windows 2000 domain.

Your boss is concerned that one of the users on the network might change the policy settings in one of the GPOs. What could you tell your boss to ease her concerns? A. The GPO will be encrypted, and you are the only one who can

decrypt it. B. Access to a GPO is controlled by security settings similar to NTFS

file permissions. C. You will change the default permissions of System Policy Editor to

block any changes. D. GPOs are stored on domain controllers, and no one but an admin-

istrator can access a domain controller. 20. You have implemented some changes to Group Policy in your Win-

dows 2000 domain. The new settings will restrict the user’s ability to access some features of the Desktop. How can you get the new settings to take effect for your users? A. Do nothing. The settings will go into effect at the next refresh

cycle. B. The users must log off and log on again before the settings will be

effective. C. Use the shutgui.exe utility in the Resource Kit to force the

remote computers to shut down and restart. D. Reboot all of the domain controllers in your domain.


www.sybex.com


177

Answers to Review Questions 1. D. The hardware in this server meets the minimum requirements. 2. B. NT Server computers that are installed as member servers can be

upgraded to Windows 2000 member servers. You can then run dcpromo.exe to promote the member server to become a domain controller. 3. A. The easiest way to preserve account information for the domain is

to have a fully synchronized BDC held in reserve. If you need to perform a recovery of the NT account information after a failed upgrade of the domain, all you need to do is bring the BDC online and promote it to PDC. 4. C. Windows 2000 must make modifications to the boot sector dur-

ing setup so that the computer can safely boot into Windows 2000 instead of the previous operating system after installation. Disable the anti-virus program to prevent it from interfering with setup. 5. A. It is always a good idea to disable third-party services prior to an

upgrade. Usually this is just a temporary measure, as the service will run fine with the new operating system, but occasionally the service is written for a very specific version of the operating system and will cause the new version to crash. 6. B. The primary domain controller should be the first to be upgraded

so that the SAM database is properly migrated to Active Directory. 7. B. Windows NT Advanced Server 3.1 must be upgraded to either

NT 3.51 or 4 before it can be upgraded to Windows 2000. 8. B. Folder Redirection is a part of Group Policy in Windows 2000 that

enables you to redirect certain folders, like My Documents, to a specified network share. The redirection is transparent to the user, and the folder can be accessed from any computer on the network. 9. C. Group Policy in Windows 2000 introduces the concept of a logoff

script, which could be used to disconnect mapped drives, among other things.


www.sybex.com

178

Chapter 4

Upgrading Domains

10. A. You can block inheritance so that the Group Policy Objects from

higher levels in Active Directory never flow down to your OU. 11. A. Once a GPO is established in Active Directory, it can be linked to

another OU and its policy applied to the OU. 12. C. Administrative Templates apply a set of Registry settings to a com-

puter or a user just like System Policy did in NT 4. 13. D. SMTP is the normal method for replication between sites, but it can

be used only when the sites contain different domains. If there are domain controllers for the same domain in both sites, the only available transport is RPC over TCP/IP. 14. B. The ability to nest security groups is available only in a Windows 2000

network running in native mode. 15. C. The dcpromo.exe program writes information to the dcpromo.log

file during the promotion process. If there were any errors, they would be recorded here. 16. D. The dcpromo.exe utility can be used to either promote a member

server to a domain controller or to demote a domain controller to a member server. 17. C. There must be at least 6MB free on the System partition (where the

files are installed to boot the computer) for Windows 2000 to install its boot files. 18. B. You must authorize a DHCP server in Active Directory before it will

be permitted to serve clients on a Windows 2000 network. 19. B. Security settings are part of Group Policy, and they define the per-

missions for the authenticated users. Only a user with Read and Write permissions for a GPO can alter its settings. 20. A. One of the features of Group Policy in Windows 2000 is the ability

to automatically refresh the policy settings. If the refresh policy is enabled, then all Windows 2000 clients will refresh their Group Policy settings every 90 minutes. Domain controllers refresh their settings every five minutes.


www.sybex.com

Chapter

5

Restructuring Your Network MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Evaluate the current environment.


Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.


Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager Replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.

Perform test deployments of domain upgrades. Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service. Develop a domain restructure strategy.


www.sybex.com

O

ne of the most compelling reasons to upgrade a domain to Windows 2000 is the opportunity to restructure the existing network into something that is more efficient. Restructuring domains in Active Directory is a topic that is emphasized on the exam and is in high demand for consulting jobs. In short, this is a topic you should care about learning. In this chapter, you will learn how to plan your network restructure. This will include examining some planning issues for Active Directory, reallocating hardware resources, and looking at how the restructure will affect your network. These topics will be important because there’s more to restructuring than just moving things around in the Directory. You must carefully plan for the movement of network services or your network may lose functionality. You will also learn about the potential security risks involved with a domain restructure. We will also review the strategies for creating a recovery path in a domain restructure. In earlier chapters of this book, you learned about domain upgrades and recovery. This chapter focuses on the concepts for a successful domain restructure in a new Active Directory environment.

Planning Your Restructure

Why would you want to restructure a domain? This is a question you should ask yourself before going any further with your planning. What do you hope to get out of the restructure process? Many organizations will decide to keep their existing domain structure and just convert it to Active


www.sybex.com


181

Directory. Others will view the migration to Active Directory as an opportunity to correct issues with their structure, or perhaps just to make the structure more efficient.



Bear in mind that a domain restructure is not a requirement for transitioning to Active Directory. It is possible to simply upgrade your existing structure. But if you feel that your network would benefit from a new structure, then restructuring is for you. Restructuring can be accomplished over a long period of time, unlike the original migration that takes a relatively short period of time. You can decide to restructure at any pace you choose, making it easier to avoid unnecessary downtime. There are three basic types of restructure to consider: the post-upgrade restructure, the restructure instead of upgrade, and the post-migration restructure. Let’s look at each of them: Post-upgrade restructure This is a very common time to perform a restructure. The first phase of the migration, upgrading the domains to Windows 2000, has been completed, and now the second phase of the migration, performing a domain restructure, is to begin. The upgrade takes care of moving the groups and users into Active Directory so that the restructure can be accomplished in a pure Windows 2000 environment. If you decide to restructure after the upgrade, your goals most likely are to either rework the current domain structure into something more efficient or to bring resource domains that have limited-rights administrators into your Windows 2000 domains in a secure way. Restructure instead of upgrade There are two fundamental reasons to select this method: First, you cannot salvage your current domain structure; second, your environment cannot tolerate any disruption during the migration process. Either way, this method determines that you will create a pristine forest to be the target for the restructured domains. This means that you are creating an ideal forest structure for your organization that is isolated from the production environment. Over time, as more accounts are moved to the pilot network, the pilot network becomes the production environment.


www.sybex.com

182

Chapter 5

Restructuring Your Network

Post-migration restructure This type of restructure happens after the migration to Windows 2000 is complete, sometimes months or even years later. Usually this method will be selected because of a significant change in the network structure, such as a merger or acquisition. The basic decision of deciding between an upgrade or restructure (or both) depends on your network situation. If you feel that your existing structure is ideal, then simply upgrade. Upgrades are possibly the safest scenario. Restructuring offers advantages if you are unhappy with the way your current network works. Both situations allow for back-out plans in case something goes wrong. Generally, restructuring requires additional hardware, but you wanted to upgrade your servers anyway, right?

Reasons to Restructure A number of reasons exist why an organization might want to restructure its domain environment. Perhaps your company has just acquired another company and you need to merge the two networks into a single cohesive namespace. Or, possibly, you have upgraded your WAN links and now have the available bandwidth to combine two remote sites into a single domain. The list goes on and on, but there are three reasons to consider that you might see on the exam: greater scalability, delegation of administration, and granularity of administration. Greater scalability If you have a very large environment, you may have designed your previous domain structure around the performance limitation of 40,000 objects in the Security Accounts Manager (SAM) database. With Active Directory, you have the opportunity to collapse those domains into a single domain or a more streamlined domain structure. Delegation of administration Most NT domain structures require that administration be done in a centralized location, or at least by a small group of administrators. Windows 2000 and Active Directory enable you to distribute the administrative load as far as you want. You can easily delegate authority for a resource to a user or group of users. Granularity of administration Windows 2000 enables you to use Organizational Units (OUs) instead of separate domains to achieve logical separations for administrative units. Consider a network that has grown through the process of acquisition. Such a network could consolidate its administrative units as OUs within a single domain instead of using separate domains with a high number of trust relationships.


www.sybex.com


183

So far, none of these examples requires that you have actually completed an upgrade to Windows 2000. You could be using a domain restructure as a way of migrating to Active Directory. In this situation, you could simply migrate all of the users and groups to a new Active Directory structure without upgrading the original domain. Then, when the migration of resources is complete, you could decommission the old domain controllers and reassign them to the new domains.

Developing a Procedure There are two basic scenarios for restructuring domains. More complicated environments would still use these methods, only on a larger scale. The first involves migrating users from an NT environment to a new Windows 2000 structure. The second involves consolidating Windows 2000 domains into OUs. If you are using the first scenario, your network may be Windows NT 3.51 or 4, or it may have already been migrated to Windows 2000. Either situation will work. If the network is NT, this method will solve your migration needs as well as your restructuring needs.


Develop a domain restructure strategy.

It’s important to devise a procedure for restructuring because this will be some of the most common work done with Windows 2000 in existing networks. Many companies will purchase Windows 2000 just for this purpose, to condense or restructure their old domains into something more efficient. EXERCISE 5.1

Developing a Domain Restructure Strategy As a rule of thumb, when migrating domains to Windows 2000, use the following procedure:

1. Perform preliminary tasks. (These specific tasks are covered in Chapter 1, “Planning a Deployment.”)

2. Perform a dry run of the migration.


www.sybex.com

184

Chapter 5



3. Migrate accounts domains. 4. Migrate resource domains. The order of migrating accounts and resource domains is covered in Chapter 2, “Planning for Active Directory.”

Migrating Users to a New Domain When you decide to restructure your domains, you are choosing to move users, groups, and computers from an existing domain to a new Windows 2000 domain. A number of new configurations for the old network are possible, so let’s take a look at a few of them. EXERCISE 5.2

Restructuring a Resource Domain The restructure of a resource domain into a Windows 2000 domain follows these basic steps:

1. Establish the trust relationships needed to maintain access to your network resources. You will need trusts from the target domain to any external account domains in order to preserve resource access for your network users during the restructure. You can use NETDOM to query the existing domains to determine their trusts. NETDOM is discussed in Chapter 7, “Migration Tools.”

2. Clone shared local groups. These are the local groups created on the domain controllers for the old domain. Use ClonePrincipal to clone the local groups to ensure that resource access is maintained during the restructure. ClonePrincipal is also discussed in Chapter 7.


www.sybex.com


185


3. Demote old domain controllers to member servers. In this step, you would first upgrade the primary domain controller (PDC) to Windows 2000 and then upgrade each backup domain controller (BDC) that will be moved to the new domain. Leave the domain running in mixed mode for the time being. After you’ve upgraded the BDCs, demote them to member servers and move them to the new domain and/or OU. Essentially, this will leave you with a parallel domain running in mixed mode with only a single domain controller.

4. Move member servers and client computers to new domain or OU. During the transition, use NETDOM to create computer accounts for the computers in the destination domain.

5. Decommission the old domain and reallocate the servers. By now, the only computer that should be left in the old domain would be the former PDC. You can demote this computer and move it to a new location in the new domain structure.

This plan would accomplish a move from a resource domain to an Active Directory domain, but what about moving an account domain to the new Active Directory domain? EXERCISE 5.3

Moving an Account Domain To move an account domain to a new location in a Windows 2000 domain, follow these steps:

1. Create a new Windows 2000 environment. This may be a single domain or a new forest. Either way, the new environment should be completely new, not created by upgrading the existing domains.


www.sybex.com

186

Chapter 5



2. Establish the trust relationships needed to maintain access to your network resources. You will need trusts from the source domain to any resource domains to preserve resource access for your network users during the restructure. You can use NETDOM to query the existing domains to determine their trusts.

3. Clone all global groups in the source domain. Since typical administrative practice is to access resources through global groups that are added to local groups, make certain that these groups get moved to the target domain. The easiest way is to use ClonePrincipal to move the global groups to the new domain.

4. Select and clone sets of users. In most cases, you will want to move users to the new domain in batches, so you must identify the sets of users you will move and use ClonePrincipal to copy them to the new domain.

5. Decommission the source domain. When all of the accounts and resources have been moved to the new domain, you’ll need to demote all of the domain controllers and reassign them to new roles elsewhere in the network.

Assessing Hardware When you are considering the restructure of your network, you will need to evaluate all of the hardware currently in use for its suitability in a Windows 2000 domain. Essentially, you will be using the same hardware requirements for Windows 2000 that were covered in Chapter 1, “Planning for Deployment.”





www.sybex.com


187

One difference between assessing hardware for the deployment of Windows 2000 and assessing hardware for the restructure of your domains is that the old servers don’t necessarily have to run Windows 2000. That is, you could be migrating away from NT 4 to Windows 2000 and be planning to replace the old servers with newer technology. If this is the case, then the primary concern for the old servers is their ability to run NT rather than Windows 2000. Your assessment of current hardware should be based upon the restructure method you have chosen. If you are performing a post-upgrade restructure, then your hardware must be able to run Windows 2000 successfully since you will be upgrading and then restructuring. If you are simply restructuring, then you are essentially performing a migration from your existing NT environment to the new Windows 2000 structure. EXERCISE 5.4

Assessing Hardware for Restructure Assume that your company has a standard image for its domain controllers as follows:

Dual Pentium II 400MHz processors

256MB of memory

9.1GB of hard disk storage

Based on this information, which type(s) of domain restructure will be available to you?

Keep in mind that the domain controllers for the pilot network must be able to bear the full burden of the planned Active Directory structure. The first domain controller will have all of the Flexible Single Master Operations (FSMO) roles by default. To alleviate this situation, install the other domain controllers for that forest as soon as possible and before executing the restructure. Distribute the FSMO roles among several servers for better performance.


www.sybex.com

188

Chapter 5


Planning for Security Security is one area that will be greatly affected by a restructure. Because Windows 2000 makes it possible to move security principals from one domain to another, you need to assess how the restructure will impact your users, groups, and domain controllers.


Evaluate the current environment. Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.

This section will examine the impact on the following areas of security:

Moving security principals, including domain controllers, users and global groups, member servers, and client computers

Establishing trust relationships

Cloning security principals

Moving Security Principals A security principal is a Windows 2000 entity that is assigned a security identifier (SID). This can be a computer, a user, or a group. One of the greatest benefits implemented as a result of Active Directory is the ability to move security principals from one domain to another or even from one forest to another. You must consider several areas when assessing the security implications of moving security principals:

Effect on SIDs

Effect on global group membership

Effect on Access Control Lists referencing the user


www.sybex.com


189

Effect on SIDs The security identifier for a user, group, or computer is highly specific to the domain in which it is created. When you move an account to a new domain, a new SID must be assigned to that account. This presents some problems for maintaining resource access during a restructure. In NT’s security model, access to a resource is controlled by the entries in the Access Control List (ACL). The SID of the account trying to access the resource is compared to the list of SIDs stored in the ACL. If the SID matches an entry in the ACL, then access is granted. Under this model, if you move an account to a new domain, you would be creating a new account in the new domain with the same name and properties as the old account. Then you would have to assign permissions for the new account on every resource so that the account would have the same access as before the move. Sounds like a pain, doesn’t it? To illustrate this procedure, let’s use the example company we used earlier in the book, coolcompany.local. Coolcompany.local has three domains in a Single Master Domain model, as shown in Figure 5.1. FIGURE 5.1

The domain model of coolcompany.local

Account Domain

Resource Domain 1

Resource Domain 2

Let’s say there is a user named BobR who uses a database application located on a server in the Resource Domain 2. Typically, you would create a global group in the Acct_Dom domain called DB_Users and add BobR’s account to that group. Then you would create a local group on the server that hosts the database (we’ll call it DB_Local). To give BobR the proper access to the database, you would add his account to the global DB_Users account, then add the DB_Users account to the local DB_Local account and assign permissions to DB_Local. Figure 5.2 shows this process.


www.sybex.com

190

Chapter 5


FIGURE 5.2

Granting access to a user Global Group Local Group

BobR

Permissions DB_Users

DB_Local

Now consider the issues surrounding moving BobR’s account to a new Active Directory location. If you move the account to the new location using any of the migration tools for Windows 2000, a new SID will have to be created for the account to identify it uniquely in the new domain. So when you move BobR to the new domain, Windows 2000 creates and assigns a new SID to his account. At this point, BobR cannot access the database using the new account, because the new SID isn’t in the ACL for the database. BobR is just out of luck until we find a solution for him. Luckily, this won’t be much of an issue for Windows 2000 because it implements a new security feature called SIDHistory. Briefly, the SIDHistory field preserves the account’s old SID alongside the new SID. We’ll discuss SIDHistory in more depth later in this chapter. Effect on Global Groups Global groups have much the same problem as I described above. When you move BobR’s account to the new domain, you’ll be removing him from any global group he belongs to in the Acct_Dom domain. Global groups can contain only user accounts from the group’s domain, so when you move BobR’s account, his new account cannot be a member of any global group in Acct_Dom. To solve this problem, you might create a new global group in the target domain to parallel the old global group, but you would have to assign permissions again for all of the resources to which the old global group had access. This sounds like a lot of work to me. Another possible solution would be to use Windows 2000’s ability to move security principals to relocate the existing global group to the target domain. This would require that you move everyone who belongs to the group to the new target domain, but this solution still has a problem. This time, the SID for the global group would have changed when we moved it to the new domain, requiring you to reassign permissions at all of the resources for the global group. Still a lot of work.


www.sybex.com


191

Effect on ACLs Referencing the User If you had assigned any permissions directly to BobR’s account in the past, you will now have the same problem again. When you move his account to the target domain, the account will receive a new SID. Since the ACLs list the user account by its SID, BobR will no longer be able to access the resource using his relocated user account unless you reassign permissions at each resource for the new account. SIDHistory The above scenarios all have similar issues with a change in the SID assigned to an account. Windows 2000 introduces the concept of the SIDHistory. The SIDHistory is a method to store the previous SID for a security principal that has been moved from one location to another. This new feature could solve each of the above scenarios by tracking the previous SID. When using the SIDHistory feature, it is important to always use Windows 2000 utilities to move the security principals. The management utilities that Microsoft provided for Active Directory understand how to update the SIDHistory when you move a security principal and thus avoid the issues of reassigning permissions. During the logon process, Windows NT creates a security token containing the user’s SID and the SIDs for any groups the user belongs to. Windows 2000 takes this one step further by also adding the SIDHistory to the access token. This has the effect of authenticating the user for resource access based on his or her current SID, the SIDs of any groups the user belongs to, and their previous SIDs. The SIDHistory feature makes it possible to easily move a security principal from one location to another in Active Directory without losing any resource access. Windows NT 4 systems should use the security token generated by the Windows 2000 domain controllers without any problems. There is a problem, however, with the way that NT 3.51 systems use this feature. When NT 3.51 builds the security token, it uses only SIDs that are relative to the user’s account domain and the local computer. The upshot of this is that NT 3.51 computers won’t recognize any group SIDs for universal groups or global groups from another domain in your Active Directory structure. Any users attempting access from another domain will receive an access-denied message even if they should have access.


www.sybex.com

192

Chapter 5


Establishing Trust Relationships During your restructure, you may have sets of users in both the source domain and the target domain requiring access to existing resources on your network. To accomplish this access, you will need to establish trust relationships between the existing resource domains and the target domain so that user and group accounts that have been moved to the new target domain can still access the resources they need in the resource domains. You can use the NETDOM tool to enumerate the trust relationships in your current network and establish new trusts where needed, as well as for a variety of tasks in managing domains. NETDOM will be discussed in detail in Chapter 7. Windows 2000 automatically creates two-way transitive trust relationships between all domains in a forest. However, during your migration, you will have a hodgepodge of domains, both Windows 2000 and NT. Before migrating any users or resources to Windows 2000 domains, it is necessary to make sure that trust relationships are in place for resource access. A good rule to remember is that the resource needs to trust the user. As an example, if I trust you with my resource (my car), I will give you my car keys. Does this mean that I can drive your car? Of course not. But you can drive mine. Once the migration is complete, and all users and resources are migrated to Windows 2000, you can remove the trust relationships you created. It’s not a good idea to remove the trusts between Windows 2000 domains in the same forest: Active Directory has created those for a reason.

Cloning Security Principals So far, I’ve described restructuring mostly in terms of moving security principals from one domain to another. But there is another alternative that should be considered: cloning security principals. Cloning offers some great benefits, such as greater reliability during the restructure. Because you are copying the accounts to the target domain, you are leaving the original production environment intact. This gives you a better recovery path since the original domain is still there with all accounts and permissions intact. To clone security principals, you need to use the ClonePrincipal tool, which is made up of a number of Microsoft Visual Basic scripts for cloning accounts. Included in the set are scripts that will migrate user accounts, local group accounts, and global group accounts. ClonePrincipal doesn’t do anything to the source domain, which is a good thing. It simply copies information out of the SAM database and imports it into the Active Directory in the target domain. ClonePrincipal is discussed in detail in Chapter 7.


www.sybex.com


193

Whichever strategy you select to restructure your domains, Windows 2000 has a tool for the job. I think that there will likely be more tools coming in the near future from third-party vendors to assist with the migration or restructure of domains. But of course, the exam will be testing your knowledge of the Microsoft tools. If you choose to restructure during a migration, you will be moving security principals from the old source domain to the new target domain. If you are restructuring over time, you will most likely be using ClonePrincipal to move your security principals while maintaining their accounts in the source domain until everything has been verified to work in the new location.

Verify Application Compatibility Application compatibility is something we discussed in detail in Chapter 1. In light of restructuring, application compatibility has some other wrinkles to bear in mind. Some of the features of the application that Microsoft has listed in the exam objective directly relate to new features of a Windows 2000 network that will either enhance usability or just make it possible for the network to function at all.




There are three major areas to consider when assessing application compatibility: Web services, Microsoft BackOffice including Exchange Server, and line of business (LOB) applications. Next, we will discuss each of them in greater detail.

Web Services Windows 2000 comes with Internet Information Services (IIS) version 5 right out of the box. Notice that the name has changed slightly, Services instead of Server. IIS 5 does provide backward compatibility for Web services running on earlier versions of IIS, including full support for common


www.sybex.com

194

Chapter 5


Internet standards as well as Microsoft extensions. Windows 2000 will use IIS to enhance replication of Active Directory between sites. Specifically, Windows 2000 will use the SMTP service for asynchronous replication between sites comprising a different domain. If you plan to implement sites and want to use SMTP for the transport, you must install IIS and the SMTP service. IIS 5 includes support for Web-related network services such as these: HyperText Transfer Protocol (HTTP) This service provides the basic Web services for IIS, enabling you to serve Web pages and files through HTTP. File Transfer Protocol (FTP) IIS 5 provides a full FTP server for serving files over the Internet or the local intranet. Network News Transport Protocol (NNTP) NNTP support is included if your Windows 2000 Server will participate in routing Internet News messages. Simple Message Transport Protocol (SMTP) This service provides support for an Internet e-mail server under Windows 2000. This service is very important to inter-site replication using the SMTP protocol. Windows 2000 will use the SMTP service in IIS by default for the replication messages between sites. Visual Interdev RAD Remote Deployment Support This service enables you to use your IIS server to distribute applications through a Web interface.

Exchange Server In Chapter 1, we discussed the use of the Active Directory Connector with Exchange Server 5.5 to unify the administration of your Windows 2000 environment and your Exchange Directory. This application offers many benefits to administrators and will help mostly while you are waiting for Exchange 2000, which is fully integrated with Active Directory. Until you choose to migrate to Exchange 2000, you will need to maintain full functionality in your current Exchange structure. Exchange Server is a server application that requires the use of a dedicated service account in order for its various services to start and communicate with the other Exchange Servers in your enterprise. Service accounts will have many of the same issues with SIDs changing when the account is moved to another domain, and they will have the same solutions to the problem.


www.sybex.com


195

To support Exchange Server on Windows 2000, there are some restrictions to keep in mind. Only Exchange Server versions 5.5 and 2000 are supported on Windows 2000 at the moment. Older versions of Exchange will need to be upgraded prior to installing Windows 2000. In addition, Exchange Server 5.5 requires Service Pack 3 in order to run on Windows 2000. Service Accounts A service account is a user account that has been created for the sole purpose of supporting a service running on NT or Windows 2000. Many server applications designed for Windows NT/2000 use service accounts to log on to the local server or to communicate with other servers across the network. Special care must be taken to ensure that your service accounts are migrated correctly to the new environment. After all, the one network service everyone wants is e-mail. If the service account for your Exchange Server is broken or lost during the migration, no one will be getting any e-mail through Exchange. Fortunately, the Active Directory Migration Tool has a wizard designed to migrate service accounts from your source domain to the target domain. The Service Account Migration Wizard, shown in Figure 5.3, will help you to identify and migrate your service accounts to the target domain. FIGURE 5.3

The opening page of the Service Account Migration Wizard


www.sybex.com

196

Chapter 5


This wizard looks very much like the other wizards we’ve used except that it must collect information regarding your specific service accounts. The wizard prompts you to provide the names of the computers that will provide the service account information and then dispatches an agent to each computer to gather the information. It can take some time to perform an analysis, but it’s worth the wait. Be careful not to cancel the agent process before it has completed, or you won’t be able to complete the migration successfully. When the information has been collected from the source domain, the wizard will then perform the migration.

Exchange and the Active Directory Connector I know it seems strange to be reading a book about Windows 2000 and suddenly find a section devoted to Exchange Server, but there is a method to my madness. Some migration issues surrounding Exchange will appear on the exam, including using the Active Directory Connector (ADC) to map migrated user accounts to existing mailboxes. Believe me, you do not want to be the person responsible for the migration when it causes the Exchange Server to fail or people to not be able to retrieve their e-mail. The ADC is a Windows 2000 service that forms a replication bridge between Active Directory and the Exchange Directory. There are some distinct advantages to using the ADC: Single source administration Using the ADC, administration of both Active Directory and the Exchange Directory can be combined into a single tool. If you are more familiar with the Microsoft Management Console (MMC), you can set up the ADC to replicate all information from Active Directory to Exchange, or if you are more familiar with the Exchange Administrator, you can replicate from Exchange to Active Directory. Granular administration and delegation control Windows 2000 provides delegation of administrative control that is granular to the attribute level. In plain English, you can delegate administrative authority down to an attribute of an object, like the phone number associated with an account. Using the ADC, you can extend this granularity to Exchange. Interoperability Exchange Server is able to synchronize directory information with other messaging servers. You can set up your ADC connections so that Exchange Server synchronizes with a third-party messaging server, then replicates that information back to Active Directory.


www.sybex.com


197

Setup Requirements for the Active Directory Connector The hardware requirements for the ADC are simple: You must be able to run Windows 2000 or Exchange Server 5.x on the computer. There are no other special requirements, though you will want to have plenty of RAM for processing the replication information. The software requirements are also pretty straightforward:

You need at least one Windows 2000 Server.

You must have at least one Exchange Server 5.x with Service Pack 1 or higher installed.

The only other suggestion I can make for your setup is that the server running the ADC, the Windows 2000 domain controller, and the Exchange Server computer should all be on the same segment of the Local Area Network (LAN). This will prevent the replication from impacting other segments of the network and increase the efficiency and reliability of the connection. The security requirements are mostly for the initial installation of the ADC. For the first ADC installation in a forest, the account you use for the process must be a member of the Schema Admins group, since the Schema will be modified for the entire forest with information from the Exchange Server schema. EXERCISE 5.5

Installing the Active Directory Connector The ADC is provided on the Windows 2000 Server CD-ROM, in the folder \ValueAdd\MSFT\MGMT\ADC. Use these steps to install the Active Directory Connector:

1. Browse to the ADC folder on your Windows 2000 Server CD-ROM and double-click Setup.exe. This will start the Active Directory Connector Setup Wizard. Click Next.


www.sybex.com

198

Chapter 5



2. The Component Selection page prompts you to decide which ADC components you will be installing on the local computer. ADC can be installed on a domain controller or a member server, but it should be on a Windows 2000 Server. The page shown in the following graphic asks whether you want to install the service, the management tools, or both. Click Next once you make your choice.

3. The Install Location page asks you to select a location in which to install ADC. The full space requirement for ADC is approximately 9MB. Click Next.

4. The wizard then asks you to specify which service account the ADC will use to log on to the servers. Enter the name of the service account you have chosen, then click Next.

5. Now the Setup Wizard begins copying files and configuring the system to run the ADC. Once the file copy is complete, you will be prompted to click Finish to exit the Setup Wizard.


www.sybex.com


199

Configuring the Active Directory Connector The functionality of the ADC depends on Connection Agreements between the Active Directory and the Exchange Directory. Connection Agreements define a connection between the two directory architectures in a network. Typically, you will be picking one domain controller and one Exchange Server to act as Bridgehead Servers, that is, the initial points of replication between the two directories. The Connection Agreement then sets the properties for the communication between these two servers. The Active Directory Connector Management console is installed in the Administrative Tools group on the Start menu. When you open the console, there is only a single node displayed for the Active Directory Connector <ServerName>, where ServerName is the name of the Windows 2000 Server where the ADC is installed. Right-click this node and select New Connection Agreement. This will open the Properties sheets for a new Connection Agreement. Figure 5.4 shows the General tab of the Properties sheets. FIGURE 5.4

The General tab of the Connection Agreement Properties


www.sybex.com

200

Chapter 5


On the General tab, you need to assign a name for the connection and then decide in which direction the replication will occur. If you will be replicating directory information to the Exchange Directory, the service account you specify on the next tab must have the ability to write to the Directory. The Connections tab specifies the servers that will become the bridgeheads for the replication. You will be specifying the name of the server and the service account to use for logons. When you click the Modify button for the account, you will be prompted for the account name (which you can browse for) and the password. The Connections tab is shown in Figure 5.5. FIGURE 5.5

The Connections tab defines the servers and account names used for the connection.

The Schedule tab determines when the Connection Agreement is available for replication. You can click Never, Always, or Selected Times for the availability. If you choose the last option, you will need to select the times for availability in the day and time grid. This tab also provides you with a checkbox that will force the replication of the entire Directory on the next


www.sybex.com


201

replication event. This ability can be useful if you have a corrupted Directory and need to re-populate it manually. The Schedule tab is shown in Figure 5.6. FIGURE 5.6

The Schedule tab determines the availability of the connection.

Next you have two tabs that are nearly identical: the From Exchange tab and the From Windows tab. These tabs ask you to define the directory containers and attributes that will be replicated across the connection. On the From Exchange tab, you need to define the location (expressed as a DN) of the Recipients container that will be replicated. Click the Browse button to make this task easier. Then you must select the default location in which to place the replicated information. The From Windows tab asks you to define the OU(s) that will be replicated to Exchange. Again, you need to define the default destination for the replicated information once it reaches the Exchange Directory. The From Windows tab is shown in Figure 5.7.


www.sybex.com

202

Chapter 5


FIGURE 5.7

The From Windows tab

The Deletion tab defines the default behavior to use when an account is deleted from either directory. The default behavior is to save the deleted information in a temporary file so that the deleted objects can be retrieved if something goes wrong. You can also click the radio button to delete the object immediately, defining this option separately for Exchange and for Windows 2000. The final tab in the set of Properties sheets is the Advanced tab. On the Advanced tab, you can define how many replication entries will be sent per page. A page is a unit of replication containing a set number of objects. Larger pages mean that fewer replication frames will be sent across the network, but they also mean that the ADC computer must work harder and use more memory to process the pages. You will then need to determine whether this agreement will be a primary Connection Agreement for Windows or Exchange or both. A primary Connection Agreement means that the server will be enabled to make changes to the Directory for which it is responsible. If the Exchange side of the Connection Agreement is primary, then that Exchange Server will be able to enter new account information that it receives from Windows 2000.


www.sybex.com


203

The final setting on the Advanced tab determines what will happen when you replicate mailbox information for an account that does not exist in Active Directory. The default behavior is to create a Windows Contact entry for the mailbox recipient. You may want to define other behaviors based on your administrative plans for the ADC. If you will be performing your administration primarily from the Exchange Administrator console, then select Create A New Windows User Account from the list box. This will automatically create a Windows 2000 user account and enable it for use in the forest. The other option you’ll find in the pull-down menu is Create A Disabled Windows User Account. If chosen, it will create the account but leave it disabled until the Administrator enables it. The Advanced tab is shown in Figure 5.8. FIGURE 5.8

The Advanced tab of the Connection Properties

In closing, use the Active Directory Connector to simplify your directory administration if you have both Exchange Server and Windows 2000 in your environment. ADC gives you the ability to manage either directory structure from a single administration tool based on your preference.


www.sybex.com

204

Chapter 5


Line of Business Applications The compatibility issues for line of business (LOB) applications are mostly centered on the service accounts and resource access for users. In a restructure, you must maintain access to the resources used on a daily basis by your users. LOB applications certainly fall into the category of daily use and by their definition are important to the normal functioning of the organization. Think of LOB applications as any program that is critical to maintain dayto-day operations of your company. Customer service databases are a good example. Because the function of these applications is so critical, little or no downtime can be tolerated. Migration to the new environment, then, can be difficult. In many cases, you can create a new copy of the application in the target domain and replicate any data the application uses to the new copy of the program. This is a simple scenario but is actually one that you won’t see very often. Most LOB applications use live data of some kind. If you replicate an image of the data to the target domain, the data will be out of date by the time the users move to the new domain. Typically, you will have to move the LOB applications last in the migration. This means maintaining resource access for your users to the LOB applications while performing the restructure. It is good to upgrade the servers running the LOB applications to Windows 2000 if possible, as this makes moving them to the new domain easier. If the applications won’t run on Windows 2000, you have the opportunity to move the server by joining the new domain if the LOB applications are running on a member server. In this case, you could simply move the server to the new domain with minimal downtime for the applications. If your LOB application is not supported by Windows 2000, Microsoft recommends contacting the vendor to see if an upgrade or workaround is available. If one is, go with it. If not, the worstcase scenario is that you will need an older server running in your mixed Windows 2000 environment.

Assessing the Impact on Network Services If you have any experience administering SQL Server or Exchange Server, you’ll shudder at the thought of moving service accounts around. This is an area where a restructure can get very interesting. Service accounts are used


www.sybex.com


205

by, well, services to log on to both the local server and a remote server for any transactions that need to be made between them.



Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager Replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.

Restructuring service accounts is very sensitive because in order to ensure a high success rate, you must assess all of the implications that your restructure will have on your network services.

Remote Access Service Some of the concern with RAS in a Windows 2000 restructure is the default permission. In mixed mode, the default permission is to allow all authenticated users to access the RAS server; in native mode, the default is to deny that access. When you move users from an NT domain over to the nativemode Windows 2000 domain, you will need to reset the permissions for their accounts to permit dial-up access. You may also run into some SID issues as the accounts are transferred from the source domain into the target domain, but here again the SIDHistory feature should come to the rescue with the previous SID in hand.

Network Protocols Windows 2000 supports all of the network protocols that NT does, and in fact includes newer versions with enhanced functionality. But the main concern in terms of network protocols is that you must use TCP/IP if you want to use Active Directory. Native Windows 2000 networks require TCP/IP for many of the new features in the operating system. But perhaps the greatest reason most companies will have for migrating to Windows 2000 is to use Active Directory to streamline their domains. This whole discussion of restructuring domains in Windows 2000 depends on having TCP/IP. OK, are you getting the point that TCP/IP will be important for your network? Good.


www.sybex.com

206

Chapter 5


If you have applications or other network clients or servers that require other protocols, you may need to keep a mixed-protocol environment. But since most, if not all, network operating systems support TCP/IP today, this shouldn’t be too much of an issue.

Dynamic Host Configuration Protocol The Dynamic Host Configuration Protocol (DHCP) provides dynamic IP addressing for clients that are configured to use the service. DHCP becomes more important in Windows 2000 since it works closely with the DNS server. When the DHCP service in Windows 2000 issues a lease to a client computer, it then enters the reverse lookup information for the client in the reverse lookup zone on the DNS server. The client will update its own DNS record with the DNS server. Now any client using that DNS server can obtain the name resolution for that dynamically addressed client.

The DHCP server can be configured to update both A and PTR records, which can be beneficial to networks having Windows computers that do not support Dynamic Update.

One significant change with DHCP in Windows 2000 is the requirement to “authorize” a server before it can begin to assign addresses. This requirement may help to prevent the appearance of rogue DHCP servers in a large network. Windows 2000 requires that an administrator authorize the DHCP service before it will actually issue any addresses. EXERCISE 5.6

Authorizing the DHCP Service To authorize the DHCP service, follow these steps:

1. Log on to the server (it’s usually best to log on at the server to be authorized) using an account with sufficient permissions to authorize the service, i.e., an Enterprise Administrator, unless the permission has been delegated.


www.sybex.com


207


2. After installing DHCP on your Windows 2000 Server, open the DHCP console by clicking Start Programs Administrative Tools DHCP.

3. Expand the console tree to view the server name. Highlight the server to be authorized and select Authorize from the Action menu.

Windows 2000 will detect and, wherever possible, disable an unauthorized DHCP server on the network in an Active Directory environment. Your server must be either a member server or a domain controller before it can be authorized to act as a DHCP server in an Active Directory domain. Stand-alone servers will not be recognized for the DHCP service, as they have no status in the Directory. The DHCP service in Windows 2000 uses the DHCPINFORM message to query any other DHCP servers on the local network. This special message type is new with Windows 2000. A DHCP client sends the DHCPINFORM message when it already has an address but is trying to discover more information about the server. The DHCP server sending the message collects the data from the other servers it discovers, including such items as the root of the domain or forest and the presence of Active Directory services. If the DHCP server finds these services, it will query the Directory to see if it is listed in the authorized DHCP server list. If so, the service initializes and begins serving addresses to DHCP clients. If the entry for Active Directory services is not found in the Directory, the DHCP service is stopped on the server that is making the query. During a restructure of the network, you may also change the physical subnets. In this case, you will need to update the scopes in your DHCP servers to reflect the new distribution of addresses.

LAN Manager Replication This area will be a concern during the restructure since Windows 2000 doesn’t use the LAN Manager replication (LMRepl) service. We used to call this “Directory Replication” in NT 4, but Windows 2000 is changing all of the terms around, so we can’t use that name anymore. Windows 2000 uses the File Replication Service (FRS) to move logon scripts and policy files between domain controllers and also to assist in the Active Directory replication.


www.sybex.com

208

Chapter 5


You will very likely have to set up parallel replication systems between the domain controllers of the source domain and the domain controllers of the target domain to ensure that your users will have their files. Windows 2000 does not support LMRepl in native or mixed mode. Therefore, you need to set up a strategy for replication between the new FRS and LMRepl. The major difference between LMRepl and FRS is how they initiate replication. LMRepl uses one computer as an export server, with others acting as import computers. FRS uses the same replication mechanism as Active Directory, which allows for the use of multimaster replication. In order to continue replication in a mixed environment, designate one Windows 2000 Server as an export computer and import its replication information (scripts and policies) to the export NT computer. This is known as a “replication bridge.” Then the NT computer will export the desired information to other NT domain controllers. To achieve this 2000-to-NT replication, create a batch file that schedules the necessary copying. Microsoft has a sample batch file available for this purpose.

Windows Internet Name Service The Windows Internet Name Service (WINS) provides NetBIOS name resolution in a dynamically assigned IP environment. This can be a very important function in a network that assigns client IP addresses through the use of the Dynamic Host Configuration Protocol (DHCP). The problem with WINS is that it has proven to be somewhat unreliable and often can be difficult to configure correctly. If you have one WINS server, it’s simple to install. Add the service and it starts working. In a larger environment, you need to have more than one WINS server, and that requires replication, which can introduce new hassles. Basically, WINS was a great idea, but its implementation left many professionals frustrated. Remember that a pure Windows 2000 environment doesn’t need WINS, since it doesn’t use NetBIOS naming. But if you will be running a mixed environment of Windows 2000 and NT or Windows 9x clients, you should consider running WINS on one or more of your Windows 2000 Servers. If the network will consist of only Windows 2000 Servers and clients, leave out WINS and reduce the associated NetBIOS traffic on your network. During the restructure of your network, you will likely still be using WINS to resolve NetBIOS names for your network clients. During the restructure, the WINS database will contain entries for all of the existing domains. If you configure the domain controllers of the target domain to use


www.sybex.com


209

the WINS servers, then the new domains will begin to appear in the database as well, making it easier for users to find the new domain.

NetBIOS NetBIOS is not required in a native-mode Windows 2000 network, though you may still need its services if you have applications that require it. Possibly you will have older network computers that still require NetBIOS, especially if any NT or Windows 9x computers are left on the network after the migration to Windows 2000. Client computers that are still using NetBIOS must have WINS present to provide NetBIOS-name-to-IP-address resolution, or they will have to be configured with an LMHosts file to provide that resolution.

Domain Name System The Domain Name System (DNS) is absolutely required for a native Windows 2000 network to function. The domain functions and naming are built upon DNS. One of the new additions with DNS in Windows 2000 is the ability to make dynamic updates to the DNS servers. Because of this, name resolution using DNS can encompass every client in the network that receives its address through the Dynamic Host Configuration Protocol (DHCP). DHCP notifies the Windows 2000 DNS server to update the reverse lookup zone when it gives out an address lease, and the DNS server places the host and address information into its tables. The client computer is normally responsible for updating the forward lookup zone with its DHCP information. DNS resolves hostnames to IP addresses. In the past with NT, this helped only when you were using commands that used sockets to communicate. With Windows 2000, however, DNS will be the primary method of resolving names to connect to other Windows 2000 computers. In addition, Windows 2000 doesn’t require NetBIOS support to communicate. DNS support for your Windows 2000 network also requires the presence of the new SRV (Service) record to identify the servers providing well-known services. An example of this would be the Kerberos servers providing the network logon authentication. This is the mechanism used in an Active Directory domain to locate domain servers and services. The latest versions of BIND (version 8.1.2 and later) also support the SRV record type as it is defined in RFC 2052. Microsoft recommends the use of BIND 8.2.2 if you decide to maintain Unix-based DNS solutions, as 8.2.2 is the current version and supports all of the necessary features for Active Directory. For the exam,


www.sybex.com

210

Chapter 5


you may face questions in which the version of BIND is important information. Use the following information to assist with your planning decisions:

BIND 4.9.6 added support for the SRV record type. SRV records are required by Windows 2000 to locate LDAP and Kerberos services used during logon to a domain.

BIND 8.1.2 added support for dynamic zone updates. Active Directory does not require this feature, but it does help your Windows 2000 domains to work more smoothly.

BIND 8.2.1 added support for incremental zone transfers (IXFR). This means that instead of replicating the entire zone database to a secondary server, only the changed records are transferred. This lowers the impact on network traffic due to zone transfers.

The DNS service in Windows 2000 includes support for all of these features. And while it is true that you can integrate Windows 2000 domains with existing non-Microsoft DNS solutions, Microsoft does seem to prefer that you implement their version of DNS instead. In many cases, I would agree that this would give you a better solution, but integrating with BIND does work just fine. BIND is a product of the Internet Software Consortium, and more information about integrating BIND and Windows 2000 can be found at their Web site at http://www.isc.org/products/BIND/. In a restructure, you may need to redefine your network’s DNS structure. This is especially true if the restructure is due to a merger or acquisition of another company with its own namespace. This is also true if you plan to use a different namespace within your organization—that is, if your Internet presence has a different namespace than your internal organization.

Testing the Restructure

T

esting the deployment, or in the case of this chapter, the restructure, will involve the activities of your users.


Evaluate the current environment. Perform test deployments of domain upgrades.


www.sybex.com

Planning for Recovery

211

As the restructure progresses, pay attention to any difficulties reported by the pilot users who have already been moved to the new environment. They are the ones who will most likely experience problems. At each step of the restructure, you should perform tests to determine whether the security principals that are being moved to the target environment still have resource access. If these accounts can access everything they need without problems, then you’re probably doing all right. On the other hand, if they run into access-denied messages when trying to access the resources they need to do their jobs, then you must reexamine the trust relationships from the old resource domains to the new account domain. NETDOM will be a valuable tool during this phase of testing since it can be used within scripts to automate the process. NETDOM can examine the status of the trust relationships and help you to map them out to ensure that they meet the needs of your organization during the restructure.

Planning for Recovery

T

he same recovery planning you did for a migration will work for a restructure. Having a backup domain controller (BDC) held offline during the process gives you a way out if things go wrong.


Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service.

Your recovery plans will vary based on the restructure type that you’ve chosen: Post-upgrade restructure This type of restructure will require that some of the BDCs be held offline to provide a recovery path, since you are actually moving security principals from the source domain to the target domain. Restructure instead of upgrade This is the easiest type to plan a recovery for, since the original production environment is left largely intact throughout the restructure. You are using a parallel domain structure in this method and cloning security principals from one to the other.


www.sybex.com

212

Chapter 5


Post-migration restructure This type of restructure happens after the migration to Windows 2000 is complete, sometimes months or even years after. In this method, you will need to keep a domain controller offline during the restructure for a recovery path. In a restructure from an NT environment to Windows 2000, the offline BDC will contain a current copy of the SAM database containing all of the user and group accounts. If you need to recover your network, bring this BDC back online and promote it to PDC, which will recover the accounts for that domain. If this BDC is also a WINS, DHCP, and DNS server, it will provide recovery paths for these services, too. Really, though, the DNS server is the only one of those three that I would care about recovering. The WINS server will regenerate its information as client computers log on to the network and register their services in WINS. The DHCP scopes are important to protect, but the database isn’t since you could require all clients on the network to reboot and acquire new leases from DHCP. See Chapter 3, “Preparing for the Migration,” for more information on recovery plans.


www.sybex.com

Case Study: Widgets, Inc.

213


Background Widgets, Inc. has decided to make the move to Windows 2000. Due to the critical nature of the network (and the fact that much of the current hardware is out of date), the design team decided to create a pristine Windows 2000 environment and move users from the current NT network to the new one at a slower pace. You have been given the assignment of planning those moves.

Current Environment The current network supports 2700 users spread out over five locations. The domain structure follows the multimaster model, with two master domains and five resource domains. Widgets, Inc. has facilities in Orlando, Tampa, Ft. Lauderdale, Ft. Meyers, the corporate headquarters in Jacksonville, and a large sales office in Dallas. The two master domains are named M_Jack and M_Dallas. Each site is represented by a resource domain named with the following standard: R_<Site name>. The M_Jack domain has approximately 1500 user accounts, with the remainder defined in M_Dallas.

Pristine Environment Based upon research and testing, Widgets, Inc. has decided to go with a twodomain design. The root domain is named Widgets.com (to match their registered Internet name), and the only child is named Dallas (for a full name of Dallas.Widgets.com). All resource domains will be absorbed into the two remaining domains.


www.sybex.com

CASE STUDY


CASE STUDY

214

Chapter 5


Questions 1. Which of the existing domains do you suggest be migrated first? A. M_Jack B. M_Dallas C. R_Jack D. R_Dallas 2. Build a list: You have been given the task of creating a generic proce-

dure for migrating an NT master domain into a Windows 2000 domain. On the following graphic, place the steps in the correct order. Task

Task Clone shared local groups. Move member servers. Establish trusts. Demote domain controllers. Decommission remaining servers.

3. Build a list: You have been given the task of creating a generic proce-

dure for migrating an NT resource domain into a Windows 2000 domain. On the following graphic, place the steps in the correct order. Task

Task Decommission old domain. Clone global groups. Establish trusts. Create Windows 2000 domain. Clone users.


www.sybex.com


215

1. A. M_Jack contains the bulk of the user accounts for the Widget envi-

ronment. Moving those users to the pristine environment first will get the majority of your users into the Windows 2000 system, allowing you to use the new features and benefits as quickly as possible. 2.

Task Establish trusts. Clone shared local groups. Demote domain controllers. Move member servers. Decommission remaining servers. 1. Establish Trusts. Trusts are needed to maintain access to network

resources during the migration. 2. Clone shared local groups. Use ClonePrincipal to ensure that

resource access is maintained. 3. Demote domain controllers to member servers. Upgrade each

domain controller in the old domain to Windows 2000 and demote them to prepare for the next step. 4. Move member servers. Move the member servers to the new

domain. 5. Decommission remaining servers. All that should be left in the old

domain are the remaining PDC and any servers that will not be making the move. For more details, see the text of Chapter 5.


www.sybex.com

CASE STUDY ANSWERS

Answers

CASE STUDY ANSWERS

216

Chapter 5


3.

Task Create Windows 2000 domain. Establish trusts. Clone global groups. Clone users. Decommission old domain. 1. Create a new Windows 2000 domain. This domain is the target

for resources. 2. Establish trusts. Trusts between the sources and target domain

will ensure resource access during the process. 3. Clone global groups. Use ClonePrincipal to ensure that resource

access is maintained. 4. Clone users. Use ClonePrincipal to move users to the new domain. 5. Decommission old domain. Demote the old domain controllers

and reallocate them. For more details, see the text of Chapter 5.


www.sybex.com

Summary

217

Summary

In this chapter, you learned how to perform a restructure of a network using Active Directory. You learned about planning for a network restructure in terms of current hardware, security, application compatibility, and network services. You saw how NETDOM and ClonePrincipal can be used in the restructure process to preserve account information. You also learned about the role that the new SIDHistory feature plays in preserving resource access during a restructure.

Key Terms Before you take the exam, be sure you’re familiar with the following terms: Access Control List (ACL) Active Directory Connector (ADC) Bridgehead Servers Connection Agreements delegation of administration granularity of administration greater scalability post-migration restructure post-upgrade restructure restructure instead of upgrade security identifier (SID) service account SIDHistory


www.sybex.com

218

Chapter 5


Review Questions 1. Your company has recently agreed to acquire another company. The new

company has its own Internet namespace being used for its Windows 2000 network. Your company has recently migrated to Windows 2000 and is using its Internet name as the namespace for the forest. How can you integrate the two networks into one forest? A. Upgrade and restructure B. Restructure instead of upgrade C. Post-migration restructure D. Migration and restructure 2. You are planning to restructure your domains as part of your migra-

tion to Windows 2000, but your management is concerned about the downtime required to do this. They have set a goal of no downtime for the restructure phase. How can you perform the restructure, yet still provide an assurance of uptime for your management? A. Use a post-upgrade restructure, and create a new Active Directory

structure in parallel for the new domains. B. Use a post-migration restructure, and create a new Active Direc-

tory structure in parallel for the new domains. C. Connect your domains in series using trust relationships, then per-

form the restructure. D. There is no way to guarantee that there won’t be any downtime,

since you must reboot all of the servers at once to complete the restructure. 3. You are preparing to complete a restructure instead of upgrade of

your Windows NT 4 network while moving to Windows 2000. Using this method, which migration tool would let you move security principals without disturbing the original domain? A. NETDOM B. ClonePrincipal C. CloneVB D. ADMT


www.sybex.com

Review Questions

219

4. You are preparing to complete a restructure instead of upgrade of

your Windows NT 4 network while moving to Windows 2000. Using this method, which migration tool would let you enumerate the existing trust relationships in your NT 4 network? A. NETDOM B. ClonePrincipal C. CloneVB D. ADMT 5. While you are planning your domain restructure, you decide to imple-

ment an empty root domain for your forest where you want to move all of the other domains. You are planning to install a Pentium II computer with 128MB of memory as the first domain controller in the root domain and then start the restructure. Why isn’t this a good idea? A. Intel processors aren’t able to properly handle the load of a root

domain controller. Use an AMD processor instead. B. The first domain controller will have all five of the FSMO roles. C. This configuration would actually be fine for the root domain

controller. D. The first domain controller should have at least 256MB of

memory. 6. During the logon process on a Windows NT 3.51 computer, how are

the SIDs evaluated for a user? A. All SIDs for the user and every group the user belongs to are com-

bined into the access token that grants the user access to resources. B. Only the SIDs relative to the user, the user’s account domain, and

local groups on the domain controller performing the logon are processed. C. Only the user’s SID is placed into the access token. D. Only the user’s SID and the SID for the local groups on the com-

puter performing the authentication are included in the access token.


www.sybex.com

220

Chapter 5


7. When you move a security principal to a new domain during a restruc-

ture, a new security identifier is assigned to the account in its new location. What new feature of Windows 2000 makes it possible to maintain access to resources with this account even though the SID has been changed? A. Active Directory B. Microsoft Management Console C. SIDHistory D. ACLhistory 8. You are restructuring your Windows NT 4 domain to a Windows 2000

Active Directory environment. Today, you moved a set of 100 user accounts from the source domain to the target domain by exporting the accounts to a text file, then doing a bulk import of the accounts into the new domain. Later in the day, you receive phone calls from upset users telling you that they cannot access their resources. SIDHistory should have preserved their ability to access the files. Why did the access fail? A. You did not use a Windows 2000 migration tool to move the

accounts. B. You did not reset their SIDHistory variable in the import process. C. The import file was most likely corrupted during the transfer of the

accounts. D. You should have exported the accounts into a binary file, not a

text file.


www.sybex.com

Review Questions

221

9. You are performing a restructure of your NT 4 domain and have just

completed moving a set of user accounts to the target domain. You test the success of the move and discover that none of the accounts can access resources in the old resource domain. What should you have done prior to moving the accounts to ensure that they would still have access to the resources? A. You should have used a Windows 2000 migration tool. B. You did not reset their SIDHistory variable in the import process. C. You should have created the appropriate trust relationships

between the resource domains and the new target domain. D. You should have migrated the Primary Domain Controller of the

resource domain prior to moving the user accounts. 10. You are attempting to determine the nature and number of trusts in

your current domain. You want to use NETDOM for this task. If the domain name is Acct_Dom, the user name for the query is Administrator, and you want to be prompted for a password, what would you type at the command prompt? A. NETDOM /Domain:Acct_Dom /Username:Administrator /

PasswordD:* B. NETDOM /Domain:Acct_Dom /UserD:Administrator /

PasswordD:* C. NETDOM /Domain:Acct_Dom /Username:Administrator /

Password:* D. NETDOM /Domain:Acct_Dom /UserD:Administrator /

PasswordD:prompt 11. You are planning to restructure your Windows 2000 domains into a

single domain. Your network is operating a time-critical application that will not allow for any downtime during the restructure. Which migration tool would be best suited to help with this restructure? A. ADMT B. Move Tree C. ClonePrincipal D. NETDOM


www.sybex.com

222

Chapter 5


12. You have just completed your migration to Windows 2000. Your net-

work is deployed across three different physical locations, each with its own domain, and these domains have been implemented as Active Directory sites. You are planning to use a third-party Web server and have just removed Internet Information Services from all of your domain controllers. Your sites can no longer replicate. Why not? A. Active Directory depends on the presence of IIS to operate. B. Intra-site replication depends on the HTTP service for transport. C. Active Directory replication uses the FTP service in IIS for replication. D. Inter-site replication depends on the SMTP service for transport. 13. You have recently completed the upgrade of your domain to Win-

dows 2000. Your domain is running IPX/SPX as its exclusive network protocol. You want to install Active Directory, but the Install Wizard refuses to run. What is the problem? A. You need to install the NetBEUI protocol. B. You need to install the AppleLink protocol. C. You need to install TCP/IP. D. You need to install NetBIOS. 14. You are planning to migrate your Windows NT 4 network to Win-

dows 2000. Your network currently uses a complete trust model with over 20 domains for the 10 physical locations in your company. There are nearly 5000 users on the network, and there is a newly established administration team in the main office. Management would like to have the administrator take centralized control of the network. Which type of migration should you choose? A. Upgrade and restructure B. Restructure instead of upgrade C. Post-migration restructure D. Migration and restructure


www.sybex.com

Review Questions

223

15. You work for a company with over 100,000 employees in a central-

ized campus. You currently have a Windows NT 4 network using a Multiple Master Domain model. Your proposed plan calls for streamlining this structure as much as possible. Which type of migration should you choose? A. Upgrade and restructure B. Restructure instead of upgrade C. Post-migration restructure D. Migration and restructure 16. You are in the process of restructuring your network after upgrading

to Windows 2000. Which tool would you use to create new computer accounts in the target domain? A. ADMT B. Move Tree C. ClonePrincipal D. NETDOM 17. You are planning to migrate from Windows NT 4 to Windows 2000

using a restructure instead of upgrade method. What are the hardware requirements for the domain controllers in the source domain? A. Pentium 166, 64MB RAM B. 486DX, 16MB RAM C. Pentium II, 128MB RAM D. Dual AMD Athlon, 256MB RAM


www.sybex.com

224

Chapter 5


18. On which computer should you install the Active Directory Connector? A. The Exchange Server B. The Windows 2000 Schema Master C. Any Windows 2000 Server computer D. The Windows 2000 PDC Emulator 19. What is the relationship between replication partners called in

the ADC? A. Replication Agreement B. Connection Agreement C. Replication Set D. Connection Set 20. What are the servers called that define the endpoints of a Connection

Agreement? A. Replication Partners B. Connection Endpoints C. Bridgehead Servers D. Primary Connectors


www.sybex.com


225

Answers to Review Questions 1. C. In this scenario, the two networks are already using Windows 2000.

You can easily restructure by creating an empty root and moving the security principals to the new forest. 2. A. In a post-upgrade restructure, the restructure is part of the migra-

tion to Windows 2000 but is completed after the domains have been completely upgraded to Windows 2000 and switched to native mode. Using an empty target domain lets you move security principals by cloning them, leaving the production environment untouched until all accounts are ready to switch over to the new domain. 3. B. ClonePrincipal is a set of Visual Basic scripts that enable you to

copy security principals from an NT or Windows 2000 domain to a Windows 2000 domain without disturbing the original environment. 4. A. NETDOM can be used to enumerate the existing trusts in an NT or

Windows 2000 domain environment. 5. B. The first domain controller installed in a forest will have all five of

the Flexible Single Master Operations roles by default. You should install at least two other domain controllers with this one and distribute the FSMO roles among them in order to even the load. 6. B. The SIDs relative to the user and global groups from their account

domain, as well as any local groups from the computer performing the authentication, are included in the SID. This means that an NT 3.51 computer will not recognize any universal groups or global groups from other domains. 7. C. SIDHistory is a new feature of Active Directory that enables an

access token to carry not only the user’s current SID but also the previous SID assigned to the user. This permits resource access even though the SID has changed. 8. A. The migration tools provided with Windows 2000 or in the

Resource Kit understand the SIDHistory feature and maintain the original SID during the transfer to a new location in the target domain.


www.sybex.com

226

Chapter 5


9. C. Establishing trust relationships between the resource domains and

the new account domain will maintain the user’s ability to access the resources. 10. B. NETDOM can be used to enumerate trusts for a given domain. To

do this, use the /Domain switch to specify the domain to query, the /UserD switch to specify the user name, and the /PasswordD switch to specify the password. Placing an asterisk after the /PasswordD switch tells NETDOM to prompt you for the password. 11. C. ClonePrincipal enables you to clone security principals to a new

location without disrupting the original environment. 12. D. Inter-site replication between sites comprising different domains

uses the SMTP service for its transport protocol. 13. C. Active Directory requires TCP/IP as its primary network protocol. 14. B. I would recommend using the restructure instead of upgrade

method because the complete trust model is too ungainly for centralized administration. In addition, there aren’t enough users to require more than one domain. Even if you decide to use one domain per location, you could still accomplish this using a single tree. It would be more efficient to build a parallel structure to migrate to and then decommission the old network. 15. A. First upgrade the existing domains to Windows 2000. Then

restructure the network into a single domain. 16. D. NETDOM can do many things besides enumerating trusts. You

can use this tool to create new computer accounts in the target domain. 17. B. In this scenario, your domain controllers in the source domain must

be capable of running Windows NT 4. Answer B has the minimum hardware requirements for NT 4. 18. C. The Active Directory Connector can be installed on any Win-

dows 2000 Server on the network.


www.sybex.com


19. B. The Active Directory Connector uses Connection Agreements to

define the relationships between Exchange and Windows 2000. 20. C. Bridgehead Servers are the primary routes for replication traffic

between Exchange and Windows 2000. Bridgehead Servers are defined by the properties of the Connection Agreement.


www.sybex.com

227

Chapter

6

Using Target Domains for Migration MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Create or configure the Windows 2000 target domain or domains.

Create appropriate trusts.

Create organizational units (OUs).

Implement a given site design.

Implement group policies. Configure remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.


www.sybex.com

N

ow you’re ready to examine some hands-on methods for performing your migration. One of the tasks that I’ve referred to throughout this book has been the use of a target domain to aid in the migration. Let’s take a look at what this really means. In this chapter, you will learn about creating a target domain for your migration. You’ll learn how to establish trust relationships to maintain current resource access patterns for your users. We’ll discuss how to create an appropriate structure within the target domain to hold your objects. You’ll learn how to reapply policies to maintain your domain security during the migration. Finally, you will see how to reconfigure domain network services to provide connectivity during the migration.

Creating a Target Domain

T

arget domains are useful for migrations because they give you a chance to create a sensible domain structure. Earlier chapters in this book describe ways that target domains can be used for migrating to Windows 2000 or restructuring your existing domains after the migration. Essentially, a target domain is simply a place to move your security principals to when migrating or restructuring. When you look at it this way, it hardly seems like a big deal. However, there are a number of things that you will need to do to implement a target domain successfully.


Create or configure the Windows 2000 target domain or domains.


www.sybex.com


231

To create a target domain, you will need at least one computer to become a domain controller. When you decide to use a target domain, make certain you have planned your namespace and migration strategy carefully. Do I really need to say it again? Planning will save you a lot of time and effort in the long run. Make sure you know what the namespace should be for the target domain. Will this be a new root domain? Or will it be added to an existing forest? In a perfect world, you should install several domain controllers to distribute the load for the target domain. In the real world, you may not have the available servers until you are at least partially through your migration. It is a good idea to make sure that the first domain controller has lots of memory and processor power, as it will be handling all of the Operations Master roles. Windows 2000 in native mode uses Multiple Master replication, but for some functions to work there must be a single authority. This functionality is provided by the Operations Master roles. The Operations Masters are server roles that help an Active Directory network function. For example, the PDC Emulator (one of the roles) provides the services of a Primary Domain Controller to Windows NT domain controllers or applications that require communication with an NT PDC. Placing all roles upon the first domain controller in the forest can be a burden, so if possible install a couple more domain controllers and distribute the roles among them. Many companies view a migration as the perfect time to add additional servers to their network or to upgrade the type of servers being used. If this is true in your situation, then you will most likely have some extra servers to work with. EXERCISE 6.1

Creating a Target Domain Follow these basic steps to create a target domain:

1. Install Windows 2000 Server on a suitable computer. 2. Use the Active Directory Wizard to install Active Directory and make the server the first domain controller in a new domain. Your migration plan will determine whether this domain is a new forest, tree, or new domain in an existing forest.

3. Switch the target domain to native mode.


www.sybex.com

232

Chapter 6

Using Target Domains for Migration


4. Install additional servers if possible. 5. Create an appropriate Active Directory structure within the target domain. If you will need more than one target domain to establish your new network (such as when restructuring), you may need to duplicate these steps to create the full target environment.

6. Install the Windows Internet Name Service (WINS) in the target domain to assist computers in resolving NetBIOS names during the migration.

7. Establish trust relationships between the new domain and the existing resource domains so that as client computers are migrated to the target domain they will continue to have proper resource access.

8. Reestablish your System Policies using Group Policy Objects to maintain security after the move.

Following these steps will create a target domain. Creating a full target environment just involves repeating these steps with each new domain, though instead of creating a new forest or tree when installing Active Directory, you will be joining the existing target environment.

Using Trusts Trust relationships were always one of my least favorite areas when learning Windows NT. Now, however, years of experience have made them second nature. With Windows 2000, trusts are changing from what we’ve become comfortable with in the past. Fortunately for those of us who’ve had trouble with trusts in the past, Windows 2000 handles trusts within a forest automatically. But what about trusts between your existing network and the


www.sybex.com


233

target domain? This is an area where you will need to manually establish trust relationships with Windows 2000.



Create appropriate trusts.

A trust is a secure channel of communication between domains. Without these lines of communication in an NT network, you wouldn’t be able to scale the network beyond the 40,000-account limitation of Windows NT. Trusts let you assign permissions to accounts from another domain so those accounts can access resources in your domain. Logically, it’s as if the account is traveling across the trust. In reality this doesn’t happen, but it’s still a useful image. If your existing network is using either a Single Master or Multiple Master Domain model, your users are most likely using resources located on servers in the resource domains. During your migration or restructure, you will need to ensure that the users still have this access. The solution is to create trust relationships from the existing resource domains to the new root domain (assuming that the user accounts will be moving to the root domain). If the accounts will be moving to a domain other than the root, create the trusts from the resource domains to that new domain (where the accounts will be located). Figure 6.1 describes this process. FIGURE 6.1

Establishing new trusts

Acct_Dom

Sprockets.local

Target Domain Resource1

Resource2


www.sybex.com

234

Chapter 6


To create trusts in Windows 2000, you have a couple of options. You can use the NETDOM utility from the command prompt, or you can use the Active Directory Domains and Trusts console. We’ll explore NETDOM more fully in Chapter 7, “Migration Tools,” but for now let’s take a look at how to create trust relationships with Active Directory Domains and Trusts. ADDT provides a nice graphical user interface (GUI) for the creation of trusts. EXERCISE 6.2

Creating a Trust Using the Active Directory Domains and Trusts Console To create a trust using the Active Directory Domains and Trusts console, follow these steps:

1. Open the Active Directory Domains and Trusts console by clicking Start Run and typing in mmc /a. Click the Console menu and use the Add/Remove Snap-In command to add Active Directory Domains and Trusts. The window should look like the following graphic.


www.sybex.com



2. Expand the console tree for Active Directory Domains and Trusts to display the domains in your Active Directory structure.

3. Right-click the target domain and select Properties from the context menu.

4. Click the Trusts tab. It should look something like the following graphic.

5. Click the Add button beside the Domains That Trust This Domain list, and type in the domain name of the resource domain. You can also specify a password for additional security.

6. Click OK to apply this change. You can add more than one trust at a time using the same steps.

7. In the NT resource domain, open User Manager for Domains and click the Policies menu.


www.sybex.com

235

236

Chapter 6



8. Click Trust Relationships. 9. Click the Add button beside Trusted Domains and type in the name of the target domain. If you provided a password in step 5, enter it again. Click OK to attempt to complete the trust.

When creating trusts between NT and Windows 2000, the NT domain must have a method of resolving the NetBIOS name of the target domain. This may be an entry in the LMHosts file or a static entry in the WINS server’s database.

Now let’s see how to customize the Microsoft Management Console (MMC). EXERCISE 6.3

Customizing the Microsoft Management Console In this exercise, you will add the Active Directory Domains and Trusts snap-in to an empty MMC console. You can use this technique to create a customized administration tool that includes all of the tools you most commonly use.

1. Click Start Run, and type in mmc /a. This opens an empty MMC in author mode (meaning that you can change it).

2. Click the Console menu, and select Add/Remove Snap-In. 3. The Add/Remove Snap-In dialog contains a list of the currently installed snap-ins for this MMC. Click the Add button.

4. The Add Standalone Snap-In dialog opens. This dialog contains a list of all of the available snap-ins on the computer. Scroll down the list and select Active Directory Domains And Trusts. Click Add, and then click the Close button.


www.sybex.com


237


5. Click OK to close the Add/Remove Snap-Ins dialog. You can repeat these procedures to add as many snap-ins as you want to your custom console. When you are satisfied with the console, click the Console menu and select Save to save your customized MMC. You may choose to save it to your Desktop, so that all you have to do to open this console is double-click its icon on your Desktop.

Creating Organizational Units Your target domain may be used in the restructuring process, as outlined in Chapter 5, “Restructuring Your Network.” If this is the case, then you might be planning to collapse a large domain model into a single target domain with multiple organizational units (OUs). An OU is a sub-container of a domain and can be used to create an administrative hierarchy within a single domain. OUs enable you to apply a logical structure within your target domain to receive users, groups, and computers.



Create organizational units (OUs).

As an example, our fictitious company, Coolcompany Inc., is restructuring from a Master Domain model to a single Windows 2000 domain. Your company wants to maintain the current administration units within the new network. To accomplish this, you have already established the target domain, which is the root and only domain in the coolcompany.local namespace, and now you need to create OUs to map the existing domains to. Figure 6.2 shows your plan.


www.sybex.com

238

Chapter 6


FIGURE 6.2

Planning to restructure into a single Windows 2000 domain

IT

IT OU

Sales

Accounting

Original Domain

Accounting OU

Sales OU

Target Domain

When you perform your restructure, you will be using one of the methods described in Chapter 5 to move security principals from their existing locations to the appropriate OU in the target domain. Alternatively, you could simply move all of the security principals to the default containers in the target domain and then after the move divide them into OUs. EXERCISE 6.4

Creating an Organizational Unit in a Target Domain To create an organizational unit in your target domain, use the following steps:

1. Open Active Directory Users and Computers by clicking Start Programs Administrative Tools Active Directory Users And Computers.

2. Expand the console tree for your target domain.


www.sybex.com


239


3. Right-click your target domain and select New Organizational Unit from the context menu. This opens the following graphic.

4. Type in the name of the new OU, and click OK to save it and return to the Active Directory Users and Computers console.

Creating OUs is actually very simple. It’s the planning portion that is more difficult. You can create single OUs off the root of your domain, or you can nest them within other OUs, whichever seems most appropriate for your network’s needs. You can create an OU only inside a valid container, which can be a domain or an OU. If you plan on nesting OUs, Microsoft recommends going no more than four layers deep. Notice in Figure 6.3 that the Users container has a different icon than the Domain Controllers container. This is because the Domain Controllers container is an OU, and the Users container is not. Typically, you will always create your OUs off the root of the domain and not within the built-in containers, so this shouldn’t become an issue.


www.sybex.com

240

Chapter 6


FIGURE 6.3

The Active Directory Users and Computers console contains both OUs and built-in containers.

As an illustration of these points, let’s look again at our fictitious company, Coolcompany Inc. For this example, let’s say it has three physical locations—Boston, Seattle, and Dallas—with a domain in each. We’ll make Seattle the headquarters, and Boston and Dallas are each semi-autonomous operations. Where the physical locations are roughly equal in importance, it might be politically unwise to pick one of them to be the root domain and the others to be child domains. With this in mind, you decide to create a single Windows 2000 domain and will create separate OUs for each of the physical locations. Using this plan, you create a single domain, coolcompany.local and create a Seattle OU to contain the Seattle accounts, a Boston OU for the Boston accounts, and a Dallas OU for the Dallas accounts. You could then use either ClonePrincipal or the Active Directory Migration Tools to move the user accounts to the appropriate OU, and there you are. These tools are covered in depth in Chapter 7.


www.sybex.com


241

Creating Sites Many companies today operate across multiple physical locations with wide area network (WAN) links to connect the locations. In this scenario, it might be useful to create Active Directory sites to help optimize the traffic across those WAN links. In Active Directory terms, a site is one or more well-connected TCP/IP subnets organized for security and replication topology. In this definition, well-connected means fast and reliable connections. A dial-up modem link would not be considered well-connected, but a T1 would.



Implement a given site design.

It’s easy to create sites in Active Directory, but there are some planning issues to consider first. Sites are often used to assist in building a more efficient replication topology. Remember that all domain controllers must replicate with each other, and if the replication would have to go across WAN links, that could cause problems. With sites, the replication will occur locally, and then you can schedule when replication will happen across the WAN link. The transport protocols available for inter-site replication include Remote Procedure Calls (RPCs) over TCP/IP and the Simple Mail Transport Protocol (SMTP). RPCs enable fast, synchronous replication, while SMTP provides asynchronous replication that is often more efficient across slow or unreliable connections. Replication links can be scheduled, and the interval at which replication occurs between sites can be configured. But in order to use SMTP for the replication transport, you must have certificates enabled. SMTP is an inherently insecure protocol.


www.sybex.com

242

Chapter 6


On the exam, Microsoft typically refers to RPCs over TCP/IP as simply “IP replication.” They assume that you know what they mean.

EXERCISE 6.5

Creating a Site To create a new site for your forest, follow these steps:

1. Open Active Directory Sites and Services by clicking Start Programs Administrative Tools Active Directory Sites And Services. The console shown in the following graphic opens.


www.sybex.com


243


2. Expand the console tree to display the Sites container. Right-click the Sites container and select New Site from the context menu. The dialog shown in the following graphic opens.

3. Type in the name of the new site, and click OK to apply the new site.

So, now you’ve created a new site. That was easy, but there is one other thing we really should take care of while you’re in this console. Active Directory enables you to assign specific IP subnets to your sites. If you do this, any new computers installed in Active Directory will automatically become members of a site based on their IP address. For example, if SiteA has the assigned subnet of 10.5.0.0/16, and you create a new server with the IP address of 10.5.0.36, that server will automatically be made a member of SiteA.


www.sybex.com

244

Chapter 6


Windows 2000 uses a different format for describing IP addresses. Instead of the IP address and the explicit subnet mask, you will now see the IP address followed by the number of bits to be used for the mask. For example, instead of writing 10.1.0.0 with a mask of 255.255.0.0, you would write this subnet address as 10.1.0.0/16. This is a format used by most Unix systems including Linux, and it marks Microsoft’s effort to become more standardized in its IP networking. Get used to this format, as all of the Windows 2000 exams use it.

Going back to the example I made earlier with coolcompany.local and the three locations in Seattle, Boston, and Dallas, we could take the solution a little further by creating sites for each of the physical locations. You could then assign the IP subnets for the sites so that any computers installed will automatically be assigned to the correct site based on the IP address they are configured with. The user accounts are organized into OUs and are still available at any one of the sites.

Reapplying Policies and Rights If your NT network has been using System Policy and logon scripts for assigning security to your users, you will need to maintain this functionality during and after the migration to Windows 2000. This includes creating the same effect in your target domain. Windows 2000 uses Group Policy Objects (GPOs) to assign security to objects in the Active Directory. To maintain your network security during a migration or restructure, you will need to properly assign GPOs to the target domain or OUs.



Implement group policies.


www.sybex.com


245

I found when I started working with Windows 2000 Server that the best way for me to learn Group Policy was to experiment. The online Help for Windows 2000 Server has a lot of valuable information for Group Policy and will be a good resource to study before taking the exam. As I stated in the opening of this section, Group Policy is assigned through the use of a GPO. This object contains all of the policy settings that you define. The GPO is then linked to a specific container. GPOs can be used for distributing software and controlling the change management of that software, they can be used for assigning user rights, and they take the place of the System Policy from NT. Group Policy is an improvement over System Policy in that System Policy could be difficult (or impossible) to undo when you wanted to change the settings. Group Policy can be easily assigned, changed, even removed from the Registry. In Windows 2000, when you remove or change an existing policy, the settings are actually removed from the Registry correctly, as opposed to the method that NT used. NT was notorious for leaving System Policy settings in the Registry after they had been removed. As an example of two policies that should be implemented in your network with System Policy, let’s use the policy to not display the last logged on user name and the policy to display a logon banner in the following exercise. In System Policy Editor in NT 4, you would set these policies under the Default Computer Policy Windows NT System options, and you would check Logon Banner and Do Not Display Last Logged On User Name. For the Logon Banner settings, you would also define the text to display for both the title bar and the content of the banner window. EXERCISE 6.6

Implementing Group Policies To accomplish the same policies on Windows 2000 in your target domain, do the following:

1. Open Active Directory Users and Computers by clicking Start Programs Administrative Tools Active Directory Users And Computers.


www.sybex.com

246

Chapter 6



2. Right-click the container for which you want to create a GPO. This can be a domain, a site, or an OU. Select Properties from the context menu.

3. Click the Group Policy tab. 4. Click the New button to create a new GPO. Type in the name for the new GPO and press Enter. The dialog should now look something like the following graphic.


www.sybex.com



5. Highlight the new GPO and click the Edit button. This will open a new Group Policy console, as shown in the next graphic.

6. To edit the policies used for our example, expand Computer Configuration Windows Settings Security Settings Local Policies Security Options.

7. Double-click Do Not Display Last User Name In Logon Screen to open the Security Policy Setting dialog, and place a check mark in the Define This Policy Setting checkbox. Click the Enabled radio button, and then click OK to return to the Group Policy console. The Security Policy Setting dialog can be seen in the following graphic.


www.sybex.com

247

248

Chapter 6



8. Double-click Message Text For Users Attempting To Log On to open the Security Policy Setting dialog for this setting. Check the Define This Policy Setting checkbox and enter the message you want to display in the text box provided. Click OK when you are satisfied with the message.

9. Repeat the last step for the Message Title For Users Attempting To Logon policy setting, and enter the text you want to appear in the title bar of the logon banner window. Click OK to save the setting.

10. Close the Group Policy console to return to the Group Policy tab of the container Properties dialog. Highlight the new GPO and click the Add button.

11. Click the Links tab. Use the drop-down list box to display the name of the target domain, and then click Find Now. This will display the list of containers to which you can link this GPO. Highlight the container that you want to link this GPO to, and then click OK.

12. Click Close on the container’s Properties dialog. You’ve just assigned a GPO to a container in your target domain!

Configuring Network Services

R

emember that when you’re using a target domain, you are trying to maintain users’ access abilities during the migration and/or restructure. To accomplish this, you must configure some of your network services to provide access for users who are being transitioned from their old domain to the target


www.sybex.com


249

environment. In the following sections, we will examine these requirements for each of the major network services that will be affected by the move.



Configure remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.

The network services affected by a migration or restructure will vary from network to network, but these sections cover the principal issues that will be covered on the exam.

Configuring RAS In Windows NT, the only permissions you could set on the Remote Access Service (RAS) was to grant or deny dial-up permission through User Manager for Domains or the RAS Administration Tool. Windows 2000 has this ability but also adds Remote Access Policies for additional security control. RAS gives you the ability to provide dial-up service to your remote clients and provides only basic security. RAS depends on the operating system to provide security. That’s where the Remote Access Policies come in. Windows 2000 provides sophisticated security for RAS through the use of Remote Access Policies, which can define a person’s ability to access the RAS server and the network beyond. RAS policies are available only when running in native mode. Both the Routing and Remote Access Service (RRAS) and the Internet Authentication Service use Remote Access Policies to determine whether they should accept connection attempts. Remote Access Policies are used to authenticate connections on a per-call basis. In order for a user to be granted dial-up access to a Windows 2000 Server, they must first have the dial-up permission granted in their user account, and then they must meet at least one of the Remote Access Policies defined for that RRAS server. If these conditions are met, the user will be granted access.


www.sybex.com

250

Chapter 6


Remote Access Policies are always stored locally on the RRAS server and not elsewhere in the domain or in Active Directory. EXERCISE 6.7

Creating or Modifying Remote Access Policies To create or modify Remote Access Policies, use these steps:

1. Open Routing and Remote Access by clicking Start Programs Administrative Tools Routing And Remote Access.

2. If this is the first time you’ve opened this console, you will need to activate RRAS. To do this, right-click your server name in the left pane of Routing and Remote Access, and select Configure And Enable Routing And Remote Access. If a domain controller is present on the network, RRAS will attempt to register itself in the Active Directory. The window should look like the following graphic.


www.sybex.com



3. Click Remote Access Policies to view the currently installed policies. By default, there is only one policy defined, and that is Allow Access If Dial-in Permission Is Enabled.

4. Double-click the policy to open the Settings dialog for this policy. Notice that the default schedule is to allow 24x7 access, but that the default action is to deny access. This configuration means that even if your account has been granted dial-in permission, you will be denied access by default. The Settings dialog is shown in the following graphic. Note that this is different than Windows NT, which gave users dial-in permissions once their account was granted access. Windows 2000 provides this additional step as an increased security measure.

5. For the purpose of your target domain, you will most likely want to change the radio button to Grant Remote Access Permission if you still want to control RAS access through the account permissions as users are moved to the target environment.


www.sybex.com

251

252

Chapter 6


Take a look at the other possible settings while you’re examining the Remote Access Policies. You can set policies to control individual user access through RRAS, control the time of day that they can log on, and even set the amount of time that they can be connected. During the migration or restructure, the most important aspect of RAS is to continue to provide the same level of access that users currently have.

Configuring Protocols Network protocols are somewhat simpler in Windows 2000: You must have the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is the industry-standard suite of protocols that powers the Internet and is the most widely adopted set of protocols in networking today. If you are going to use Active Directory, you need to install and configure TCP/IP, as all of the services supporting Active Directory require TCP/IP to communicate. Of course, you can still use other protocols on your servers and client computers if you wish, but the servers need TCP/IP. Most networks that I have worked with in the last couple of years have been running TCP/IP exclusively, but this may not be the case on your network. If not, then you will want to either convert the entire network to TCP/IP or install it on the servers alone. When configuring TCP/IP, consider things like subnetting, routing, and Internet access. Will you be taking advantage of the new features of TCP/IP networking in Windows 2000, such as IPSec? If so, then you will need to have a plan of action for the implementation.

Configuring DHCP The Dynamic Host Configuration Protocol (DHCP) is an important part of your network services in most networks. DHCP can be implemented on an NT Server, Windows 2000 Server, other operating system server such as Linux or Unix, or even a router. Whichever method you choose, you should implement a DHCP server that supports the Dynamic DNS Update functions. The Domain Name System (DNS) resolves Internet host and domain names to IP addresses. Windows 2000 uses DNS almost exclusively for name resolution. DHCP plays a part in supporting the Dynamic DNS service found on Windows 2000 by reporting the inverse lookup (PTR) record for a client computer to the DNS server when the client obtains its address lease. The client will then notify the DNS server (if the client understands Dynamic


www.sybex.com


253

DNS Update) of its forward lookup information. If the client operating system doesn’t support Dynamic DNS Update, then the DHCP server should be configured to inform the DNS server of both the forward and reverse lookup information. EXERCISE 6.8

Configuring DHCP to Support Dynamic DNS Updates To enable the Windows 2000 DHCP server to support Dynamic DNS updates for all clients, use these steps:

1. Open the DHCP console by clicking Start Programs Administrative Tools DHCP.

2. Right-click the entry for your DHCP server name in the right pane, and select Properties from the context menu.

3. Click the DNS tab to open the dialog shown in the graphic below.

4. The default setting of Automatically Update DHCP Client Information In DNS should be checked. Click the second radio button under it to Always Update DNS.


www.sybex.com

254

Chapter 6



5. Place a check in the box for Enable Updates For DNS Clients That Do Not Support Dynamic Update. This will cause the DHCP server to provide all dynamic information to the DNS server for every client that gets an address from it.

6. Click the OK button to apply the changes and exit the Properties dialog.

The other major consideration for Microsoft DHCP servers is that they must be authorized in Active Directory before they can issue any client addresses leases. Windows 2000 uses the DHCP_INFORM packet to query DHCP servers for information. If the server is not listed in Active Directory, the local Windows 2000 Server will tell that DHCP service to stop. What this means is that if you fail to authorize your DHCP servers, no one will get addresses from it. To authorize your Microsoft Windows 2000 DHCP server, right-click the server name in the left pane of the DHCP console, and select Authorize from the context menu.

Configuring Directory Replication Windows 2000 does not support the Directory Replication service in NT, also known as LAN Manager Replication. Windows 2000 uses a service called the File Replication Service (FRS) to accomplish all replication. Every Windows 2000 domain controller has a folder called Sysvol, for System Volume. The Sysvol contains replicated information that is shared among all domain controllers. Unlike NT’s LAN Manager Replication, in which any NT computer could act as an import computer, only domain controllers can participate in FRS. Because the two services are incompatible, you will need to plan a way to support both during the move to the target environment. Your target domain is most likely going to be a native-mode Windows 2000 environment, and if so you will be using the FRS exclusively. If this is the case, then you need to use the appropriate scripts to convert your logon scripts from NT to Windows 2000 capabilities through the use of Group Policy. But if your replication is being used to move data files from one location to another, or if


www.sybex.com


255

you need to maintain a mixed environment of Windows 2000 and NT computers participating in replication, then you need to form a replication bridge. To assist with this process, Microsoft recommends creating a batch file called L-bridge.cmd to copy the contents of one folder to another, which can then be scheduled to run at regular intervals. First of all, determine which NT Server is the export server and which Windows 2000 domain controller will push files to that server. You would then use a batch file containing something similar to the following: Xcopy \\coolcompany.local\SYSVOL\coolcompany.local\scripts \\Server5\Export\Scripts /s /D The /s switch tells Xcopy to copy all subfolders unless they are empty, and the /D switch tells it to copy only new files. This helps to create a current image and to optimize the process by copying only new files and not overwriting existing files. A sample of an L-bridge.cmd file is included on the Windows 2000 Server Resource Kit CD-ROM.

As an alternative to Xcopy, Microsoft has provided a utility called ROBOCOPY. ROBOCOPY’s biggest asset is its ability to synchronize folders automatically.

Microsoft recommends that you disable the Directory Replication service prior to upgrading a server to Windows 2000, so that there won’t be any legacy services once the upgrade is complete.

Configuring WINS and NetBIOS One of the things I’ve been looking forward to most with Windows 2000 has been the opportunity to remove NetBIOS services from my network. Windows 2000 requires NetBIOS only for its clustering service. NetBIOS isn’t needed at all for a pure Windows 2000 environment, though you should carefully check to see if you are using any network applications that require the presence of NetBIOS. Also be aware that if you wish to restrict users to specific workstations, you will be required to keep the NetBIOS service. The Windows Internet Name Service (WINS) provides a method of NetBIOS-name-to-IP-address resolution for client computers that have been dynamically addressed through DHCP. WINS also helps clients to browse a multiple-segment network by storing browse information for different domains. These services are most likely in use on your current NT network,


www.sybex.com

256

Chapter 6


especially if you have Windows 9x clients. WINS also serves one more purpose that Dynamic DNS doesn’t—WINS prevents duplicate computer names on the network. DDNS doesn’t care if two computers with the same name are on the same network. When configuring your target environment, you should still be using NetBIOS and WINS to support client computers and users who are being moved to the new domain. WINS in particular will assist network clients to access existing resources in NT domains. NT networks use NetBIOS names to communicate with each other. Maintaining that support is easy in Windows 2000 and will help your users make a smoother transition. When everyone has been migrated to the target environment, and all services and applications are running fine, you can consider disabling NetBIOS and WINS in your network. There is also another possibility for reducing the use of NetBIOS over your Windows 2000 network: The DHCP server in Windows 2000 provides the advanced option to disable NetBIOS services for all Windows 2000 computers that receive an IP address from that DHCP server. You would find this option under the properties for the Server Options in the DHCP console.

Configuring Third-Party DNS Many organizations are using Unix servers to provide their DNS services and plan to continue doing so after they migrate to Windows 2000. While there are definite benefits to using the DNS server in Windows 2000, there is absolutely nothing wrong with using a third-party DNS server. Remember, though, that Active Directory really wants to have the dynamic update capability (defined in RFC 2136) in DNS and requires support for the new SRV record type for services. Fortunately for you Unix fans out there, the latest versions of BIND (versions 8.1.2 and higher) are capable of supporting dynamic updates and the SRV record type. This means that you can successfully integrate Unix computers running BIND into your Windows 2000 environment.

For test purposes, BIND version 8.1.2 is sufficient to support a Windows 2000 domain. However, you should strongly consider using the most current BIND version available.


www.sybex.com


257

The only difficulty I have encountered with this plan is supporting the special sub-domains that Windows 2000 uses for Active Directory. The problem arises from the use of the underscore (_) character in the name of the subdomain. The sub-domains are named as follows: _msdcs Contains information to assist Active Directory servers in locating other domain controllers. _sites Contains sub-domains for each site in Active Directory. _tcp Maintains SRV records for TCP-specific services. _udp Contains, you guessed it, SRV records for UDP-specific services. Together these sub-domains support the DNS functions of Active Directory and are crucial to its successful operation. The Internet Software Consortium (ISC) maintains all development for BIND and has a wonderful set of documentation discussing the configuration of BIND on their Web site. The Frequently Asked Questions (FAQ) pages in particular are useful in resolving this issue with Windows 2000. ISC recommends that these subdomains that are required by Active Directory be created as separate zones and that the default name-checking value be set to ignore the name of the zone. To accomplish this, you can place code similar to the following in your /etc/named.conf file: zone "_msdcs.sprockets.local" { type master; file "_msdcs.sprockets.db"; check-names ignore; allow-update { localnets; }; }; This code identifies the name of the new zone as _msdcs.sprockets .local and that it is a master (primary) zone. The file statement identifies the actual file containing the zone information as _msdcs.sprockets.db. Check-names ignore turns off the default name-checking behavior for this zone, and allow-update tells the server to accept dynamic updates for this zone. For more information, consult ISC’s Web site at http:// www.isc.org/products/BIND/. To migrate your third-party DNS servers to Windows 2000 DNS servers, install Windows 2000 and configure the DNS server service with a secondary zone. Once the zone has been transferred, you can reconfigure the secondary zone as a primary zone and redistribute DNS replication as needed.


www.sybex.com

258

Chapter 6


Migration Strategy You work for a large network integration firm. Your internal design consultants have determined that the best way to upgrade to Windows 2000 is to create a pristine environment and then move users and resources into it in an orderly manner. You have been given the task of creating a checklist for field technicians that they can use to ensure that all necessary steps have been taken. Things to consider:

What hardware is necessary for the first Windows 2000 domain controller?

Should additional domain controllers be mandated in the pristine environment?

What trusts need to be established during the migration period?

Is WINS necessary and, if so, how should it be configured?

Is the client using Windows 2000–based DNS, and if not, is their current DNS service adequate?

Summary

I

n this chapter, you learned how to create and configure a target domain for use in migrating or restructuring to Windows 2000. You then learned about trusts and how to create organizational units and sites in Active Directory to give your target environment structure. Later in the chapter, we discussed how to convert System Policies from NT to Group Policy in Windows 2000. Last, we examined how to configure your network protocols and services for the target environment. Those services include RAS, DHCP, Replication, WINS, and DNS.


www.sybex.com

Summary

259

Key Terms Before you take the exam, be sure you’re familiar with the following terms: File Replication Service Group Policy Objects L-bridge.cmd linked organizational unit (OU) Remote Access Policies Remote Access Service Remote Procedure Calls Simple Mail Transport Protocol sites target domains Transmission Control Protocol/Internet Protocol trust relationships wide area network (WAN)


www.sybex.com

260

Chapter 6


Review Questions 1. When is it useful to create a target domain? (Choose all that apply.) A. For use in restructuring a network B. When changing the name of a Windows 2000 network C. When migrating to Windows 2000 D. To support your Unix servers 2. Why is it a good idea to install additional domain controllers in the

target domain before migrating/restructuring? A. To distribute the WINS load. B. To distribute the FSMO roles. C. It’s always a good idea to have backup domain controllers in a

domain. D. To establish Active Directory replication. 3. Your network currently uses Unix servers running BIND version 4.9.7.

You are planning to migrate to Windows 2000 and are concerned about compatibility. What must you do to support Windows 2000? (Choose all that apply.) A. Reinstall all of those Unix servers with Windows 2000. B. Upgrade to BIND version 8.1.2 or higher. C. Use the Unix servers as secondary or caching DNS servers. D. Place all of the Unix servers on their own subnet.


www.sybex.com

Review Questions

261

4. You are creating a target domain for use while migrating your net-

work from NT 4 to Windows 2000. You are concerned about maintaining resource access for your users. What should you do to ensure that migrated users would have proper resource access during the migration to the target domain? A. Create explicit trusts from the resource domains to the target

domain. B. Create explicit trusts from the target domain to the resource

domains. C. Create implicit trusts from the root domain to the target domain. D. Create a transitive trust between the target domain and the NT 4

account domain. 5. You are migrating your network from NT 4 to Windows 2000. You

want to implement dial-in policies for users that are accessing the network remotely. What must you do to enable Remote Access Policies on your network? A. Grant users dial-in access. B. Enable Remote Access Policies in Active Directory Users and

Computers. C. Convert the domain to native mode. D. Convert the domain to mixed mode. 6. What service does Windows 2000 use to replicate files and Active

Directory information between servers? A. LMRepl B. EFS C. Dfs D. FRS


www.sybex.com

262

Chapter 6


7. You are upgrading your Windows NT domain to Windows 2000.

The security specialist at your company is concerned that the security policies applied in Windows NT will not be carried over to Windows 2000. What can you say to make the security specialist less concerned? A. Nothing. Windows 2000 does not provide the same level of secur-

ity through policies as Windows NT did. B. You can convert your Windows NT System Policies to Win-

dows 2000 Group Policies through the use of POLEDIT. C. Windows 2000 provides Group Policies that can enforce the

desired security settings. D. Windows 2000 provides System Policies as well, which can enforce

the desired security settings. 8. You are tired of opening and closing all of the different Active Direc-

tory consoles to administer your Windows 2000 domain. You would like to customize the Microsoft Management Console to hold all of the snap-ins that you commonly use. What command will enable you to do this? A. mmc /change B. mmc /custom C. mmc /c D. mmc /a 9. You are trying to create a Group Policy Object for the Users container

in Active Directory Users and Computers. When you open the Properties for the Users container, there is no Group Policy tab. Why not? A. The Users container is not an OU. B. The Users container must first be set to author mode. C. You don’t have permission to create a GPO. D. You should be using the Active Directory Group Policy console

instead.


www.sybex.com

Review Questions

263

10. You are migrating from NT 4 to Windows 2000. You have a number

of users with dial-up permission that allows them to access a RAS server from home. When you migrate to Windows 2000, what will their default RAS access be? A. They will be set to Access Controlled by Remote Access Policies. B. They will be set to Deny Access. C. They will be granted access by default. D. The users with dial-up permission in their user accounts will have

access, but no one else will. 11. You are planning to migrate your network to Windows 2000. Your

network is currently using the NetBEUI protocol. What must you do before you can install Windows 2000? A. Install TCP/IP. B. Remove NetBEUI. C. Install a routable protocol. D. Do nothing. 12. You are planning to migrate your network to Windows 2000. Your

network is currently using the NetBEUI protocol. What must you do before you can install Active Directory? A. Install TCP/IP. B. Remove NetBEUI. C. Install a routable protocol. D. Do nothing. 13. Windows 2000 Active Directory requires the presence of what type of

resource record in a DNS server? A. SERV B. CNAME C. SRV D. DYNAMIC


www.sybex.com

264

Chapter 6


14. You have created three sites for your single domain network. You are

trying to configure inter-site replication to use asynchronous SMTP transports for replication, but you cannot. Why not? A. You should be using POP3 instead. B. You don’t have the Internet Information Services installed to pro-

vide SMTP. C. SMTP is used only for intra-site replication. D. You have domain controllers for a single domain in all of the sites. 15. You have just upgraded your primary domain controller to Win-

dows 2000. The PDC was configured to be an export server for Directory Replication. You notice that since the upgrade was completed, the logon scripts aren’t being replicated. Why not? A. Windows 2000 can only be an import server for Directory

Replication. B. The Directory Replication service is not supported on Win-

dows 2000. C. Directory Replication must first be authorized in Active Directory. D. You must restart the Directory Replication service after the

upgrade. 16. When a client receives an address lease from DHCP in Windows 2000,

how is the DNS server updated? (Choose all that apply.) A. The client updates the forward lookup zone. B. The client updates the inverse lookup zone. C. The DHCP server updates the forward lookup zone. D. The DHCP server updates the inverse lookup zone.


www.sybex.com

Review Questions

265

17. You are migrating from NT to Windows 2000 and are trying to create

a process to help Directory Replication and FRS coexist. What file should you use to assist with this process? A. LM-bridge.bat B. L-bridge.bat C. L-bridge.cmd D. LM-bridge.cmd 18. What purpose does the Windows Internet Name Service (WINS) play

in Active Directory? A. It resolves the NetBIOS names of the domain controllers for

replication. B. None at all. C. It provides hostname resolution for domain controllers. D. It enables client computers to find the domain controllers. 19. Which administrative tool should you use to create an OU in your tar-

get domain? A. Active Directory Sites and Services B. Active Directory Organizational Units C. Active Directory Users and Computers D. Active Directory Domains and Trusts 20. Why is it useful to assign IP subnets to your sites? A. It helps to be more organized. B. Sites can only contain a single subnet. C. Any new computer you install will automatically be assigned to a

site based on its IP address. D. If you assign the subnets to a site, you will be able to use SMTP for

inter-site replication.


www.sybex.com

266

Chapter 6


Answers to Review Questions 1. A and C. Target domains are useful for either restructuring or migrat-

ing to Windows 2000, as they give you a place to move your security principals to. 2. B. By default, the first Windows 2000 domain controller in an Active

Directory network will have all five of the Operations Master roles. It’s a good idea to distribute this load for better performance during the restructure or migration. 3. B or C. Upgrading to BIND 8.1.2 or later would be the preferred

alternative for most organizations, though you could easily delegate these servers to a secondary or caching server role. 4. A. Creating trust relationships so that the resource domains trust the

target domain will ensure that any security principal moved to the target domain will still be able to access resources in the resource domains. 5. C. Remote Access Policies are available only in domains running in

native mode. 6. D. LMRepl is the replication service used by Windows NT and is not

supported by Windows 2000. EFS and Dfs, while supported by Windows 2000, do not specifically deal with Active Directory replication. The only correct answer is FRS, or the File Replication Service. 7. C. Windows 2000 replaced the antiquated System Policy structure

with Group Policies. Group Policies are more easily applied and removed than System Policies and offer a wider variety of security options. 8. D. mmc /a will open an empty console in author mode, which will

enable you to add and remove snap-ins to create a customized console tool. 9. A. GPOs can only be assigned to domains, sites, or OUs. The Users

container is not one of these.


www.sybex.com


267

10. B. The default combination of permissions in Remote Access Policy is

to permit 24x7 access, but also to deny access. The effective permission is Deny Access by default for all users. 11. D. In this case, doing nothing is correct. You can install Windows 2000

on a network that is using NetBEUI. 12. A. Active Directory requires the presence of the TCP/IP protocol suite

in order to install or function. 13. C. The SRV resource record is a service locator and is used by Win-

dows 2000 to locate various network services such as Kerberos. 14. D. You must have IIS installed to make SMTP available for replication

in your domain. 15. B. The Directory Replication service has been replaced by the File

Replication Service and is not supported on Windows 2000. 16. A and D. The dynamic update process default behavior is for the

DHCP server to update the inverse lookup zone and the client to update the forward lookup zone. 17. C. Microsoft recommends the use of a script by the name of

L-bridge.cmd for the purpose of copying files from the Sysvol folder on the Windows 2000 domain controller to the Export folder on the NT computer. 18. B. Windows 2000 doesn’t require the presence of NetBIOS and does

not use WINS for name resolution. 19. C. You would use Active Directory Users and Computers to create

OUs within a domain. 20. C. When IP subnets are assigned to specific sites, new computers will

be automatically placed in the sites based on their IP address.


www.sybex.com

Chapter

7

Migration Tools MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Select and configure tools, including ADMT, ClonePrincipal, MoveTree, NETDOM, and the Windows 2000 Resource Kit tools. Migrate global groups and user accounts. Migrate local groups and computer accounts. Troubleshoot tool issues for domain restructures. Considerations include ADMT, ClonePrincipal, NETDOM, MoveTree, and Windows 2000 Resource Kit tools. Perform post-migration tasks.

Verify success of object migrations.


www.sybex.com

S

o after all this talk about planning for your migration, you’re probably still wondering how to use some of those neat tools. Fret no longer! This is the chapter you’ve been waiting for. In this chapter, you will learn how to install and configure the migration tools for Windows 2000. You will also learn how to troubleshoot problems that may arise while using these tools. The migration tools play a vital part in your migration—and in some cases, even restructuring your network. You will need to be very familiar with them before using them in a production environment. You will also need to be familiar with them to pass the exam.

Selecting the Right Tools for the Job

You could choose a number of tools for the job of migrating your network to Windows 2000, but then again, you knew I’d say that. Microsoft has provided some tools with the Windows 2000 CD-ROM, and more are available on Microsoft’s Web site for free download. There will also likely be many more tools available from third-party software vendors over the coming months that will enhance the planning and testing of your domain migration, so watch for those. For the exam, Microsoft wants you to be aware of some of the key tools that they provide, such as Active Directory Migration Tool, ClonePrincipal, MoveTree, and NETDOM. In this chapter, we’ll take a closer look at these tools and show how they can be used to migrate to Active Directory.


www.sybex.com

Configuring Your Migration Tools

271


In an effort to get you better acquainted with the tools, we will review their specifications one by one, discuss how to use them alone as well as in different settings, and then move into the last section and tackle troubleshooting.


Select and configure tools, including ADMT, ClonePrincipal, MoveTree, NETDOM, and the Windows 2000 Resource Kit tools.

While reviewing this next section, it’s important to pay attention not only to how to configure these tools but also to all of their components. It’s critical that you know the tools as well as how to configure them. Passing the exam is only the first step to real-life application and migration.

Active Directory Migration Tool (ADMT) Heads up! This topic may be one that causes a lot of problems on the exam. The exam objectives call for knowledge about Active Directory Migration Tool (ADMT), but the normal courseware and self-study guides offered by Microsoft don’t cover the tool. ADMT is a Microsoft Management Console (MMC) composed of several wizards to help you migrate information from an NT 4 or earlier domain to your Windows 2000 Active Directory domain. The opening window of ADMT is shown in Figure 7.1. This tool can be a great help in a complex move, but it has some difficulties of its own. The online help for ADMT is fairly complete, but I found that I had to read between the lines in order to solve some of the problems that I encountered when using the tool for the first time.


www.sybex.com

272

Chapter 7

Migration Tools

FIGURE 7.1

The Active Directory Migration Tool

The ADMT wizards perform most of the work associated with the actual migration from your source domain to the new Windows 2000 environment. The wizards include the following: User Migration Wizard This wizard migrates user accounts from the source domain to the target domain. It can move a single account or a large number of accounts at once. The User Migration Wizard includes options to rename accounts for easy identification after the migration or to assist with preventing name conflicts. Group Migration Wizard As the name implies, this wizard migrates groups from the source domain to the target domain. Note that it will not migrate the built-in group accounts, since this would cause a Security Identifier (SID) conflict. Built-in accounts have the same SID on all domains, so the ADMT wizards will ignore these accounts. Computer Migration Wizard This wizard moves the existing NT computer accounts from the source domain to the target domain. Security Translation Wizard This wizard translates the existing security policies for the source domain into the format used by Windows 2000 and migrates them to the target domain.


www.sybex.com


273

Reporting Wizard The Reporting Wizard includes several options for creating reports that aid in planning the real migration. Options include a report on potential name conflicts, expired computer accounts, and accounts that can be safely migrated. Service Account Migration Wizard This wizard migrates any accounts used for services. An example of this would be the user account that SQL Server uses to communicate with other SQL Servers for replication. Exchange Directory Migration Wizard This wizard aids in bringing accounts from Exchange Server into Active Directory. The Exchange Directory can be used to populate your Active Directory if you so desire, though this may not be the best way to fill your Directory since the Exchange Directory won’t have the same properties for the accounts. Undo Wizard This is great! It’s like an eraser for a migration. The Undo Wizard will attempt to undo a migration action. If it can, it will move accounts back to the source domain. Retry Tasks Wizard So you accidentally exited out of a wizard before it had a chance to complete its work? This wizard will attempt to complete the tasks that were cancelled. If this doesn’t work, perhaps you will want to consider the Undo Wizard. Trust Migration Wizard This wizard migrates existing trusts to the target domain. This is really useful when migrating an NT 4 domain to a Windows 2000 target domain. When complete, the target domain will have the same trust relationships that the source domain had, thereby preventing any failed permissions issues across the trusts. Group Mapping and Migration Wizard This wizard helps you prepare your existing group accounts in the source domain for the migration to the target domain. It helps prevent name conflicts by merging two groups with the same name. The first step in preparing to use ADMT is to create a target domain structure, where all of your existing domains will be migrated. Be sure to pick computers that have enough hardware resources to handle the load of being the first domain controllers in the target domain. Remember that the first domain controller in a domain will have all five of the FSMO roles by default. You can read more about ADMT at http://www.microsoft.com/ WINDOWS2000/guide/server/solutions/admt.asp.


www.sybex.com

274

Chapter 7

Migration Tools

Installing ADMT The next step is to install Active Directory Migration Tool. ADMT must be installed on a domain controller in the target domain. You must ensure that the domain controller has at least the following minimum hardware requirements to run ADMT:

Pentium II or later CPU

Adequate memory for the migration process: minimum of 10MB of available RAM for the process and 4KB per user to be migrated

At least 35MB of free disk space for the tool itself (around 7MB) and for the data and log files

To install the ADMT software on your target domain controller, execute the self-extracting file ADMT.exe and answer the prompts. About the only real decision you will be asked to make (aside from accepting the license agreement) concerns the folder location to install to. This Setup Wizard is really very simple. You can just accept all of the defaults and be very happy with the results in most cases. ADMT works by transmitting an Agent to the old domain controller. The Agent is initiated by your logged-on user credentials (which must have administrator rights on the local and source domains), and then it is sent to the source domain. The Agent will run there as a system process, then write data back to the target domain. The ADMT Agent can run on the following operating systems:

Windows NT 3.51 with Service Pack 5 (Intel and Alpha platforms)

Windows NT 4 with Service Pack 4 or higher (Intel and Alpha platforms)

Windows 2000

Just to be very clear, and to help you avoid a problem that caused me grief for a while, you need to establish a two-way trust between the source and target domains and then add yourself to the built-in local administrators group on the source domain. That way, when you log on to the computer where you will be running ADMT in the target domain, your account will also have administrative permissions on the source domain. Since the migration process will be run using your user credentials on both domains, your account needs administrative rights on both domains.


www.sybex.com


275

ADMT is not included with the Windows 2000 product. Instead, you will need to download it from Microsoft’s Web site at http://www.microsoft .com/windows2000/downloads/deployment/admt/default.asp. EXERCISE 7.1

Installing Active Directory Migration Tool To perform this exercise, you must first download ADMT from the URL listed above. This exercise will lead you through the necessary steps to install ADMT on your computer. Note the hardware requirements for ADMT listed earlier in this chapter and make sure that your computer meets these requirements. The computer should be a domain controller, but ADMT will install on a member server.

1. Open My Computer and browse to the location where you saved the ADMT.exe self-extracting archive file.

2. Double-click the file to begin the extraction and installation. 3. Click Next on the opening banner page for the Active Directory Migration Tool Setup Wizard. The second page is the license agreement. Click the radio button to accept the license agreement, then click Next.

4. Select an installation path for the program. The default is to install it in your Program Files folder. Click Next to proceed.

5. Click Next to begin the installation. The files will now be copied to your hard disk. When Setup completes, click Finish to exit the Setup Wizard. Now that you have installed ADMT, let’s verify that it is working on your computer.

6. Open Start Programs Administrative Tools Active Directory Migration Tool. You will most likely find this at the bottom of the Administrative Tools Group menu.


www.sybex.com

276

Chapter 7

Migration Tools


7. Click the Reports icon in the console tree. If you now see a set of instructions in the right pane of the Migrator console describing the Reports Wizard, you have correctly installed ADMT.

Configuring ADMT Once you’ve installed the ADMT software on a domain controller in the target domain, you are ready to configure the software to work with the source domain. Again, remember that you need to establish a two-way trust between the source and target domains. Also, add the Domain Admins global groups from each domain to each other’s local Administrators group to ensure that you have administrative rights on both domains. These are critical steps. Most of the configuration of ADMT falls into the category of preparation. Before attempting any kind of migration, be sure to synchronize the system clocks on all domain controllers. Very likely, you already do this on your network, but if not you can use the following command to synchronize the clock on a computer with a time server (a computer whose time will be used as the guide for all other computers): net time \\computername /set, where computername is the name of the time server. This is a good command to place in your logon scripts for clients and a good command to schedule on your domain controllers. Another interesting pre-migration step for ADMT is to empty the Recycle Bin for all user accounts that are to be migrated before performing the migration. This will prevent the accounts from generating an error that the Recycle Bin is corrupted. The error is generally considered harmless, in that you can simply delete the contents of the Recycle Bin and everything will be fine. But to avoid the errors, simply empty the Recycle Bin prior to performing the migration. To use ADMT successfully, the following items must be configured: The target domain must be in native mode. ADMT requires the use of the SIDHistory feature to correctly migrate security principals from the source domain to the target environment. SIDHistory is available only in native mode.


www.sybex.com


277

The source domain must either be an NT 4 domain or be in the same forest. The source domain can be either an NT 4 or Windows 2000 environment. If it is Windows 2000, it can be in either native or mixed mode, but it must be in the same forest as the target domain. A new local group should be created in the target domain. ADMT will create a group called SourceDomainName$$$ in the source domain if it can, but Microsoft recommends that you create the group manually. The group should be a local group on the domain controller where ADMT is being run. The name is the name of the source domain plus the three dollar signs ($$$), so if the source domain is Boston, the local group name would be Boston$$$. Disconnect any active sessions. There must not be any current drive mappings, browse lists, or anything else that will generate a network session between the source and target domain controllers. If there is a current session, ADMT may fail with a credentials conflict. Edit the Registry on the source PDC. The PDC or PDC Emulator should have an entry added to the Registry to enable Local Security Authority (LSA) to use TCP/IP. The setting is HKLM\System\CurrentControlSet\ Control\LSA. The Value name is TcpipClientSupport, the type is REG_ DWORD, and the data is a hexadecimal 0x1. Enable auditing on the source and target domains. You should enable auditing for the success and failure of user and group management on the source domain. Also enable auditing for the success and failure of audit account management on the target domain in the Default Domain Controllers policy. EXERCISE 7.2

Enabling Auditing To enable auditing on a Windows NT 4 domain, follow these steps:

1. Open User Manager by clicking Start Programs Administrative Tools User Manager For Domains.

2. Click the Policies menu and select Auditing. 3. Click Audit These Events, and then place check marks in the Success and Failure checkboxes beside User And Group Management.


www.sybex.com

278

Chapter 7

Migration Tools


4. Click OK to apply the changes. To enable auditing on a Windows 2000 domain, follow these steps:

5. Click Start Programs Administrative Tools Active Directory Users And Computers.

6. In the console tree in the left pane of the console, right-click the Domain Controllers container and select Properties from the context menu.

7. Click the Group Policy tab. 8. Highlight Default Domain Controller Policy, and then click the Edit button.

9. In the left pane of the Group Policy console, expand the Audit Policies tree.

10. Right-click Audit Account Management and select Security from the context menu.

11. Check the Success And Failure checkbox and then click the OK button. You can wait for the normal replication cycle to replicate this policy to all domain controllers, or you can force the replication using Active Directory Sites and Services.

These settings will handle most of the issues that may arise while using ADMT. You need to keep a few other items in mind for security. For example, you must have administrator rights in the source domain in order to migrate the security principals. You can accomplish this in a couple of ways. First, you can establish a temporary two-way trust between the source and target domains. Second, you can add an administrator account to each and every computer where resources exist that must be migrated. Obviously, adding the Domain Admins group to each local administrators group would be tedious at best. However, if resources on member servers need to be migrated, you need administrative privileges on those machines as well.


www.sybex.com


279

The final steps for configuring ADMT include enabling auditing and verifying that administrative shares exist on all computers to be migrated. You will need to use auditing for User and Group Management (in Windows NT 4) or Account Management (in Windows 2000) for both success and failure events. This enables you to track the progress of the migration and determine when accounts have not migrated successfully. You will need to ensure that the administrative shares (such as C$, Admin$, and so on) are enabled on source computers so that ADMT will have access to resources to be migrated. This can be done through System Policy in NT 4 or Group Policy in Windows 2000. If you are using ADMT to perform an intra-forest migration, there are some additional considerations. When performing an intra-forest migration, ADMT must be in communication with the Relative ID Master (RID Master is one of the FSMO roles). The RID Master assists with creating Security Identifiers (SIDs) in a domain by distributing Relative Identifiers (RIDs) to other domain controllers. RIDs are unique numbers that describe a security principal. The RID is combined with the domain SID to create a unique SID for a security principal that identifies the domain to which the security principal belongs and uniquely identifies the security principal itself. Because ADMT must communicate heavily with the RID Master during a migration to create new SIDs for all of the security principals, it is best to install ADMT on the RID Master. This enables ADMT and the RID Master to communicate without involving network traffic.

Using ADMT Now that you understand just what ADMT is and have it configured properly, you’re ready to begin using ADMT. So let’s get started by opening Active Directory Migration Tool from the Administrative Tools group. The first time you open ADMT, the console is pretty empty. The only entry under the console root is Reports. The Reports branch of the console tree will be populated as you run the various report utilities and migration wizards that make up ADMT. When you click Reports, you will receive some useful information, as shown in Figure 7.2.


www.sybex.com

280

Chapter 7

Migration Tools

FIGURE 7.2

The Reports tree is unpopulated by default but gives you information to get started.

Let’s start with the Reporting Wizard. The Reporting Wizard generates reports that detail the tasks necessary to complete your migration to the target domain. To run the wizard, right-click the Active Directory Migration Tool icon in the left pane of the Migrator console and select Reporting Wizard from the context menu. The second page of the wizard asks you to define the source and target domains, as shown in Figure 7.3.


www.sybex.com


FIGURE 7.3

281

The Reporting Wizard prompts you for the source and target domains.

If everything is configured correctly, ADMT will be able to open information from both the source and the target domains. This is the point at which an error will be generated if there is no trust between the domains or if the account you are using doesn’t have administrative permissions in both domains. You will also receive an error if the target domain isn’t in native mode. Assuming that everything is configured correctly, you will be prompted for the location to store the report information, as shown in Figure 7.4.


www.sybex.com

282

Chapter 7

Migration Tools

FIGURE 7.4

ADMT prompts for a location to store the reports.

The next page presents you with a list of the possible reports the wizard can generate for you, as shown in Figure 7.5. You will need to pick the report(s) you want from the list before proceeding with the next step. The first time you run the wizard, none of the reports have ever been run, and the status under Date/Time Last Created is Not Created. Select all of the reports, and then click Next.


www.sybex.com


FIGURE 7.5

283

The Reporting Wizard gives you a list of possible reports.

The Reporting Wizard then requests your account information for the source domain. You will be prompted to supply a user name, password, and the source domain name, as shown in Figure 7.6. The account you use must have local administrator rights, which should be taken care of by the trust you created in preparation for using ADMT. Hopefully, you remembered to add your global Domain Admins group from the target domain to the local Administrators group on the source domain; if not you’ll want to do that right away.


www.sybex.com

284

Chapter 7

Migration Tools

FIGURE 7.6

Provide user credentials for the source domain.

After your credentials have been verified on the source domain, the Reporting Wizard asks you to identify the computers that have the security principals you wish to move. Typically, you will pick the primary domain controller of the source domain when you reach this page in the wizard, shown in Figure 7.7. Highlight the server that contains the accounts you want to move and click Next.


www.sybex.com


FIGURE 7.7

285

Select the computer that contains the security principals you want to move.

After you have completed these steps, the Reporting Wizard summarizes your choices on the final page of the wizard, shown in Figure 7.8. Once you click Finish on this summary page, the Reporting Wizard will run the reports you specified and return the information to the Migrator console window. FIGURE 7.8

The Reporting Wizard summarizes your choices on the last page.


www.sybex.com

286

Chapter 7

Migration Tools

While the Reporting Wizard is running, you will be able to view the current status in the Active Directory Migration Tool Agent Monitor, shown in Figure 7.9. Most of the other utilities in ADMT will operate in a similar fashion. If the Reporting Wizard can run successfully, then you know that your configuration is correct. I’ve found that no matter how I try to configure my domains ahead of time, I always seem to forget one detail or another. ADMT will prompt you with surprisingly helpful error messages, often telling you specifically how to fix the error condition. FIGURE 7.9

The ADMT Agent Monitor provides current status messages during reporting.

I feel that the Reporting Wizard is the best place to start, as it will provide helpful information about the accounts that are going to be migrated. It also helps you to iron out any bugs you may have in your configuration. Once you have proven that the configuration is solid, you can move on to the other utilities in ADMT. The next step will depend on the type of migration you are performing. Some migration types will require more steps than others— and perhaps even a different order of events.


www.sybex.com


EXERCISE 7.3

Using ADMT in an Inter-Forest Resource Domain Migration The basic steps to use when performing an inter-forest resource domain migration include the following:

1. Use the Trust Migration Wizard to help you to identify and recreate trusts between resource domains and the target domain. The wizard first identifies all of the existing trusts between a given resource domain and its account domains, then gives you the option of creating parallel trusts from the resource domain to the target account domain.

2. Use the Service Account Migration Wizard to identify service accounts used on specific computers in the source resource domain. You will be asked to specify the computers that are using service accounts, and then the wizard will examine those servers for all service accounts. These accounts will then be included when you later migrate user accounts.

3. Use the Computer Migration Wizard. Resource domains frequently hold the computer accounts for user workstations and application servers. The Computer Migration Wizard will migrate the local computer information and account for each of the workstations and member servers in the resource domain. ADMT dispatches an agent to each of the computers to be migrated. At the completion of the agent’s duties, it will force the computer to shut down and restart.

4. Use the Security Translation Wizard to translate the local user profiles on the computers that have been migrated to the target domain from the original SID of the user to the new SID of the user in the target domain. On the Translate Objects page of the wizard, select User Profiles as the object to translate.

5. Use the Group Migration Wizard at this point to migrate shared local groups from the resource domain to the target domain. On the Group Options page, make sure you select Migrate Group SIDs To Target Domain and also Do Not Rename Accounts.


www.sybex.com

287

288

Chapter 7

Migration Tools


6. Use the User Migration Wizard to migrate service accounts to the target domain. Be aware that while the service accounts themselves will be migrated, some applications must be modified to use the new accounts in the target domain. Exchange Server 5.5 is a good example of this. ADMT cannot change the service account settings within Exchange, so you must change the service account manually in the Exchange Administrator console.

7. Use the Security Translation Wizard to update the service account user rights. Be sure to select the domain in which the service account resides and not the domain of the computer on which the service account is being used (if they are different). On the Translate Objects page of the wizard, select Local Groups and User Rights as the options to translate.

After these steps have been completed, you are ready to upgrade the domain controllers to Windows 2000 (if they aren’t already running Windows 2000) and move them into the target domain. ADMT cannot migrate the domain controllers for you using the Computer Migration Wizard as it can the member servers and workstations, but you can use all of the other ADMT tools on them. Once the domain controllers have been migrated, you can successfully decommission the old resource domains. EXERCISE 7.4

Using ADMT in an Inter-Forest Account Domain Migration In this scenario, you will be moving resources from an existing account domain to a new target account domain. To perform an interforest account domain migration using ADMT, you must follow these steps:

1. Create the Windows 2000 Target Domain. Consult Chapter 6, “Using Target Domains for Migration,” for more information on creating a target domain.


www.sybex.com


289


2. Use the Trust Migration Wizard to establish proper trust relationships between the source account domain and the target domain. You can also use NETDOM for this task.

3. Use the Group Migration Wizard to migrate the domain global groups from the source domain to the target account domain. If the global group you are migrating contains a large number of users, it can take quite a while to process all of the members. This will also cause a heavy impact on your network traffic. Consider using the option to migrate the user accounts with the group instead.

4. Use the User Migration Wizard to move the accounts incrementally, using a pilot group first. This enables you to test your migration planning while affecting only a small group of users at one time. If a large number of user accounts are in the source domain, it will take quite a while to build the list of user accounts to migrate, which will cause a heavy impact on network performance.

After these steps have been successfully completed, you can either move on to migrate your resource domains or decommission the source account domain, according to your migration plan. EXERCISE 7.5

Using ADMT in an Intra-Forest Resource Domain Migration This migration type is very similar to the inter-forest resource domain migration, so I will be brief in describing each step. Using the wizard, follow these steps to complete the intra-forest resource domain migration:

1. Use the Service Account Migration Wizard. ADMT cannot determine whether a service account is used by more than one service. You will need to do this yourself. You will be asked to specify the computers that are using service accounts, and then the wizard will examine those servers for all service accounts. These accounts will then be included when you later migrate user accounts.


www.sybex.com

290

Chapter 7

Migration Tools


2. Use the Computer Migration Wizard. Resource domains frequently hold the computer accounts for user workstations and application servers. The Computer Migration Wizard will migrate the local computer information and account for each of the workstations and member servers in the resource domain. ADMT dispatches an agent to each of the computers to be migrated. At the completion of the agent’s duties, it will force the computer to shut down and restart.

3. Use the User Migration Wizard to migrate service accounts to the target domain. Remember that you might have to manually reset some service accounts for applications.

4. Use the Group Migration Wizard at this point to migrate shared local groups from the resource domain to the target domain. On the Group Options page, make sure you select Migrate Group SIDs To Target Domain and also Do Not Rename Accounts.

From here, your steps will be dictated by your migration plan. You will either decommission the resource domain or migrate other domains. EXERCISE 7.6

Using ADMT in an Intra-Forest Account Domain Migration Here again, the process is very similar to the inter-forest account domain migration, so the descriptions will be brief. Because this type of migration is within a forest by definition, you won’t need to establish trust relationships. All domains within a forest have transitive trusts by default. To perform an intra-forest account domain migration, complete the following steps:

1. Use the Group Migration Wizard to migrate the domain global groups from the source domain to the target account domain. If a high number of users are in the global group you are migrating, it can take quite a while to process all of the members. This will also cause a heavy impact on your network traffic. Consider using the option to migrate the user accounts with the group instead.


www.sybex.com


291


2. Use the User Migration Wizard to migrate both user accounts and their roaming user profiles. On the User Options page of the wizard, make sure you check the Translate Roaming Profiles and the Update User Rights checkboxes.

3. Use the Security Translation Wizard at this point to translate the local user profiles on the computers that have been migrated to the target domain from the original SID of the user to the new SID of the user in the target domain. On the Translate Objects page of the wizard, select User Profiles as the object to translate.

After completing these steps, you can manually migrate a domain controller from the source domain to the target domain and decommission the source domain.

Migrating User Accounts with Active Directory Migration Tool ADMT is a great tool for analyzing the progress of your migration. It includes a number of wizards for reporting the account conflicts between the source and target domains, as well as wizards for migrating trusts and security principals.


Migrate global groups and user accounts.

The Microsoft strategy for selecting the “proper” migration tool suggests that you would only copy security principals with ClonePrincipal and migrate them with ADMT. In the course of preparing this chapter, I discovered that like so many other Microsoft tools, ADMT is actually capable of performing both roles. The exam is likely to prefer the official strategy, so if you’re preparing for the test, keep that in mind. In the real world, ADMT is much easier for most of us to use.


www.sybex.com

292

Chapter 7

Migration Tools

To migrate user accounts with ADMT, you will be using the User Account Migration Wizard, as shown in Figure 7.10. FIGURE 7.10

The User Account Migration Wizard

EXERCISE 7.7

Migrating User Accounts To migrate some user accounts from your source domain to the target environment, follow these steps:

1. Open ADMT by clicking Start Programs Administrative Tools Active Directory Migration Tool. Right-click the Active Directory Migration Tool node in the console and select User Account Migration Wizard from the menu. Click Next to start the wizard.


www.sybex.com



2. Decide whether you will migrate users or only perform a test migration. The test migration won’t actually move any accounts; it will only test the possibility. The Test Or Make Changes page is shown in the following graphic. Click Next.

3. Select the source and target domains for the migration, as shown in the following graphic. Click Next when you’re ready to proceed.


www.sybex.com

293

294

Chapter 7

Migration Tools


4. Now you’re ready to select some user accounts for the migration. You may use any criteria you’ve chosen in your migration plan to choose a set of user accounts or migrate all of them at once. The Select Users page is shown here. Click the Add button.


www.sybex.com



5. The Select Users dialog shows the source domain chosen for the Look In field. You should see a list of all the user accounts in the source domain, from which you can select individuals or sets of users. When you have selected the users’ accounts, click the Add button to move their accounts to the bottom text box of the dialog, as shown in the following graphic. When you’re satisfied with your selections, click OK.

6. Now you will verify that the correct user accounts are displayed in the user list. Then click the Next button.


www.sybex.com

295

296

Chapter 7

Migration Tools


7. The Organizational Unit Selection page opens and prompts you to provide the OU in the target domain where the accounts should be created. The entry should be listed by the distinguished name (DN). If you are unsure of the DN for the target OU, click the Browse button to display the dialog shown in the following graphic. Here you can easily browse for the proper OU. Click OK to return to the Organizational Unit Selection page, and then click Next to proceed.


www.sybex.com



8. On the Password Options page, you must determine what the initial password will be for each migrated account. You can select either Complex Passwords or Same As User Name as the password option to assign. Either way, the list of user accounts and the matching passwords will be stored in the local file path specified in the Location To Store Password File list box. The Password Options page is shown here. Click Next when you’re ready to proceed.


www.sybex.com

297

298

Chapter 7

Migration Tools


9. The Account Transition Options page prompts you to decide how to handle the user accounts when they are migrated. Your options include Disable Source Accounts, Disable Target Accounts, and Leave Both Accounts Open. The last option will leave the accounts in both domains active and available for users to log on to. This has the same effect as using ClonePrincipal to clone the user accounts. Check the box for Days Until Source Account Expires to cause the account in the source domain to automatically become unavailable at the end of the specified day. Check the box for Migrate User SIDs To Target Domain to have ADMT copy the current SID to the SIDHistory field of the new account. The Account Transition Options page is shown in the following graphic. Click Next to proceed.

10. If you chose to have the SIDHistory created, the User Account page will prompt you to supply a user account with local Administrator rights on the source domain controller. Enter the appropriate information, then click Next.


www.sybex.com



11. The User Options page, shown here, provides some options governing how user account names should be handled and what information will be migrated with the account. You have three options for related information: Translate Roaming Profiles, Update User Rights, and Migrate Associated User Groups. This last option will migrate any group that the user account belongs to. It has a suboption that lets you update any of the groups that may have already been migrated with this account’s information. The rest of the page is dedicated to the naming of the migrated user accounts: Do Not Rename Accounts, Rename With Prefix, and Rename With Suffix. Click Next when you’re ready to proceed.


www.sybex.com

299

300

Chapter 7

Migration Tools


12. The Naming Conflicts page lets you resolve any duplicate names that might be created by migrated accounts. Built-in accounts won’t be migrated anyway, so don’t worry about those accounts. This page defines how to handle user accounts that have the same name as one that has already been created in the target domain. As shown in the following graphic, you can choose to ignore the conflict, replace the conflicting accounts in the target domain with the account being migrated, or rename the migrated account with either a prefix or a suffix to keep the names unique.


www.sybex.com


301


13. You’ve finally completed the wizard! The last page of the wizard displays a summary of your selections. Click the Finish button when you are satisfied with the options, or click the Back button to go back and change any of the options. When you click the Finish button, the User Account Migration Wizard will run and perform the tasks you selected. During the migration process, you will see the status of the operation displayed in the Migration Progress dialog, as shown in the following graphic.

That’s really all there is to migrating user accounts using ADMT. I’d recommend using the testing option of the wizard until you receive no error messages in the process. I also like the option to leave both accounts open after the migration and copy the current SID to the SIDHistory value of the new account in the target domain. This gives you a way out if there are any serious problems later with the migration. The users will still have the ability to log on to their original accounts if necessary.


www.sybex.com

302

Chapter 7

Migration Tools

Migrating Group Accounts with Active Directory Migration Tool Migrating group accounts is handled very much like we did the user accounts. Here you can use either ClonePrincipal to copy the group accounts or Active Directory Migration Tool to move the accounts to the target domain. If you want to migrate groups from one tree to another within a single forest, try using Move Tree. If you would rather copy the groups into the target domain, then you should be using ClonePrincipal. ADMT can be used to migrate group accounts in addition to user accounts.



EXERCISE 7.8

Migrating Group Accounts To migrate groups using Active Directory Migration Tool, you will be using the Group Account Migration Wizard within ADMT. Let’s walk through the steps required to migrate the global groups from our example Seattle domain to the Seattle OU of coolcompany.local.

1. Open ADMT by clicking Start Programs Administrative Tools Active Directory Migration Tool.


www.sybex.com



2. Right-click the Active Directory Migration Tool node in the console and select Group Migration Wizard from the context menu. This opens the Group Account Migration Wizard shown here.

3. Decide whether you will migrate users or only perform a test migration. The test migration won’t actually move any accounts; it will only test the possibility. Click Next.


www.sybex.com

303

304

Chapter 7

Migration Tools


4. Select the source and target domains for the migration, as shown in the following graphic. Click Next when you’re ready to proceed.


www.sybex.com



5. Now you’re ready to select some group accounts for the migration. You can use any criteria you’ve chosen in your migration plan to choose a set of group accounts, or you can migrate all of them at once. The Group Selection page is shown below. Click the Add button to browse for groups to add, and click OK when you’ve finished. Click Next to proceed.


www.sybex.com

305

306

Chapter 7

Migration Tools


6. The Organizational Unit Selection page opens and prompts you to provide the OU in the target domain where the accounts should be created, as shown in the following graphic. The entry should be listed by the distinguished name (DN). If you are unsure of the DN for the target OU, click the Browse button to display a dialog where you can easily browse for the proper OU. Click OK once you have selected the appropriate OU, and then click Next to proceed.


www.sybex.com



7. On the Group Options page, shown here, you will find some options to control how the groups are migrated. For example, you can copy the group’s SID to the SIDHistory of the new group account in the target domain. You can also choose to copy the members of each group to the new location at the same time the group is migrated. Then click Next to proceed.

8. If you chose to have the SIDHistory created, the User Account page will prompt you to supply a user account with local Administrator rights on the source domain controller. Enter the appropriate information, then click Next.

9. The Naming Conflicts page lets you resolve any duplicate names that might be created by migrated accounts. This page defines how to handle user accounts that have the same name as one that has already been created in the target domain. You can choose to ignore the conflict, replace the conflicting accounts in the target domain with the account being migrated, or rename the migrated account with either a prefix or a suffix to keep the names unique. Click Next to proceed.


www.sybex.com

307

308

Chapter 7

Migration Tools


10. If you chose to have the group members copied to the target domain, you will be prompted to set the password options to decide how a password will be assigned to the new accounts and where the password file will be written. Then you will need to decide whether the accounts will remain active in both domains or disabled in one or the other. The Group Member Options page is shown in the following graphic. Click Next to proceed.

11. Finally, the wizard displays a summary of all the options you selected during the previous steps. When you click Finish, the wizard will run and complete the steps.

You will use these same steps to migrate either global or local accounts from the source domain. The Group Account Migration Wizard will enable you to migrate either type of group account individually or all together. You can mix ’n match to your heart’s content.

Migrating Computer Accounts The best way to accomplish the migration of your computer accounts is to use Active Directory Migration Tool’s Computer Migration Wizard. This wizard


www.sybex.com


309

helps to automate the tasks required to migrate the computer accounts from your source domain to the target Windows 2000 environment.


Migrate local groups and computer accounts. Perform post-migration tasks. Verify success of object migrations.

The process of migrating computer accounts is almost identical to migrating user accounts with ADMT. Instead of selecting user accounts, you will be selecting computer names from the list of all the computers in the source domain. You need to determine the destination to which the computer accounts will be migrated. This is expressed as a distinguished name (DN) and can be determined by browsing for the appropriate container or OU in the target domain. An interesting difference between migrating computer accounts and migrating user accounts is the Translate Objects page, where you decide which properties of the computer will be translated. Translation is the process of mapping the current object’s SID to the SIDHistory of the new account. The objects that can be translated for computers include the following:

Files and folders

Local groups

Printers

Registry

Shares

User profiles

User rights

The SID information for the objects you select on the Translate Objects page will be updated to accept the same user accounts in their new incarnation within the target domain. This is a necessary step if you want the


www.sybex.com

310

Chapter 7

Migration Tools

migration to be as seamless as possible for your users. The translation process provides three different methods for applying the translated security: Replace This option replaces the SID of the source domain security principal with the SID of the equivalent target security principal. Add The Add option adds the SID for the equivalent security principal in the target domain to the Access Control List (ACL) of the object and leaves the SIDs of the original security principals in place. Remove The Remove method adds the new SID information for the target security principals and then deletes the original SID information. Because the migration of a computer account to a new domain requires restarting the computer, this process is included in the Migration Wizard. You must set the number of minutes that the computer will wait after completing the migration before it restarts and uses the new computer account in the target domain. You will also be given the same options for handling the renaming of the computer accounts when they are migrated as you saw when migrating users and groups. You can then determine how any duplicate names will be resolved, and then you will receive a summary of the selected options before the migration tasks are run.

ClonePrincipal The second tool that we will be looking at is ClonePrincipal, which is another of the deployment and migration tools supplied with Windows 2000. Unlike ADMT, which actually moves objects from a source domain into the Active Directory target domain, ClonePrincipal works by creating a copy of the object in the new domain. Essentially, it makes a clone of the original object in the new location. ClonePrincipal is especially useful when you want to incrementally move users from the source domain to the new target domain. The ClonePrincipal tool is a series of Visual Basic script files that perform various migration tasks. Included in the set are scripts that will migrate user accounts, local group accounts, and global group accounts. ClonePrincipal doesn’t make any changes to the source domain, which is a good thing. It simply copies information out of the SAM database and imports it into Active Directory in the target domain.


www.sybex.com


311

Since ClonePrincipal is made up of Visual Basic scripts, the individual scripts can be used easily in migration scripts. This makes it possible to completely script your migration and execute it as a series of phased rollouts. Once the accounts have been cloned and are being used successfully in the target domain, you should delete the original accounts. The scripts that make up ClonePrincipal are installed with the Support Tools from the Windows 2000 Server CD-ROM. The Support Tools are installed from the Support Tools folder on the CD-ROM; simply browse for the folder and then double-click the setup.exe file. Benefits of using ClonePrincipal include the following:

Users can log on to the clone account in the new domain but still have an emergency fallback account in the old domain.

The source domain isn’t disrupted during the migration of accounts to Windows 2000.

You can shift users to the new environment in small groups. If there are problems, fewer people are involved, and you can easily move them back to their original accounts.

You don’t have to modify the Access Control Lists on shared resources in order to preserve the user’s ability to access them. ClonePrincipal will use the SIDHistory feature to maintain both the new and the old SID for a security principal.

You can upgrade a backup domain controller (BDC) to Windows 2000, then use the Active Directory Wizard to demote the server. Once demoted to a member server, the computer can be migrated to the new domain without having to change the local groups or permissions assigned to local resources. This is particularly useful if the server is acting as a resource server for applications or file storage.

Multiple groups from different domains can be merged into a single group in the target domain.

The ClonePrincipal script syntax is fully documented in the clonepr.doc file that is installed in the Support Tools folder under Program Files. This


www.sybex.com

312

Chapter 7

Migration Tools

document contains notes on the use of the tool and examples of how the scripts might be used in a batch file.


Select and configure tools, including ADMT, ClonePrincipal, MoveTree, NETDOM, and the Windows 2000 Resource Kit tools.

EXERCISE 7.9

Installing Support Tools To install the Support Tools, do the following:

1. Insert the Windows 2000 CD-ROM in a drive on your computer. Many of the support tools are designed to be run on a domain controller, so keep that in mind when selecting a computer.

2. Browse the CD-ROM to the Support Tools folder, and double-click the Setup.exe program. The Windows 2000 Support Tools Setup Wizard opens, as shown in the following graphic. Click Next.


www.sybex.com



3. Enter your name and organization, and click Next. 4. Select the type of installation you want to perform, either Typical or Custom, as shown in the following graphic. Click Next.


www.sybex.com

313

314

Chapter 7

Migration Tools


5. If you selected a Custom setup, you will be presented with the page shown in the following graphic. Notice that you can only select to install the whole package or nothing at all. The Custom setup does allow you to choose the install path, however.

6. Click Next to begin the installation. When the setup is complete, you will see the final page in the wizard, summarizing the steps you have completed. Click Finish to close the wizard.

Once the Support Tools are installed, they will be saved to the Program Files\Support Tools folder, and shortcuts are placed on the Start menu. The folder contains a copy of the Deployment Planning Guide from the Windows 2000 Server Resource Kit in electronic Help format, as well as Help files for the tools themselves. To use ClonePrincipal, however, you will work from the command prompt. ClonePrincipal supports some custom development capabilities, though you won’t be tested on this information. ClonePrincipal consists of a dynamic link library, clonepr.dll, which implements a Component Object Model


www.sybex.com


315

(COM) object called DSUtils.ClonePrincipal. This COM object has a single interface, ICloneSecurityPrincipal, which supports these three methods: Connect This method enables you to create secure connections to both the source and target domains. AddSIDHistory This method copies the existing Security Identifier (SID) of a security principal to the SIDHistory value of a new security principal in the target domain. CopyDownLevelUserProperties This method copies all of the properties of an existing NT 4 user account to the new security principal in the target domain. While this information may not be very useful on the exam, it will be very helpful if you decide to customize the use of ClonePrincipal in your own environment.

If your target domain was recently upgraded from NT to Windows 2000, neither ClonePrincipal nor ADMT will properly add the SIDHistory of objects to the destination domain. To resolve this, delete and rebuild the trust relationships between your source and target domains before using ClonePrincipal or ADMT.

ClonePrincipal includes five sample Visual Basic scripts that provide the basic functionality for your migration needs. These scripts can be used to clone accounts from the source domain to the target domain, or they can be used as guides to create your own scripts. The five scripts are: Sidhist.vbs This script copies the SID of a security principal from the source domain to the SIDHistory attribute of an existing security principal in the target domain. Clonepr.vbs This particular script is a sample script that clones a single security principal from the source domain to the target domain. It will create the destination account if it doesn’t already exist and copy the SID to the SIDHistory attribute. If you are cloning a user account or a global group, it will also create the memberships in the target domain. If you are cloning a local group, then it will also clone all of the members to the target domain.


www.sybex.com

316

Chapter 7

Migration Tools

Clonegg.vbs This script clones all of the global groups in a given domain to the target domain. Cloneggu.vbs Rather than cloning from a given domain, this script clones all global groups and user accounts from the source domain to the target domain. Clonelg.vbs This last script clones all of the shared local groups on the domain controllers in the source domain to the target domain.

Preparing to Use ClonePrincipal Now that we’ve installed ClonePrincipal with its support tools and reviewed the various scripts, we’re ready to get started. ClonePrincipal accesses two different domains for some very sensitive work in terms of security. For this reason, you must have administrator permissions in both domains, and trusts must be established between the domains. SIDs must be unique within a forest whether they are the primary SID or the SIDHistory. Because of this, the source domain must be in a different forest than the target domain. The target domain must be in native mode because the SIDHistory attribute is required for the destination accounts. ClonePrincipal must be run on the console (at the command prompt) of a domain controller in the target domain. This should be the PDC Emulator for best results, but it can be any Windows 2000 domain controller. The tool cannot be run on a remote workstation. The PDC of the source domain should be the focus of operations for the source domain. The source PDC must be running Windows NT 4 with Service Pack 4 or later, or it can be running Windows 2000. Again, the PDC Emulator should be chosen if the source domain is Windows 2000 because the auditing will then be generated on only one computer. The PDC or PDC Emulator should have an entry added to the Registry to enable Local Security Authority (LSA) to use TCP/IP. The setting is HKLM\System\CurrentControlSet\Control\LSA. The Value name is TcpipClientSupport, the type is REG_DWORD, and the data is a hexadecimal 0x1. ClonePrincipal requires a group called SourceDomainName$$$ in the source domain. The group should be a local group on the domain controller where ADMT is being run. The name is the name of the source domain plus the three dollar signs ($$$), so if the source domain is Boston, the local group name would be Boston$$$.


www.sybex.com


317

The last step in preparing for ClonePrincipal is absolutely required, and that is to enable auditing in both the source and target domains for account management. You will need to use auditing for User and Group Management (in Windows NT 4) or Account Management (in Windows 2000) for both success and failure events. This enables you to track the progress of the migration and determine when accounts have not migrated successfully. It also gives administrators a way of determining when this procedure has been run on their domain, helping to prevent unauthorized use of ClonePrincipal. EXERCISE 7.10

Configuring an Environment for ClonePrincipal To configure your environment for ClonePrincipal, perform the following steps:

1. Make certain the source domain PDC is running the required operating system level, Windows NT 4 with Service Pack 4 or higher.

2. Establish a trust from the source domain to the target domain. Optionally, use a two-way trust between the two domains.

3. Edit the Registry on the source domain controller to include the value TcpipClientSupport REG_DWORD 0x1 at this location: HKLM\System\CurrentControlSet\Control\LSA. This change enables the use of Remote Procedure Calls over TCP/IP.

4. Create a new local group on the source domain controller named <SourceDomainName$$$> where SourceDomainName is the name of your source domain. This group name is used for the auditing of the ClonePrincipal operations in the NT 4 domain.

5. Enable auditing in both the source and the target domains. Audit for both success and failure of account management events. In NT 4, this would translate to User and Group Management.

6. It is also possible that you would have to register the clonepr.dll file if you installed ClonePrincipal manually. To register the .dll file, execute this command at a command prompt: regsvr32 clonepr.dll.


www.sybex.com

318

Chapter 7

Migration Tools

Using ClonePrincipal You can choose to use ClonePrincipal with the sample scripts provided by Microsoft, or you can write your own scripts. If you decide to write your own scripts, consult the white paper for ClonePrincipal, clonepr.doc, which is provided on the CD-ROM with the tools. Otherwise, if you want to go ahead and use the samples that have been included with the tool, here is some syntax to use: Sidhist.vbs This script copies the current SID of one account to the SIDHistory attribute of one destination account. Its syntax is Cscript sidhist.vbs /srcdc:<source PDC> /srcdom:<source domain> /srcsam: /dstdc: /dstdom: /dstsam: Clonepr.vbs To clone a single account from the source domain into the target domain, use Clonepr.vbs. Its syntax is Cscript clonepr.vbs /srcdc:<source PDC> /srcdom:<source domain> /srcsam:<source account> /dstdc: /dstdom: /dstsam: /dstDN:<destination Distinguished Name> Cloneggu.vbs This script clones all global groups and users from the source domain to the target domain. Its syntax is Cscript cloneggu.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU> Clonelg.vbs The task of this script is to clone shared local groups from the source domain controller to the destination domain controller. Its syntax is Cscript clonelg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU> Clonegg.vbs This script clones all global groups from the source domain to the target domain. Its syntax is Cscript clonegg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU>


www.sybex.com


319

An example of how to use ClonePrincipal to copy user accounts from the source domain in our fictitious company, Coolcompany Inc., to the target domain of coolcompany.local would be to use cloneggu.vbs to clone all global groups and users from the Seattle domain of Coolcompany Inc. to the coolcompany.local target domain. To accomplish this move, we must have some more information. The source domain name is Seattle, and the PDC of the Seattle domain is Seattle_dc. The target domain is coolcompany.local, but the NetBIOS name of the domain is coolcompany. The target PDC is Cool_dc. We will clone the users and groups into the Seattle OU container within coolcompany.local. The command line for this would be Cscript cloneggu.vbs /srcdc:seattle_dc /srcdom:seattle /dstdc:cool_dc /dstdom:coolcompany /dstOU:OU=Seattle,DC=coolcompany,DC=local This command will clone all of the users and global groups from the Seattle domain to the Seattle OU of coolcompany.local. For this command to work properly, the organizational unit (OU) of Seattle must already exist in the coolcompany.local domain.

Migrating User Accounts With ClonePrincipal If your plan calls for migrating users with minimum impact to the production environment and maximum fault tolerance, you should choose to use ClonePrincipal. If anything goes wrong, the user accounts are still intact in the original source environment. The users can simply log on to their old accounts and continue working while you go about figuring out what went wrong.



ClonePrincipal gives you the opportunity to perform a gradual, controlled migration to Windows 2000 and Active Directory. If your plan calls for migrating small groups of users at one time, with maximum reliability and minimum disruption to the production environment, ClonePrincipal is the tool you should use. Most migration plans describe moving user accounts,


www.sybex.com

320

Chapter 7

Migration Tools

rather than cloning them. If you are going to be moving accounts to the target domain, and you don’t want the added fault tolerance of creating clones of your security principals, then you should be using Active Directory Migration Tool.

The online help for ClonePrincipal and Active Directory Migration Tool both refer to creating a special local group in the source domain to use for the migration with the name DomainName$$$, where DomainName is the name of the source domain. If you receive an error that the specified local group does not exist, verify that this group exists in the source domain.

You can choose to use ClonePrincipal with the sample scripts provided by Microsoft, or you can write your own scripts. If you decide to write your own scripts, consult the white paper for ClonePrincipal, clonepr.doc, which is provided on the CD-ROM with the tools. Otherwise, go ahead and use the samples that have been included with the tool. To clone user accounts from the source domain in our fictitious company, Coolcompany Inc., to the new Active Directory environment, we’ll use the Clonepr.vbs script to copy single accounts across. This could potentially be very slow if you were to type in the script commands for each user that you wanted to clone. Instead, I would suggest creating a batch file that calls this script repeatedly to clone single user accounts. This way, you can clone groups of user accounts in a gradual, controlled fashion. EXERCISE 7.11

Creating a ClonePrincipal Batch File In this exercise, you will create a batch file to clone several user accounts from your source domain to the target domain. If you don’t actually have a test environment set up, you can still create this file using names that you define for the domains and users. The exercise will use the names from the coolcompany example.

1. Open Notepad by clicking Start Programs Accessories Notepad.


www.sybex.com


321

EXERCISE 7.11

2. Beginning at the first line, enter your command line for ClonePrincipal. Repeat the commands for each user that you want to clone, making sure you press Enter after each command line. For example, to clone User1 from the Seattle domain of coolcompany to the Seattle OU of coolcompany.local, use this command: Cscript clonepr.vbs /srcdc:SeattleDC /srcdom:Seattle /srcsam:User1 /dstdc:sea-1 /dstdom:coolcompany.local /dstsam:User1 /dstDN:CN=User1,OU=Seattle,OU=coolcompany,OU=local This command should be entered entirely on one line, with a return at the end of the line so that you can enter the next command. The example assumes that the PDC of the source Seattle domain is named SeattleDC, that the target domain controller is named Sea-1, and that the Seattle OU already exists.

3. Enter the next line for User2. Replace the User1 account in the above example with User2.

4. Repeat for several more users (e.g., User3, User4, User5, etc.). 5. If you have a test environment, execute the batch file in the Support Tools folder of the destination domain controller.

A batch file is a great way to call clonepr.vbs to clone individual user accounts from the source domain to the target domain. Of course, the cloneggu.vbs script would be even better if you wanted to clone all of your global groups and users at the same time.

Migrating Group Accounts with ClonePrincipal Migrating group accounts is handled very much like we did the user accounts. Here again you can use either ClonePrincipal to copy the group accounts or Active Directory Migration Tool to move the accounts to the target domain. If you want to migrate groups from one tree to another within a single forest,


www.sybex.com

322

Chapter 7

Migration Tools

try using Move Tree instead of ClonePrincipal. If you are planning to move the groups into the target domain, then you should be using ADMT.


Migrate local groups and computer accounts.

Migrating groups from the source domain using ClonePrincipal is easier than migrating user accounts. The sample scripts included with ClonePrincipal provide a method to clone all groups of a specific type at one time. For instance, the Clonegg.vbs script will clone all global groups from the source to the target domain, and Clonelg.vbs will do the same for domain local groups. Clonegg.vbs This script clones all global groups from the source domain to the target domain. Its syntax is Cscript clonegg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU> Clonelg.vbs This script clones shared local groups from the source domain controller to the destination domain controller. Its syntax is Cscript clonelg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU> To use these scripts in our example company’s migration, first we’ll migrate the shared domain local groups using Clonelg.vbs. Consult Table 7.1 for the configuration. TABLE 7.1

Configuration for the Coolcompany Example Configuration Option

Source Domain

Target Domain

Domain name

Seattle

coolcompany.local


www.sybex.com


TABLE 7.1

323

Configuration for the Coolcompany Example (continued) Configuration Option

Source Domain

Target Domain

Domain controller

SeattleDC

Sea-1

Administrator account

Administrator

Administrator

Administrator password

Password

Password

Organizational Unit

N/A

Seattle

So, to clone the domain local groups from the PDC of the Seattle domain to the Seattle OU in the coolcompany.local target domain, you would use this script: Cscript clonelg.vbs /srcdc:SeattleDC /srcdom:Seattle /dstdc:Sea-1 /dstdom:coolcompany.local /dstOU:OU=Seattle,DC=coolcompany,DC=local Notice the use of the distinguished name (DN) for the destination OU. If you don’t use this format, the script will be unable to attach to the correct location in the target Active Directory. The special local group you created when setting up the computers for ClonePrincipal, for this example the group Seattle$$$, will also be cloned when you run this script. As the script runs, you will be able to watch its progress on the screen because it will print out the information for each group as it is cloned. When you use this script, use the earlier example as a guide and modify the necessary parameters for your own environment. To clone your global groups from the source domain, the process is very similar. For our coolcompany example, the command line would look like this: Cscript clonegg.vbs /srcdc:SeattleDC /srcdom:Seattle /dstdc:Sea-1 /dstdom:coolcompany.local /dstOU:OU=Seattle,DC=coolcompany,DC=local Now, there is a “gotcha” involved in running either the Clonegg.vbs or the Cloneggu.vbs script. These scripts, by default, will also attempt to clone the built-in global groups. Windows NT/2000 sees these groups as well-known RIDs, because these groups exist on all NT/2000 domain


www.sybex.com

324

Chapter 7

Migration Tools

controllers and always have the same Relative Identifier. If you intend to clone the source groups onto the existing global groups in your target domain (for instance, to give them access to all resources the original group has through the SIDHistory feature), then the problem is that the built-in groups are not located in the destination OU. You can move the groups temporarily to the destination OU, or you can change the script. Fortunately, this edit in the script is very simple. You will be searching for a block of code near the end of the script that will prevent the script from cloning the well-known RIDs, leaving it free to concentrate on the groups you have created in the source domain. To edit the script, open it either by using the File Open command in Notepad or right-clicking the file and selecting Edit from the context menu. Use the Edit Find command in Notepad (I’d suggest searching for the first line of text only) to locate the following block of code: 'To Stop Cloning Well Known Sids Uncomment 4 lines below ' if HasWellKnownRid(sidString) then ' ShouldCloneObject = False ' exit function ' end if Once you’ve found the code, remove the leading single quotes (') from those lines, then save the file and run the script using the previous example as a guideline. When you run the script in a production environment, change the command syntax to include the names that are appropriate for your network.

Move Tree

T

he Active Directory Object Manager (MoveTree.exe) is a commandline utility for moving objects from one Active Directory domain to another. It can be used to move user accounts or even entire OUs from one domain to another in the same forest. This tool will be most useful once you have begun your migration and have integrated some of the old domains into the new Active Directory structure. Be aware that there are some objects that Move Tree cannot migrate to another domain:

System objects, such as the built-in special groups Everyone, System, or Interactive


www.sybex.com

NETDOM

325

Any objects located in the domain’s special containers: Builtin, ForeignSecurityPrincipal, System, and LostAndFound

Domain controllers or any object whose parent is a domain controller (such as a local account on a domain controller)

Any object that has the same name as an object in the target domain

You might have noticed that Move Tree is described as doing pretty much the same thing as ClonePrincipal. So why did Microsoft give us two tools to do the same thing? They didn’t. While the two tools appear to fulfill the same function, they do have some basic differences:

Move Tree is designed to work within a single forest, whereas ClonePrincipal is exclusively designed to move objects from one forest to another. Move Tree is intraforest and ClonePrincipal is interforest.

Move Tree actually moves the objects it works with. This means that they are copied to the new domain and then destroyed in the original domain. ClonePrincipal copies the object to a new domain and leaves the original intact.

Move Tree maintains the users’ current passwords after the move operation is completed. ClonePrincipal does not keep the users’ passwords.

Move Tree maintains the object’s Globally Unique Identifier (GUID) after the move, while ClonePrincipal does not.

For a complete listing of the command syntax to use with Move Tree, consult the online help file for the Support Tools.

NETDOM

F

inally, let’s spend some time on our last tool, NETDOM. The Windows 2000 Domain Manager, otherwise know as NETDOM, is extremely useful for creating trusts, querying domains for their existing trusts, and adding or removing computers from Windows 2000 domains. Gone are the days when you could create trusts only by getting another administrator on the phone while configuring the trusts from both ends. Using NETDOM, you can easily configure two-way trusts between NT 4 domains and Windows 2000


www.sybex.com

326

Chapter 7

Migration Tools

domains. You can create shortcut trusts between domains in different trees of the same forest to expedite browsing. Being a Windows Icon Mouse Person (WIMP), I prefer to use the graphical user interface tools myself, but I know many NT (and Unix) administrators who believe that the command prompt is the only true form of administration. If you fall into this category, then NETDOM.exe was made for you. There is too much syntax for this command to cover fully here, but I’ll explain the basic commands that you are likely to use during a migration. NETDOM can be used for the following functions: Add Windows 2000 computers to a domain. NETDOM can add Windows 2000 computers to Windows 2000 or NT 4 domains and can be used to specify the destination OU for the computer account in Windows 2000 domains. Establish trust relationships. NETDOM can create one-way or twoway trusts between NT 4 domains and Windows 2000 domains. It can also create transitive trusts between Windows 2000 domains to be used as shortcuts between domains in the same forest for faster browsing of Active Directory. Verify and/or reset the secure channel between computers. This one is a little more arcane. NETDOM can verify or reset the secure channel of communication between either member servers and workstations within a domain or BDCs with the PDC in NT 4 domains. Manage trust relationships. NETDOM can be used to enumerate all trusts that currently exist for a given domain, including indirect trusts within a Windows 2000 forest. NETDOM is installed as part of the Windows 2000 Support Tools. If you followed the steps in the ClonePrincipal section of this chapter to install the Support Tools, then you already have NETDOM installed. To use NETDOM to add a computer to a domain, use this syntax: Netdom ADD /d:<domain name> /OU: If the OU is not specified, then the computer will be added to the Computers container in the domain. If you want to add the computer to an OU other than the default Computers container, you will need to include the /OU switch and specify the full distinguished name for the OU.


www.sybex.com

NETDOM

327

To use NETDOM to join a computer to a domain, use this syntax: Netdom JOIN /d:<domain name> /OU: To remove a computer from a domain using NETDOM, the syntax is very similar to that for adding a computer: Netdom REMOVE /d:<domain name> /ud:<domain\user name> /pd:<password> To move a computer account from one domain to another without having to first remove the account from one domain and then create the same computer account in the new domain, use this syntax: Netdom MOVE /D:<domain name> /OU: /Ud:<destination domain user> /Pd:<destination password> /Uo:<user for the computer to be moved> /Po:<password for computer to be moved> /Reboot When moving a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. Thus, a failure during the operation could leave the computer in a limbo state where it doesn’t belong to any domain. When moving a computer to a new domain, the old computer account in the previous domain is not deleted. If the prior domain is a Windows 2000 domain, the old computer account is disabled. The act of moving a computer to a new domain creates an account for the computer in the target domain, if it does not already exist. To reset the secure channel between a computer and its domain, use this syntax: Netdom RESET /d:<domain name> For the following command, it doesn’t matter which OU the computer is in, as the secure channel is between the computer and the domain itself, not the OU: Netdom QUERY /D:<domain name> /Ud:<user name> /Pd:<password> [/Verify] [/Reset] [/Direct] {WORKSTATION | SERVER | DC | OU | PDC | FSMO | TRUST}


www.sybex.com

328

Chapter 7

Migration Tools

This syntax retrieves membership, trust, and other information from a domain. The WORKSTATION, SERVER, DC, and OU commands query the domain for the lists of, respectively, workstations, servers, domain controllers, or organizational units under which the specified user can create a computer object. PDC, FSMO, and TRUST query the domain for, respectively, the current primary domain controller, list of FSMO owners, or list of its trusts. NETDOM QUERY is a very powerful command. This option will provide you with much of the information you need while planning your migration from NT 4 to Windows 2000. It will very likely appear on the exam in some form. It will certainly be a valuable tool in the real world. To query the trusts for a given domain, use the following command with NETDOM: NETDOM query trust /Domain:<domain name> /UserD:<user name> /PasswordD:<password or *> This command queries the domain named with the /Domain switch to determine the trusts in use. The /UserD switch gives the name of the user to use for the query, which should normally be an administrator account. When you use the /UserD switch, you should accompany it with the /PasswordD switch. With /PasswordD, you can either enter the actual password of the user account or enter an asterisk (*), which tells NETDOM to prompt you for the password in a more secure format. NETDOM can be used to change the time settings of servers within a domain using the following syntax: Netdom TIME /D:<domain name> /Ud:<user name> /Pd:<Password> /Uo:<user name> /Po:<password> [/Verify] [/Reset] [WORKSTATION] [SERVER] The WORKSTATION and SERVER switches verify or reset the time for, respectively, all the workstations or domain controllers in a domain. And of course, I’ve saved the best for last. To use NETDOM to manage and configure trust relationships, use this syntax: Netdom TRUST <trusting domain name> /D:<trusted domain name> /Ud:<user name> /Pd:<password> Uo:<user name> /Po:<password> [/Verify] [/Reset] [/PasswordT: [/Add] [/Remove [/Force]] [/Twoway] [/Kerberos] [/Transitive[:{yes | no}]


www.sybex.com

NETDOM

329

This syntax establishes, verifies, or resets a trust relationship between domains. The /PasswordT switch is used to define a relationship with a new non-Windows Kerberos realm. A realm is an area of authority controlled by a Kerberos server for security. The /Kerberos switch itself is used to specify that Kerberos authentication should be used to establish the trust if one of the domains is not a Windows 2000 domain. Let’s look at an example of NETDOM creating a trust between Resource1 and the root domain of sprockets.local. To create this trust, use the following syntax with the NETDOM command: NETDOM TRUST /d:sprockets resource1 /ADD /Ud:sprockets\administrator /Pd:* /Uo:resource1\administrator /Po:* This command consists of the following parts: TRUST Tells the NETDOM command that you are working with a trust relationship. /d:sprockets This is the name of the target domain in the new Active Directory structure. In the example, the name of the root domain is Sprockets, so that is the name I used. Resource1 This is the name of the resource domain in the old network, or the “trusting” domain. /ADD Tells NETDOM that you want to create a trust between these two domains. /Ud: sprockets\administrator Specifies the user name to use for the target domain end of the trust. /Pd:* Tells NETDOM to prompt for the password for the sprockets\ administrator account. /Uo:resource1\administrator Specifies the user name for the resource domain end of the trust. /Po:* Tells NETDOM to prompt for the password for the resource1\administrator account. The NETDOM TRUST command will establish a one-way trust from Resource1 to sprockets so that user and group accounts in sprockets can


www.sybex.com

330

Chapter 7

Migration Tools

access resources in the resource1 domain. If you want this trust to be bidirectional, add the /TWOWAY switch immediately after the /ADD switch. For more information regarding the specific use and syntax of the NETDOM command, please consult the online Help files for the Windows 2000 Support Tools. EXERCISE 7.12

Migrating Accounts Using the Migration Tools This exercise assumes that you have access to at least two computers capable of running Windows 2000 Server. One may be installed with NT 4 Server as a PDC. The other should have Windows 2000 Server installed as a domain controller of its own domain. The specific instructions for installing and configuring these tools can be found throughout this chapter.

1. Install ADMT on the Windows 2000 domain controller using the directions provided earlier in this chapter.

2. Install the Windows 2000 Support Tools using the directions provided earlier in this chapter.

3. Use NETDOM to create a two-way trust between your two domains.

4. Configure auditing in both domains for Account Management success and failure.

5. Add the special local group on the Windows NT domain controller, domain_name$$$.

6. Create some test user accounts and global groups in the source domain using User Manager for Domains if running NT or Active Directory Users and Computers if running Windows 2000.

7. Use ADMT to run the Reporting Wizard to determine the name conflicts between the domains. The only conflicts should be the built-in groups and accounts.

8. Use ClonePrincipal to copy the global groups and users from the source domain to the target domain using the Cloneggu.vbs script.


www.sybex.com

Troubleshooting the Migration Tools

331


9. Verify that the users were migrated successfully by logging on to the target domain using one of the cloned accounts. Then log on to the source domain using the same accounts to verify that they still work in the source domain.

Troubleshooting the Migration Tools

M

ost of the troubleshooting you will have to use with these migration tools will be related to the configuration required for each tool. For instance, when installing and configuring ADMT, you must install the tool on a domain controller in the target domain. Failure to do so will generate some errors that may be difficult to track down.


Troubleshoot tool issues for domain restructures. Considerations include ADMT, ClonePrincipal, NETDOM, MoveTree, and Windows 2000 Resource Kit tools.

To protect you from errors that could impede migration, let’s look individually at each of the tools introduced in this chapter. The following portion of the chapter is probably just as important as the section on understanding how to configure the tools themselves. More often than not, we find ourselves having to work out glitches to keep projects moving smoothly.

Troubleshooting ADMT Active Directory Migration Tool comes with a fairly thorough Help file, which actually contains a useful Troubleshooting section. There are 22 different troubleshooting scenarios listed in this Help file, and nearly all of them have to do with improper ADMT configuration. This leads me to believe that if you are receiving any kind of error with ADMT, you should spend some time verifying the setup of the tools. You should also check your spelling, as the computer will take your command literally, as computers usually do.


www.sybex.com

332

Chapter 7

Migration Tools

The troubleshooting that I had to do while working with ADMT the first few times always involved authenticating the user accounts I was using for the operations. Please make certain that you have correctly established the trusts to communicate between your domains. You will need to have administrator accounts and/or permissions in both domains. If you have Exchange Server installed in your domain, you will have an additional issue to configure. When ADMT migrates the service account for Exchange, it correctly updates all of the information for the account, including the SIDHistory attribute. But Exchange Server will fail to start after the migration because the service account must also be updated within Exchange Server. Use the Exchange Administrator console to update the service account to the new account within the target domain.

Troubleshooting ClonePrincipal ClonePrincipal won’t be quite as troublesome from one point of view: It works by copying the accounts to a new location. You can always fall back to using the old accounts on the source domain if something goes wrong with the new accounts. But if something does go wrong, you will have two main sources of information. First of all, ClonePrincipal logs all operations. The log file is located in %SystemRoot%\debug and is called clonepr.log. Check this file for more detailed information if and when you have a problem with ClonePrincipal. The other source of information at your disposal is the Security log in Event Viewer. Since one of the configuration requirements is to enable auditing on both the source and target domains, you will have an audit trail of everything that ClonePrincipal did while cloning accounts. ClonePrincipal directs quite a bit of information to stdout, or your monitor screen, while it is running. It is possible, and recommended, to redirect this output to a file for later review in case of problems. You can redirect the output by using cscript script.vbs options > scriptname.txt. The greater-than (>) operator tells the command prompt to also send the output of a command to another location, in this case a text file. Using this method enables you to save any messages that are generated by ClonePrincipal while it is running.


www.sybex.com

Summary

333

Troubleshooting NETDOM The troubleshooting for NETDOM falls under the heading of simple network troubleshooting. Sort of. If you are using NETDOM to manage or create trusts, you will need to verify the configuration requirements for trust relationships. Check that the domain controllers and the domains have unique SIDs and that the PDC and/or PDC Emulators can communicate across the network. Also make sure that they don’t have a current network session established. The only other troubleshooting to be done with NETDOM is to make sure that you entered the correct syntax and user credentials. Accurate typing is vital, especially since you have to deal with potentially long command lines. I find it useful to double-check my spelling and syntax before pressing the Enter key. Spending a little time up front being careful can actually save quite a bit of time in the long run. Consult the online Help for the Support Tools for more detailed descriptions of the syntax for the NETDOM command.

Summary

In this chapter, you learned how to install, configure, and use some of the migration tools for Windows 2000. We started by talking about Active Directory Migration Tool (ADMT), which will probably be one of your most important tools during your migration. We then explained how to use ClonePrincipal for copying security principals from one domain to another, updating the SIDHistory attribute of the accounts while leaving the original accounts intact. You also learned how to migrate user and group accounts from a source domain to a Windows 2000 target domain. You learned how to use ClonePrincipal to copy user and group accounts to the target domain without disrupting the original accounts. Then you learned how to use Active Directory Migration Tool to migrate user and group accounts to the Windows 2000 target domain. We finished the chapter by looking at troubleshooting techniques for the major migration tools.


www.sybex.com

334

Chapter 7

Migration Tools

Key Terms Before you take the exam, be sure you’re familiar with the following terms: Active Directory Migration Tool ClonePrincipal NETDOM realm Relative ID Master Relative Identifier (RID) translation


www.sybex.com

Case Study: Consultants R Us

335


Background You have been given the task of migrating your network from Windows NT 4.0 to Windows 2000 Server. After doing some research, you decide to build a pristine Windows 2000 environment and use ADMT to perform the migration.

Current System Your current network consists of 750 users in three NT domains spread out over three locations. Each location has at least two servers (a PDC and a BDC) that are capable of supporting Windows 2000 Server. The trust relationships follow a complete mesh model.

Goal Your Windows 2000 design calls for merging the three NT domains into one Windows 2000 domain.

Questions 1. You want to confirm and document the trust relationships currently

configured on your network. Which of the following tools would you use? (Choose all that apply.) A. ADMT B. ClonePrincipal C. NETDOM D. Windows NT User Manager for Domains


www.sybex.com

CASE STUDY


CASE STUDY

336

Chapter 7

Migration Tools

2. You have been rather lax in applying service packs to your Win-

dows NT 4.0 Servers. What is the earliest version of the service pack necessary to allow the ADMT agent to run? A. 2 B. 3 C. 4 D. 5 3. Build list and reorder: You have put together a list of tasks that must

be accomplished to prepare for running ADMT. Place them in the order that they should be performed. Task

Task Disconnect any active sessions between domains. Run the Reporting Wizard. Edit the Registry on the source PDC. Place the target domain in native mode. Create <SourceDomainName>$$$ local group in the source domain.


www.sybex.com


337

1. C, D. Which tool you choose is really dependent upon your personal

tastes—NETDOM is a command-line utility and User Manager for Domains is GUI-based. 2. C. ADMT requires Service Pack 4 or greater on NT 4.0 Servers and

Service Pack 5 or higher on NT 3.51 Servers. 3.

Task Place the target domain in native mode. Create <SourceDomainName>$$S local group in the source domain. Edit the Registry on the source PDC. Disconnect any active sessions between domains. Run the Reporting Wizard.


www.sybex.com

CASE STUDY ANSWERS

Answers

338

Chapter 7

Migration Tools

Review Questions 1. You are planning to use Active Directory Migration Tool (ADMT) to

assist with your migration from NT 4 to Windows 2000. Where should you install ADMT? A. On the PDC of the source domain B. On the PDC of the target domain C. On any domain controller in the source domain D. On any domain controller in the target domain 2. You’ve read that it’s important to synchronize the time on your servers

when using ADMT. What happens if you fail to do this? A. The migration will fail. B. The audit records will be inaccurate. C. Directory replication will fail. D. Nothing will happen; operation will continue normally. 3. How does ADMT work with remote systems in the source domains? A. It dispatches SMTP messages that tell the system administrator

what to configure. B. It sends RPCs over TCP/IP to directly edit the Registry on the

remote system. C. It dispatches a software agent to perform the assigned tasks. D. It uses DHCP and DNS to update the system entries in WINS.


www.sybex.com

Review Questions

339

4. Which component of ADMT will enable you to switch the current set-

tings for local profiles to use the new SID of the migrated user account? A. User Migration Wizard B. Security Translation Wizard C. Trust Migration Wizard D. Group Migration Wizard 5. What kind of scripting does ClonePrincipal use by default? A. Java B. ActiveX C. Visual Basic D. Perl 6. Which of the sample scripts provided with ClonePrincipal could you

use to clone just the global groups from a source domain to a target domain? A. Cloneggu.vbs B. Clonepr.vbs C. Clonegg.vbs D. Clonesec.vbs 7. How can NETDOM assist with the migration process? (Choose all

that apply.) A. It can synchronize the system clocks of servers. B. It can enumerate the existing trusts for a given domain. C. It can add or remove trust relationships. D. It can migrate user accounts from NT 3.51 to Windows 2000.


www.sybex.com

340

Chapter 7

Migration Tools

8. You suspect that the secure channel of communication has been bro-

ken between an NT 4 Workstation computer and its Windows 2000 domain controller. Which tool should you use to reset this secure channel? A. ChannelReset B. ClonePrincipal C. NETDOM D. ADMT 9. You have been trying to use ClonePrincipal to copy some user

accounts to your target domain. You suspect that the SIDHistory attribute has not been updated. What could be the reason for this? A. The target domain is not in native mode. B. The source domain is not in native mode. C. The target domain is not in mixed mode. D. The source domain is not in mixed mode. 10. You are using ClonePrincipal and are having random errors during

the processing of some user accounts. Where can you look for greater detail in error reporting for ClonePrincipal? A. The Windows 2000 Resource Kit B. The clonepr.log file C. The System log in Event Viewer D. The online Help file for Windows 2000


www.sybex.com

Review Questions

341

11. You want to move an existing Windows 2000 computer into your

Windows 2000 domain, in an OU created specially to hold your computer accounts in the Research department. Which migration tool could you use to do this? A. NETDOM B. ClonePrincipal C. Move Tree D. ADSIEdit 12. You are planning to perform an intra-forest migration using ADMT.

On which one of the Flexible Single Masters of Operations roles should you install ADMT? A. The PDC Emulator B. The RID Master C. The Infrastructure Master D. The Schema Master 13. You are planning to use ClonePrincipal to assist with your network

migration. Which group should you create to assist with the auditing process during the cloning? A. A global group called target_domain$$$ B. A global group called source_domain$$$ C. A local group called target_domain$$$ D. A local group called source_domain$$$ 14. Which migration tool would you use to create trust relationships

between two Windows NT 4 domains? A. ADMT B. User Manager for Domains C. NETDOM D. ADSIEdit


www.sybex.com

342

Chapter 7

Migration Tools

15. You are attempting to use Active Directory Migration Tool to migrate

some user accounts from the source domain to the new target domain, but something has gone wrong and the migration is interrupted before it can complete. What should you do next? (Choose all that apply.) A. Try using the Undo Wizard to roll back the changes that have

been made. B. Try using the Retry Tasks Wizard to complete the migration. C. There’s no way to recover the accounts; you’ll need to re-create

them in the target domain manually. D. You have tape backups, don’t you? 16. You are planning to migrate your company network to Windows 2000,

but you are concerned about the wisdom of moving the accounts to the new Windows 2000 domain and not providing some kind of fallback position in case the migration fails. Which tool could help to create new accounts in Windows 2000 without destroying the old accounts? A. ADMT B. ClonePrincipal C. Move Tree D. NETDOM 17. You have successfully migrated all of your domains to Windows 2000.

Now you want to collapse some of your network structure into a single domain. Which command-line tool will assist you in collapsing your domain structure? A. ADMT B. ClonePrincipal C. Move Tree D. NETDOM


www.sybex.com

Review Questions

343

18. You are migrating to Active Directory and are trying to move user

accounts used by services to a new Windows 2000 domain. Which tool would safely migrate these accounts to a new domain? A. Move Tree B. Service Account Migration Wizard C. User Migration Wizard D. Exchange Directory Migration Wizard 19. When using Active Directory Migration Tool to migrate user

accounts, how will duplicate accounts be handled? A. That depends on the configuration selected during the wizard. B. All duplicate accounts will be deleted. C. All duplicate accounts will be renamed. D. Windows 2000 permits accounts to have the same names, because

it uses the account’s SID to tell the difference. 20. Which of the following are benefits of using ClonePrincipal to copy

user accounts to a target domain? (Choose all that apply.) A. There is no disruption of the production environment. B. Security access is maintained automatically using the SIDHistory

feature. C. Duplicate accounts are automatically deleted. D. Multiple groups from different domains can be merged into the

same target group.


www.sybex.com

344

Chapter 7

Migration Tools

Answers to Review Questions 1. D. ADMT must be installed on a domain controller in the target domain.

Since Windows 2000 uses multi-master replication, any domain controller will do. 2. B. Auditing is required in both the source and the target domains

when using ADMT. Having the system clocks synchronized helps to ensure that the audit records will be accurate. 3. C. ADMT dispatches an agent to perform various tasks on the remote

system, using the supplied user credentials. 4. B. The Security Translation Wizard will change the SID used by the

local computer profiles to the new SID of the migrated account in the target domain. 5. C. ClonePrincipal uses the Visual Basic Scripting Edition for its

default scripting language. 6. C. The clonegg.vbs script will enable you to clone all of the global

groups from the source domain to the target domain. 7. A, B, C. NETDOM can perform all of the tasks outlined in answers A,

B, and C. 8. C. NETDOM can verify or even reset the secure communication chan-

nel that exists between member servers or workstations and the domain. 9. A. The SIDHistory attribute is supported only in Windows 2000

domains running in native mode. 10. B. ClonePrincipal creates a detailed log file of its operation. The

clonepr.log file is located in %SystemRoot%\debug.


www.sybex.com


345

11. A. NETDOM would enable you to join the computer to the domain

by creating a new computer account and then installing the necessary shared secret so that the computer would assume its new role as a member of your Windows 2000 domain. 12. B. ADMT will have to communicate extensively with the RID Master

while creating new SIDs for migrated accounts. It’s best if you can install ADMT on the RID Master to avoid a heavy impact on network traffic. 13. D. For auditing purposes, you must create a local group in the source

domain with the name of the source domain followed by three dollar signs ($$$). 14. C. NETDOM can also create and manage trust relationships for NT 4

domains. 15. A or B. Answer B would be the best option at this point, as the Retry

Tasks Wizard may be able to safely complete the migration. If this doesn’t work, then answer A would be appropriate—to attempt to roll back the changes. 16. B. ClonePrincipal works by copying the original accounts to a new

Windows 2000 domain, leaving the original accounts intact. 17. C. Move Tree enables you to move sections of an Active Directory tree

to new locations elsewhere in the same tree. This means you could easily move an OU from one domain to another in the same tree, collapsing the structure into a single domain if you wish. 18. B. The Service Account Migration Wizard will move the service

accounts to the new domain without losing the passwords or necessary rights and permissions. 19. A. You must tell the wizard how to handle the duplicate entries.

Options include aborting the migration of those accounts, overwriting the target account, and renaming the new account. 20. A, B, and D. All three of these answers are features of using Clone-

Principal.


www.sybex.com

Chapter

8

Planning for Disaster Recovery MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Perform test deployments of intra-forest migrations and inter-forest migrations. Implement disaster recovery plans.

Restore pre-migration environment.

Roll back implementation to a specific point.


www.sybex.com

I

t’s never much fun thinking about all of the things that can go wrong with a project. But in the case of an operating system migration, you need to have a contingency plan just in case the unthinkable happens. Have you ever found yourself in the position of knowing the hard disk in your computer just failed and wondering how current your backups are? Or maybe you were wondering if you even had backups. This chapter will examine some of the methods you can use in Windows 2000 to prepare for disaster recovery. You will learn how to use the Recovery Console to recover from various problems with your Windows 2000 Servers. You’ll also learn how to prepare a recovery plan for your Windows 2000 migration, including how to give yourself a way to return safely to the original configuration of your network.

Avoiding the Unknown

D

isaster recovery is an interesting specialty in the Information Technology (IT) field. When you are planning for disaster recovery, you are trying to plan for the unknown. You are attempting to think of any possibility for failure in your systems and to find a way to handle the problem just in case it really happens. Consider for a moment just how bad this can get. In this day of .com startups and initial public offerings of stock, these companies frequently have a product that exists solely as a set of data on their server. What if such a company were performing daily tape backups of all of this data, believing this made them safe? When their drives failed in the server


www.sybex.com


349

one day, they’d think, “No problem, we’ll just restore from tape,” only to discover that their tapes were blank.


Implement disaster recovery plans.



No backup is ever good until it has been tested by a trial restore. I actually heard of a company where the previous example happened. In their case, they were diligently performing every necessary step to back up every day. But they never tested the tapes, and when they needed them they lost everything the company had because the tapes didn’t record the data. What would help in this situation, from a disaster-recovery standpoint, would be to ask yourself, “What could go wrong?” Once you’ve thought of everything that could possibly go wrong, try to think of some more things that could happen to interfere with your process. This is merely a “nutshell” description of disaster recovery, since you could easily write whole books devoted to the topic, but it will serve as a starting point to discuss the features in Windows 2000 that can help you recover your network from a failed migration. First, let’s take a look at some areas that will affect your overall migration planning.

Reviewing Your Plans You’ve heard me say it before: Plan things out. When referring to disasters, it’s impossible to plan when or what they will be. However, it is possible— and suggested—to plan as much prevention and recovery as possible. There are two ways to deal with disasters: disaster prevention and disaster recovery. Most of the time, they are very interrelated. Even the best-laid disaster-prevention plans don’t prevent crashes—they just hope to minimize the damage. When reviewing migration plans for disaster prevention and recovery, I find it helpful to break the plan down into four categories: hardware, software, infrastructure, and personnel. Whether this system works for you or not will be a matter of experience. However, I believe that a structured approach to disaster-recovery planning will help you to avoid overlooking some important detail.


www.sybex.com

350

Chapter 8

Planning for Disaster Recovery

Hardware There are numerous ways to protect your systems with hardware, from redundant hardware devices (such as hard disks, fans, and even CPUs), to RAID, to clustering. This is an area that will quickly go beyond the scope of this single book, but a few topics should be introduced here. Most will be highly dependent upon the server hardware you have chosen and will be supplied by the computer vendor. But we do need to discuss Redundant Arrays of Inexpensive Disks (RAID). RAID is oftentimes more proactive (preventive) than reactive (recovery), but it is a valuable part of any network and needs to be considered during migration. RAID has several levels of protection and can be implemented in either hardware or software. The Windows 2000 Server family (Server, Advanced Server, and Datacenter Server) supports software RAID. All versions of Windows 2000 support hardware-based RAID, since the operating system would see the disks only as described by the RAID controller. For the exam, you will need to understand the software implementation of RAID as provided by Windows 2000. Windows 2000 provides RAID levels 0, 1, and 5. Table 8.1 describes some of the properties of the different levels. TABLE 8.1

Properties of RAID Levels Supported by Windows 2000 Property

RAID 0

RAID 1

RAID 5

Fault tolerance

No

Yes

Yes

Minimum number of disks

2

2

3

Maximum number of disks

32

2

32

File systems supported

FAT, FAT32, NTFS

FAT, FAT32, NTFS

FAT, FAT32, NTFS


www.sybex.com


351

RAID 0 is called disk striping. Striping provides very high performance for both reading and writing since the data is layered across multiple physical disks at the same time. Because the layers, or stripes, are distributed across multiple physical disks, Windows 2000 can retrieve multiple pieces of data, one from each physical disk, without having to wait for each request to be fulfilled. Striping gives you the fastest performance of any volume type available in Windows 2000, but it is not fault tolerant. Fault tolerance is the ability to sustain an error (fault) or complete failure of a single disk while still maintaining the data in an accessible form. If you are using RAID 0 and one disk fails, you will lose all of the data on the RAID 0 set. RAID 1 is called mirroring because it uses two physical disks to create mirror images of the data. Mirroring is a good form of fault tolerance because if a single disk fails, the other disk in the mirror set still has the exact same data. You can install and operate Windows 2000 on a mirrored disk. Because of this, mirroring is the only form of software-based fault tolerance available to Windows 2000 system and boot files. You might also see the term disk duplexing. Disk duplexing is the same as mirroring, but instead of the drives being on the same physical controller, they are on different controllers. Windows 2000 does not differentiate between mirroring and duplexing, as they provide essentially the same level of fault tolerance. Just know that if you create a mirror set but the drives are on different controllers, you are really creating a duplex. Many people consider RAID 5 the king of fault tolerance because it combines high performance for disk reads and superior fault tolerance. RAID 5 is called striping with parity because the data is layered across multiple physical disks, just like striping, but each stripe also has a block of error-correction data called parity that can be used to reconstruct the data in the event of a single disk failure. Writing tends to be slower than for other volumes because Windows 2000 must compute the parity information for each stripe that it writes. Read performance is outstanding because RAID 5 reads just like a stripe set and the parity doesn’t matter. If a single disk fails in a stripe set with parity, the remaining data and the parity information combine to re-create


www.sybex.com

352

Chapter 8


the missing data on the fly. If multiple disks fail in a stripe set with parity, you must restore from a backup. EXERCISE 8.1

Creating a Fault-Tolerant Disk Set To create a fault-tolerant disk set in Windows 2000, follow these steps:

1. Open Computer Management by clicking Start Programs Administrative Tools Computer Management.

2. Expand the Storage node in the left pane and click Disk Management. You should see something similar to the following graphic.

3. Right-click an area of unallocated disk space and select Create Volume from the context menu. This will open the Create Volume Wizard. Click Next to proceed.

4. Specify the type of volume to create. Click Next.


www.sybex.com


353


5. Select the disks that will participate in this fault-tolerant set. Windows 2000 will accept any areas of unallocated space to become new volumes, but the number of areas selected will determine the type of volume that can be created.

6. Enter the volume size. This will set the amount of space used on each disk to create the set.

7. Assign a drive letter or a path to the new fault-tolerant set. Windows 2000 will permit you to use a path instead of a drive letter if you wish. To do this, the path must exist on an NTFS volume and point to an empty folder.

8. Format the volume with whichever file system you plan to use for the set. NTFS has the most fault-tolerant properties of the supported file systems and should be used in most cases. Fault-tolerant sets created in Windows 2000 will not be available to any other operating system on the computer.

RAID can also be implemented in hardware, which is by far the better solution. When Windows 2000 is responsible for managing the fault tolerance, it places an additional load on the system. A hardware RAID solution, on the other hand, manages the fault tolerance entirely on the hardware disk controller. A RAID controller typically has a dedicated processor and memory to handle the fault-tolerance operations of reading and writing to the sets. The operating system on a computer with hardware RAID sees only the volumes that the hardware controller has already created and treats each of those sets as a single volume. Why doesn’t everyone use hardware RAID if it’s so much better than software RAID? The answer is simple—hardware is expensive, and the software version is free. Windows 2000 also incorporates new types of partitions, though the changes appear to be mostly semantic at first. Windows 2000 still supports the original partitioning that we’ve used for years but calls those partitions basic disks. On a basic disk, you can have a maximum of four partitions.


www.sybex.com

354

Chapter 8


These partitions can be a mixture of primary and extended partitions, though there can be only one extended partition per disk. The reason for the limitation is that the partition information is stored in the partition table, which is contained in the Master Boot Record (MBR) of the disk. Because the space is limited in the MBR, we have a limitation on the number of partitions allowed. The new types of partitions in Windows 2000 are called dynamic disks. The dynamic disk can support an unlimited number of volumes. A volume is a logical division of a dynamic disk similar to a partition. Dynamic disks can have a larger number of divisions because the partitioning information is stored in a space at the end of the drive. When you convert a basic disk to a dynamic disk, you must leave 1MB of free space at the end of the drive to contain the partition information for the dynamic disk. Another way that Windows 2000 supports unlimited volumes on a dynamic disk is that you are no longer required to use a drive letter for a partition. Windows 2000 enables you to mount a volume on any empty folder on an NTFS volume. This means that what appears to be a folder on your NTFS volume may actually be a RAID 5 array. Windows 2000 supports mirror sets and RAID 5 stripe sets with parity on computers that have been upgraded from NT 4. There are some limitations, however. You can repair, break, or delete mirror sets on a basic disk, but you cannot create a mirror set on a basic disk. The same is true of RAID 5 stripe sets with parity. To create either a mirror volume or a RAID 5 volume, you must create them on a dynamic disk in Windows 2000. If you have upgraded your server from NT 4 to Windows 2000, you can convert your basic disk RAID sets to dynamic disks without losing data. EXERCISE 8.2

Converting a Mirror Set to a Dynamic Disk To convert a mirror set to a dynamic disk, use the following steps:

1. Open Computer Management in the Administrative Tools group.


www.sybex.com



2. In the left pane of the Computer Management screen, expand the Storage node.

3. Click Disk Management. The Computer Management console should look similar to the following graphic.

4. Right-click the disk label beside the disk you want to convert. The disk label is in the right pane to the left of the partition information and contains the information that describes the physical disk. Select Upgrade To Dynamic Disk from the context menu.


www.sybex.com

355

356

Chapter 8



5. The Upgrade to Dynamic Disk dialog box shown in the following graphic opens. Place a check mark beside the basic disks you wish to convert to dynamic disks. Click OK.

6. The Disks to Upgrade dialog opens to ask for confirmation on the actions to be taken. If you are satisfied with the actions that it reports, click OK. Your basic disks will now be converted to dynamic disks.

Windows 2000 can attempt to repair a damaged mirror volume or RAID 5 volume. If a single disk has gone offline, Disk Management will display the offline disk with the status of Missing, Offline, or Online (Errors). If the disk in one of your RAID sets displays any of these messages, right-click the damaged disk and select Reactivate Disk from the context menu. Windows 2000 will attempt to correct any errors on the disk and bring it back online as part of your RAID set. If this doesn’t return the status of the disk to Healthy, you will have to repair the RAID set by replacing the failed disk. If one of the physical disks in a RAID 5 volume fails, replace the physical disk and right-click the RAID 5 volume in Disk Management. Select Repair Volume from the context menu to start a wizard that will enable you to pick a new disk to replace the failed disk. If one of the disks in a mirror volume fails, right-click the failed disk in Disk Management and select Remove Mirror from the context menu. This will break the mirror volume association between the two physical disks. Replace the physical disk that has failed. In Disk Management, right-click the remaining disk from the original mirror set and select Add Mirror from the context menu. This will start a wizard that will enable you to select the new disk to replace the failed disk.


www.sybex.com


357

It is important to remember that mirror volumes and RAID 5 volumes can only be created in Windows 2000 using dynamic disks.

Software Even when implementing fault-tolerant solutions like RAID, you must still take other measures. When we talk about disaster recovery in terms of software, we’re usually talking about backup programs. Windows 2000 contains an improved Backup program. You can start the program by clicking Start Programs Accessories System Tools Backup. The window shown in Figure 8.1 appears, giving you immediate access to the Backup Wizard, the Restore Wizard, and the Emergency Repair Disk. FIGURE 8.1

The Windows Backup opening dialog

This edition of the Backup program in Windows 2000 is actually quite good, with many improvements over the old NT Backup. For instance, you can now back up to any available drive, even network drives and removable media. You can schedule backup operations using the integrated graphical


www.sybex.com

358

Chapter 8


schedule utility. I love that part the most. The ability to back up to removable media means that your rewritable CD is now a valid backup device without additional third-party software. The information that you really need for the exam involves the backup and restore of the system using the Windows Backup program. Backing up data works pretty much the same way that it did in the old NT Backup utility. If you want to perform a manual backup job (as in not using the wizard to set up the job), click the Backup tab, as shown in Figure 8.2. Here you can check the boxes beside any drive you want to back up, or you can expand drives to back up individual files and folders. FIGURE 8.2

The Backup tab of the Windows Backup utility

The checkboxes have three states. That is, they indicate three separate selection types. A white background with no check mark means that nothing is selected. A white background with a check mark means that everything within that drive or folder will be backed up. And a check mark on a gray background means that some of the contents of the drive or folder are selected, but not all of them. You can back up and restore any drive that can be accessed by Windows 2000, including network drives. The most important aspect of backup and restore for servers is a new option to back up or restore the


www.sybex.com


359

System State. The System State is the current configuration of the server, including the following: Active Directory This is the heart of the domain information for a domain controller—or maybe even the entire forest. This database contains all of the objects in the Active Directory: all users, computers, groups, and policies. Boot files These are the files required to boot Windows 2000 and are typically located in the C:\ folder. Specifically, they include NTLDR, NTDETECT.COM, and the BOOT.INI files. COM+ Class Registration Database This database contains the registration information for program components that follow the Component Object Model programming specifications. Registry This database holds configuration information for the local computer and users. It contains all of the information needed to run Windows 2000 on the local computer. Sysvol This shared system folder exists on all Windows 2000 domain controllers. It contains scripts and some of the Group Policy Objects (GPOs) for the domain. The system information must be backed up as a single unit; you cannot back up a single component of the System State. With the System State information safely backed up, you can recover your domain controller from a complete failure. You would have to reinstall Windows 2000 Server on your computer after repairing whatever hardware caused the failure and then use the Backup program to restore the System State information. This will bring the domain controller back to the state it was in when the System State information was backed up. Any system information that was changed after that time will be lost.

Microsoft references show only the items in the previous list as parts of the System State backup. However, when I ran a backup of the System State on my domain controller, I was surprised to discover that it backed up nearly 300MB of system data! It appears to also back up all of the contents of the Winnt folder and subfolders. This is good in that it will provide a more complete restore, but it isn’t described in the reference materials. Be aware of this discrepancy when you take the exam.


www.sybex.com

360

Chapter 8


Restoring data is just as easy as backing up. There is a wizard that will walk you through all of the necessary steps, or you can perform the restore manually. The Restore tab of Windows Backup is shown in Figure 8.3. To select data to be restored, simply check the boxes for the drives or folders that you want to restore. These checkboxes have the same three state functions that the checkboxes on the Backup tab have. FIGURE 8.3

The Restore tab of the Windows Backup utility

The other main feature of the Windows Backup program is the integrated graphical scheduling program. This feature enables you to create a backup job and schedule it to occur once or at recurring intervals. To schedule a job, double-click the date you want the job to run, and the Backup Wizard will open to help you create the backup job. You will have to specify a set of user credentials to use for the backup job in order to schedule it. The Schedule Jobs tab of the Backup utility is shown in Figure 8.4.


www.sybex.com


FIGURE 8.4

361

The Schedule Jobs tab lets you create backup jobs that will run at a later date and time.

Infrastructure Planning for disaster recovery should always include plans for the infrastructure of your server room. Even if you don’t have a real server room, just a couple of servers stuck under someone’s desk, you still should think about the infrastructure support for these machines. Things like power, dust, and most of all heat can affect server performance. For any computer that you want to depend on, you should install some sort of power protection. The more important the computer, the more protection you should provide. An uninterruptible power supply (UPS) is a great idea. A UPS contains enough battery power to help the computer continue until either the main power is restored or the computer can be shut down safely. One of my favorite stories to tell in the classroom involves a server that was going down mysteriously every night around 10:00 P.M. The support staff spent several weeks trying to troubleshoot various possibilities, but to no avail. Finally someone was asked to sit by the computer to see what happened each night. At 10:00, the door opened and the janitor walked in, unplugged the server, and plugged in his vacuum cleaner. If they’d had a suitable UPS, this wouldn’t have been as much of a problem.


www.sybex.com

362

Chapter 8


This does bring up another good point, however. No one should be able to simply walk in and turn off a server. Again, if the server is important to your network, then it’s worth protecting. Physical access to important servers should always be restricted for security and reliability reasons. If you do have a server room, then you’re probably aware that temperature is one of your main concerns. Computers generate a great deal of heat, and they don’t respond well to rises in temperature. In a data center, one of the greatest concerns is how to apply air conditioning to prevent heat buildup. If you have the server stuck under someone’s desk, does it receive proper ventilation? Or does that person pile papers and personal belongings on top of the server until it melts? And as for dust, the big reason for eliminating dust is that it acts like a blanket inside the computer, causing an evergreater increase in temperature.

Personnel In my opinion, the most commonly overlooked area of planning for disaster recovery is personnel. Who will take over the work if your team is suddenly out of the picture? I know this isn’t a pleasant topic. Far from it in fact, but you need to consider it if you are to do a good job at disaster-recovery planning. Disaster recovery in terms of personnel means cross training your staff so that there are no jobs that only one person can do. This is usually a tough battle to fight, since people want to feel that they are valuable and that the company could never afford to let them go. These people will deliberately avoid sharing skills and knowledge with others because they need to feel irreplaceable. I’ve seen this attitude often in well-established teams of people. Maybe that’s why so many high-tech companies have embraced the mantra of “Change is good.” But aside from the gloom of thinking about a valued co-worker not coming back some day, remember that people need to take vacations from time to time. They also get sick. Or their kids get sick. Whatever the cause, you may eventually find yourself short staffed. How will you handle it?

Testing the Deployment We created a test lab for the migration in Chapter 3, “Planning for the Migration.” Your test lab will play a vital part in testing your disaster-recovery


www.sybex.com


363

schemes as well as the deployment itself. It gives you an opportunity to perform some trial backups and restores to test your disaster-recovery plan.


Perform test deployments of intra-forest migrations and inter-forest migrations.

In the case of creating a disaster-recovery plan, remember that no backup should be considered good until it has been tested. Once you have created a plan for backups, try it out in the test lab where you have created an image of the production environment. This will enable you to back up the system states on your domain controllers and practice restoring them from complete failures. Document your experiences here, as they will be valuable if and when it becomes necessary to perform a real recovery of a domain controller. It will also be a good idea to spend some time working on tape storage procedures. It’s been my experience that tape can go bad at the worst possible moment simply because the moon’s at an unfavorable phase. I’ve told my students to be careful not to have impure thoughts while standing within 10 feet of their tape backups or the tape will go bad. Now, I’m joking with this, sort of. Many types of tape media will go bad easily if not stored correctly. However, there are types of tape that are much more resilient than the older formats. All tapes must be treated carefully if they are to be of any use when the need arises. Periodically, even after the migration to Windows 2000 is complete, pull out a set of backup tapes and use one of the servers in the test lab to perform a trial restore. Verify that your procedures work to restore the full image of the server and also that your tape storage methods are working.

Preparing for the Worst Okay, so you’re preparing for a migration of your network to Windows 2000. It will work fine, right? Probably so. But what if something goes wrong? The mark of a true professional is how well he or she prepares for all possible outcomes. If the server goes down and you find a small mushroom cloud rising from the server rack, people will judge you by how well you recover from adversity. Had enough of the soapbox lecture?


www.sybex.com

364

Chapter 8


Here are some recommendations for preparing your environment for possible problems encountered during a migration to Windows 2000: Keep one backup domain controller offline. Pick one of your backup domain controllers to fully synchronize before the PDC is upgraded, then take it offline. This will provide a means of recovery for the domain in case you need to roll back the migration. Perform a full backup of every server before it is upgraded. A full backup preserves not only the system information, but also the data the server may contain. This measure will provide a safe way to restore the original environment. Follow your migration plan. You’ve spent a lot of time preparing documents that detail every step of the process. Makes sense to use them, right? Document any deviation from the migration plan. In some cases, you will find reasons to change the plan. Decide whether this will be a temporary departure from the migration plan or if the plan needs to be modified. Either way, document your changes. Set expectations. Let your users and your management know what to expect during the migration. If problems are encountered, keep them informed of the status as well as when they can expect a resolution. EXERCISE 8.3

Creating a Disaster-Recovery Plan This exercise will be fairly esoteric because we all have different environments to plan for. With that in mind, create a disaster-recovery plan for a single-server upgrade to Windows 2000. Use the following criteria:

You are upgrading a Windows NT 4 primary domain controller. There are two backup domain controllers elsewhere in the building.

There are 500 users in the single domain.

The server has a locally installed tape drive.

The server is located in your office, which is accessible to many people during the day. It is normally locked at night, but the janitorial staff has keys so that they can get in to clean the office.


www.sybex.com

Restoring the Original Environment

365


Create a plan that provides the highest level of preparedness for every possible problem you can foresee. Use the following questions to get started:

1. How can you protect the user accounts from loss during the upgrade?

2. How can you protect the data from loss during the upgrade? 3. How can you protect the server from a power failure?


N

ow we need to consider the unthinkable: what to do when your migration fails. For most of you, this will merely be a thought exercise, since you won’t have any problems at all. But some of you will encounter problems during the migration. Frankly, I’d be very surprised if a migration went perfectly as planned, though I’m always happy when it does.


Implement disaster recovery plans.



This section looks at ways that you can recover a failed server or even a failed network migration. If you have taken steps to provide a way out of a failure during an upgrade or a migration, then you will be in good shape. If not, then this section may also give you some ideas of things to do to recover your server or your network.

Using Disaster-Recovery Tools Earlier in this chapter, you learned about the Backup utility in Windows 2000 and how it can be used for backups. You also learned about preparing for migrations by taking a fully synchronized backup domain controller offline


www.sybex.com

366

Chapter 8


prior to the upgrade. Now you will learn some of the ways that Backup and the Recovery Console can be used to restore a server after a partial or complete failure.

Windows 2000 Backup Windows Backup can be used to restore data, but you already know that. It can also be used to recover deleted objects from the Active Directory. You can use Backup to restore the System State information, restore the entire computer image, or just replace one object that was accidentally deleted from the Active Directory. We’ll examine three basic scenarios in turn: a failed domain controller, a damaged Active Directory database, and an authoritative restore of a single object in the Directory. Restoring a Failed Domain Controller In the event of a partial or total failure of a Windows 2000 domain controller, you must first make sure that the computer is able to run Windows 2000. This may entail reinstalling the operating system, or it may mean repairing some files to get the machine booting again. You may have to replace hard drives or just believe in my favorite saying, “Fdisk is your friend.” (I’ve never met a software problem that couldn’t be solved with Fdisk.) Starting fresh with a new format on the disks is a good idea when recovering a server. This is, of course, assuming that you have a recent backup from which to restore. Once Windows 2000 is reinstalled and running correctly, use Windows Backup to restore the System State and all data. Doing so will restore the domain controller to the state it was in when the last backup was run. After the restore has completed, Windows 2000 will perform a couple of tasks when it is rebooted: Consistency check Windows 2000 will perform a consistency check on the Active Directory database. The database will be verified and re-indexed. Replication The Active Directory services will replicate with the replication partners in the domain to bring the version of the Directory up to date. This will give it a chance to replicate any changed data and make its version of the Directory current. The File Replication Service will also replicate with its partners to get a current version of any scripts being replicated between servers. When these steps have been completed, your domain controller will be restored.


www.sybex.com


367

Restoring a Damaged Directory This scenario occurs when the Windows 2000 installation is running normally but the Active Directory database is damaged on that one computer. In this case, you don’t have to repair or restore the computer or the operating system, but you do need to restore the Active Directory database. Restart the computer and select Directory Services Restore Mode from the Advanced Options menu, as shown in Figure 8.5. You get to the Advanced Options by pressing the F8 key during boot. FIGURE 8.5

Press F8 during boot to access the Advanced Options menu.

Once the computer is restarted in Directory Services Restore Mode, use Windows Backup to restore the latest System State information from the backup. When you restart the computer, Windows 2000 will re-index the Directory database and replicate current information from the other domain controllers. Performing an Authoritative Restore An authoritative restore marks the newly restored information as the correct copy to be replicated to all domain controllers. Without this mechanism, any Directory information that had been deleted and then restored would simply be deleted again when replication occurred. With an authoritative restore,


www.sybex.com

368

Chapter 8


you have a very similar situation to the damaged database discussed previously. What’s unique here is that the operating system and the Directory are operating normally; you’re just trying to replace one or more objects that have been deleted from the Directory.

Before you do an authoritative restore, make sure the data you are restoring needs to overwrite more “current” data on the network.

Restart the computer and select Directory Services Restore Mode from the Advanced Options menu, as shown previously in Figure 8.5. (You get to the Advanced Options by pressing the F8 key during boot.) Once Windows 2000 is running in Directory Services Restore Mode, restore the most recent System State information that contains the objects you want to restore. Now you have to tell Active Directory that these objects should stay and not be removed when the next replication event occurs. EXERCISE 8.4

Marking Objects to Remain during a Replication To mark the objects, follow these steps:

1. At a command prompt, run Ntdsutil.exe. 2. Type authoritative restore at the command prompt. This indicates to Ntdsutil.exe that you want to mark recently restored Directory information as authoritative, that is to say that the restored copy is the real copy and should be replicated to the other domain controllers.

3. Use the command restore subtree to mark the restored object as authoritative for the Directory. For example, if you had accidentally deleted the Seattle OU of our example company Coolcompany, you would use the command restore subtree OU=Seattle,DC=coolcompany,DC=local to mark the Seattle OU that had been restored from tape as authoritative. This will cause the restored OU to be replicated to other domain controllers instead of being deleted again when replication occurs.


www.sybex.com


369

Backing up the System State is as simple as placing a check in a box. However, not doing it could be disastrous if your domain controller crashes. EXERCISE 8.5

Backing Up System State Information This exercise assumes that you have a Windows 2000 computer set up as a domain controller and that it has over 300MB of free space on a local hard disk.

1. Open Backup by clicking Start Programs Accessories System Tools Backup.

2. Click the Backup tab. 3. Expand the My Computer node in the left pane of the Backup window if it isn’t already expanded. Place a check mark in the box beside System State.

4. Click the Browse button next to the Backup Media Or File Name field at the bottom left of the dialog.

5. Browse for a local hard drive location that has at least 300MB of free space. Name the file System.bkf and click Open. This will return you to the Backup dialog.

6. Click the Start Backup button to begin the backup operation. Make note of the information provided on the various dialogs during the backup operation. Once you have successfully performed a backup of the System State, try it again using the Backup Wizard.

The Recovery Console Windows 2000 includes a number of enhancements that will help your troubleshooting. One of the best of these is the Recovery Console. Unfortunately, Microsoft decided not to install this utility by default, perhaps for security reasons, but it is easy to install. The Recovery Console is a commandprompt version of Windows 2000 to which you can boot your computer if it won’t boot to the graphical version of Windows 2000. It is an add-on to the Safe Mode options available from the Advanced Options.


www.sybex.com

370

Chapter 8


To install the Recovery Console, place the original Windows 2000 CD-ROM in your local CD drive and run the following command: D:\i386\ Winnt32 /cmdcons where D:\ is the letter assigned to your CD-ROM drive. This command will run a mini version of the Windows 2000 Setup program that will install the Recovery Console. The Recovery Console can also be accessed through the Repair process. If you need to use the Recovery Console and have not installed it ahead of time, you can access it by booting the computer with the Windows 2000 startup disks or by booting with the Windows 2000 CD-ROM. When the Setup program prompts you to choose between setting up Windows 2000 and performing a repair, select Repair. When you reach the Repair menu, one of the options presented to you will be to run the Recovery Console.

The Windows 2000 startup floppies can be created with the MAKEBOOT.EXE and MAKEBT32.EXE programs in the Bootdisk folder on the Windows 2000 CD-ROM.

The Recovery Console is almost like a small version of MS-DOS, except that the commands are native to Windows 2000. But the concept is the same—you’re booting the computer to a command prompt where you can perform various tasks using the commands built into the Recovery Console. Those commands are listed in Table 8.2. TABLE 8.2

Commands Supported by the Recovery Console Command

Description

Chdir (cd)

Changes the current folder, or if typed without parameters it will display the current folder path.

Chkdsk

Checks the hard disk for errors and displays a status report of its findings.

Cls

Clears the screen display.

Copy

Copies a file from one location to another. Can be used to copy the file to a new filename in the same folder.

Delete (del)

Deletes one or more files.


www.sybex.com


TABLE 8.2

371

Commands Supported by the Recovery Console (continued) Command

Description

Dir

Displays the contents of the current folder.

Disable

Disables a device driver or system service.

Enable

Enables a stopped device or service.

Exit

Exits from the Recovery Console and restarts the computer.

Fdisk

Manages partitions on the fixed disks in your computer.

Fixboot

Writes a new copy of the boot sector to the active partition.

Fixmbr

Writes a new Master Boot Record to the boot drive’s first physical sector. Repairs the partition table contained in the MBR.

Format

Formats a disk with any of the supported file systems in Windows 2000.

Help

Displays the list of commands available within the Recovery Console. If you type in help , you will receive additional help specific to that command.

Logon

Logs you on to an existing Windows 2000 installation on the local computer.

Map

Displays current drive mappings.

Mkdir (md)

Creates a new folder.

More

Displays a text file one screen at a time.

Rmdir (rd)

Deletes an empty folder.


www.sybex.com

372

Chapter 8


TABLE 8.2

Commands Supported by the Recovery Console (continued) Command

Description

Rename (ren)

Renames a file.

Systemroot

Changes the current folder to the systemroot folder of the Windows 2000 installation you are logged onto. For example, if Windows 2000 is installed in C:\winnt, then the systemroot command will change directory to C:\winnt.

Type

Displays a text file without breaks for pages.

You can use the Recovery Console to repair Windows 2000 if the problem you are working on involves corrupted or missing files or services and devices that are misbehaving. The Enable and Disable commands in particular will be useful for resolving issues with services and devices. If your problem involves the Registry or Active Directory, then the Recovery Console won’t be of much help. However, Registry issues that prevent your Windows 2000 computer from booting will often involve some new software service or device driver that you’ve installed. From that standpoint, the Recovery Console will be of great use.

Restoring Network Services Restoring network services in the event of a failed network migration will be possible if you took precautions before beginning the migration to Windows 2000. This means that you prepared backups of your network servers and that you held one server offline with current copies of your network service databases. To restore your network services, you can use either of two basic approaches, depending on your preparation:

Reinstall NT and restore system data and the Registry from the tape backup. This will give you a very clean restore of the original environment, but it does take time to perform a separate reinstallation of the operating system and restore from tape on every server.


www.sybex.com


373

Bring the offline server back online. If you prepared a single server with current versions of your network services under NT, then bringing this server back online may be all that you need to do to restore the original services.

Restoring your DHCP services may be more difficult to accomplish by restoring from tape. It is very possible that the address leases stored in the backup version of the database do not match the current leases. One of the easiest ways to resolve this would be to bring the DHCP server back online and then have your client computers release and renew their IP addresses. Alternatively, you can manually release all of the leases from the DHCP server and then have your clients release and renew their addresses. Restoring the WINS servers is something that I feel is best done from scratch. Restore the servers that will be running the Windows Internet Name Service (WINS) and then delete all of the entries in the WINS database. When your clients reboot their computers, they will create new entries in the database automatically. Restoring the Domain Name System (DNS) servers can be done simply by restoring the system from tape. DNS databases are held in static text files, and they won’t have changed since they were backed up, except for the dynamic information entered by Windows 2000. Since earlier versions of NT cannot use this dynamic information, you really aren’t losing much when you lose the dynamic information.

Restoring Accounts Restoring accounts to your network is simple if you prepared a backup domain controller before the migration. If you did not take that precaution, then your work to restore the original environment will be somewhat more difficult. EXERCISE 8.6

Restoring Accounts Using a Backup Domain Controller To restore your domain accounts using a backup domain controller from the original domain, follow these steps:

1. Shut down all running Windows 2000 domain controllers for the upgraded domain.


www.sybex.com

374

Chapter 8



2. Bring the BDC connected to the network online. 3. Promote the BDC to become the primary domain controller for its domain. This means that the copy of the domain user database that the BDC had is now made writable and is the master copy of the database.

4. Reinstall some of the other domain controllers with NT as backup domain controllers for the original domain.

5. Move server computer accounts into the original domain. 6. Move client computer accounts into the original domain.

Using these steps, your user accounts are intact, just as they were when the BDC was last synchronized prior to the migration. Adding the other computer accounts back into the domain makes them and the resources they contain accessible to the users. Be sure to carefully check user permissions and rights when moving back to the original domain environment, as you won’t have the luxury of the SIDHistory to help maintain user access. Restoring user accounts without a BDC held in reserve will take more legwork since you will have to visit every computer that needs to be reinstalled and then perform the tape restore on each of the servers, but in some ways it’s easy. EXERCISE 8.7

Restoring User Accounts without a Reserved Backup Domain Controller To restore your user accounts without a reserved BDC, follow these steps:

1. Pick a server to become the primary domain controller for the restored domain. Reinstall NT Server on this server.


www.sybex.com

Summary

375


2. Restore the last tape backup of the primary domain controller onto this server, including the Registry.

3. Verify that this computer comes online as the PDC of the original domain.

4. Repeat these steps with the other domain controllers. 5. Move server computer accounts into the original domain. 6. Move client computer accounts into the original domain. The member servers and workstations may remain on Windows 2000 or they can be returned to NT, whichever will best suit your needs.

I hope that everything will go well for your migration and that you will never have to resort to these methods to roll back the migration. But it is required knowledge for the exam, and it should be a required skill set for anyone who is going to manage a Windows 2000 migration project.

Summary

I

n this chapter, you learned how to implement hardware and software RAID to protect data. You learned how to use Windows Backup to back up and restore system data and the System State information. We discussed how planning should take into account your hardware, software, infrastructure, and personnel to provide a reliable disaster-recovery plan. In the last portion of the chapter, you learned how to restore your network to its condition prior to the migration. We examined the rollback of the migration, including domain controllers, network services, and user account information.


www.sybex.com

376

Chapter 8


Key Terms Before taking the exam, make sure you are familiar with the following terms: authoritative authoritative restore basic disk disk striping disk duplexing dynamic disk fault tolerant mirroring parity Recovery Console Redundant Arrays of Inexpensive Disks (RAID) striping with parity System State


www.sybex.com

Case Study: Consultants R US (CRU)

377


Background Your consulting company is bidding for a contract to perform a large migration from Windows NT 4.0 to Windows 2000. The RFB (Request For Bid) mandates that the proposed solution include a complete disaster-recovery plan in the event of a field migration. You have been assigned the task of building this plan.

Questions 1. Which of the following is the easiest and quickest way to ensure that

the old user and group account can be restored? A. Perform a complete backup of the PDC before upgrading it. B. Just before performing the upgrade of any domain, force replica-

tion and take the BDC offline. C. Document the environment before upgrading so that accounts can

be re-created. D. Back up the Registry of each domain controller before it is

upgraded.


www.sybex.com

CASE STUDY


CASE STUDY

378

Chapter 8


2. Build list and reorder: You need to document the process involved in

recovering a failed Windows 2000 domain controller. Place the tasks in the appropriate order. Task

Task Install Windows 2000. Fix or replace hardware. Restore data. Restore the System State information.

3. You want to suggest the most fault-tolerant and best-performing solu-

tion for any new servers that the client might need. Which one of the following would meet these criteria? A. Have all disks mirrored by Windows 2000. B. Wherever possible, utilize Windows 2000’s RAID 5 disk configuration. C. Wherever possible, utilize disk striping. D. Implement hardware-controlled RAID.


www.sybex.com


379

1. B. In the event of a failed upgrade process, you can take all of the new

Windows 2000 domain controllers offline, bring the BDC online, and promote it to PDC. 2.

Task Fix or replace hardware. Install Windows 2000. Restore the System State information. Restore data. 3. D. Hardware-controlled RAID provides the best combination of fault

tolerance and performance.


www.sybex.com

CASE STUDY ANSWERS

Answers

380

Chapter 8


Review Questions 1. RAID stands for what? A. Redundant Arrays of Individual Disks B. Removable Arrays of Individual Disks C. Redundant Arrays of Inexpensive Disks D. Redundant Arrays of Expensive Disks 2. Which RAID levels are supported in hardware for Windows 2000

Professional? A. All of them B. None of them C. RAID levels 1 and 5 D. Depends on the RAID controller 3. Which software RAID level can be used in Windows 2000 to protect

the operating system files? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10 4. You have decided to implement a RAID 5 set to protect your data.

How many disks must you use to create the set? A. one B. two C. three D. four


www.sybex.com

Review Questions

381

5. You need to perform a backup of your server’s data on Tuesday at

10:00 P.M., but you will be unable to come into the office at that time. How can you perform the backup? (Choose all that apply.) A. Write a batch file that starts Ntbackup, and schedule the file with

the AT command. B. Use a batch file for the Backup program, and schedule the batch

file with the System Scheduler. C. Use the integrated scheduling utility in Windows Backup to sched-

ule the backup job. D. Call in one of your junior Windows 2000 administrators to per-

form the backup. 6. Which of the following is not backed up as part of the System State? A. DNS database files B. Active Directory database C. COM+ Registration database D. Sysvol 7. How would you prepare for the possible loss of your user accounts

during the migration to Windows 2000? A. Perform a tape backup of the PDC prior to the migration. B. Use ClonePrincipal to copy the accounts from the Windows 2000

domain to the NT 4 domain. C. Synchronize one of the member servers with the PDC before the

migration. D. Synchronize one of the BDCs with the PDC before the migration,

then keep it offline in case you need to roll back the migration. 8. Which Windows 2000 tool would you use to recover a single user

account that was deleted from Active Directory? A. Backup B. Ntdsutil.exe C. Adsiedit.exe D. ClonePrincipal


www.sybex.com

382

Chapter 8


9. You are unable to boot your computer running Windows 2000. You

suspect that the problem is being caused by an incorrect Registry entry. Which tool should you use? A. Advanced Startup Options B. Recovery Console C. Ntdsutil.exe D. Adsiedit.exe 10. How would you reset the Master Boot Record so that it boots Win-

dows 2000? A. Advanced Startup Options B. Recovery Console C. Ntdsutil.exe D. Adsiedit.exe 11. Which file systems are supported on a RAID 1 mirror set under Win-

dows 2000? (Choose all that apply.) A. FAT B. FAT32 C. NTFS D. HPFS 12. Which Windows 2000 tool should you use to create a RAID 5 fault-

tolerant set? A. Fdisk B. Computer Management C. Active Directory Users and Computers D. Recovery Console


www.sybex.com

Review Questions

383

13. You want to back up your system configuration. Which option

should you pick in Backup to accomplish this? A. Include Registry B. System State C. Systemroot D. Full Backup 14. You are adding a new fault-tolerant set to your Windows 2000

Server but don’t want to use a drive letter for the volume. How can you do this? A. Assign a drive path to the volume using an empty folder on an

NTFS volume. B. Install it on another computer and connect to it using a UNC path. C. You must use a drive letter. D. Assign a drive path to the volume using an empty folder on a FAT

volume. 15. Which software RAID levels can be used in Windows 2000 to protect

your data files? (Choose all that apply.) A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10 16. How would you reset the boot sector so that it boots Windows 2000? A. Advanced Startup Options B. Recovery Console C. Ntdsutil.exe D. Adsiedit.exe


www.sybex.com

384

Chapter 8


17. How would you restore an object in Active Directory without having

the other domain controllers delete it again? A. Perform an authoritative restore. B. Use ClonePrincipal. C. Use Active Directory Migration Tool. D. Use the Active Directory Undo Wizard. 18. You are trying to perform an authoritative restore and have already

restored the objects from tape using Windows Backup. What command should you use next? A. adsiedit add B. cscript cloneadd /dom:name /object:name C. ntdsutil restore subtree D. addobject authoritative restore 19. You have just installed a new third-party service in Windows 2000,

and now your computer won’t boot. Which Recovery Console command might help with this? A. Fixmbr B. Fixserv C. Enable D. Disable 20. How can you install the Recovery Console? A. Winnt32 /cmdcons B. Winnt32 /recovery C. :\i386\Recovery\setup.exe D. Winnt /console


www.sybex.com


385

Answers to Review Questions 1. C. RAID stands for Redundant Arrays of Inexpensive Disks. 2. D. Windows 2000 Professional can use hardware-based RAID, but

the levels supported will depend on the controller. 3. B. The only RAID level available in Windows 2000 that can protect

the operating system itself is RAID 1 mirroring. 4. C. To implement RAID 5 striping with parity, you must use at least

three disks. 5. A or C. The Backup program in Windows 2000 includes the inte-

grated scheduling utility. Create the backup job, then use the Schedule tab to set the appropriate time for the job to run. 6. A. The DNS database files are not included in the System State infor-

mation unless the DNS zones are Active Directory Integrated Zones. 7. A or D. Having a fully synchronized BDC is the preferred answer to

this question; however, backing the PDC up to tape will also work. 8. B. To recover an object that was deleted from Active Directory, first

restore Active Directory using Backup, then use Ntdsutil.exe to mark the object as authoritative for Active Directory. 9. A. Use the Advanced Startup Options and select Last Known Good

Configuration. 10. B. Use the Recovery Console and run the Fixmbr command to reset

the MBR. 11. A, B, and C. Windows 2000 supports FAT, FAT32, and NTFS for

RAID 1 mirror sets. 12. B. Computer Management contains the Disk Management Console,

which enables you to perform all disk management tasks.


www.sybex.com

386

Chapter 8


13. B. Selecting System State backs up all of the important configuration

information for Windows 2000. 14. A. Windows 2000 will permit you to assign a path to a new volume if

you use an empty folder on an existing NTFS volume. 15. B and C. Both RAID 1 and RAID 5 can be used for data volumes in

Windows 2000. 16. B. Restart the computer with the Recovery Console and issue the

Fixboot command. 17. A. An authoritative restore tells Active Directory that the restored

object is the correct one for replication. 18. C. You would use the Ntdsutil.exe utility with the restore

subtree command followed by the distinguished name of the object being restored. 19. D. Use the Disable command to set the startup value for the new

third-party service to disabled, and then reboot the computer. 20. A. Use the winnt32 /cmdcons command to install the Recovery Con-

sole from the Windows 2000 CD-ROM.


www.sybex.com

Chapter

9

After the Migration THE FOLLOWING MICROSOFT OBJECTIVES ARE COVERED IN THIS CHAPTER: Perform post-migration tasks.

Redefine DACLs.

Back up source domains.

Decommission source domains and redeploy domain controllers.

Remove SIDHistory from objects.


www.sybex.com

S

o now the migration has been successfully completed, or at least mostly completed. There are still a few details that must be taken care of before you can enjoy the rewards of your success. In this chapter, you will learn about those last few tasks that must be finished in order to have a truly complete and successful migration to Windows 2000. We’ll start off by examining the Access Control Lists (ACLs) used by Windows 2000—especially the Discretionary Access Control List (DACL) and its impact on network security during and after the migration. Then we’ll move on to backing up your domain data and decommissioning the source domains. We’ll finish the chapter by describing how you might decide to redeploy your old domain controllers.

Redefining DACLs

D

iscretionary Access Control Lists (DACLs) are part of the Security Descriptor attached to every object in Windows 2000. The Security Descriptor is the set of information attached to an object that describes all of the security properties for that object. The DACL portion of the Security Descriptor contains the lists of users and groups who have been granted access to the object and the permissions assigned to them. The other part of the Security


www.sybex.com

Redefining DACLs

389

Descriptor is the System Access Control List (SACL). The SACL contains the information that controls the security auditing for the object.



Redefine DACLs.

To understand why the DACLs are important when performing a migration, we need to look at some of the things that DACLs do and how those are affected by the transition to a new domain.

Security Identifiers First of all, let’s go over Security Identifiers (SIDs) and their importance within Windows 2000. A SID is a 128-bit number that uniquely identifies an object within a domain, such as a user, a group, or a file. The operating system uses this 128-bit number as a handle to manipulate the object. Windows 2000 uses these handles to decide whether or not it should give you access to a file, folder, printer, or other resource on your computer or network. Windows NT used SIDs in exactly the same way. So if you are migrating away from NT and toward Windows 2000, your resources already have SIDs assigned to them, and those SIDs assign the permissions to the resources on the network. SIDs are considered unique because the authority issuing the SID never reuses a number if an account is deleted, and it never issues the same number twice. A SID consists of a hierarchy of information within that 128-bit number. An example of a SID would be S-1-5-21-5184503-1044856909627647339-512. It is composed of the following: Revision number The revision number in a SID marks the version of the SID structure. Currently, all Windows NT and Windows 2000 SIDs are using revision 1 of the SID structure. Identifier authority This value denotes the highest level of authority that can issue SIDs for the current object type. For example, the identifier authority value in a typical account’s SID is 5, which denotes NT Authority.


www.sybex.com

390

Chapter 9

After the Migration

Subauthorities The list of subauthorities creates the hierarchy of the SID’s structure. The subauthorities include two sections: Domain Indentifier The bulk of the subauthorities portion of the SID is the identifier of the domain and may contain several entries to fully describe the domain’s relationship with the enterprise network. Relative Identifier (RID) This is the last field in the SID. The RID identifies the individual account or group. This value is assigned by the FSMO RID Master, and it ensures uniqueness of SIDs throughout the domain. SIDs are stored in binary format but are converted to string format when they are displayed, such as when they are viewed in the Registry Editor. When viewed in their string format, the structure of the SID is easier to understand. For instance, in binary form, SIDs have the form shown in Figure 9.1. The first three fields are considered the header for the SID; they mostly identify the type and contents of the SID. The identifier authority comes next and will most commonly be 5 for NT Authority, meaning that it was an account created in Windows NT or 2000. FIGURE 9.1

The structure of a Security Identifier Subauthority Count

Reserved

Revision Number

Identifier Authority

Subauthority [1 to N-1]

Subauthority [N]

Domain Identifier

Relative Identifier

The next portion of the SID belongs to the subauthorities. There may be one or more subauthorities listed in the SID. The list of subauthorities up to but not including the very last subauthority entry uniquely identifies the domain that issued the SID. The very last subauthority in the list is the Relative Identifier (RID), which uniquely identifies the SID within the domain. No two domains within an enterprise network may have the same SID. The combination of these entries makes each SID unique. The built-in groups and users within Windows 2000 all have the same domain identifier, 32. When you look at the string representation of the Administrators group, for example, you’ll see that the string begins with S-1-5-32-544. The S signifies that the string represents a SID. The 1 is the


www.sybex.com

Redefining DACLs

391

revision (always the same for Windows NT and 2000), and the 5 denotes NT Authority. The 32 is the number that all built-in groups have in every domain, and the 544 is the RID representing the Administrators group. The built-in groups always have the same SIDs because they are local in nature; that is, they exist only within either the local computer or a single domain. They never interact across domains, so there is no need to keep them unique. The domain value of 32 denotes the Builtin domain, which exists on every Windows NT or Windows 2000 computer and domain. But the Relative Identifier of 544 is unique within the Builtin domain, belonging only to the Administrators group. As another example, the global group Domain Admins does interact with other domains and so must be uniquely identified by its SID. The Domain Admins group in coolcompany.local has the SID string S-1-5-215184503-1044856909-627647339-512. The beginning of the string is the same, S-1-5, and it has the same meaning as in the built-in Administrators group string. The domain identifier for the coolcompany.local domain is 21-5184503-1044856909-627647339. The final number is the RID, 512, and represents the built-in Domain Admins global group. By combining the revision number, the ID of the assigning authority (the domain controller that issued the SID), and the domain ID with the RID, a new SID is created. In a Windows 2000 domain, the RIDs are created from a pool of numbers controlled by the RID Master, which is one of the five Flexible Single Master Operations. Without a RID Master, you would not be able to create domain-level SIDs in Windows 2000 for long. The RID Master allocates a block of RIDs to each domain controller when they request a block. As the domain controllers issue SIDs for newly created objects in the Active Directory, they use up their block of RIDs. When they run out, they ask the RID Master for a new block of RIDs. The RID Master keeps track of all of the RIDs that have been allocated and never duplicates a block of RIDs. The domain controllers are responsible for keeping track of the SIDs they have issued to ensure that they never duplicate a SID that they have issued. Because SIDs are unique to the domain in which they were created, when you move a security principal (such as a user or group) from the original domain to a new domain, the SID will be changed. This may seem very academic, but remember that the SID assigned to a security principal is how Windows 2000 determines access. If the SID assigned to your user account changes, you may no longer have access to the resources on the network or even on your local computer. When you migrate users and groups from your


www.sybex.com

392

Chapter 9

After the Migration

source domain to the new target domain, you are changing the SIDs for all of those accounts. Without some mechanism to preserve the old SID information, your users won’t be able to access their resources. Fortunately, Windows 2000 provides just such a mechanism with SIDHistory feature. SIDHistory stores the original SID of a security principal when it is moved or copied to the new domain. Windows 2000 understands the SIDHistory feature and will evaluate security access both by the current SID and by the SIDHistory. When you upgrade a domain to Windows 2000, you don’t affect any of the SIDs assigned to objects within the domain. Upgrading maintains the same SIDs because Windows 2000 maintains all data and settings during the upgrade process. Restructuring or migrating requires that you move existing accounts to a new domain. This means that you would have to create new SIDs in the process. Once the users and groups have new SIDs, their resource access may be interrupted if you don’t resolve the issue of assigning new permissions to the new SIDs instead of relying on the SIDHistory feature.

Access Tokens The next step in understanding the security process is the Security Access Token. An Access Token is a protected object that contains information regarding a user’s identity and group membership and is used to evaluate a user’s access to secure resources in Windows 2000. An Access Token includes the following information: User This is the SID for the user’s account. It may be from the local computer’s user database if the user logged on to the local computer, or it may be taken directly from the user’s information in Active Directory if the user logged on to the domain. It will also include the SIDHistory object if the account was migrated from another domain. Groups This is a list of the SIDs for all of the groups that the user belongs to. This list will also include the SIDHistory information for any of the groups that have been migrated from another location. Privileges This is a list of privileges on the local computer held by the user and by any group the user belongs to. Owner This is the SID for any group the user belongs to; by default, the group becomes the owner of any object the user takes ownership of.


www.sybex.com

Redefining DACLs

393

Primary Group The primary group information is included for POSIX compliance. POSIX is a government standard that describes what a “unified” Unix should look like. This information is ignored by Windows 2000 but is required for any POSIX application you may run on the computer. It is also used by Macintosh clients when accessing Windows 2000 resources using Services for Macintosh. Default Discretionary Access Control List (DACL) This is a list of default permissions that will be applied to any object the user creates if there are no other permissions to be applied to the object. The default DACL normally assigns Full Control of an object to the Creator Owner and System special groups. Source This is the process that caused the token to be generated, such as the Session Manager or RPC (Remote Procedure Call) server. Type This field in the token defines whether the token is a primary token or an Impersonation token. Impersonation is used when you execute a command under another user name, such as when you use the Connect As command to map a network drive. An Impersonation token is used by a thread within a process to temporarily adopt different credentials, such as when the thread needs to use a service account to access the functions of a Windows 2000 service. Impersonation Level If the token is an Impersonation token, this field marks the level of impersonation that is permitted for the token, that is, the level of impersonation to which this thread can adopt another security context. Statistics This is tracking information about the token itself, which Windows 2000 uses internally. Restricting SIDs This is an optional list of SIDs that may be added to the token by a process with permission to create a restricted token. A restricted token prevents the thread from accessing a level lower than the user is permitted. Session ID This field indicates whether the token is associated with a Terminal Services session. An access token in Windows 2000 actually contains a surprising amount of information. The token is created during the logon process just after the user’s credentials have been authenticated by the domain (or the local computer in the case of a local logon) and is attached to the user’s process. Every


www.sybex.com

394

Chapter 9

After the Migration

process you start will have a copy of this token attached to it. This means that every program you start will be able to operate with the same privileges and permissions that your user account has. Every process has a primary token that defines the security information for the accounts that started the process. A process may also have an impersonation token that will enable the process to operate under different security credentials. A number of SIDs are present in a typical access token. These SIDs may be active for use in checking the permissions assigned to the user, or they may be used to check for the Deny Access permission. There are two attributes that may be assigned to any of the SIDs in a token: SE_GROUP_ENABLED This attribute indicates that the SID is to be used for access checks when the user attempts to access a resource. When the process attempts to access a secure resource, Windows 2000 uses the Access Control Entries (ACEs) in a DACL to compare to these SIDs to determine the access level of the user. SE_GROUP_USER_FOR_DENY_ONLY This attribute is peculiar to Windows 2000 only. Remember that when assigning permissions to resources in Windows 2000, you can grant various levels of permission just like you did in Windows NT, but you can also assign specific levels of permission that are to be denied. This attribute placed on a SID tells Windows 2000 to deny this permission to the account. So all of this information put together becomes your access token, assigned to your user process when your logon is authenticated. This token is attached to every process you start during your logon session in Windows 2000, and every program you use then operates under the same security restrictions that your user account has.

Discretionary Access Control Lists DACLs are extremely important to the authorization process in Windows 2000. Authorization is the process of examining an account’s credentials to evaluate their security permissions. A DACL is a portion of the Security Descriptor attached to an object in Windows 2000 that houses the list of permitted users and groups, as well as the permissions assigned to them. These entries are referred to as Access Control Entries (ACEs). An ACE is a single entry within a DACL that contains a SID of a user or group account and the associated permission assigned to that account.


www.sybex.com

Redefining DACLs

395

DACLs are made up of a list of ACEs. The ACEs have a default order in Windows 2000. The preferred order of the ACEs within a DACL is called the canonical order. For Windows 2000, the canonical order of ACEs is as follows: Explicit ACEs All explicitly assigned Access Control Entries are placed in a group at the head of the list before the inherited ACEs. Deny ACEs Within any group of ACEs, the deny permission ACEs are listed before the allowed permission ACEs. Inherited ACEs These are the permissions that have flowed down the directory structure from parent objects. They are listed in order of inheritance, beginning with ACEs acquired from the object’s parent, then from the grandparent, and so on. Access Control Entries are created when you assign permissions to an object in Windows 2000. Figure 9.2 shows the Security tab of a folder’s Properties sheet where you would change the default permissions for the folder. These entries would then become the explicit entries in the DACL for the selected folder. Any Deny permissions you set in this dialog will be listed ahead of the Permit entries in the DACL. This enables Windows 2000 to always evaluate the Deny permissions before the Permit permissions. FIGURE 9.2

The Security tab enables you to alter the DACL for an object in Windows 2000.


www.sybex.com

396

Chapter 9

After the Migration

Changes to the DACL in a Migration When you move resources or security principals during a migration, there will necessarily be some changes to the DACLs of the resources. When a security principal is moved from one domain to another, its SID will change to reflect that move, and the old SID will be stored in the SIDHistory attribute. This assumes that you are moving the security principal to a Windows 2000 domain running in native mode, because the SIDHistory attribute is available only in Active Directory. The SIDHistory attribute will help maintain resource access during your migration, but you should consider reassigning the permissions to the new accounts once the migration is complete. The DACLs for all of your resources will still reference the original SID of every security principal that you had assigned in the old environment. This brings up a few possible options to consider.

These first scenarios assume that the SIDHistory attribute is not available as an illustration of the function it fills. You should be aware of these scenarios in case your migration requires that you not depend on the SIDHistory attribute to maintain resource access.

Adding the New SID for a User The first solution to the change of SIDs in a migration would be to reassign the permissions for all of the resources that a single user needs to the new SID for that user. Effectively, you are bypassing good administrative practice and assigning permissions directly to users instead. This fix is very time-consuming because the administrators working on the problem would have to touch every resource. This fix is undesirable for the following reasons:

Restructures and migrations often stretch out over a long period of time. Because of this, there might be new resources created for any given global group that is migrated, so reassigning permissions would have to continue over the entire duration of the project.

Adding the SID for a single user is a problem because that user may change job functions during the migration period and no longer need the resource. In that case, you would have to assign the permissions yet again. It is much easier to use global and local groups to assign permissions, because if the user changed jobs, you would simply have to change the user’s group memberships.


www.sybex.com

Redefining DACLs

397

Moving the Group Remember that groups can be moved in Windows 2000. You could consider simply moving the group that contains your users to the target domain. The problem with this method as a solution to the SID problem with user accounts is that moving the group causes it to have a new SID as well. So in addition to your user accounts having new SIDs and being unable to access existing resources, the groups they belong to also have new SIDs and are unable to access those same resources. When you move a group to another domain in Windows 2000, the group will receive a new SID. You would then have to reassign permissions to the new group SID to reflect the changed location of the group and its members, which results in quite a lot of work.

Using a Parallel Group If you are cloning accounts during your migration, you might use a parallel group as a solution. In this scenario, you would create a group in the new domain with the same name and properties as the old group and then assign permissions to the new group for any existing resources the group needs access to. This method does permit access to the resources, and it does enable you to move the user accounts incrementally. However, it also requires that you continue the reassignment of permissions throughout the migration as user accounts are moved or cloned. The benefits here are that the old group is still functional during the migration and that you could decide to roll back the migration and still have all of the original groups and permissions.

How SIDHistory Resolves This Problem In most cases, these scenarios are unnecessary because of the introduction of the SIDHistory attribute in Windows 2000. SIDHistory stores the original SID of the security principal when it is moved or copied to a new location. This attribute will become a part of the access token along with the current SID, to be evaluated when a user requests access to a resource. The SIDHistory attribute is available only in Active Directory. When you clone or move a security principal using a Windows 2000 migration utility, the tool will copy the existing SID to the SIDHistory attribute. This process is used for both user and group accounts.


www.sybex.com

398

Chapter 9

After the Migration

When you log on to an Active Directory domain running in native mode, the system checks your current SID and your SIDHistory and copies them both to the access token when you are authenticated. The SIDHistory attribute is seen as a normal SID by pre-Windows 2000 computers and can be used to grant user access to a resource even on Windows NT computers that don’t understand the SIDHistory attribute. There is one drawback to this scenario, however, and that involves the way the Windows NT 3.51 and earlier systems evaluate group membership. When you log on to the Active Directory domain using an NT 3.51 computer, the computer will retrieve only group information relative to the local domain or to accounts located on the local computer. Because of this, the computer won’t see the SID contained in the SIDHistory attribute as pertaining to the user account. NT 3.51 cannot see local groups from other domains or retrieve universal group information stored in other domains. This means that you may not have full access to resources located in other domains when logging on to the domain from a Windows NT 3.51 computer.

In order to retrieve universal group information, the computer logging on must also be able to contact a Global Catalog server.

Removing SIDHistory from Objects There may be some cases in a migration where you will be moving security principals from one domain to another and want to prevent them from having any access to the previous domain environment. SIDHistory would normally keep a list of the security principal’s past SIDs in order to facilitate resource access during the migration. This means that the security principals would have their old permissions and rights in the source domain as well as any new permissions and rights granted in the new domain.

Microsoft exam objective


Remove SIDHistory from objects.


www.sybex.com

Redefining DACLs

399

To remove the SIDHistory list from a security principal, you will use the Active Directory Service Interface Editor, ADSI Edit. ADSI Edit gives you direct access to the attributes of any object in Active Directory. EXERCISE 9.1

Removing the SIDHistory Attribute To remove the SIDHistory attribute for an object, use the following steps:

1. Open ADSI Edit from the Windows 2000 Support Tools group on the Start menu. The main interface is shown in the following graphic.

2. Browse down to the object you want to change in Active Directory. For instance, to remove the SIDHistory from a user object, expand the Domain NC (Naming Context) node in the left pane and browse to the container where the user account resides. In the Users container (or OU where the account is) find the user object.


www.sybex.com

400

Chapter 9

After the Migration


3. Right-click the object you wish to modify, and select Properties from the context menu. This opens the dialog shown in the following graphic.

4. Click the down arrow on the Select A Property To View drop-down list and select SIDHistory. The current SIDHistory list will be displayed. If the account has been moved more than once, there will be more than one SID listed in the SIDHistory list.

5. Highlight the SIDs to be removed, and click the Remove button. Click OK to save the changes and close the dialog.

Reassigning Permissions In the preceding section, I showed you some scenarios that gave possible solutions to reassigning permissions, and then I showed why these solutions weren’t necessary because of the SIDHistory attribute in Active Directory accounts. But there is one case I haven’t mentioned yet that does require the redefinition of the DACLs. When you decommission your old domains at the end of the migration process, all of the SIDs from those old domains will cease to be valid. If the domain cannot be validated, the SID cannot be validated for access.


www.sybex.com

Redefining DACLs

401

When the old domains are decommissioned, you will want to reassign permissions for the resources located in your network. In this section, I will show you how to reassign permissions for files, folders, and printers.

Reassigning File Permissions The bottom section of the Security tab of the file’s Properties dialog box controls the kind of access you get. This dialog is shown in Figure 9.3. FIGURE 9.3

The Security tab of a file’s Properties sheets lets you adjust the file permissions.

By default, it’s Full Control for the Everyone group, but several other options are available: Write, Read, Read & Execute, and Modify. Full Control can be modified by special accesses, but we’ll get to that in a minute. Let’s look at each type of access briefly: Write Allows a user to write a file to a folder if they have this permission. On a file, this permission has little meaning since the file is already created, but you may see files with this permission if they inherited the permission from the parent folder. A user with Write permission can write attributes, read permissions, and synchronize the file or folder. Read Means that you can look at the contents of a file, examine the file’s attributes (read-only, system, hidden, and whatever other userdefined attributes the file may have), and display the file’s “owner” (a concept we’ll get to a bit later) and permissions.


www.sybex.com

402

Chapter 9

After the Migration

Read & Execute The same as Read permission, except that you can also execute the file if it is a program file. Modify Lets you do everything you can do with Read access—look at a file, its attributes, permissions, and owner, as well as run the file if it’s a program—and adds the ability to change the file attributes and the data in the file, as well as to delete the file altogether. A person with Modify permission cannot delete subfolders or files within those subfolders unless they have explicit permission to do so, meaning that they must have Modify permission for the subfolders also. Note that someone with Modify access cannot change the file’s owner. Full Control Exactly like Modify access except that it adds the ability to change a file’s owner and the very file permissions that you are working with right now. If those five levels of access are a bit coarse for your needs, you can finetune someone’s access with what Microsoft calls special access. To modify the special access permissions for a file or folder, on the Security tab for that object, click the Advanced button to open the Access Control Settings dialog shown in Figure 9.4. This dialog is used to directly set the special access for the object, as well as set the auditing and ownership. You can add or remove accounts and permissions on this dialog. FIGURE 9.4

The Access Control Settings dialog


www.sybex.com

Redefining DACLs

403

To view the special access permissions, click the account whose permissions you want to modify, then click the View/Edit button. Now you have more options: Traverse Folder/Execute File Allows you to change directories through this folder and run this file. Traverse Folder allows or denies moving through folders to reach subfolders. This permission applies even when you have no permissions to access the traversed folders. This permission takes effect only when the user or group account has not been granted the Bypass Traverse Checking user right. By default, the Everyone group is granted the Bypass Traverse Checking user right. List Folder/Read Data Lets you read the contents of a file and display the contents of a folder. Read Attributes Allows you to display the current attributes of a file or folder. Read Extended Attributes Enables you to display the extended attributes of a file or folder, if there are any. Create Files/Write Data Allows you to write data to a new file. When applied to a folder, this permission means that you can write files into the folder but not view what’s already in the folder. Create Folders/Append Data Means you can make new folders in this location, and you can append data to existing files. Write Attributes Gives you the ability to modify the attributes of a file or folder. Write Extended Attributes Allows you to enable or set extended attributes for a file or folder. Delete Subfolders and Files Gives you the ability to remove folders contained within the folder you’re working in and the files contained in them. Delete Allows you to delete files. Read Permissions Makes it possible to display the current permissions list for the file or folder. Change Permissions Enables you to modify the permissions for the file or folder. This permission is normally included only in Full Control. Take Ownership Gives you the ability to claim ownership of a file or folder.


www.sybex.com

404

Chapter 9

After the Migration

Synchronize Allows you to synchronize offline copies of files or folders with online versions when you connect to the network. These permissions have changed quite a bit from previous versions of NT where only six permissions made up the standard permissions: Read, Write, Execute, Delete, Take Ownership, and Change Permissions. The new levels of granularity make security a more difficult topic to learn in Windows 2000, but they give a skilled administrator much finer control over how files and folders can be accessed. To prevent someone from accessing a file or folder, you have two choices. The first way—and usually the best—is to simply not grant the person access to the file or folder. This means that you don’t add their account to the list of permissions. Not having explicit permission is like having No Access; either way, you don’t get in. The second method is to add the person’s account to the permissions list but check Deny for each permission. This creates an explicit No Access-type permission.

Reassigning Folder Permissions When your migration is in progress, you will very likely still have permissions for resources assigned to user and group accounts from the old domains. Figure 9.5 shows just such a scenario for a test folder on the Sea-1 domain controller in coolcompany.local, where the Everyone group is defined, along with three user accounts from the old Seattle domain. FIGURE 9.5

The Security tab for the Test folder in coolcompany.local


www.sybex.com

Redefining DACLs

405

When the trusts between the new coolcompany.local domain and the old Seattle domain are removed, the appearance of the accounts will change. For any accounts that exist solely in the source domain (the domain that was decommissioned), the Security tab will be unable to resolve the display names. Instead, the accounts will be listed by their SIDs, as shown in Figure 9.6. These accounts should be removed once you are certain that the old domains are no longer needed. FIGURE 9.6

The Security tab showing some orphaned accounts

The only real difference in the Permissions dialog for a folder from the Permissions dialog for a file is the List Folder Contents permission. Of course, there are some other differences in how folder permissions work, but they are hidden for the most part in the Advanced Security options. The Security tab for folders works just like the Security tab for files, so we won’t go over it again here. Instead, let’s look at some of the differences to keep in mind. One option you should be aware of on the Security tab is the checkbox at the bottom of the tab, Allow Inheritable Permissions From Parent To Propagate To This Object. Quite a mouthful, but what it’s trying to say is that if this box is checked (which it is by default), Windows 2000 security will propagate any permission changes from the parent container, or the folder that this folder is in, to this folder and all its contents. This enables you to


www.sybex.com

406

Chapter 9

After the Migration

prevent your permissions from being overwritten by someone else changing permissions at a higher folder level. Pressing the Advanced button brings up the Access Control Settings dialog for the folder. At first glance, this appears to be the same dialog we saw earlier for Advanced settings on file permissions, and it does work the same way. The difference is in the checkbox at the bottom of the dialog. Checking the option to reset permissions on all child objects will deliberately overwrite any existing permissions on subfolders and files.

Reassigning Printer Permissions By default, only administrators have full access to the printer. Only those with Manage Printers permission can pause or resume a printer or change its permissions. Those who have only print access can administer only their own documents. The default print permissions in Windows 2000 are as follows: Administrators and Power Users have Full Control permission; the Everyone group has Print permission; Creator Owner (the person who submits a job) has Manage Documents permission for the job they have submitted. If the printer is located on a domain controller, the Print Operators and Server Operators groups will also have Full Control. In the Printer Properties dialog box, click the Security tab to see the dialog box shown in Figure 9.7. FIGURE 9.7

The Security tab of the Printer Properties sheet


www.sybex.com

Backing Up Source Domain Data

407

The Security tab lists the accounts for which some kind of printer access has been set up. From here, you can change the level of access that each user group has. Printing permissions are usually granted to groups, not individual users. Therefore, granting a user a permission means making that user a member of a group with the printing permission you want that user to have. The default permission levels are as follows: Print Members of the user group can print documents and manage their own documents. Manage Documents Members can control document settings and pause, resume, restart, and delete documents lined up for printing, including documents submitted by others. Manage Printers Members can do anything with the printer—print; control document settings; pause, resume, and delete documents and printers; change the printing order of documents; and change printer properties and permissions. To change someone’s level of permission for the printer, simply check the box beside the type of permission you want to grant. In NT 4, you could assign the No Access permission to a user or group if you really wanted to keep them out of your printer. Windows 2000 no longer has a separate No Access permission. To get the equivalent level of permission, that is to keep the user out of your printer completely, simply add that person to the list of groups and users but uncheck all of the boxes. If you do not grant permission, it’s the same thing as saying No Access. If, for some reason, you really want to keep someone out of your printer, you could assign Deny permissions for each of the permission levels.


I

n many cases, you won’t have to back up the data on your servers in the source domain, since you can upgrade them and then move them to the new domain. However, it’s always a good idea to have current backups of


www.sybex.com

408

Chapter 9

After the Migration

your data before performing a significant change to the server. And installing Windows 2000 definitely qualifies as a significant change.



Back up source domains.

Windows 2000 provides a useful tool for backing up data both locally and remotely. Windows Backup can be used in the following ways in your Windows 2000 network: Local computer backup You can use Windows Backup to back up and restore data on the local computer using a tape drive or other storage medium that is also located on your local computer. This method is good because it generates no additional traffic on the network. It’s bad because your users will be responsible for backing up their own data (which most of us seldom do). Remote backup In a remote backup, the backup operation is performed from a single server (or possibly multiple servers). The Windows Backup program is used to back up or restore data from shared folders on various computers across the network. This task can be made easier by implementing the Distributed File System (Dfs) since the Backup program would only have to connect to one shared folder in order to back up all the network data. Server-only backup In this scenario, users are instructed to store data only in a shared location on a server. Then, every night (or whatever regular period you decide on) a backup is performed of the server’s data. This method has the benefit that all of the backup work is performed locally on each server, protecting all data without added network traffic. Server and computer backup This last type of backup operation is a combination of the previous types. In this type, the server data is backed up locally, and any user data located on workstations is backed up across the network.


www.sybex.com


409

Obviously, there are many ways that backups can be performed, depending on the needs of your environment. There is no single “right way” to perform the backup of domain data prior to decommissioning the old domains after a migration to Windows 2000. There is one truth in backups, however, and that is that local backups are faster and generate no additional network traffic. Security is another consideration when planning for the backup of domain data. Such data will very likely include sensitive information from your original domain environment that must be protected during the transition from one domain to another. Implement a plan for securing the data media while migrating between the domains. Before decommissioning the servers in the source domain and after backing up the data from those servers, try to restore some data from each of the tapes to ensure that the tapes aren’t corrupted. No backup to tape should ever be considered good until you have successfully restored data from the tapes. I really prefer to move the data to the new server either by tape or across the network before re-formatting the drives on the old server. That way, if something goes wrong while moving the data, I still have the original image of the data.

Migration Scenario You have finished migrating your domain controllers, user and group accounts, and network services (such as DHCP and DNS) to Windows 2000. It is now time to decommission the old domains and finish the migration process. While the bulk of the work is done, the cleanup also takes some planning. Things to consider:

Are all clients going to be upgraded to Windows 2000 Professional? This might require a fresh project team and an analysis of current resources.

Have all of you older servers been upgraded? What will you do with any computers that are left?

If you have purchased new computers to act as your Windows 2000 Servers, can the old computers be utilized on the network?


www.sybex.com

410

Chapter 9

After the Migration

Are there any holes in your design—would any subnets benefit from having a local domain controller?

Would it improve performance or fault tolerance to place a DNS server at a remote site?

Is WINS still necessary?

Decommissioning the Source Domains

O

nce all accounts and data have been migrated from the source domains to the target domain, you’re ready to get rid of the old domains. There are a couple of possible scenarios to consider for decommissioning your old domains. In the first, you would have already moved your member servers and workstations to the new domains, and all that are left to tear down are the domain controllers. The second scenario occurs when you have created a parallel domain structure and cloned all of the security principals to the new environment and all of the servers are still in the original domain.



Decommission source domains and redeploy domain controllers.

Decommissioning the old domains may entail removing the physical hardware—and possibly the infrastructure as well. Things like cables, hubs, and switches may be getting an upgrade at the same time. Possibly you’re stringing new cables for the network or upgrading some of the physical network devices. The old hardware will need to either be removed or reused somehow to make room for the new hardware supporting your Windows 2000 network. Many organizations will find that this last step in a migration actually involves merely turning off the old domain controllers. This is the easiest decommission process of all.


www.sybex.com

Decommissioning the Source Domains

411

Decommissioning Domain Controllers If your migration plans included moving the client workstations and member servers to the new Active Directory domain locations, then the only servers left in your source domain will be the domain controllers. This scenario is easier to handle for decommissioning purposes since all you have to do is reinstall the computers with Windows 2000 and use them for the new domains. Many organizations will choose to upgrade their network server hardware at the same time that they are upgrading the software. If this is the case, then you would use the new servers to provide the domain controllers and member servers in the new domains. Otherwise, you would want to reclaim these servers to take over the member server roles in the new domain. To decommission the old domain, format the hard disks and install Windows 2000 Server on the remaining servers. They can now be used for member servers, or you can run dcpromo.exe to promote them to become additional domain controllers. If you are replacing the servers with newer models, then you will probably be sending the old machines to surplus once the new environment is fully configured and tested, or perhaps you will be using some of the old machines for testing or other purposes in the network.

Decommissioning Domains In the case where your migration called for creating a parallel structure to use for the target domains, you may have installed new computers for all of the servers in the new environment and possibly for the desktop computers as well. In this scenario, the resources have been copied to the new environment, and all of the users are logging on to the new domains after having been cloned from the source domains. All that remain are the old servers and possibly the desktop computers. Decommissioning a domain in this scenario gives you the opportunity to examine your server needs in the network. Are there places in the network that would benefit from having additional servers? How about workstations? Take the time to assess these needs before you decide to send the old hardware off to surplus. When you have thoroughly tested the new Active Directory environment and are sure that everything is running as planned, you can tear down the old environment. If the servers are being sent to surplus, make certain the data is safely removed from the drives first. A simple partitioning and formatting will suffice in most cases, though the most sensitive data should be erased using a utility that completely destroys all traces of the data from the disks.


www.sybex.com

412

Chapter 9

After the Migration

Redeploying Servers So now you’ve reached the end of the migration. What do you do with the extra servers left over from the old domains? Earlier I suggested that you consider reusing these servers elsewhere in your organization. Most companies have places in their networks that could use another server. Depending on the type of migration you performed, you may need the unused servers to backfill the new domains and to provide the member servers for file and print services or perhaps to support applications for your users. As you prepare to redeploy your old servers, here are some things to keep in mind: Evaluate current needs. Determine whether any departments in your organization could use another file and print server or an application server. Do you need another server for your test lab? Assess the hardware levels. Will those older servers run Windows 2000 effectively? Actually, the question is really more like “Will the servers run the operating system I plan to run?” You could quite easily decide that these servers would be useful running Windows NT as member servers in your new Windows 2000 environment. Examine the cost-effectiveness of upgrading the servers. Depending on what the servers will need to fill your needs, it may not be cost-effective to upgrade them. For example, if you determine that for the server to be useful you would have to replace the processors, upgrade the memory, and expand the hard disks, then you might find that it’s really more efficient to replace the server instead of upgrading it. Member servers can be run just fine with earlier versions of NT in a Windows 2000 environment, and they require less in terms of hardware to be useful. Budget for upgrading servers. At the tail end of a migration, chances are that you’re running pretty low on cash. There might not be any money left to update these old servers to run Windows 2000. If that’s the case, then your only choices may be to continue using them with earlier operating systems or to surplus them. Redeploying servers will most often be a relatively simple matter of reinstalling the operating system and joining the computer to the new Active Directory domains in the proper container.


www.sybex.com

Summary

413

Summary

In this chapter, you learned how Windows 2000 creates Security Identifiers using the domain SID and a Relative Identifier. You then learned that this information is combined with the SIDs of the groups the user belongs to and added to the Security Access Token when the user logs on to a Windows 2000 domain. When you move security principals during a migration to Windows 2000, the original SID will be copied to the SIDHistory attribute of the new user account in Active Directory. The SIDHistory attribute eliminates most of the issues involved in moving users and groups to Active Directory, but you learned how to handle the change of SIDs if the SIDHistory attribute is not available for some reason, such as in a mixed-mode domain. In the final portions of this chapter, we discussed using Windows Backup to back up system data on the servers in your source domains in preparation for decommissioning the old domains. We finished the chapter by looking at options for redeploying the servers from the source domains to the new Windows 2000 domains.

Key Terms Before taking the exam, make sure you are familiar with the following terms: Access Control Entries (ACEs) authorization canonical order Discretionary Access Control Lists (DACLs) Security Descriptor System Access Control List (SACL)


www.sybex.com

414

Chapter 9

After the Migration

Review Questions 1. What are the two components of a Security Identifier? A. The domain SID B. The relative SID C. A timestamp D. A Relative Identifier 2. What two items make up a Security Descriptor in Windows 2000? A. An SACL and a list of ACEs B. An SACL and a DACL C. A DACL and a list of ACEs D. A SID and a RID 3. What new feature of Windows 2000 makes it possible to safely move

security principals from one domain to another without losing resource access? A. RID history B. SIDHistory C. DACL mapping D. SACL mapping 4. Where does Windows 2000 get the information regarding Universal

groups when authenticating a user’s logon attempt? A. The PDC Emulator B. The RID Master C. The Global Catalog D. The Infrastructure Master


www.sybex.com

Review Questions

415

5. You have the choice of moving your user accounts from a source

domain by two methods: exporting the accounts to a comma-delimited text file that can then be imported into the target domain or using ClonePrincipal to copy the accounts. Which method should you choose? A. The text-file method. B. ClonePrincipal C. Neither method will work. D. Both, you must use the text-file method to generate the file for

ClonePrincipal. 6. What is the default NTFS permission that will be applied when you

create a new object? A. Everyone - Full Control B. Administrator - Full Control C. System, Creator Owner - Full Control D. Owner, Administrators - Full Control 7. What does canonical order refer to when discussing DACLs? A. The order of alias entries within the DACL B. The preferred order of ACEs within a DACL C. The explicit order of ACEs within a DACL D. The preferred order of DACLs within a Security Descriptor


www.sybex.com

416

Chapter 9

After the Migration

8. How are Discretionary Access Control Lists modified during a migra-

tion to Windows 2000? A. They aren’t. B. The SID of the DACL is copied to the SIDHistory attribute of the

new DACL. C. Windows 2000 automatically changes the SIDs referenced in the

DACL to reflect the changes in the account’s new location. D. The names will be changed to protect the system’s innocence. 9. If the SIDHistory attribute is not present for some reason, how would

you maintain resource access for your users during the migration? A. You can’t. B. Reassign all DACLs to the new SIDs of the security principals. C. Migrate the user accounts to parallel groups in the new domain.

Use the same names for the groups as the original groups in the source domain. D. If SIDHistory is unavailable, Windows 2000 will convert the

DACLs using the RID history information. 10. You are trying to change directories at the command prompt. When

you attempt to change directories to the Reports folder, you receive an access-denied message. What permission do you need to change directories through this folder to a subfolder? A. Traverse Folder/Execute File B. Read Attributes C. Execute Change Folder D. Synchronize


www.sybex.com

Review Questions

417

11. Your boss has asked you to design a backup strategy for the servers

in your company. Your priority is to achieve the fastest backups possible. How would you accomplish this goal? A. Perform local backups on each server. B. Perform network backups from a single backup server. C. Back up all data to a rewritable CD drive. D. Back up to a local floppy drive. 12. You have decided to decommission your old domain after successfully

migrating to Windows 2000. There are still five domain controllers left in the old domain. What should you do next? A. Evaluate the server needs of your organization. B. Evaluate the current hardware level on these servers. C. Call the local computer surplus company for their best price. D. Take them home for your own network. 13. Besides the domain SID and the Relative Identifier, what other com-

ponents reside in a SID? A. Owner field B. Identifier Authority C. Revision Number D. DACL 14. Which of the following items is not a component of the Access Token

used in Windows 2000? A. Privileges B. Owner C. Timestamp D. Impersonation level


www.sybex.com

418

Chapter 9

After the Migration

15. How does Windows 2000 ensure that Deny permissions will be eval-

uated before Allow permissions? A. It maintains a separate list of Deny permissions within the DACL. B. The lists of permissions are evaluated alphabetically. Deny will be

listed before Permit. C. DACLs are evaluated from the bottom up, and Deny permissions

are listed at the bottom. D. Deny ACEs are always listed before Allow ACEs in each section of

the DACL. 16. Which Windows 2000 migration tool will create the SIDHistory

attribute for accounts that are moved during a migration to Active Directory? A. ClonePrincipal B. ADMT C. Active Directory Users and Computers D. All of the above. E. None of the above. 17. In which of the following situations is the SIDHistory attribute available

for use? A. Migration B. Restructure C. Upgrade and then Restructure D. All of the above E. None of the above


www.sybex.com

Review Questions

419

18. Which of the following is not a Flexible Single Master Operations role

in Windows 2000? A. RID Master B. PDC Emulator C. Global Catalog D. Schema Master 19. Which portion of a SID is completely unique to that SID within the

forest? A. The domain SID B. The revision information C. The serial number D. The Relative Identifier 20. What is the last server in a domain to be upgraded to Windows 2000

during a migration? A. The reserve BDC B. The PDC C. The administrator’s workstation D. The Exchange Server


www.sybex.com

420

Chapter 9

After the Migration

Answers to Review Questions 1. A and D. A normal SID is composed of the domain SID and a Relative

Identifier (RID). 2. B. The Security Descriptor is made up of the System Access Control

List (SACL) for auditing information and the Discretionary Access Control List (DACL), which contains a list of the security principals that are permitted to access the resource. 3. B. The SIDHistory attribute stores a copy of the original SID for each

security principal when it is moved or copied to a Windows 2000 Active Directory domain. This provides consistent resource access for accounts when they are migrated. 4. C. The Global Catalog servers store all information regarding Univer-

sal groups for a forest, since these groups are available forest-wide. 5. B. You should use Windows 2000 migration tools to move security

principals to their new locations so that the SIDHistory attribute will be set correctly for the accounts. 6. C. When you create a new object on an NTFS volume, Windows 2000

assigns the default permission of Full Control to the System and Creator Owner groups. 7. B. Canonical order describes the preferred order of Access Control

Entries (ACEs) within a DACL. 8. A. The DACLs aren’t changed by a migration; that’s part of the prob-

lem that the SIDHistory attribute was created to fix. The security principals will be given new SIDs when they are relocated to the target environment, but the DACLs are stored at the resource and are not modified. The SIDHistory attribute enables the account to maintain proper access of the resource.


www.sybex.com


421

9. B. If the SIDHistory attribute is not available, you would have to man-

ually reassign all of the DACLs to reflect the changed SIDs for the security principals. 10. A. The Traverse Folder/Execute File permission enables you the

change directories through a folder to a subfolder. 11. A. Local backups are generally the fastest method of performing back-

ups on server data. Network backups add traffic to the network and must wait for transmission of the data across the physical network before the data can be sent to the backup device. 12. A. Answer A is the best answer, though B and C are also strong pos-

sibilities. Before going any further with your planning for these servers, I recommend evaluating the needs of your organization to see where these servers might be best used. 13. B and C. The three major components of a SID are the Revision Num-

ber, the Identifier Authority, and the subauthorities that contain the domain SID and the RID. 14. C. There is no timestamp value within an Access Token in Win-

dows 2000. 15. D. The canonical order specifies that the Deny ACEs should be listed

before the Allow ACEs in each section of the DACL. This ensures that Deny permissions will be applied first. 16. D. All of the Windows 2000 migration tools will correctly create the

SIDHistory attribute for security principals that are moved or copied during a migration. 17. D. The SIDHistory attribute will be used any time a security principal

is moved or copied to a new Active Directory location.


www.sybex.com

422

Chapter 9

After the Migration

18. C. The Global Catalog servers store a copy of the entire Active Direc-

tory for a forest with a subset of the attributes for each object. These servers are used for searches of the Directory and to store information about Universal groups. There can be many Global Catalog servers in a forest, and there should be one per Active Directory site. 19. D. The Relative Identifier (RID) portion of a SID is completely unique

to that SID within a forest. 20. A. The backup domain controller that you held aside in reserve to pro-

vide a method of rolling back the migration should be the last server to be upgraded in a migration to Windows 2000.


www.sybex.com

Chapter

10

Troubleshooting a Failed Upgrade MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Troubleshoot a failed domain upgrade.

Resolve hardware failures.

Resolve third-party tool issues.

Resolve issues associated with rights necessary for upgrade.

Resolve domain name issues.


Back up domains



www.sybex.com

S

o far in this book I’ve been telling you how to handle things when they go right. The rest of the book will focus on troubleshooting techniques to use when things go wrong. In this chapter, you will learn about common problems that can occur while upgrading a domain to Windows 2000 and, more important, what to do about those problems. We will begin with an overview of the types of issues you might encounter during an upgrade and then progress toward the specific troubleshooting process for the different issues.

Things That Might Go Wrong

I

have to start off this discussion by saying that so far, in my experience, Windows 2000 looks to be the most stable operating system yet from Microsoft (at least since DOS). This is not to say that it doesn’t have its share of “undocumented features,” but that these “features” don’t seem to have as big an impact as the bugs we’ve seen in previous graphical operating systems. Having said that, I’ll add one more comment that is supportive of Microsoft’s past efforts with NT, and that is that most of the troubleshooting you will do with Windows NT/2000 will involve either faulty hardware or misconfigured hardware.


Troubleshoot a failed domain upgrade.

Resolve hardware failures.


www.sybex.com


425

The first section will cover most of the problems you might see when upgrading a server to Windows 2000. But don’t dismiss the other sections dealing with third-party software drivers or tools or configuration issues like permissions and domain-level problems that can occur. We will deal with each of those in turn in this chapter. With luck and perseverance, you should be well prepared to troubleshoot upgrade-specific issues by the end of this chapter.

Using the Readiness Analyzer Many of the problems you’ll encounter during the setup of Windows 2000 will be related to hardware in some way. Typically, these will be issues that can be avoided by ensuring that your hardware is compatible with Windows 2000 before you begin the installation. One tool that Microsoft provides to help this process is the Readiness Analyzer, which can be accessed in a couple of different ways. The Readiness Analyzer is part of the Winnt32.exe Setup program for Windows 2000. It will run automatically when you start the setup process within an earlier version of Windows, or you can modify the Winnt32.exe program to run only the Readiness Analyzer by using the winnt32 /checkupgradeonly command. The Readiness Analyzer can also be downloaded as a separate standalone program (Chkupgrd.exe) from Microsoft’s Web site at http:// www.microsoft.com/WINDOWS2000/downloads/deployment /readiness/default.asp. The Readiness Analyzer can perform a fairly thorough check of your computer for both hardware and software compatibility issues. In my experience, this program has been able to notify me of possible compatibility issues and, in many cases, recommend a course of action that will resolve the conflict either before or after the upgrade to Windows 2000. EXERCISE 10.1

Using the Readiness Analyzer To use the Readiness Analyzer, follow these steps:

1. Browse to the folder where you stored the Chkupgrd.exe file after downloading it from Microsoft’s Web site. Double-click the file to start it.


www.sybex.com

426

Chapter 10

Troubleshooting a Failed Upgrade


2. Read through the License Agreement and click Yes to signify that you agree to its terms. The program is licensed for a 90-day period, which should be sufficient for any compatibility testing you need to perform. The program will now extract its files to begin.

3. The program will run without intervention and compile a report of compatibility information. The following graphic shows the Readiness Analyzer as it runs.

Once the Readiness Analyzer has completed its scan of your computer, it displays a brief summary of its findings, as shown in Figure 10.1. A more complete report will be placed in your Windows folder (or whatever folder the operating system is installed in).


www.sybex.com


FIGURE 10.1

427

The Readiness Analyzer displays a brief report.

The report generated by the Readiness Analyzer is entitled either Upgrade .txt (on Windows 9x) or Winnt32.log (on Windows NT) and is a plain ASCII text file located in the root of your operating system folders. Figure 10.2 shows the Upgrade.txt file for a Windows 95 computer. In the report, you would find sections for hardware, software, and any general compatibility issues. In the sample shown in Figure 10.2, I had only Hardware and General Information sections because there was no additional software that caused problems installed on the computer. I did notice in this sample report that the Readiness Analyzer got a little confused by the configuration I had. It lists one problem as insufficient RAM, stating that I had 24MB and that Windows 2000 requires 32MB at a minimum. It went on to say that I needed to add 235MB to the computer in order to successfully run Windows 2000! I think that’s a little excessive.


www.sybex.com

428

Chapter 10


FIGURE 10.2

The Readiness Analyzer creates a detailed report from its findings in the Upgrade.txt file.

In most cases, the Readiness Analyzer is completely accurate in its reports and is very helpful in determining what needs to be updated prior to installing Windows 2000. Very likely the error in the sample report I mentioned earlier was caused by the software configuration of the computer I was testing, since this was the only time I’d seen an error like this. The Readiness Analyzer is also available to be run as part of the Windows 2000 Setup program. If you start an upgrade within an earlier version of Windows NT or Windows 9x, the Readiness Analyzer will run automatically in the background as part of the upgrade process. You will receive notification of any issues it detects and be prompted whether to continue with the upgrade or not. If there are no problems, it won’t interrupt the upgrade process at all. The other way to access the Readiness Analyzer is to use the winnt32 /checkupgradeonly command. This command will start the program just as if you were running the stand-alone version downloaded from Microsoft.


www.sybex.com


429

The only difference is in how the program is started; everything else will run the same and generate the same report. EXERCISE 10.2

Running the Readiness Analyzer First, insert the Windows 2000 CD-ROM into your CD-ROM drive. Open the command prompt and browse to the I386 folder of your CD-ROM. Use the following command to start the Readiness Analyzer: winnt32 /checkupgradeonly Note the steps involved in running the Readiness Analyzer utility. Once the utility has finished its work, examine the report that it generates. For the second part of this exercise, if you have Internet connectivity, download the Readiness Analyzer from Microsoft’s Web site using the following URL: http://www.microsoft.com/WINDOWS2000/downloads/deployment /readiness/default.asp The filename is chkupgrade.exe. Once the Readiness Analyzer has been downloaded, browse to the folder where you saved the file and double-click chkupgrade.exe. The Readiness Analyzer will run normally. Notice the similarities between running the stand-alone version of the Readiness Analyzer and running the built-in version with Winnt32.

Troubleshooting Hardware Issues Hardware has always been one of the sore spots in supporting Windows NT, and Windows 2000 is starting off the same way. Early in the lifespan of any operating system, the issue seems to be driver support for your hardware. Later on, the issue is whether the operating system can support the latest hardware innovations. Windows 2000 should be easier to support over the


www.sybex.com

430

Chapter 10


long term for a variety of reasons, including Plug and Play, a unified driver model, and better diagnostics within the operating system. Of course, the same is true for Windows 2000 as was true for NT: The best way to avoid hardware problems is to select a computer system from the Hardware Compatibility List (HCL). Microsoft goes to great lengths to test computer systems that are submitted by the manufacturer to ensure that they will be fully compatible with the operating system. The testing includes setup, of course, and a barrage of automated procedures designed to prove that all areas of the operating system would be correctly supported. The testing documents which hardware configurations from a manufacturer will work. Unfortunately, there is no way to know whether a system has failed the testing. You can only tell which systems have passed. Microsoft doesn’t publish a list of the computers that have failed the tests or the systems that have never been tested. If your computer system is not on the HCL, then you should check with the manufacturer (usually by visiting their Web site) to see if they offer driver and technical support for Windows 2000. If so, then the system will most probably work fine with Windows 2000. If the manufacturer isn’t willing to support Windows 2000 on their computer system, then you can assume there is cause for the lack of support. This would be a good reason to choose another computer system instead. The HCL for Windows 2000 has substantially changed from what we’ve used in the past. Microsoft has created a dynamic Web page that enables you to search for computer systems, hardware devices, and software titles that are compatible with Windows 2000. The addition of the software category is especially useful. The ability to enter the name of the device or computer system and search the HCL is particularly nice, since the HCL has grown so large that it would occupy hundreds of pages. Figure 10.3 shows the interface for the Hardware Compatibility List.


www.sybex.com


FIGURE 10.3

431

Microsoft’s Hardware Compatibility List Web site

So suppose you’ve selected a computer from the HCL, and drivers in Windows 2000 support everything in the computer. What happens if you encounter problems while upgrading from Windows 9x or NT? If the computer is included in the HCL, then the problem is most likely either a faulty piece of hardware or something configured incorrectly. If your hardware isn’t on the HCL, you will need to contact the manufacturer for more information before proceeding. To tackle the troubleshooting of your hardware, let’s begin by breaking down the areas of concern into more manageable pieces. I’ll describe the troubleshooting methods for the common subsystems of your computer: disks, display, network, memory, and resources. I’ll also give you a crash course (no pun intended) on troubleshooting blue screens. First though, let’s pause for a little sermon about effective troubleshooting. Troubleshooting is the act of moving from the Big Picture to a small picture. That is to say, you begin with a wide, overall view of the entire system,


www.sybex.com

432

Chapter 10


including all symptoms you can observe, and start asking questions that enable you to eliminate possibilities that are not part of the problem. Don’t forget to ask the really basic questions like, “Is it plugged in?” and “Is it turned on?” Remember that people get very sensitive when you ask these questions, so be careful how you ask them. Also ask questions like the following:

Has it ever worked before?

If it has worked before, when did it stop working?

What happened around that time? (No, really. You can tell me, I won’t laugh.)

Is there anything else that is not acting right?

Troubleshooting Disk Problems Disk problems are something you can expect to encounter during setup. They’re fairly common if you’ve changed the hardware configuration of the computer prior to the upgrade to Windows 2000. If you are working with a server, the hard disks most likely use the Small Computer System Interface (SCSI)-type disks and controllers. In my experience, nearly 90 percent of the troubleshooting issues of Windows 2000 Setup on SCSI-based computers involve termination problems. But there are other issues as well to be aware of. For instance, is the BIOS of the SCSI controller activated? If not, Setup may be unable to find the drive on which to install Windows 2000. A low-level format that is incorrect for the current drive geometry is a possible cause of file corruption, drives not being recognized by Setup, and system crashes. If you are installing a new SCSI drive or changing to a new make or model of SCSI controller, you should perform a low-level format of the drive to ensure that the drive geometry will line up correctly. In simpler terms, the drive controller performs a format of the disks within the drive so that the operating system will be able to write data to the individual sectors on the drive. In a way, sectors are like tiny boxes that are meant to contain information. Imagine trying to drop golf balls into small boxes. If you are lined up correctly, it’s easy. The balls simply drop right into place every time. But imagine now that you’re slightly off your aim. The balls usually go in the boxes, but sometimes they bounce off the edges and roll away. That’s what happens when your drive isn’t low-level formatted correctly for the specific controller. Each SCSI controller has its own geometry, or way of laying out those little boxes.


www.sybex.com


433

If multiple SCSI controllers are in the computer, do more than one of them have an active BIOS? If so, they may be competing for Int13 calls. This means that the wrong controller may be trying to boot the computer and therefore preventing the right controller from doing its job. It’s common today for people to try to mix SCSI device types—that is, to add 50-pin SCSI-2 devices to the same chain as SCSI-3 devices with 68 pins. That means that the cable has to change sizes from 68 wires to 50 wires. If you mix these devices, be certain that you buy the proper cable to make the conversion. If you don’t, or if you try to convert from 68 to 50 wires and then back to 68, you will have wires that are not being terminated correctly. It is better by far to have only “wide” devices with 68 pins on one chain and “narrow” devices with 50 pins on a separate chain. Of course, we have to assume that the computer was able to boot a previous operating system during the upgrade process, so many of these issues are moot. Still, if you are using SCSI devices, check your termination and the controller settings. If you are not using SCSI, then you’re probably using drives that use the Integrated Device Electronics (IDE) bus type. Most IDE systems are relatively trouble-free. The only issues we used to see with IDE involved the use of a drive that was too large for the BIOS to access all of the disk. Today, however, all of the BIOS systems support large drives, and large drives have become extremely common. A possible issue is the use of Ultra DMA/66 drives and unsupported drive controllers. If you find that the Windows 2000 Setup program does not recognize your drive, contact the manufacturer of your motherboard or hard drive controller for a new driver.

Troubleshooting Display Problems Display problems in Windows 2000 usually involve the driver. In some rare cases, the problem resides in the chipset used on the display adapter, but even then the problem can usually be overcome with a new video driver. One serious issue that could be a problem is that the drivers used in Windows 2000 are very different from the drivers used in Windows NT 4. In fact, there are some cases documented in the Knowledge Base where using an older driver (such as a driver for NT 4) can cause Windows 2000 to blue-screen. Most problems I’ve seen dealing with display adapters have been driver related—like the wonderful display adapter I purchased recently for gaming on one of my Windows 2000 computers from a manufacturer I won’t name. The product is fantastic, but the driver support has been very slow


www.sybex.com

434

Chapter 10


in coming to market. This problem seems to be more common with Windows 2000 than it has been in the past. From my perspective, it’s caused by two factors: First, computer hardware is advancing very quickly, and second, Windows 2000 uses a new driver model that unifies the drivers for Windows 9x, Millennium Edition (Me), and 2000. Because of this, many manufacturers have been slow to release drivers that support all of the features of their product under Windows 2000. The Setup program for Windows 2000 tries to help with this problem by running in a plain vanilla, 16-color, 640x480 resolution. Nearly every adapter on the market can handle this setting, so display problems won’t normally cause you any grief during setup. The one area where I have seen some real problems reported with Windows 2000 displays is in the use of a second monitor. Windows 2000 supports multiple monitors, but a number of display adapters cannot currently be used for the second display adapter. Most of the problems have symptoms similar to using an incorrect resolution or refresh rate. That is to say, the picture is distorted and portions of the image may appear as black blocks, or the entire image is distorted and appears slightly brown in color. Unfortunately, the only solution for most of these is to use a different display adapter for the second monitor. Any time you find that you cannot see your screen after changing either the driver or the resolution, you should use the advanced startup features of Windows 2000 to choose Safe mode. Safe mode uses a standard VGA driver and allows you to change your display back to a driver that works. EXERCISE 10.3

Finding Hardware Information Using Device Manager In this exercise, you practice finding hardware information in Windows 2000. Practice locating the following hardware items using at least two different methods:

System BIOS

Hard drive controller type

Model information for your CD-ROM drive

Amount of memory in the computer


www.sybex.com


435


Type and model of your display adapter

Device Manager is one of the best ways to find this information in Windows 2000. But you can also use the Computer Management Console and select System Information to view the information.

Troubleshooting Network Problems The single most common network protocol today is TCP/IP. Its popularity is most likely due to the Internet, but it’s also because TCP/IP is an industrystandard suite of protocols designed to perform specific tasks. That means that if you have Macs and NetWare and Unix computers on your network, your Windows 2000 Professional computer can easily communicate with all of them using TCP/IP. This protocol is also popular with support people because it has so many troubleshooting tools built in.




Ping The Packet Internetwork Groper (Ping) is the most basic test of network connectivity over TCP/IP. What Ping does for you is bounce a series of packets off a remote host. You’re essentially just saying “Hello?” four times and (you hope) getting a response each time. The basic syntax is ping www.host.com or ping 10.1.0.44. So what does this tell you? Getting a response when pinging by IP address means that your network card is installed correctly, the driver is working, the TCP/IP protocol is working, the other computer is working, and everything in between is working. That’s quite a lot of information for just one small command! When you ping by hostname, you get all the previous information, plus you know that your hostname resolution is working. You can also ping the address 127.0.0.1. This address is reserved for the local host (the local computer) and is a loop-back diagnostic test of your installed TCP/IP software. Successfully pinging the local host verifies that TCP/IP is correctly installed on the local computer.


www.sybex.com

436

Chapter 10


Hostname The Hostname utility returns the hostname of the local computer. This utility can be helpful when you aren’t sure what the hostname is. IPConfig IPConfig is right up there with Ping when it comes to valuable TCP/IP utilities. This tool enables you to view some or all of your TCP/IP configuration, as the name might imply. To use it, type ipconfig at the command prompt to receive your IP address, subnet mask, and default gateway. If you type ipconfig /all, you will see a listing of every TCP/IP configuration for every interface on your computer. To give you some idea of the scope of information, Figure 10.4 shows the output of the ipconfig /all command. IPConfig can also be used to release and renew IP addresses acquired through DHCP. The commands for this are ipconfig /release and ipconfig /renew. FIGURE 10.4

Output of the ipconfig /all command


www.sybex.com


437

A new feature of IPConfig in Windows 2000 allows you to renew your DNS registrations. This feature can be very useful when you are trying to add computers to a domain and you are unable to locate the domain controllers. Use the ipconfig /registerdns switch to add the dynamic registration for the computer to the DNS server. Name resolution for Windows 2000 domain controllers depends on the presence of the SRV records in dynamic DNS servers. These SRV records will be renewed with the ipconfig /registerdns switch. This command won’t help if the problem is caused by a bad A record for a host. ARP The ARP utility views and modifies the Address Resolution Protocol (ARP) cache. TCP/IP uses ARP to resolve an IP address such as 10.1.0.1 to a unique hardware address or MAC address. At the Application layer, the user types in a Universal Resource Locator (URL) to browse a favorite Web site. The user’s computer is configured to use a certain Domain Name System (DNS) server that is responsible for resolving the name in the URL to an IP address. Then TCP/IP uses ARP to resolve that IP address to a unique physical address. Every network card has a unique hexadecimal number assigned to it when it is manufactured. That’s the physical address or MAC address of the card. When ARP resolves an IP address to a unique hardware address, it stores the resolution in its cache. One thing you can do to improve the connection speed to a server that you use frequently is to make a static entry in the ARP cache. The command string below will add a static entry for a computer: arp–s 10.1.0.1 00-40-05-16-DA-8A The –s switch tells the arp command to make the entry permanent. You should be aware that permanent in this case means only until the computer is rebooted. If you want this entry to really be permanent, you must use the arp command in a logon script or batch file in your Startup group. Tracert The Trace Route (Tracert) utility is very much like Ping in that it bounces several packets of information off of a remote computer. But Tracert does more than that. It also shows a response from every router that the packets go through on their way to the remote computer.


www.sybex.com

438

Chapter 10


This can be especially useful when dealing with communications issues with a remote host that is very far away (as in many routers away). TCP/IP uses a mechanism called a Time To Live (TTL) to determine how long a packet of data should be allowed on the network. If we didn’t drop packets after a set period of time, packets would still be roaming the Internet from 20 years ago or more. The TTL is decremented automatically by at least one at each and every router it passes through, also called a hop. If a packet is forced to wait in a router due to network congestion, its TTL may be decremented by more than one. Tracert can reveal when the default TTL isn’t high enough to allow for network congestion on the way to the remote host. The TTL setting can be adjusted in Windows 2000 through the Registry at this location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services \Tcpip\Parameters Value name: DefaultTTL The maximum setting for this value is 255. Netdiag Netdiag is a utility that helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network client and whether it is functional. These tests and the key network status information they expose give you a more direct means of identifying and isolating network problems. Also, this tool does not require parameters or switches to be specified. This lets you focus on analyzing the output instead of worrying about tool usage. Netdiag diagnoses network problems by checking all aspects of a host computer's network configuration and connections. Beyond troubleshooting TCP/IP issues, it also examines a host computer’s Internetwork Packet Exchange (IPX) and NetWare configurations. Run Netdiag whenever a computer is having network problems. The utility tries to diagnose the problem and can even flag problem areas for closer inspection. Netdiag performs its tests by examining .dll files, output from other tools, and the system Registry to find potential problem spots. It checks to see which network services or functions are enabled and then runs up to 25 network configuration tests, depending on which services are running on the computer.


www.sybex.com


439

Netdiag gives you everything ipconfig /all gives you, and then some. For more information about Netdiag, see Windows 2000 Support Tools Help. PathPing The PathPing tool is a route-tracing tool that combines features of Ping and Tracert with additional information that neither of those tools provides. PathPing sends packets to each router on the way to a final destination over a period of time and then computes results based on the packets returned from each hop. Since PathPing shows the degree of packet loss at any given router or link, you can pinpoint which routers or links might be causing network problems. A number of switches are available for custom testing. For more information about PathPing, see Windows 2000 Support Tools Help. Network Monitor Windows 2000 Network Monitor can be a useful tool for troubleshooting network performance. The only limitation of Network Monitor is that it cannot capture all traffic on the network, only traffic sent to or from the computer on which it is running. To capture all traffic, you would need a third-party network monitor or Microsoft’s Systems Management Server (SMS). Network Monitor is best suited for capturing and analyzing network packets. How does this help? Well, if you have one network card producing excessive network traffic, Network Monitor can detect it. Oftentimes when network adapters fail, they become “chatty” cards, broadcasting excessively. This can cause the network to flood and reduce production.

Troubleshooting Memory Problems An old saying among Windows NT support engineers goes like this: “There’s no memory tester in the world as good as NT for finding bad memory.” There’s a lot of truth to that saying. Like NT, Windows 2000 can be very sensitive to memory problems. Unfortunately for us, the symptoms of bad memory can vary wildly. Everything from blue screens to random crashes, to hanging, to individual programs crashing can be tied to bad memory. One trick I learned in order to diagnose blue screens caused by bad memory was to carefully record the memory address of the module that caused the blue screen. If the address is the same each time the error occurs, you probably have some bad RAM causing the problem. It’s normal for programs to load into memory at different addresses from time to time. If the driver or program causes the error, the memory address should vary. If the address stays exactly the same for each error, then the memory at that address is probably the culprit.


www.sybex.com

440

Chapter 10


You should avoid mixing memory types whenever possible. I’ve helped customers resolve serious problems on their computers only to discover that the issues were caused by mixed memory. In one case, the memory modules were the same as far as their specifications were concerned, but one module had tin leads and the other had gold leads. This difference in metals used for the contacts was enough to blue-screen the computer. On another computer, you may be able to get away with this same configuration without any problems. If you suspect that a problem with Windows 2000 is being caused by bad memory, there are some things you can do to try to isolate the problem. One technique that I had good luck with was to swap memory modules in the slots on the motherboard. Sometimes you can move the problem to a different address. Many of the error messages that you will be troubleshooting will give you an address in memory where the error occurred. If you move the memory modules to different slots on the motherboard, and the address of the error moves, you know that you have a bad memory module. Another technique I used with Windows NT 4 was to add the switch /maxmem:x to the boot.ini file. The switch told Windows NT 4 to boot with only a portion of its memory. This technique should work equally well with Windows 2000. However, you should try not to limit the memory to something that Windows 2000 will not operate with. For example, try not to limit the switch to use only 32MB of memory for Windows 2000 Server. The /maxmem switch limits memory used to only the bottom portion of memory. If the bad memory exists in the upper memory range, the switch will block out the bad memory and prevent the error from occurring. If this switch doesn’t resolve the error, try swapping the memory modules around and using the switch again. To use the /maxmem:x switch, replace x with the amount of memory in megabytes you plan to use.

Troubleshooting Resource Conflicts One of the most common causes of problems during setup is conflicting resources in your hardware. Many operating systems allow you to share hardware resources, but Windows 2000 absolutely will not allow such sharing. With the amount of hardware that most of us are running in our computers, it’s easy to see how conflicts can arise. The most common scenario today for hardware conflicts is that an ISA device is trying to use the same


www.sybex.com


441

resource as a PCI device. This is because ISA devices are usually manually set, while PCI devices are dynamic. A possible solution to this problem is to reserve the resources that the ISA devices use in the system BIOS. The usual indication of a resource conflict is when two devices on the computer do not work. Sometimes this problem will be very easy to detect; for example, the mouse will not work and neither will the soundcard. Other times, the conflict is subtler. For instance, it might be difficult to detect the conflict between a SCSI controller that is used for a scanner and a soundcard. Neither of these devices would be used during setup, and so the problem would be difficult to spot until later. Assuming that you can boot into Window 2000, you can use Device Manager to help spot the problem. To open Device Manager in Windows 2000, right-click My Computer and choose Properties. Click the Hardware tab, and then click the button for Device Manager. Figure 10.5 shows Device Manager for Windows 2000. FIGURE 10.5

Device Manager will display any conflicts.


www.sybex.com

442

Chapter 10


Device Manager will display the conflicts in your system with either a red X through the device, meaning that the device isn’t working, or a yellow exclamation point (!), meaning that there is a warning. If you have a device that is showing a warning in Device Manager, double-click the device to open its Properties page. Figure 10.6 shows the Properties page for a mass storage controller. FIGURE 10.6

The Properties page for a mass storage controller

The Properties page for a device provides a general description of the device, the settings for the device driver, and the resources used by the device. If the device has a conflict, click the Resources tab to change the resources and resolve the conflict. On the Resources page, uncheck the Use Automatic Settings checkbox to make changes to individual resource settings. Figure 10.7 shows the Resources tab for a soundcard.


www.sybex.com


FIGURE 10.7

443

The Resources tab for a Yamaha soundcard

You can set ISA devices in this fashion if they are Plug and Play-compliant. PCI devices do not give you this option since their settings are set by the BIOS. If you cannot resolve the hardware conflicts using Device Manager, you may have to remove some devices from the computer to resolve the conflict. If you find yourself in this situation, remove devices that are not required for the operation of the computer. Once you have installed Windows 2000, you can start adding devices back to the computer until you find the source of the conflict.

Troubleshooting Blue-Screen Errors Blue-screen errors, stop screens, or the dreaded Blue Screen of Death are all the same type of error: Something blew up in Kernel mode and the operating system is unable to continue working. These errors can be caused by a wide variety of problems, from software to hardware—or even by environmental factors (like heat). They all have some common points that will be useful for troubleshooting. Consider the following illustration of the top line of a STOP message: STOP: 0x0000000A (0x00000060, 0x0000001C, 0x00000000, 0x80114738) IRQL_NOT_LESS_OR_EQUAL


www.sybex.com

444

Chapter 10


The first line provides most of the troubleshooting information you will need to resolve the issue. First of all, the STOP: 0x0000000A segment tells us that the blue screen is a Stop 0xA (it’s okay to omit the leading zeros when talking to tech support), which usually refers to a bad hardware driver. A Stop 0xA can also be caused by bad memory, though, so we still need to do some troubleshooting. The set of four 8-digit hexadecimal numbers in the parentheses is a vital clue to what happened to cause the error. Always write them down with the actual stop code because you will need them to query the Knowledge Base on Microsoft’s Web site for the solution. If you end up calling technical support, they will need to have these numbers to help you. The remainder of the screen is really only useful if you are capable of performing a live debug of the crashed system. Two blue screens are most commonly seen during setup. The first is STOP: 0x0000001E KMODE_EXCEPTION_NOT_HANDLED And the second is STOP: 0x0000000A IRQL_NOT_LESS_OR_EQUAL Both of these blue screens can indicate faulty hardware, especially memory. A misbehaving driver most commonly generates these, though a hardware problem can also cause them. One of the first things to rule out is any thirdparty driver you may be installing. Try to use only drivers supplied with Windows 2000, if possible. If you can’t avoid using a driver supplied by someone else, then be certain the driver was written specifically for Windows 2000 and not for an earlier version of NT. Try contacting the vendor for an updated driver file, possibly through their Web site. Another common blue-screen error involves Windows 2000’s inability to access the hard drive to boot the computer. The STOP code is STOP 0x0000007B INACCESSIBLE_BOOT_DEVICE This one is usually not nearly as bad as it first seems. What Windows 2000 is telling you is that it can’t use the driver you chose during the Text-mode portion of Setup. You can work through this blue screen by using standard hard-disk troubleshooting. That means asking questions like, “Is it plugged in?” Check the cables, and if it’s a SCSI drive, check the termination. Be sure


www.sybex.com


445

the drive is getting power and is spinning normally. If the drive is connected to a controller that has a BIOS, check the BIOS settings for the controller to make certain the controller can see the drive. One of the most interesting causes of the STOP 0x7B is adding an IDE drive to a SCSI-based system. IDE controllers are enumerated before the SCSI controllers, meaning that the BIOS of the computer looks for them first. If you add an IDE drive to a computer that is already working fine with SCSI hard drives, you may very well see this blue screen. You can fix this situation in the computer’s BIOS. If your BIOS supports the option, set the boot order to go to the SCSI drives first, then to the IDE drive. One last thing to mention about blue screens applies mostly to upgrading Windows 2000 from an earlier version and less to a fresh install. If you are using third-party drivers or programs that run in NT as services, you should always disable them until after Setup is completed. Please be aware that some services, especially network clients, are specifically designed for one version of Windows NT. One situation that I saw a lot of when NT 4 was released was a STOP screen caused by having Novell’s Client32 installed when the Setup program was run to upgrade from 3.51 to 4. The following STOP screen message appeared: STOP: 0x00000093 INVALID_KERNEL_HANDLE This STOP screen is caused by installing the Novell Client32 version 3.5b on Windows NT 4 or by having it installed on NT 3.5x when performing an upgrade to NT 4. The solution is to remove Client32 before performing the upgrade. This situation will likely become common again with the upgrades to Windows 2000. Recovering from this problem is difficult and usually involves some creative Registry hacking and a lot of patience. Now this is not intended to bash the Novell product in any way, only to illustrate that a good piece of software designed for one version of NT may not work at all on the next version. If you are using this client on NT 4 and intend to upgrade to Windows 2000, check with Novell for a Windows 2000 version prior to performing the upgrade, and you’ll be fine. In fact, the last time I checked Novell’s Web site, they already had released various software packages designed to run with Windows 2000. When in doubt, disable the service before performing the upgrade.


www.sybex.com

446

Chapter 10


There’s one last critical error to talk about here: Setup has encountered a fatal error that prevents it from continuing. Contact your software representative for help. Status code (0x4, 0, 0, 0) This error message is displayed on a blue screen, but it is not actually considered a “blue screen” because it does not display the typical STOP message. The message indicates a problem with the Master Boot Record (MBR). Either the MBR has become corrupted or it’s infected with a boot-sector virus. Yes, even NTFS (NT File System) can become infected with a virus. This usually happens only on dual-boot systems, but it can also happen if you boot the computer with an infected floppy disk. NTFS is resistant to viruses in that Windows 2000 doesn’t allow any program to access the hardware directly. In theory, this should prevent any boot-sector virus. The key words here are “in theory.” It is possible to repair the MBR if you have a bootable floppy that you know is clean of any virus infection (that’s the hard part in getting rid of a virus). An emergency boot disk from Windows 95/98 is especially helpful for this because you need fdisk.exe. After booting the infected computer with the boot floppy (you did write-protect the floppy, didn’t you?), run mem.exe at the command prompt. The Total Bytes of Memory (before anything is subtracted) should equal 640K. Next, run chkdsk.exe and look at the line for Total Bytes of Memory (it’s near the bottom), which should read 655,360. If either amount of memory is off, and especially if only one of them is off, you probably have a boot-sector virus loaded in memory. If both of these programs correctly report the amount of conventional memory, you can be reasonably certain that the virus is not in memory. If that’s the case, you can type fdisk /mbr at the command prompt to rebuild the MBR. This command won’t do anything else, provided the virus is not in memory. However, if the virus is in memory, this command may be fatal to your data.

The fdisk /mbr command is dangerous and should never be used without being absolutely positive that a boot-sector virus is not loaded in memory. The result could be total data loss. Most boot-sector viruses work by moving the MBR elsewhere on the disk, then replacing it with their own code. Anything that tries to scan the MBR is first infected by the virus and then redirected out to the real MBR in its new location.


www.sybex.com

Troubleshooting Third-Party Tools

447

It’s interesting to note that the Master Boot Record is operating system independent. It’s quite possible to rebuild the MBR for a Windows 2000 computer using an emergency boot disk from Windows 98.

Troubleshooting Third-Party Tools

I

t’s very common to use software on Windows NT that runs as a service, especially for anti-virus or network client access. The only thing wrong with these programs is that they can cause problems when performing an upgrade of the operating system. As an example, I remember supporting customers running Windows NT 3.51 and Novell Client32 for NetWare. This is an excellent piece of client software that runs as a service on NT 3.51, but if it were running when you performed the upgrade to Windows NT 4, you would encounter a particularly nasty blue screen. This wasn’t Novell’s fault; it was just that the Setup program wasn’t prepared to handle third-party services. If you stopped the service prior to performing the upgrade, everything went fine.



Resolve third-party tool issues.

The Readiness Analyzer will assist you with these issues as well as the hardware issues we discussed in the previous section. For more information on the Readiness Analyzer, please refer to the earlier section on hardware troubleshooting. Outside of the recommendations made by the Readiness Analyzer, it would be prudent to temporarily disable any third-party software you are currently running before upgrading to Windows 2000. This will help to avoid any nasty surprises during the setup procedure. As a general practice, you should disable all third-party software packages before installing Windows 2000, especially all anti-virus programs. This last step is particularly


www.sybex.com

448

Chapter 10


important because Windows 2000 Setup will modify the boot sector of the hard drive. The problems caused by third-party tools can range from blue-screen errors to system crashes. If you encounter a blue-screen error, please consult the earlier section on troubleshooting blue screens. Blue-screen errors are fairly common with third-party tools during an operating system upgrade. In those cases, the blue-screen information should point out the third-party software that caused the error. If you can determine which third-party tool was at fault, simply disable it and the error should be resolved. Of course, by the time you receive the blue-screen error, it may already be too late to disable the third-party software. Once again, it’s better to disable all of these packages before performing an upgrade. Once the upgrade has been performed, you should be able to reinstall or re-enable your software. As an added precaution, always check with the vendor of the software prior to enabling it in Windows 2000. You can normally find this information on the vendor’s Web site.

Troubleshooting Rights and Permissions

Troubleshooting user rights and permissions can be somewhat difficult in Windows 2000. Normally these problems should be resolved by using the SIDHistory property of the user accounts in Active Directory. But in some cases after upgrading a computer to Windows 2000, you may find yourself unable to log on to the computer with a normal user account. This should probably only happen if you’ve chosen to upgrade the member server to a domain controller in Active Directory. This is because domain controllers do not allow normal user accounts to log on locally at the computer. If you are able to log on using an administrator account, you’ll be able to change the local rights in the computer to allow local logon for users. Of course, that may not be a good idea.



Resolve issues associated with rights necessary for upgrade.


www.sybex.com

Troubleshooting Rights and Permissions

449

Problems with rights and permissions typically show up when you access resources. The SIDHistory property of the accounts should help users to maintain access to resources in Windows 2000. And of course, remember that an access-denied message always means you do not have permission to do what you just tried to do. One note of interest with Windows 2000 Professional is that all users will have administrator rights after the upgrade. This behavior occurs when you have upgraded from Windows 95 or 98, where all users have Full Control access to the entire operating system. This situation is caused by design and is completely normal behavior, based on the type of upgrade you have performed. When you upgrade from NT Server to Windows 2000 Server, this behavior does not exist, as all permissions and rights are maintained in the upgrade. Other problems you might experience with rights and permissions during an upgrade occur with Remote Installation Services (RIS), where the user installing the client workstation must be able to create the computer account and must even have the ability to run the Remote Installation Services to begin with. In order for someone to install a client machine using RIS, they must have permission to log on as a batch service. In order to troubleshoot rights and permissions, you must analyze the error messages that the users encounter. By comparing the groups the user belongs to and the permissions associated with those groups to the error messages the users are receiving, you will often find the problem. This can be a tedious process; however, it is one that must be done to resolve the issue. The situation where I have encountered problems with user permissions and rights most commonly during an upgrade is with service accounts for server software. Service accounts are used by server applications to log on to the local server as well as to remote servers. The SIDHistory feature in Active Directory may resolve the problem for Windows 2000, but it likely will not be recognized by the server application. This means that you’ll need to manually reset the service account for the server applications once you’ve upgraded to Windows 2000. This situation most commonly occurs when you migrate away from an NT 4 domain into an Active Directory domain using Windows 2000. It should not be a problem when you are performing a simple upgrade of an NT 4 server. Another resource for troubleshooting information in Windows 2000 is the Event Viewer application in the Administrative Tools group. Event Viewer will display errors regarding the service account startups. In most cases, Event Viewer will display the service and the account name that is having trouble starting.


www.sybex.com

450

Chapter 10


Troubleshooting Domain Issues

The domain issues you are likely to run into when upgrading to Windows 2000 include a variety of things mostly based on finding the domain controllers. Because the Windows 2000 network depends on DNS exclusively for locating the servers, older clients may have difficulty if they are not configured for DNS resolution. Possible solutions to this problem include using a Hosts file or making sure that the TCP/IP configuration is set to use DNS for resolution.



Resolve domain name issues.

Along the lines of the DNS resolution issue, the DNS servers in your network must support the dynamic update feature. There are some possible solutions to be considered. One such solution would use the WINS server to provide NetBIOS name resolution for the older clients. Since WINS is not used in a native Windows 2000 environment, WINS will likely not be available if you’re creating the network from the ground up. Providing name resolution for clients being upgraded to Windows 2000 might be a great example of why you would want to include the WINS server. Another possible solution would be to use an LMHosts file to provide the NetBIOS resolution. Using this method, the NetBIOS resolution would contain a mapping for the domain controllers in the network with a #DOM in the LMHosts file. The best solution, however, is still to provide the DNS resolution for clients being upgraded to Windows 2000. A fairly common error that you might encounter dealing with domain issues in an upgrade would be the inability to create a computer account in the domain. The user account performing the upgrade must have the permission to create a new computer account in the domain, or else the computer account must already exist. An administrator, or anyone with the permission to create new accounts in the domain or an OU, may create the new computer account for the user during the upgrade. Remember that the default location in Active Directory for a new computer account is the Computers


www.sybex.com

Troubleshooting Domain Issues

451

container. The user may have permission to create computer accounts in an OU but lack permission to create a computer account in the Computers container. When troubleshooting domain problems, be sure to start with the basics. For example, make sure that you have established network connectivity with the domain controllers. This is another area where asking whether the domain controller is plugged in or turned on may be beneficial. Sometimes your inability to add a computer to a domain will stem from the lack of network connectivity. Check the cables to be sure that they are connected. Verify that your computer is running the same network protocol that the servers are running. Simple network troubleshooting should always be used in these cases. Earlier I mentioned that DNS might very well be the cause of your problems connecting to a domain. A simple way to test this idea is to try to connect to a new computer by its DNS name. If you can connect by the DNS name, then the DNS resolution is working. If you cannot connect by the DNS name, then try to connect by the TCP/IP address. A situation that you may encounter when adding computers to a domain is that you may have mistyped the name. It’s funny how many times we overlook a simple problem with spelling. The computer will put in exactly what you type and has no kind of spell checking enabled. I’ve seen this problem happen, especially when users get the domain name over the telephone from an administrator. In this case, the person types in exactly what they think they heard from the administrator. The problem may exist on either end; it may be the administrator, or it may be the user. The result is the same. One last situation to consider is a member server that is being promoted to a domain controller in a new domain. In order for a member server to be promoted to a domain controller in a domain, there must be reliable communication with an existing domain controller in the domain. This means that the domain controller must be able to be resolved through DNS. For this to work, dynamic DNS entries in the DNS server must support the location of the domain controllers within an Active Directory network. Dynamic DNS entries are supported in the BIND DNS server version 8.1.1 and higher and in the DNS server supplied with Windows 2000. If your domain is still running in mixed mode, you must be able to reach the primary domain controller. This is where NetBIOS name resolution will be important. In mixed mode, domain client computers will locate the primary domain controllers by using NetBIOS name resolution. This means using a WINS server or an LMHosts file. If the client computer and the primary domain controller are on the same network segment, the client will also be able to


www.sybex.com

452

Chapter 10


locate the primary domain controllers through a NetLogon broadcast. Once your domain has been converted to native mode, a client computer will be able to add itself to the network by contacting any domain controller.



Back up domains.

Even though this topic is at the end of the troubleshooting section, don’t underestimate its importance. Make sure to not only back up your domains before you begin the migration, but also back up the domains after migration as well. You just went through a lot of work. Seeing it all go to waste would make for a bad day.

Summary

I

n this chapter, you learned how to use the Microsoft Readiness Analyzer to prepare your system for installation of Windows 2000. You learned how to access the Readiness Analyzer of the Winnt32 Setup program by downloading the stand-alone version from Microsoft’s Web site and also by using the winnt32 /checkupgradeonly switch. The Readiness Analyzer is capable of analyzing software and hardware incompatibilities prior to your installation of Windows 2000. We discussed how to troubleshoot major components of Windows 2000. You learned how to troubleshoot hardware problems using both the Readiness Analyzer and Device Manager within Windows 2000. You saw how to open up the properties of the device driver with Device Manager and how to use the Resources tab to change the settings and device if it supports Plug and Play. I introduced to you various options for troubleshooting network connectivity. Windows 2000 includes several utilities for testing network connections, especially over TCP/IP. You saw how to use Ping to test network connections over TCP/IP, how to use the ARP utility to view the ARP resolution cache, and how to use IPConfig to view your TCP/IP configuration.


www.sybex.com

Summary

453

You also learned how to troubleshoot memory problems on your computer and to troubleshoot common display problems. I described how third-party services and device drivers on Windows 2000 may cause problems during the upgrade. The best way to prevent problems with third-party services is to disable the services prior to the upgrade to Windows 2000. And of course, when in doubt check with the manufacturer of the software for Windows 2000 solutions. I finished the chapter by describing some common problems you may encounter with rights and permissions and also with adding computers to domains. The SIDHistory feature will take care of most rights and permissions issues for users and groups in Active Directory. The most common issues with adding computers to domains involve name resolution used to locate the domain controllers.

Key Terms Before you take the exam, be sure you’re familiar with the following terms: Readiness Analyzer Ping Hostname IPConfig ARP Tracert


www.sybex.com

CASE STUDY

454

Chapter 10




Background Widgets, Inc. is in the early stages of a migration to Windows 2000. Their current environment includes a mixture of Windows 3.x, Window 95/98, and Windows NT 4.0 clients accessing servers running Unix, NetWare 3.x, 4.x, and 5.x, and Windows NT 4.0. You have been assigned as manager of the test lab.

Goals Management wants the migration to go as smoothly as possible, so all aspects should be tested before implementation. Most of the server computers will be replaced with newer, more powerful computers. Many of the client computers, however, will be upgraded rather then replaced. Your job is to design and recommend procedures that will limit the impact that the migration will have on the production environment. While your budget is not unlimited, you have been told to spend what is necessary to achieve your goal.

Current System The current system was designed by a group of people who believed in numerous, less-powerful servers spread across the network. One of the goals of the migration is to move critical data and services to fewer, but more robust computers. The current standard NT 4.0 server is a Pentium II or III single-processor computer with 256MB of RAM. All servers have been configured with dual EIDE drives mirrored for the system/boot partition, and all data is stored on SCSI drives that NT controls in a RAID 5 configuration. The client computers run the gamut from Pentium 200s with 64MB of RAM to the latest Pentium IIIs with 256MB of RAM. The design team has decided that all clients will run Windows 2000 Professional unless a missioncritical application is incompatible.


www.sybex.com


455

Questions 1. Build list and reorder: Place the tasks in the table in the correct order.

Task

Task Submit recommendations to the design team. Install all applications used by employees on Windows 2000based computers; document any incompatibilities. Run Readiness Analyzer on all current configurations of hardware and document the results. Install Windows 2000 on test-configuration computers. Order the test hardware and software for the lab. Build a list of required changes to current hardware to comply with Windows 2000 requirements.

2. Management has asked you to suggest uses for the servers that are

replaced during the migration. Which of the following should be your first suggestion? A. Move network services, such as DHCP and DNS, off of the new

servers and onto these extra computers. B. Place at least one server in the remote office connected by an

ISDN line. C. Use them to replace those end-user computers that will not support

Windows 2000 Professional. D. Donate them to the local school system and use them as a tax

write-off.


www.sybex.com

CASE STUDY

Your network spans five physical locations. All but one of these offices have two or more NT 4.0 servers that will be upgraded. That office, which has no local server, has an ISDN line and connects to the corporate headquarters through an Internet-based VPN.

CASE STUDY

456

Chapter 10


3. You are upgrading an NT 4.0 domain controller configured with

Novell’s Client 32 for NT. It also provides WINS, DHCP, and DNS services. Which of the following is true? A. You should run Winnt32.exe on the computer without making

any changes to its configuration. This will ensure that all services are upgraded correctly. B. You should disable or uninstall Gateway Services for NetWare

before performing the upgrade. C. You should leave WINS running on the computer until all

NetBIOS applications are updated or replaced. D. You should remove DNS before the upgrade because it is not nec-

essary in a Windows 2000 environment.


www.sybex.com


457

1.

Task Run Readiness Analyzer on all current configurations of hardware and document the results. Build a list of required changes to current hardware to comply with Windows 2000 requirements. Order the test hardware and software for the lab. Install Windows 2000 on test-configuration computers. Install all applications used by employees on Windows 2000-based computers; document any incompatibilities. Submit recommendations to the design team. The test-lab process can be divided into three major areas. First, document the current hardware and compare it with Windows 2000 requirements. Second, order the equipment needed to reproduce your production environment in the lab. Third, test Windows 2000 and applications in the lab, document any problems, and submit your recommendations. 2. B. While each of the answers presented is valid, your first answer

should be to place a server at the remote site. Make it a domain controller so that those users can log on through a local computer. 3. B. Microsoft recommends that all third-party services be disabled

before running an upgrade.


www.sybex.com

CASE STUDY ANSWERS

Answers

458

Chapter 10


Review Questions 1. What switch with the Winnt32 Setup program can be used to run the

Readiness Analyzer? A. /checkupgradeonly B. /readinesscheck C. /testhardwareonly D. /testsoftwareonly 2. You want to install Windows 2000 on a computer with 64MB of

RAM, a 1.2GB hard disk, and a Pentium 100 processor, but the setup won’t complete. Why? A. You need to start Setup with the /lowmemory switch to enable a

compact setup. B. You need to upgrade the BIOS on the computer before it will run

Windows 2000. C. The hardware is insufficient to run Windows 2000. D. Call technical support for help. 3. You have a quad-processor server with 486DX4-100 processors and

512MB of RAM. How could you determine whether this computer will run Windows 2000 without actually starting the Setup program? A. Start the Setup program with winnt32 /checkupgradeonly. B. Download the Readiness Analyzer from Microsoft’s Web site and

run it on the server. C. Use the Active Directory Migration Tool to run a check on the

system. D. Call the Help Desk.


www.sybex.com

Review Questions

459

4. You have just installed Windows 2000 but now your sound card doesn’t

work. Where can you view the current settings for the sound card? A. The jumpers on the card B. Device Manager C. Windows NT Diagnostics D. winnt32 /displayhardwaresettings 5. Where can you view the latest information about compatible hard-

ware for Windows 2000? A. The hardware manufacturer’s Web site B. The Readiness Analyzer C. Microsoft’s HCL Web site D. The Knowledge Base 6. You are attempting to install Windows 2000 on a computer that was

built from spare parts. Your computer fails with a blue-screen error. What should you do first? A. Write down the first two lines of information on the screen. B. Call your network consultant. C. Reboot the computer, as this happens from time to time. D. Call technical support. 7. You are trying to install Windows 2000 on a computer with SCSI

disks, but you keep encountering errors when Setup is copying files to the hard drive. What should you check first when troubleshooting this problem? A. Make certain the computer is plugged in. B. Check the termination of the IDE channels. C. Check the SCSI termination. D. Perform a low-level format of the CD-ROM drive.


www.sybex.com

460

Chapter 10


8. You have successfully installed Windows 2000 on a computer. After

installation, you try to change the display properties to take advantage of the new video card you added, but when you change the driver all you get is a black screen with a few color squiggles. What should you do? A. Reboot into VGA mode to change the driver back. B. Reboot and use the Advanced Startup options to boot into Safe

mode so you can change the driver. C. Do nothing, the display will reset automatically after 15 seconds. D. Format and reinstall Windows 2000; there’s no other way to

recover. 9. During the installation of Windows 2000, you are unable to connect

to a domain controller in order to join the domain. How can you tell if the network connection is working? A. Ping the domain controller by name and by IP address. B. Use the net view command to locate the domain controller. C. Use the Hostname utility to locate the name of the domain

controller. D. Make sure the computer is turned on first. 10. How can you be certain that the DNS information for your computer

has been updated? A. Manually configure the DNS server tables. B. Use the ipconfig /renew command. C. Use the ipconfig /registerdns command. D. Use the ipconfig /release command.


www.sybex.com

Review Questions

461

11. You are preparing to upgrade your NT 4 computer to Windows 2000

Server, but you are concerned about the possibility of crashes due to the third-party anti-virus program you are running. What should you do to prevent problems caused by the anti-virus program? A. Don’t worry, these programs almost never crash. B. Completely uninstall the anti-virus program. C. Disable the services that run for the anti-virus program until after

setup has been completed. D. Use the Readiness Analyzer to prevent the anti-virus program from

causing any problems. 12. After upgrading your Windows 98 computer to Windows 2000 Pro-

fessional, you discover that every user with a profile on your computer has been added to the local Administrators group. What went wrong? A. You ran Setup with the /addallusers switch. B. Nothing went wrong; this is by design. C. You performed the upgrade as the Administrator. D. You probably have a corrupted Registry. 13. You are trying to promote a member server to domain controller in

your Windows 2000 domain but are receiving an error that no domain controllers can be located. What is the most likely cause of this? A. The member server is not properly configured for DNS. B. The WINS server is offline. C. The PDC is on another subnet and cannot be located by broadcast. D. The domain controllers aren’t listed in the WINS server.


www.sybex.com

462

Chapter 10


14. Which Windows 2000 migration tool is best suited to moving users to

a new Active Directory domain without disturbing them in the source domain? A. ADMT B. ClonePrincipal C. Move Tree D. NETDOM 15. The Domain Name System resolves what kind of names to IP

addresses? A. Hostnames B. Hostess names C. NetBIOS names D. Computer names 16. You suspect that the secure channel of communication has been bro-

ken between an NT 4 Workstation computer and its Windows 2000 domain controller. Which tool should you use to reset this secure channel? A. ChannelReset B. ClonePrincipal C. NETDOM D. ADMT 17. You are trying to upgrade your computer running Windows NT 3.51

to Windows 2000 Server but are receiving a message that you don’t have enough memory installed. What is the minimum amount of RAM you should have for Windows 2000 Server to install? A. 16MB B. 128MB C. 64MB D. 256MB


www.sybex.com

Review Questions

463

18. Which command-line utility can modify the Access Control Lists of an

Active Directory object? A. Move Tree B. NETDOM C. Dsacls.exe D. ADMT 19. Which TCP/IP utility enables you to verify the route taken from your

computer to a server on the Internet? A. Route /verify B. Tracert C. Ping D. IPConfig 20. You have upgraded your computer to Windows 2000 Professional

and are trying to use multiple monitors. However, the second monitor appears distorted with the image being brown and twisted on the screen. What is the problem? A. Windows 2000 Professional doesn’t support multiple monitors. B. The second display adapter must also be an AGP adapter. C. The second display adapter is not supported by Windows 2000 for

use as a second display. D. Your monitor is going bad and cannot display the image correctly.


www.sybex.com

464

Chapter 10


Answers to Review Questions 1. A. Using the winnt32 /checkupgradeonly command will run the

Readiness Analyzer and then exit the Setup program without installing any files. 2. C. Windows 2000 has much higher hardware requirements than

NT 4 did. 3. B. You can get this information from the Readiness Analyzer, which

can be downloaded from Microsoft’s Web site for free. 4. B. Windows 2000 includes the Device Manager utility for viewing and

modifying hardware resources on your computer. 5. C. Microsoft’s HCL Web site contains the very latest information

regarding compatible hardware for Windows 2000. 6. A. Even if you were to call technical support, they would want to have

the information contained in the first two lines of text on the screen. 7. C. SCSI problems most often involve poor termination. You should

always verify that the SCSI bus is properly terminated before moving on to other troubleshooting options. 8. B. Safe mode enables you to reset the display drivers. When you

change the color depth or resolution used by a specific driver, the display will automatically reset after 15 seconds, but not after changing the driver. 9. A. The Ping utility is a standard method for testing TCP/IP connectiv-

ity. Using both the name and the IP address of a domain control tests the hostname-resolution methods as well as the basic connection. 10. C. The ipconfig /registerdns command will cause the computer

to renew its dynamic DNS registrations with all of the DNS servers it is configured to use.


www.sybex.com


465

11. C. It is a good practice to always disable any third-party services prior

to running an upgrade of your operating system. 12. B. Since all users of a Windows 9x computer have full access to every-

thing on the computer, Windows 2000 maintains this access by adding everyone to the local Administrators group. 13. A. Windows 2000 uses DNS for all name resolution by default. Very

likely, the member server isn’t looking at the right DNS server. 14. B. ClonePrincipal is very useful for creating copies of accounts in a new

Active Directory location without disturbing the original environment. 15. A. The most correct answer is A. DNS resolves hostnames to IP

addresses. Saying computer names is a bit too non-specific as hostnames and NetBIOS names are both computer names. 16. C. NETDOM can verify or even reset the secure communication chan-

nel that exists between member servers or workstations and the domain. 17. C. While the recommended amount of RAM for Windows 2000

Server is 128MB, it will install on 64MB as the real minimum. 18. C. Dsacls.exe is a Resource Kit utility that edits the Access Control

List for an Active Directory object from the command line. 19. B. Tracert bounces packets of data off of a remote host, but it also

sends a reply from each router that it passes through on its way to the remote host. 20. C. There are several display adapters that are supported as primary

displays for Windows 2000 but not supported as secondary displays. Your adapter most likely falls into this category.


www.sybex.com

Chapter

11

Troubleshooting Account Issues MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Troubleshoot account issues for all types of migrations.

Resolve System Policy translation failures.

Resolve logon script failures.

Resolve issues associated with duplicate accounts that have different SIDs.

Resolve issues associated with user rights.


www.sybex.com

B

ecause Windows 2000 has a completely different way of dealing with user accounts and groups than we had in NT 4, you may encounter several problems along the way. In this chapter, we will consider some of the troubleshooting you may have to do with user accounts and group accounts. We’ll examine the troubleshooting related to duplicate user accounts with different SIDs and show what happens when you have insufficient user rights to perform a specific task. But first let’s examine some of the problems that may arise with the transition from System Policy to Group Policy Objects (GPOs) and with the transition from logon scripts to Windows 2000.

Troubleshooting System Policy Problems

I

n Windows NT, you used System Policy to enforce a specific view of the Desktop for all of your users. And even though there were problems associated with System Policy, it was an effective way to control the user’s workspace. System Policy was applied directly to the Registry of the user’s computer. This method was effective for controlling quite a few different options. However, there were problems in terms of changing the policy, which was not always correctly applied, and problems in applying the correct policies in the correct order. You would sometimes experience unexpected results stemming from the order in which System Policy was applied.


www.sybex.com


469

Also, old policies had to be manually removed from the Registry in NT. In 2000, they are cleanly removed.


Troubleshoot account issues for all types of migrations.

Resolve System Policy translation failures.

Windows 2000 uses a different approach to controlling the user’s workspace. Now instead of using System Policy, you use Group Policy Objects to apply a specific policy to the users, computers, OUs, or an entire domain or site. With Windows 2000 and Active Directory, a much more granular configuration is possible. You can set Group Policy to flow down from the very highest level, or you can set it at a lower level and apply it directly to one OU. In addition, you can block Group Policy inheritance at any level or prevent it from being blocked. So, other than when a user calls to complain, how will you know when your Group Policy implementation is broken? Windows 2000 includes the ability to enable diagnostic logging for Group Policy. The logging events will be displayed in the event log. These events can be useful in diagnosing problems associated with Group Policy by providing greater detail on what went wrong. EXERCISE 11.1

Enabling Diagnostic Logging To enable diagnostic logging, follow these steps:

1. Log on as a local administrator account. 2. Click Start Run and type Regedt32.exe. Click OK. 3. Browse down to HKLM\Software\Microsoft\WindowsNT\ CurrentVersion key.


www.sybex.com

470

Chapter 11

Troubleshooting Account Issues


4. Select Add Key from the Edit menu. Enter Diagnostics as the name of the new key. Click OK.

5. Highlight the Diagnostics key, and select Add Value from the Edit menu. In the Value Name field, type RunDiagnosticLoggingGlobal, and in the Data Type field, type REG_DWORD, as shown in the following graphic.

6. Double-click the new RunDiagnosticLoggingGlobal value, type 1 in the Data field, and click OK. This setting will cause all events generated by Group Policy to be recorded in the Event Viewer. Now exit the Registry Editor.

Once you have enabled diagnostic logging for Group Policy, you’ll be generating a large number of events in the application log. These events will occur mostly when a user logs on to the local computer. You can also choose to enable verbose logging to generate more details in a separate log file. This involves adding another value to the Registry. To enable verbose logging, use the Registry Editor to browse down to HKEY_Local_Machine\Software \Microsoft\WindowsNT\CurrentVersion\Winlogon. From the Edit menu, select Add Value, then name the value UserEnvDebugLevel, with a type of REG_DWORD. Entering a value of 30002 enables verbose logging; a value of 30001 enables logging of errors and warnings only, and a value of 30000 turns off logging. To disable verbose logging, delete the new value from the Registry.


www.sybex.com


471

Group Policy Troubleshooting Tools Windows 2000 offers four tools for troubleshooting Group Policy. Two of the tools are included in Windows 2000, and the other two are available in the Windows 2000 Resource Kit. Some of the tools relate to network connectivity, such as Netdiag, and some of them relate directly to the replication of policy and to the functioning of Group Policy. The troubleshooting tools for Group Policy are: Netdiag.exe This command-line tool from the Windows 2000 CD-ROM helps solve connectivity problems by performing a series of tests to determine where the connection occurs. Netdiag is useful to determine whether the Group Policy problems are being caused by network failure. Replmon.exe This tool can help you solve problems that are related to incomplete or incorrect replication of the Group Policy container and the Group Policy template. Replmon is included on the Windows 2000 CD-ROM and is installed automatically with the Support Tools. This tool lets you see the low-level replication activities of Active Directory in your network. It enables you to force replication, monitor replication, and force synchronization between domain controllers. GPOtool.exe GPOtool is a command-line tool from the Resource Kit that lets you check the status of Group Policy Objects on domain controllers. You can check all portions of the GPO on the domain controller. GPResult.exe This command-line tool is available in the Windows 2000 Resource Kit. GPResult displays information about the results of all GPOs applied to the current user and the computer. You should be able to determine much about the source of the problem from the reports from your users. If their trouble reports indicate that Group Policy is not being applied at all, then you need to investigate network connectivity. If, however, the trouble tickets indicate that policy is not being applied correctly, then you need to investigate the Group Policy on the domain controllers. In this last case, the source of the trouble may


www.sybex.com

472

Chapter 11


be replication of the GPOs or it may be a result of incorrectly applied GPOs. Figure 11.1 shows the results of using GPOtool to display the status of Group Policy Objects on a domain controller. FIGURE 11.1

The output of GPOtool.exe

The tool that I find particularly useful and interesting is GPResult. This tool enables you to determine how GPOs are being applied to a given user, which can be especially useful when troubleshooting incorrectly applied GPOs. It seems that most of the time I’ve spent troubleshooting GPOs has been spent determining why someone is getting the result they are actually seeing. Figure 11.2 shows the output of GPResult.exe.


www.sybex.com


FIGURE 11.2

473

GPResult.exe is useful for determining how GPOs are applied.

We’ve been waiting years for this tool. When troubleshooting System Policy problems on Windows NT, it was often necessary to use a piece of graph paper to map users and the groups they belonged to. Now when troubleshooting Group Policy within Windows 2000, GPResult allows us to see


www.sybex.com

474

Chapter 11


which groups a user belongs to and how Group Policy is applied to that user. I guess I really am a geek—I just can’t help getting excited about this tool! EXERCISE 11.2

Determining the Result of Group Policy This exercise requires that you have access to a Windows 2000 domain running in native mode with Active Directory and that you have installed the Windows 2000 Resource Kit tools. You will first need to create at least one Group Policy Object to be assigned within the domain to a group or a single user. The results of the exercise are more satisfying if you create multiple GPOs at different levels of Active Directory. As a suggestion, do the following:

Create a user account to which you can apply Group Policy.

Create a GPO at the site level to control software distribution.

Create a GPO at the domain level to control logon hours for users.

Create a GPO at the user’s OU level to redirect the My Documents folder.

After you have applied Group Policy at various levels to groups and your test user, run the GPResult.exe tool to analyze the resulting policy as it applies to your user. To determine the Group Policy results, follow these steps:

1. Log on to your test computer with the test user account you created for this exercise.

2. Open a command prompt. 3. Type gpresult.exe and press Enter. 4. Examine the output of the command to determine the policy results for the user and the computer.

5. Type gpresult.exe /? at the prompt to display the various options for modifying the output of the gpresult.exe command.


www.sybex.com


475


6. Enter the command to display the Group Policy results for the currently logged-on user only. I suggest trying out this command as often as possible to help you understand the way that Group Policy Objects combine to affect a single user or computer within an Active Directory environment.

Common GPO Issues There are a couple of possible scenarios that you might have to troubleshoot with Group Policy. In the first scenario, you cannot access or open the GPO. In the second scenario, your GPO is not being implemented as expected. In the first situation, you intend to either open or edit a GPO but receive an error message telling you that the GPO cannot be accessed or opened. A couple of possible causes for this are shown here:

You do not have the correct permissions to access the GPO. Check the DACL (Discretionary Access Control List) for the GPO that you’re trying to access. You must have both Read and Write permissions to open or edit a GPO.

You’re unable to connect to the domain controller that the GPO is trying to reach. This problem can be caused either by network connectivity problems or by failure to resolve the domain controller name in DNS.

Another thing to check when you receive an access-denied message for the GPO is the delegation of authority for the GPO. You may be logged on with an account that you believe has authority for the GPO but that actually does not. I find it to be a good practice to check how I am logged on to the machine whenever I receive such a message. Many times I have found that I am actually logged on with a user account instead of an administrator account.


www.sybex.com

476

Chapter 11


In the second scenario, your GPOs are not being applied as you would expect. There are several possible causes for this scenario, including the following: Inheritance conflicts If Group Policy settings are not being applied as you expect, be sure that inheritance is not being blocked or that the inheritance is not causing problems at a lower level. This can take some time to track depending on the size of your Active Directory hierarchy. Starting at the top of the forest, work your way down through all of the sites, domains, and OUs that apply in this inheritance. Don’t forget to also check computer settings in the GPOs. Remember that, in most cases, computer settings will override user settings if they are in conflict. The last thing to check for in this scenario is a No Override setting on some OU in the chain. Permission issues Check the DACLs of all GPOs that you expect to be applied to the user or the computer in question. Remember that a user must have Read and Apply Group Policy permissions in order to have a GPO applied. Now for fun part: You also need to check in the groups that the user belongs to. Make certain that you check for Deny permissions set on any of the DACLs. Always remember that Deny permissions override Allow permissions. Disabled GPOs If your GPOs are not being applied as you would expect, make certain that the GPOs have not been disabled. Remember to check both the user configuration and the computer configuration to see if they have been disabled. Computer or user object has been moved If the user or computer object has been moved to Active Directory, it may not have the correct location for its GPO. Remember that a client caches the Active Directory location information for up to 30 minutes, so this situation should correct itself in due time. If the Group Policy refreshes before the cache location does, the new Group Policy settings will not be processed. However, they will be processed the next time Group Policy refreshes. Replication issues Remember that GPOs depend on both the Group Policy container and Group Policy template portions that are stored in the Sysvol. If replication has not completed, these portions of the GPO will not be present on all domain controllers. Make certain that both Active Directory replication and Sysvol replication have completed successfully. If one or both of these replications fails, the GPO will not be applied correctly—and possibly not be applied at all.


www.sybex.com


477

Inter-domain GPO link issues If you have linked a site, domain, or OU to a GPO in another domain, the GPO must be accessed across a trust relationship. If the trust fails for any reason—perhaps data network connectivity problems—the GPO will be unavailable. If the GPO is unavailable, then Group Policy processing will fail. Having multiple domain controllers per domain should correct this problem. If you have multiple domains in a single site, you should also try to have more than one domain controller from each domain in the site. Just because I call these common troubleshooting issues with Group Policy doesn’t necessarily mean that Group Policy will frequently have problems. If you read these situations carefully, you will see that most of them can be avoided with careful administration of Group Policy. Here is a list of things to keep in mind when you’re designing your Group Policy:

Try to place limits on your use of the No Override and Block Inheritance permissions and the filtering of GPOs, especially across domains. Every time you make changes to the flow of inheritance of Group Policy, you introduce complications into the overall flow.

Always try to limit the number of GPOs that affect anyone within your network. The more GPOs you add to the network, the more complicated your job will become. Troubleshooting is always easier if there are a limited number of GPOs to view.

Logically group related settings within a single GPO. For example, group Registry settings for Office 2000 within the same GPO that controls the software installation for Office 2000. That way, if there are any problems with Office 2000, you have to look at only one GPO.

Limit the number of administrators for any single GPO. This is definitely a case where too many cooks will spoil the soup. The more administrators you have for a single GPO, the greater the chance that two of them will modify the same GPO at the same time. Exercise caution when setting up delegation of authority for GPOs to prevent possible conflicts.

Try to avoid linking a GPO to a site that contains multiple domains. When you assign the GPO to a site, it affects every domain within that site. Computers from each domain must contact the domain controller for the domain that houses the GPO every time they log on.


www.sybex.com

478

Chapter 11


Remember that it is possible to disable unused portions of a GPO. Disabling portions of a GPO that will not be needed or that no longer apply can improve performance.

Carefully lay out your needs for Group Policy during your planning of the network. Careful planning of Group Policy ensures that you will not use too many GPOs in your network.

There is that word again, planning. Careful planning prior to installing Windows 2000 in your network will enable you to make sensible decisions about the structure of the network. Most of the problems that you run into with Group Policy can be avoided with careful planning before the installation.

Troubleshooting Logon Script Failures

W

indows 2000 supports the use of scripting to control the user environment. In NT 4, the only scripting we had was batch files. Windows 2000 lets you use batch files, Visual Basic scripting, executable files, and any other files supported by the scripting host. For more information about writing scripts for the Windows Scripting Host, see the Windows Script Technology’s Web site at http://msdn.Microsoft.com/scripting.



Resolve logon script failures.

You can use Group Policy in Windows 2000 to assign scripting to four different events: Startup scripts Startup scripts run when the computer is booted. They run hidden, in the background, and are run synchronously by default. This means that each script must complete before the next script can begin running. If one script fails, the other script must wait for its timeout before it can begin.


www.sybex.com


479

Logon scripts Most administrators are familiar with logon scripts. These are the same scripts that we’ve had since the early days of Windows NT. They can be the same batch files that we’ve run all along, or they can be any of the new supported files. By default, logon scripts are hidden and run asynchronously. Logoff scripts Logoff scripts execute when the user logs off the current session. These scripts can be useful in cleaning up custom settings after a user session. Shutdown scripts Shutdown scripts execute in the background when the computer is being shut down and after a user has logged off. The scripts are very useful for doing things that Group Policy is unable to do. For example, they might be helpful when you want to attach network drives, connect to network printers, or create custom shortcuts on the Desktop. It’s a good idea to continue running your custom logon scripts until you have fully established Group Policy in the network. Over time, you may find that most logon scripts can be replaced with Group Policy. Still, it’s useful to use logon scripts to map network drives. It’s possible to assign scripts to a user individually in the properties for the user account. However, the preferred method is to assign scripts using Group Policy. That way, policy can be defined according to site, domain, or organizational unit. It’s important to remember the order in which scripts will be applied. Startup scripts will be applied first, followed by logon scripts when the user actually logs onto the computer. Logoff scripts will be run when the user ends the current session on the computer. And finally, shutdown scripts will be executed when the computer is being shut down. Since the default action for these scripts is to run hidden in the background, it may be difficult to determine when they are in fact running. Being familiar with what the scripts actually accomplish will help you determine whether a script has been run. The default value for the timeout to run scripts is 10 minutes. If you have a script that will require more than 10 minutes to run, you must increase the timeout value in Active Directory. Be aware that when you increase a script’s timeout value, you affect the time that all scripts will have to run.


www.sybex.com

480

Chapter 11


Assigning scripts to run with a GPO is a two-step process. First, you must make the GPO aware of the script by copying the script into the Group Policy template. Second, you must assign the scripts from the Group Policy template to the GPO script settings. Figure 11.3 shows the dialog used to add a script to a logon script setting in a GPO. FIGURE 11.3

Logon scripts can be assigned to an individual GPO.

The troubleshooting for scripts falls into two categories. The first category occurs when the user does not have permission to access a script during logon, logoff, or shutdown. The second category occurs because of errors in the script file. To troubleshoot the second category, use the Microsoft Script Debugger included with Windows 2000. To troubleshoot the first category, you need to complete some steps to determine whether a permission issue, network connectivity issue, or some other problem is preventing the script from loading.

Troubleshooting Scripts You can use the GPResult utility included with the Windows 2000 Resource Kit to troubleshoot scripts assigned to a user or to a GPO. GPResult will show you the GPOs affecting a given user. It can also show you the result of any scripts being assigned to the user by any of those GPOs. When you run GPResult in verbose mode, you see which scripts have actually been received for execution. Figure 11.4 shows GPResult.exe displaying the list of scripts applied to a user.


www.sybex.com


FIGURE 11.4

481

Running GPResult.exe in verbose mode displays which scripts have been received.

Look for the heading entitled The User Received “Scripts” Settings From These GPOs. If no text appears in the output, the user is not receiving the correct scripts. Now you can begin your troubleshooting for network connectivity, permissions, or the actual presence of the scripts on the servers. The script must be present on all domain controllers to be applied reliably. This point is especially true if there is text in the readout from GPResult but certain scripts are being applied incorrectly or not at all. Make certain that the Sysvol folder is being replicated to all domain controllers correctly. The first thing I would try is to make sure that the client computer can connect with the domain controller. Try resolving the name of the domain


www.sybex.com

482

Chapter 11


controller by typing ping from the command prompt. If this works, attempt to connect a drive using the name of the domain controller and a known shared folder. These steps verify network connectivity and name resolution. If this method does not work for you, I would strongly suspect the problem is with the server and not with the client computer. One last thing to try from this computer is to verify that other users are receiving the script. This final step identifies whether the problem belongs to a single user or to all users trying to access the domain through this computer. When troubleshooting scripts from the server side, the first thing to check is whether the script actually exists and is in the correct location on the server. Open the properties for the GPO in question, and double-click the entry for the correct type of script. For example, if you’re troubleshooting a logon script, double-click the node for logon scripts in this GPO. Figure 11.5 shows the dialog used to add scripts to a GPO. Make certain the scripts are assigned correctly to this GPO. If they do not show up in the list, they will not be applied. FIGURE 11.5

The Properties dialog for logon scripts in a GPO

Once the scripts have been added to this dialog, they will be applied in order from top to bottom. This order in itself can cause some of the problems. If your scripts apply conflicting settings, the one that is applied last will


www.sybex.com

Troubleshooting Duplicate Accounts

483

win, which may cause unexpected results. Another point to consider is whether you have assigned the script to the correct policy. It’s actually fairly easy to assign a logon script to an incorrect policy. For example, you could have assigned a logon script to the logoff event. When troubleshooting a script problem, you will have to check each GPO that applies to the user in question. Check the computer settings and the user settings within the GPO. Make certain that the logon script is assigned to the logon event, that the logoff scripts are applied to the logoff event, and so on.


Having duplicate accounts in a network has always been a problem for administrators. Duplicate accounts can cause security holes or prevent users from getting to resources they are authorized to use. When migrating from one operating system to another, it is actually fairly easy to create duplicate accounts without realizing it. For example, consider the use of ClonePrincipal to move accounts from one domain to another. ClonePrincipal actually works by copying the accounts, or “cloning” them, from the source domain to a new Active Directory location. This is considered normal behavior for this tool. Now consider the use of ClonePrincipal within an Active Directory forest. In this case, you can clone accounts from one domain to another within the same forest, creating duplicate accounts within that forest.



Resolve issues associated with duplicate accounts that have different SIDs.

On the surface you may not see a problem, but a careful examination of the situation will reveal several security issues. Having two accounts within the same forest that have the same SID can cause serious conflicts. Consider the following situation: I apply Group Policy to affect a single user account in the source domain. Then I affect the same account in the new domain by applying a different GPO. Which GPO will apply when the user logs on? The result may depend on which domain controller authenticates the user logon first.


www.sybex.com

484

Chapter 11


Remember that when accounts are cloned from the source domain to the target domain, the SID is copied to the SIDHistory value of the new account. So even though the distinguished name of the account has changed, the SID and the SIDHistory will remain the same. Windows 2000 evaluates security according to the SID of the user. It will also use the SIDHistory to check for additional permissions. As a general rule, you should never duplicate user accounts anywhere on the same network. By adhering to this practice, you will avoid any complications caused by duplicate user accounts or duplicate SIDs. Actually, this shouldn’t be much of a problem since Active Directory Users and Computers should prevent you from creating duplicate accounts in the enterprise. Duplicate accounts will probably be a problem only during and immediately after migration. So how would you go about locating duplicate user accounts in your forest? Fortunately, the Active Directory Users and Computers console lets you search the entire forest to locate objects by name. To search for a user within a forest, right-click the root domain of the forest in Active Directory Users and Computers and select Find from the context menu. Figure 11.6 shows the Find Users, Contacts, and Groups dialog. FIGURE 11.6

The Find Users, Contacts, and Groups dialog lets you search Active Directory for an object.

To locate a user account within your forest, type the name of the user in the Name field. As an alternative, you can search on the description of the account. Once you’ve entered the name to search for, click Find Now. The Find utility will locate all instances of the name that you entered into the Find dialog. If it locates duplicate entries for the same user name, carefully consider whether or not they are the same user. If they are the same user account,


www.sybex.com


485

you must delete one of the accounts. Remember that there should be only one instance of a user within the entire forest. I recently had the opportunity to observe a case of duplicate user accounts within a forest. One of the Windows 2000 courses that I teach has scripts that automatically add users to the local domain. A few my students encountered a problem when they ran the script twice. In this case, since the user accounts had been created within the same containers in Active Directory, the second instance of the account would have the GUID (Globally Unique Identifier) attached to it. The students received some very unpredictable results when working with these duplicate accounts. In many cases, they would apply properties to a single account only to discover later that the properties had never been saved. These problems were cleared up completely when we deleted the account with the appended GUID. Windows 2000 may become confused if there are two similarly named accounts in the same container. Even though it takes care of the duplicate account by appending a GUID, the accounts still get mixed up in some operations. You may think it impossible to ever have duplicate accounts in the same container within Active Directory. Consider what might happen if two administrators are working from different computers on the same container. They may inadvertently add duplicate user accounts in the course of their normal duties, so you may suddenly experience various errors with the two accounts. If you try to manually add duplicate accounts to Active Directory, you will receive an error message, as shown in Figure 11.7. Fortunately, these duplicate accounts can also be located by performing a search within Active Directory. FIGURE 11.7

You will receive an error when you attempt to add a duplicate account to Active Directory.

So far in my experience, the only way I’ve added duplicate user accounts in Active Directory has been through the use of a script. When you’re adding user accounts through Active Directory Users and Computers, the operating system will prevent you from adding duplicates. This implies that the only time you need to worry about duplicate user accounts is at the end of your migration to Active Directory.


www.sybex.com

486

Chapter 11


Troubleshooting User Rights

User rights are the ability to perform tasks. In Windows 2000, you would normally assign user rights by placing the user into one of the builtin groups, such as Administrators or Guests. It is easy to confuse user rights with permissions, so try to remember that user rights grant the ability to perform tasks, whereas permissions grant (or deny) the ability to access resources.



Resolve issues associated with user rights.

If you follow the standard administrative philosophy of granting user rights by adding users to the appropriate groups, then you will rarely experience problems when troubleshooting user rights. But if you start to customize the assignment of rights, then all bets are off. Here are some guidelines to follow when assigning custom user rights: Assign user rights to groups instead of individual users. Customizing the assignment of rights is something that you normally want to avoid. But if you find that you must assign an individual user right to someone, create a group for the user(s) that need the right and assign the right to the group. Grant rights only when you must. The standard rights assignments will be adequate in nearly every case. If you need to delegate a specific task for a server to a user in your organization, and you cannot use one of the existing groups for some reason, then you will need to assign the necessary rights. Grant no more rights than are necessary. Just because you can grant rights doesn’t mean that doing so is a good idea. It is a fundamental principle of administration to never grant more ability than is necessary to perform a job. In this case, grant no more user rights than are absolutely needed. Very often, you’ll find that Windows 2000 will shield you from having to assign custom user rights. If there are tasks that require elevated user rights,


www.sybex.com


487

the operating system will frequently assign those rights through the wizard that you’re using to configure the service. But what can you do about incorrectly assigned user rights? Unfortunately, there is no easy answer to that question. This is one of those areas of troubleshooting where the only way to solve the problem is by performing the tedious work. You’ll need to check the assignment of user rights before you can determine the problem. The Domain Security Policy console will help you determine what rights have been assigned at the domain level. If you’re troubleshooting the use of user rights at the local computer, use the Local Security Policy console instead. Figure 11.8 shows the Domain Security Policy console. FIGURE 11.8

The Domain Security Policy console


www.sybex.com

488

Chapter 11


Notice that Local Security can be confusing in Windows 2000. You open the Local Security Policy from the Administrative Tools group on the Start menu. The window it opens is titled Local Security Settings. Both names refer to the same tool.

One possible source of confusion with User Policy is that domain policies will override local computer policies. You may have assigned the correct policies using the Local Security Policy only to discover that domain-level policies are overriding your local policies. For this reason, try to always assign user rights at the local computer level. Assigning user rights works pretty much the same at the domain level as at the local computer level. Figure 11.9 shows the Local Security Settings console. This console displays the name of the user right, the local setting, and the effective setting. The effective setting is the combination of local settings and domain settings as well as any Group Policies that might be in effect. FIGURE 11.9

The Local Security Settings console


www.sybex.com


489

To change settings in the Local Security Settings console, simply doubleclick the user right that you want to change. This will open up the dialog shown in Figure 11.10. This dialog will display the users and groups currently granted the user right and the effective setting for those users. On this dialog you can click the Add button to add additional users and groups for this right. FIGURE 11.10

The Local Security Policy Setting dialog box

Viewing these dialogs for each user right is really the only way to determine which user rights have been assigned to which users. Of course, some problems will be fairly obvious, such as when Windows 2000 explains which user right is missing in an error message. An example would be the installation of the Terminal Services for Windows 2000, which requires the Logon Locally right for any user who will access the server using Terminal Services running in Application mode. If you found that a particular user could not successfully access the server using the Terminal Services Client because the user lacked the Log On Locally right, they would receive an error message stating that the local policy doesn’t allow them to log on interactively. The error message generated by this example is shown in Figure 11.11.


www.sybex.com

490

Chapter 11


FIGURE 11.11

The error generated by attempting to log on to Terminal Services without the necessary user rights

EXERCISE 11.3

Troubleshooting User Rights This exercise requires the use of a Windows 2000 Server computer and a suitable client computer running the Terminal Services Client. The computer may be either stand-alone or a member of a domain. The computer system must have Terminal Services installed. This exercise will introduce a problem related to user rights and then resolve it.

1. Open the Local Security Settings console by clicking Start Programs Administrative Tools Local Security Settings.

2. Expand Local Policies User Rights Assignment. 3. Double-click the Log On Locally user right to open the Local Security Policy Settings dialog for this right. CAUTION: Do not proceed unless you have an administrative account with which to access the machine so that you can undo your settings after the exercise.

4. Uncheck the Local Policy Setting checkbox for the Users group. 5. Click OK to close the dialog and save your changes. Exit from Windows 2000.

6. Attempt to log on to the computer using the test user account you created in Exercise 11.2. Did it work? Record the error message if it did not work.

7. Attempt to connect to the computer using the Terminal Services Client from another computer. Record the error message you receive.


www.sybex.com

Summary

491


8. Attempt again to access the server with the Terminal Services Client, this time with an administrator account. Did it work?

9. Repeat steps 1 through 4 to restore the ability for the Users group to log on locally to the server, except this time check the Local Policy Setting checkbox. You may have noticed that the error message doesn’t tell you exactly which user right is missing, only that the local policy doesn’t allow you to log on interactively. Based on this error message, do you think you would be able to identify which user right needs to be adjusted? The most important thing to note here is that the error message directs you to examine the assignment of user rights.

Summary

W

e examined a number of potential problems in Windows 2000 in this chapter. You learned how to troubleshoot failed System Policy translations to Group Policy. You saw that Windows 2000 includes the ability to log Group Policy events using the RunDiagnosticLoggingGlobal value in the Registry. We also introduced you to some useful tools for diagnosing Group Policy issues, including GPOtool.exe and GPResult.exe. Next you learned about some common issues you might face in the production environment dealing with logon scripts. Here it is important to ensure that the scripts are being correctly replicated between domain controllers and placed in the proper location in the Sysvol folder on each domain controller. You learned about a rather rare issue involving duplicate user accounts within the same container in Active Directory. We discussed how the Find tool might be used to locate the duplicate accounts within Active Directory, and we examined some of the problems that may arise from the occurrence of duplicate accounts. We finished the chapter by examining the assignment of user rights and some of the ways to troubleshoot rights that have been incorrectly assigned. These concepts should be useful both for the exam and for the real-world situations you may face when administering a large Windows 2000 environment.


www.sybex.com

492

Chapter 11


Key Terms Before you take the exam, be sure you’re familiar with the following terms: effective GPOtool GPResult Netdiag permissions Replmon user rights


www.sybex.com

Case Study: Royal Entertainment

493


Background You are a consultant working with Royal Entertainment (RE) to upgrade their existing Windows NT 4.0 network to Windows 2000. RE produces animated feature shorts for children. They had a big hit last year with “Snubby the Turtle” and received a large federal grant to upgrade their studio and business environments. They had a big investment in powerful workstations used to render the shows but very little networking experience. Their NT 4.0 network was designed and maintained by outside consultants. With this new grant, they hope to hire their own administrators and build the infrastructure of their business.

Current System The RE network consists of four Windows NT 4.0 Servers: one IIS Web server, one Exchange 5.5 Server, and two file and print servers. Because of their lack of internal support, the consultants who designed their network made heavy use of NT 4.0 System Policies. They have policies that lock down just about every user’s Desktop to some degree—from the office staff who have very little control over their environment to the studio engineers who were given quite a bit of freedom in configuring their workstations. Only one person on site, Susan, has administrative rights to the NT 4.0 Servers. Over the years, Susan has picked up quite a few of the skills necessary to manage an NT network. She can create users, assign permissions, perform backups, reboot servers, and even troubleshoot minor problems. Most of the more complex system administration has been handled by outside consultants.


www.sybex.com

CASE STUDY


CASE STUDY

494

Chapter 11


Project Goal You job is to convert their current policies into policies in the new Windows 2000 environment. You will have to convert a series of NT policies and logon scripts and ensure that the System Policies are migrated properly.

Questions 1. You have installed a temporary domain controller in the new Win-

dows 2000 domain. You plan to use this machine to test all of the policies and scripts that you create. You want to enable GPO logging on this machine. Which of the following will enable GPO auditing? A. In the GPO snap-in for the MMC, click the Enable Auditing option

on the General tab. B. Edit the Registry to include a new key named RunDiagnosticLog-

gingGlobal with a value of 1. C. Edit the Registry and in the CurrentControlSet add a key named

EnableGPOLogging with a value of 1. D. In the computer’s AD account, click Enable Logging on the Diag-

nostics tab. 2. You have enabled GPO logging on your test system and would like to

increase the amount of information that is logged to its highest level. This involves adding a new key named UserEnvDebugLevel to the local Registry. Which of the following values for that key will produce the most output? A. 3000 B. 3001 C. 3002 D. 4


www.sybex.com


495

the new Windows 2000 domain. You are concerned that since you are cloning users in batches (to different OUs based upon job function) that you will create duplicate user accounts (a user has multiple functions and so gets cloned more than once). Which of the following would be the best way to deal with this concern? A. After each merge, use the Find Users feature in the Active Directory

Users and Computers tool to search for duplicates. B. Clone all users to a temporary OU first, because AD won’t allow

the creation of duplicate User IDs in the same container. Then move the user accounts to the appropriate OUs. C. Prepare detailed lists before performing the clone. D. The duplicate user accounts shouldn’t cause any kind of problem—

just clean them up as you find them later.


www.sybex.com

CASE STUDY

3. You are using ClonePrincipal to clone users from the old domain to

CASE STUDY ANSWERS

496

Chapter 11


Answers 1. B. Once this key has been added to the Registry, GPO events will be

logged to the application log of the Event Viewer. 2. C. 3002 enables verbose logging; 3001 enables logging of errors and

warnings only; 3000 turns off logging. 3. B. The best way to deal with a problem is to avoid it in the first place.

Cloning all the accounts as one process into the same OU will prevent duplicate accounts from being created.


www.sybex.com

Review Questions

497

Review Questions 1. You want to enable the use of diagnostic logging to help determine a

problem with Group Policy. Which Registry value should you change? A. RunGlobalDiagnosticLogging B. RunDiagnosticLoggingGlobal C. EnableDiagnosticLogging D. GroupPolicyLogging 2. You have discovered that some of the domain controllers within

your domain are not applying Group Policy correctly and you suspect that the problem is being caused by incorrect replication. Which Windows 2000 tools will help you to check the replication of Active Directory components? A. GPOtool.exe B. Replmon.exe C. Netdiag.exe D. Replfix.exe 3. You are trying to use the GPResult.exe tool to analyze the policy set-

tings for one of your users, but when you run the command, you see only the policy settings for your own computer and account. What switch do you need to use to examine the user’s policy results? A. /U user_name B. /V user_name C. /user:user_name D. You don’t need to use a switch; the tool displays the GPO results

for only the currently logged-on user.


www.sybex.com

498

Chapter 11


4. You are trying to edit a GPO for an OU in your domain but receive an

error message when you try to open it. What are two possible reasons why this may occur? A. Network problems are preventing you from contacting a domain

controller required by the GPO. B. Network problems are preventing you from connecting to the

GPO Master computer for the domain. C. You don’t have the required permissions to open the GPO for

editing. D. You have not been assigned the Edit Group Policy Objects user

right in the domain. 5. You have applied a GPO at the OU level to prevent the Users group

from logging on locally at computers in a specific OU. However, the users are still able to log on. What is most likely wrong? A. The local computer settings are overriding the OU GPO settings. B. You have accidentally applied the Block Inheritance setting at the

OU level. C. You cannot prevent the Users group from logging on locally. D. Another administrator has undone your settings. 6. You are trying to troubleshoot a problematic logon script. Sometimes

it works, and sometimes it doesn’t run at all. What do you suspect is the problem? A. Your computer isn’t plugged in to the network. B. Windows 2000 doesn’t support logon scripts. C. The logon script hasn’t been replicated to every domain controller. D. Gremlins. Need I say more?


www.sybex.com

Review Questions

499

7. Which Windows 2000 tool can help determine which logon scripts

have been processed? A. Netdiag.exe B. Replmon.exe C. GPResult.exe D. Script Analysis console 8. How are duplicate accounts distinguished within Active Directory? A. The duplicate account is colored blue in the console display. B. The duplicate account has the account’s GUID appended after

the name. C. The duplicate account has an asterisk appended to it. D. Duplicate names can never occur in Active Directory. 9. You suspect that the problems one of your users is encountering are

caused by a duplicate user account. How can you determine if there is a duplicate account? A. Use the Find command in Active Directory Users and Computers. B. Use the Search tool on the Start menu to search the Active Directory. C. Use the Duplacct.exe tool at the command prompt. D. Scan through Active Directory Users and Computers to see if there

are any duplicates. 10. Where is the best place to modify user rights to enable a user to log on

through Terminal Services? A. At the site level in Active Directory B. At the domain level in Active Directory C. At the OU level in Active Directory D. On the Terminal Services computer


www.sybex.com

500

Chapter 11


11. You are troubleshooting a problem with a logon script. How can you be

certain the client computer is able to connect to a domain controller? A. Ping the server. B. Map a drive to the Sysvol folder on a domain controller. C. Browse for the domain controller in My Network Places. D. Use the netview command from the command prompt. 12. You have defined an OU Group Policy setting on your computer but

have discovered that the domain policy is still being used instead of your OU’s settings. Why is this happening? A. You have used the Block Inheritance option. B. You set the No Override option on your local policy. C. The administrator set the Block Inheritance option on the domain

policy. D. The administrator used the No Override option on the domain

policy. 13. How are user rights normally granted? A. Through the User Rights Wizard. B. They aren’t used by default. C. Through Group Policy. D. By group membership. 14. You want to assign a custom user right at the domain level. Which

Windows 2000 tool will assist you in doing this? A. Active Directory Users and Computers B. Domain Security C. Local Security Settings D. Security Analysis and Configuration


www.sybex.com

Review Questions

501

15. User rights give you the ability to: A. Access resources B. Access files and folders C. Perform tasks D. Perform maintenance 16. Permissions enable you to: A. Access resources B. Access files and folders C. Perform tasks D. Perform maintenance 17. What permissions must you have to edit a GPO? A. Read B. Edit C. Full Control D. Write 18. How can you enable diagnostic logging for Group Policy? A. Check the Enable Logging option in the Group Policy dialog. B. Add the RunDiagnosticLoggingGlobal value to the Registry. C. Use the Diagnostic Logging Wizard. D. Write a custom script using VBScript to check for Group Policy

events.


www.sybex.com

502

Chapter 11


19. Why is it a bad idea to use duplicate user names in Active Directory? A. It’s simply bad form. B. It may cause unforeseen results. C. It may confuse the users. D. It’s confusing for the administrators. 20. Which Windows 2000 tool enables you to verify the status of all

Group Policy Objects on a domain controller? A. GPResult.exe B. Netdiag.exe C. GPOtool.exe D. Replmon.exe


www.sybex.com


503

Answers to Review Questions 1. B. The RunDiagnosticLoggingGlobal value in the Registry will enable

the logging of Group Policy events within Windows 2000. 2. B. The Replmon.exe tool assists in the diagnosis of problems with

Active Directory replication. 3. D. You must log on with the user account in order to examine the

results of Group Policy for that account. 4. A and C. Group Policy changes are focused on the PDC Emulator for

a domain to ensure that conflicting changes won’t be made to a GPO. If you are unable to reach the PDC Emulator, you may not be able to open the GPO. In addition, you must have Read and Write permissions to edit a GPO. 5. D. The only possible answer would be that someone else has changed

the settings. GPOs applied at the OU level will override a local GPO. Blocking inheritance would prevent a GPO from a higher level from affecting this OU, but no other GPOs were mentioned. 6. C. When logon scripts aren’t applied uniformly at each logon, you

should check to be certain that the script has been replicated to every domain controller. 7. C. Running GPResult.exe in verbose mode details which scripts have

been received and processed during logon. 8. B. Windows 2000 normally prevents duplicate accounts, but if a script

has imported the accounts, duplicates may occur. In the case of a duplicate account, the duplicate will have its GUID appended to the user name. 9. A or B. You can use either the Search tool on the Start menu or the

Find command in Active Directory Users and Computers to locate duplicate accounts within Active Directory. The preferred method is normally the Find command, but both will work.


www.sybex.com

504

Chapter 11


10. D. Terminal Services permissions are assigned through Terminal Ser-

vices Manager, which is located on the Terminal Services computer. 11. B. All of these methods will show some level of connectivity, but map-

ping a drive to the Sysvol folder shows that a session can be established and that the user has permissions to access the Sysvol folder where the scripts are located. 12. D. No Override is set so lower-level GPOs will not take precedence

over the settings in the desired GPO. Even if an administrator were to check Block Inheritance at the GPO level, No Override would take effect. 13. D. User rights are normally assigned by your group membership. 14. B. User rights are assigned at the domain level by using the Domain

Security console. 15. C. User rights enable you to perform tasks such as changing the system

clock or shutting down a server. 16. A. Permissions control your ability to access resources such as files,

folders, and printers. 17. A and D. You must have both the Read and the Write permissions to

edit a GPO. 18. B. The RunDiagnosticLoggingGlobal value in the Registry enables

diagnostic logging for Group Policy in Windows 2000. 19. B. Having duplicate accounts may cause various problems in Active

Directory that are difficult to trace. It is possible to have the same user name at different locations in Active Directory without a problem, but it’s still not a good idea. Actually, you could argue that all of the answers are correct, but B is the most accurate. 20. C. GPOtool.exe enables you to verify the status of all Group Policy

components on a given domain controller.


www.sybex.com

Chapter

12

Troubleshooting Access Problems MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Troubleshoot access issues for all types of migrations.

Resolve client computer connectivity issues.

Resolve permission issues involving NTFS.

Resolve issues associated with the inaccessibility and absence of shared resources.

Resolve authentication issues.

Resolve trust relationship and inappropriate access issues.


www.sybex.com

I

n this chapter, you will learn how to troubleshoot various access problems in Windows 2000. We will begin by examining how to troubleshoot client access issues. This would typically involve network access to the domain controllers or other file and print resources. Then we’ll delve a little deeper into the issue by examining how shared permissions interact with NTFS permissions and how to troubleshoot problems arising from this interaction. Next you’ll learn how to troubleshoot missing or inaccessible shared resources. The latter portion of this chapter will deal more with network problems such as authentication issues. This discussion will examine authentication problems when logging onto a domain, as well as when accessing resources. Then we will examine trust relationship issues and how they may affect users in a larger Windows 2000 environment. We’ll revisit the problems caused by duplicate user accounts within a forest environment, and we’ll show how they can cause inappropriate access conflicts.

Resolving Connection Issues

S

omething I learned about connection problems while working in Microsoft’s phone support was that customers always begin the description by saying that they can’t see the server. After a while, this kind of thing can make you crazy. Troubleshooting a connection issue for a customer requires that you narrow down the symptoms of the problem as quickly as possible. You should try to define the parameters of the problem by asking such questions as, “Can you ping the server?” “Can you map a drive letter directly to


www.sybex.com


507

a shared folder on the server?” Very often, the customer’s complaint will involve the ability to browse for a shared resource. You should never trust the browse list. In troubleshooting the connectivity problem, you should determine whether the problem involves name resolution or is a more fundamental networking issue. If the customer cannot map a drive by using the server name, suggest that they try mapping the drive using the IP address of the server. This technique seems to take many people by surprise. It is actually possible to map a drive using the IP address in place of the server name. This technique is a very good test to verify connectivity. Windows 2000 gives us another factor to consider, which also involves name resolution: DNS. It is very difficult to overstress the importance of DNS to Windows 2000 networks. I’ve seen the importance of DNS both in the field and in the classroom over and over again. In the classroom, my students often thought that I was making a big deal out of nothing by saying that DNS is important to check. But by the end of the class, they’ve seen me solve many problems on their computers by resolving DNS issues. Believe me when I say that DNS is critical to the success of your Windows 2000 network. The primary name-resolution method for Windows 2000 is to submit a name query to a DNS server. Windows 2000 also uses DNS to locate the domain controllers and Kerberos servers that will provide authentication into the domain. Before we spend too much time troubleshooting DNS, let’s spend some time on basic network troubleshooting skills.

Troubleshooting the Network


Resolve client computer connectivity issues.

When troubleshooting network connectivity issues, keep in mind the basics of what is required to connect two computers. At a bare minimum, you need the following in order to make network connections: Physical connectivity There must be a physical medium to carry the signals between computers before they can communicate.


www.sybex.com

508

Chapter 12

Troubleshooting Access Problems

Common protocol The network protocol sets the rules of communication between two hosts. Before the computers can communicate, there must be a common language. Proper addressing In network protocols such as TCP/IP, you must use the correct addressing before the computers can communicate. Application-level support One computer must have a redirector, and the other computer must have a server component to host a session at the application level. There are many different client-side applications. The key question is, does your particular client know how to talk to that server? For example, if you have a Microsoft network-based client but a NetWare server, they won’t talk. Good network troubleshooting will take these items into account. Begin at the physical layer and work your way up, slowly verifying each level before proceeding. As I tell my students in class, always ask yourself whether the computer is plugged in and turned on before going to more difficult questions. In network troubleshooting, this means verifying that the network cable is plugged into the network card. If it is plugged into the network card in the computer, make sure that the network cable is plugged into the nearest hub. It’s amazing sometimes how many experienced troubleshooters overlook the simplest solution, such as whether the cable is plugged in. When troubleshooting TCP/IP, you have several tools at hand to help the process. For instance, you can use the IPConfig and Ping utilities from the command prompt to verify that the physical layer is working and that IP addressing is working. If you verify that you can ping by IP address, you can also try pinging by DNS name. EXERCISE 12.1

Troubleshooting TCP/IP Microsoft recommends the following steps for troubleshooting TCP/ IP on Windows 2000:

1. Run IPConfig on your machine. If it reports an error, or the IP address is 0.0.0.0, then it’s senseless to proceed. Check your IP configuration or your connection to the DHCP server.

2. Ping the loop-back diagnostic address of 127.0.0.1. This verifies that your TCP/IP software is installed correctly.


www.sybex.com


509


3. Ping your own computer’s IP address. This verifies that your network card is functional. It also verifies that your IP address is not duplicated on the local network.

4. Ping the IP address of your default gateway. This verifies the IP configuration for your local subnet and that your router is functional.

5. Ping the address of a remote host. This proves that everything is working to communicate with a remote computer.

Although Microsoft recommends following this process for troubleshooting using Ping, in the real world you should perform the last step second. If the last step works correctly, you’ll know that everything preceding that will work correctly.

The Ping utility is very simple to use. Simply type ping followed by either the name of the host or the IP address you are trying to reach. Ping can be modified with switches just like any other command-line utility. If you want Ping to continue without stopping, type in -t after the command. For example, if I wanted to test communication with server1.coolcompany.local and I wanted the output of the ping command to continue uninterrupted while I tested network cables, I would use this command: ping server1.coolcompany.local -t. Another useful switch is –l. The default packet size when you ping is 32 bytes, and most cables can handle this size of a packet even if they are having problems. Make the packet bigger, and it’s a better test. Granted, this causes more traffic, but the tradeoff is worth it when testing cable integrity. Here’s an example of using both switches together: Ping -t –l 64000 This will cause a persistent ping and make the packets 64KB each. If these steps work correctly for the IP address, repeat all of them using the hostname for each computer. One extra step that I learned by working in the field is that if the remote host fails to respond, you should also try to ping the address of another computer on the same subnet. If another computer on the same remote subnet responds, you know that the remote


www.sybex.com

510

Chapter 12


host you are trying to reach is most likely offline. Using these steps to test TCP/IP connectivity proves that the physical media are working, the network cards are working, and the TCP/IP stack up to the Internet layer is working correctly. If pinging by the hostname does not work, then you need to move on to troubleshooting hostname resolution. Most of the hostname resolution troubleshooting you perform with Windows 2000 will involve DNS servers. However, before we move on to troubleshooting DNS, you need to be careful that there is no Hosts file present on the Windows 2000 computer. The Hosts file is located in the following directory path: %SystemRoot%\System32\Drivers\Etc. The Hosts file is a static text file that performs hostname-to-IP address resolution. Typically the Hosts file will be checked before the computer will go onto a DNS server to resolve a hostname to an IP address. If the Hosts file containing the resolution is incorrect, you may reach an incorrect address or fail to connect to a server. Check the Hosts file carefully for incorrect mappings.

In Windows 2000, Microsoft wants to avoid the use of Hosts files if at all possible. They believe that their current DNS implementation is a more than adequate solution for name resolution. The Hosts file has become passé.

One point I’d like to make about client connectivity issues and DNS is that the client computer must be configured to use a DNS server. You can accomplish this configuration either manually or through DHCP. Once the client computer is set up to look for at least one DNS server, it will begin using DNS for hostname resolution whenever required. If the computer doesn’t appear to be using DNS at all, check to make sure that it has been configured with the address of at least one DNS server.

Windows 2000 DNS caches DNS name resolutions. Before troubleshooting DNS resolution issues, clear the DNS cache with the IPConfig /flushdns command.

The premier tool for troubleshooting DNS issues is the NSLookup utility. NSLookup enables you to query a DNS server either in interactive mode or in a single lookup mode. To perform a simple query using NSLookup, you would simply type in nslookup followed by the hostname you are trying to resolve. Figure 12.1 shows the output for an NSLookup query for arcticwolf.coolcompany.local.


www.sybex.com


FIGURE 12.1

511

The NSLookup results for a server name

NSLookup can also be used to query for single records in a DNS server. This is particularly useful when testing the dynamic DNS functions of Windows 2000. To search for a specific record type, start NSLookup in interactive mode by typing nslookup at the command prompt and pressing Enter. Use the command ls -t SRV domain_name to query for all the SRV record types within a given domain. Figure 12.2 shows an example of this output. FIGURE 12.2

NSLookup can be used to query for single record types in DNS.


www.sybex.com

512

Chapter 12


There are many more options available to an NSLookup query. For a complete list of all of the options available to NSLookup, type help at the DNS lookup interactive prompt. As I stated earlier in this section, DNS is one of the most critical services available on a Windows 2000 network. If you have resolved all issues with DNS and your client computers still cannot connect with the domain controller, then you need to start troubleshooting basic connectivity problems a little more deeply. As a general precept of troubleshooting, always start with the simplest issues first, then move onto more complex ones. In a Windows 2000 network environment, DNS will be one of the most common sources of network connectivity problems. But you still need to consider things that may interfere with basic connectivity from the outside. I personally have observed some very strange events on many occasions. Once, for example, when we turned on the lights in the classroom, connectivity between computers was lost. This particular situation occurred because the cabling was run through the suspended ceiling and right across the top of the ballasts for the fluorescent light fixtures. Another case I heard of involved a printing device located too close to a huge coil of network cable. When the device was turned on, its power supply created a large magnetic field, which interrupted the flow of network data through the cable. Problems such as these are very difficult to track down. Fortunately, Microsoft included a tool with Windows 2000 that will help in diagnosing such strange network behavior. The Netdiag utility will help you isolate and identify various network connectivity issues. This command-line utility runs several types of queries against network connectivity and records the results. Figure 12.3 shows a sample of output from typing netdiag at the command prompt. The full output of the command takes up about three times what I’m showing you here. You’ll need to run this command yourself to really appreciate what it can do for you.


www.sybex.com


FIGURE 12.3

Netdiag reports connectivity for your network line.

Here is full list of what Netdiag tests: Ndis Netcard queries test IpConfig IP configuration test Member Domain membership test NetBT Transports NetBT transports test Autonet Automatic Private IP Addressing (APIPA) test IpLoopBk IP loop-back ping test DefGw Default gateway test


www.sybex.com

513

514

Chapter 12


NbtNm NetBT name test WINS WINS service test Winsock Winsock test DNS DNS test Browser Redirector and browser test DsGetDc DC discovery test DcList DC list test Trust Trust relationship test Kerberos Kerberos test Ldap LDAP test Route Routing table test Netstat Netstat information test Bindings Bindings test WAN WAN configuration test Modem Modem diagnostics test NetWare NetWare test IPX IPX test One of the features that I like most about Netdiag is that it does not require any command-line switches. This means that if you use this command while you’re on the phone with a customer, you do not have to spend time teaching the customer how to use Netdiag. Since you don’t have to really teach anyone how to use it, the simplest way to parse this is have them scan the screen for words like “FATAL.” If you do any kind of phone support, you will probably appreciate this feature. On the downside, Netdiag will not be able to clearly identify problems on the network. If you use Netdiag along with Ping and NSLookup, however, you should be able to clearly identify the problems in short order.


www.sybex.com


515

Another option for using Netdiag is to save the output to a text file. Once it’s saved to a text file, you can use any text editor (such as Notepad) to examine the Netdiag output. To save Netdiag output to a file, type Netdiag .exe :\<documenttitle.txt> where localdrive is the current hard drive, and documenttitle is what you want to call the output file. By default, the document is saved to the current directory. You should bear in mind that troubleshooting is the process of eliminating possible causes until you’re left with only one answer; using these tools in combination will help you along that path. Ping will help you to verify basic network connectivity. NSLookup will help you to verify name resolution in DNS. And Netdiag will help you to verify other network connectivity issues.

Using Network Monitor Once you move beyond troubleshooting on the local computer and you need to resolve the networking issues, you want a tool that allows you to examine exactly what is crossing the wire. Fortunately, Windows 2000 provides such a tool. Microsoft has packaged a version of Network Monitor with Windows 2000. Network Monitor is a full-featured network analyzer. You can use it to capture data moving across the network wire, record that data, modify it, and retransmit it if necessary. While this tool can help you a great deal, it’s not for the faint of heart. In fact, I’ve often joked with students that Network Monitor has one of the least user-friendly interfaces I’ve ever used. That certainly was not intentional on Microsoft’s part. Network Monitor is a wonderful utility. It’s like a Swiss Army knife—it seems to have a tool for every occasion built into it. Figure 12.4 shows the main interface of Network Monitor.


www.sybex.com

516

Chapter 12


FIGURE 12.4

The main interface of Network Monitor while capturing network traffic

The Network Monitor window contains four main sections while it’s performing a network capture: Graph pane The first section displays a histogram of the local network activity. This section is located in the upper-left portion of the main window. Session statistics pane The next section contains information about current sessions being maintained between pairs of computers. The session statistics pane is located midway down the left side of the main window. Total statistics pane The total statistics pane is located on the top-right side of the main window. As the name implies, the total statistics pane contains information about the capture since it began.


www.sybex.com


517

Station statistics pane The station statistics pane contains statistics for every host that has transmitted or received data during the capture. The station statistics pane is located across the bottom of the main window. EXERCISE 12.2

Capturing Network Traffic with Network Monitor This exercise requires a Windows 2000 computer with Network Monitor installed. It also assumes that your Windows 2000 computer is connected to a local area network. To capture traffic with Network Monitor, follow these steps:

1. Open Network Monitor by clicking Start Programs Administrative Tools Network Monitor.

2. If your Windows 2000 computer has more than one network interface, you will be prompted to decide which network to capture traffic on, as shown in the following graphic. When you highlight each network interface, its properties will be displayed in the pane on the right. This will help you to identify the correct interface for the capture.

3. Start the capture by selecting Start from the Capture menu. You should begin to see some activity in your network capture. If not, you may need to generate some activity by browsing the network or opening a file from another computer. Allow the capture to continue for five or ten minutes, or at least until you have some activity recorded.


www.sybex.com

518

Chapter 12



4. When you’re ready to end the capture, select Stop from the Capture menu.

5. Select Display Captured Data from the Capture menu to display the data that you just recorded from your network. Congratulations! You have just successfully captured data from your local network.

You’re probably thinking right about now, “What’s so difficult about capturing network traffic?” Actually, capturing the data is the easy part. Deciphering the mass of information you have just captured is the difficult part. Figure 12.5 displays a capture analysis window. When you first display the capture window, you see only the summary pane. The summary pane contains a line-by-line listing of every frame of data captured from the network. FIGURE 12.5

The summary pane of Network Monitor displays a list of all frames captured from the network.


www.sybex.com


519

To display more information, double-click one of the frames listed in the summary pane. This will split the window into three separate panes, each displaying a portion of information about the highlighted frame. The sections are: Summary pane The summary pane is still displayed at the top of the window. The selected frame is still highlighted in this pane. Detail pane The detail pane is located in the middle of the window and contains detailed information about the layers of data within the frame. Each layer that appears with a plus sign (+) to the left of it can be expanded to display more information within the layer. Hexadecimal pane The pane in the bottom of the window displays hexadecimal translations of the binary data in the frame. This is one of the most useful panes in the entire display. Notice the column of ASCII data to the right to the hexadecimal information. This column translates the binary data into plain ASCII text. As you browse through the data in your capture, you may begin to feel rather frightened of what can be read from the wire. You should be. Any person running a network analyzer on your network has access to sensitive data as it passes across the wire. Fortunately for the network administrator, Network Monitor also announces its presence to other Network Monitor computers. When you’re actively capturing data, another Network Monitor computer can detect your capture. This feature helps to preserve the security of your network. When I worked with Network Monitor for the first time, I found that I began to really appreciate what the computers are doing when they communicate on a network. It can be truly amazing how much information is being passed across the wire and how quickly it moves. When you get over the sense of wonder about what is happening on the wire, be sure to remember how much data is visible in these frames. When we discuss the various network services available to Windows 2000 in the next chapter, remember the amount of data being displayed in Network Monitor. Many network services transmit information in clear text. This means that if somebody is using


www.sybex.com

520

Chapter 12


Network Monitor on your network, they’ll be able to actually read the information in your file as it passes across the wire. EXERCISE 12.3

Analyzing Captured Data in Network Monitor In this exercise, you analyze some of the data from your earlier capture. If you have not captured some traffic from your local network, please use the instructions in Exercise 12.2 to perform a network capture now. Then follow these steps:

1. Display the data in your network capture by selecting Display Captured Data from the Capture menu.

2. Browse down the Protocol column until you locate a frame that reads ARP_RARP.

3. Double-click this frame to see its information. 4. In the details pane, double-click the plus sign beside Frame. This will expand the properties for the Frame layer. This layer is not actually a part of the network frame, but instead is included by Network Monitor to describe the properties of the frame itself.

5. Now double-click the plus sign beside ETHERNET. This will expand the properties for the Ethernet header on the frame. In this section of the frame, you can find information about the source hardware address of the client making the request, as well as the destination hardware address. The purpose of an Address Resolution Protocol (ARP) frame is to resolve an IP address to a hardware address. Notice that the destination address is FFFFFFFFFFFF, which is the hardware broadcast address. Since the client does not know the hardware address of its destination computer, it must send the request to the broadcast address. The destination computer will hear the broadcast and respond by sending back its own hardware address.


www.sybex.com


521


6. Now double-click the plus sign beside the ARP layer. This will expand the actual packet of information being sent across the wire. Notice that I use the terms packet and frame differently. A packet is the chunk of data being sent, while frame refers to the entire pattern being sent across the wire, including all of the header information defining the structure of the data. Obviously, an ARP request is actually a very simple frame of data. Browse to some of the other frames of information recorded in your capture. You’ll no doubt find some frames that are much more complex than an ARP frame.

The version of Network Monitor included with Windows 2000 Server is a somewhat crippled version, meaning that some of the tools are disabled. The full version of Network Monitor with all of the tools enabled is available only in Microsoft’s System Management Server (SMS). However, this version of Network Monitor will help you to diagnose problems that exist between computers on your physical network. While it will reveal problems created by various software layers on the computer, it shows only data that has been transmitted across the physical network. Another point to consider is that Network Monitor is a very complex tool. Please do not expect to open up this tool with little or no network experience and be able to understand any of the information being presented. On the other hand, the more you understand about protocols and services on the network, the more useful this tool becomes. Network Monitor’s online help can give additional information about the various features of this tool. But only time and experience can give you a mastery of the tool itself. In my years of experience working with networks, I have met only a handful of professionals who are truly proficient with Network Monitor—or any other network analyzer for that matter.


www.sybex.com

522

Chapter 12


Assuming that you have some proficiency in network protocols and services, you can use Network Monitor to diagnose problems with network connectivity. I have run across a couple of very strange problems that could only have been solved by analyzing the traffic using a network analyzer. For instance, I worked out a support issue where one computer could not communicate with any computer on a remote subnet. From the interface of the computer everything looked perfect. The IP addressing, subnet mask, and default gateway were all listed correctly on the computer, but the problems remained. Using Network Monitor to capture the traffic from this computer, I discovered that the frames being sent to the default gateway were, in fact, being sent to an incorrect address. This of course would account for the inability to connect to any computer on a remote subnet. This was a very rare case where the Registry contained one piece of information and the interface displayed a different piece of information. In that specific example, understanding the pattern of traffic the computer would generate when it tried to go to a remote subnet was very useful. When you attempt to communicate with a remote computer, IP examines the destination address to determine whether it is local or remote. If the destination address is determined to be remote, the IP layer on the client computer will attempt to make an ARP request for the hardware address of the default gateway or router. Knowing this process was my key to finding the problem using Network Monitor. I located an ARP request in my capture and looked to see which IP address it was trying to resolve to a hardware address. In that particular case, the destination address was incorrect. I could then use Registry Editor to correct the problem in the operating system. I sometimes helped customers with this very problem when they called Microsoft for technical support—which brings up an excellent point. If you’re trying to troubleshoot a problem that requires Network Monitor and you do not feel comfortable using the tool, you can call someone for help. Microsoft has support engineers who can assist you with this area. There are also consultants who are qualified to help you with Network Monitor issues.


www.sybex.com

Troubleshooting Share Permissions

523



Troubleshoot access issues for all types of migrations.

Resolve permission issues involving NTFS.

Resolve issues associated with the inaccessibility and absence of shared resources.

When someone asks you about troubleshooting networking, probably one of the first things that comes to your mind is shared resources. Sharing folders and printers on a server is not a particularly difficult task, but you may encounter some problems along the way. Typically, most problems arise because of the combination of NTFS file system permissions and shared folder permissions. Before we examine how to troubleshoot these issues, I would like to spend some time discussing how these permissions are applied. When I faced my first two Windows NT MCSE exams, permissions were one of the areas that gave me a great deal of difficulty. After teaching the MCSE courses over the years, I’ve found many easy ways to relate how permissions are applied. The easiest way to understand permissions is to take them one step at a time. First, evaluate the NTFS file and folder permissions. Next, evaluate the shared folder permissions. Then, compare the results of the two sets of permissions to find the effective permissions. Let me use an example to illustrate this process using the diagram in Figure 12.6. When you look at the diagram, examine the two sides of the permissions separately. First, let’s evaluate the NTFS permissions on the left side of the diagram. For this illustration, assume that BobR is a member of all of the groups listed in the diagram. For the NTFS permissions, BobR has Read and Write permissions for his own account, Group1 has the Modify permission, Group2 has the Read permission, and Group3 has no specified permission. When you add all the permissions together, you discover that BobR has the Read, Read and Write, and Modify permissions. This means that the effective NTFS permission for BobR is Modify.


www.sybex.com

524

Chapter 12


FIGURE 12.6

An example of combining share permissions and NTFS permissions

NTFS Public

Public

= Modify

= Read

Group1

Group1

= Read

= Read

Group2

Group2

= None

= Change

Group3

Group3

= Read and Write

= Full Control

BobR Totals =

BobR Modify

Full Control

Effective Permission = Modify

Now use the same process for the shared folder (Public) permissions. In this case, Group1 has Read, Group2 has Read, Group3 has Change, and BobR has Full Control. When you add all of these permissions together, you find that BobR has Read, Change, and Full Control permissions. So the effective permission for the shared folder is Full Control. Now for the really complicated part: We have to combine the shared folder permissions and the NTFS permissions. When access to a shared folder across the network is secured with the shared permissions and NTFS permissions, you must use the most restrictive of the permissions. In the case of our diagram, we’re evaluating the total permissions between the NTFS permissions and shared folder permissions. Remember that our total permissions were Modify for NTFS and Full Control for the shared folder permissions. In this


www.sybex.com


525

case, Modify is more restrictive than Full Control, so Modify is the effective permission when BobR accesses this folder across the network. To make this process easier, always evaluate the NTFS permissions first, and then evaluate the shared folder permissions. Only when you have the effective permissions for each of those levels do you combine them to find the most restrictive permission. If you take this one step at a time, you’ll find that the process is actually fairly simple. However, you may find that it will take a lot of practice before it becomes easy for you. So far, the process doesn’t look too complicated. But what happens when you start using the Deny permission? In Windows 2000, every permission that you assign can be granted or denied. This is where your troubleshooting will become very complicated. Consider the example in Figure 12.7. FIGURE 12.7

An example of Deny permissions

NTFS Public

Public

= Modify Group1

= Read Group1

= Deny Read Group2

= Deny Read Group2

= None Group3

= Change Group3

= Read and Write BobR Totals =

= Full Control BobR

Modify (Deny Read)

Full Control (Deny Read)

Effective Permission = Modify (but Deny Read)


www.sybex.com

526

Chapter 12


In this example, the Read permission is being denied to Group2. The process we must follow is exactly the same as in the previous example, but the end results are very different. The results of adding up all the NTFS permissions and shared permissions are almost exactly the same as the previous example. The major exception is that because Group2 is being denied the Read permission, the NTFS permission becomes Modify without Read, and the shared permission becomes Full Control without Read. This is a rather interesting situation. It means that BobR will be able to write to the file, delete the file, or execute the file. But no matter what BobR does, he will not be able to read the file. Imagine BobR’s confusion at having been granted Full Control permission for the shared folder and Modify for the NTFS folder when he cannot read the file. This can be a very difficult situation to troubleshoot. You’ll have to manually add up all of the permissions on both the NTFS side and shared folder side to determine where the problem lies. This problem arises because Windows 2000 always evaluates denied permissions before granted permissions. There is one other issue with NTFS permissions that changed with Windows 2000, and that is the inheritance of permissions. In Windows 2000, the default behavior when applying permissions is that they will be inherited throughout the entire folder tree. This means that when you set a permission on one folder, it applies to everything in the folder and all subfolders automatically. The reason why this becomes important with troubleshooting permissions is that the permission causing your problem may be coming from a parent container rather than from the folder you’re trying to access. When you apply permissions in NTFS, you have the choice of blocking the inheritance or allowing the permissions to propagate down through all of the folders. When you use the Security tab of the folder’s Properties dialog to apply permissions, if you want to block inheritance of the permissions, you must remove the check mark beside Allow Inheritable Permissions From Parent To Propagate To This Object, as shown in Figure 12.8.


www.sybex.com


FIGURE 12.8

527

You can allow or deny inheritance of permissions on the Security tab of the Properties dialog.

If you remove the check mark for the inheritance, you’ll be asked how to apply the initial permissions, as shown in the following graphic. Windows 2000 needs to know what to do with the inherited permissions. Will you copy the previously inherited permissions to this object and then modify them from there? Are you going to remove the inherited permissions and keep only the explicitly assigned permissions? In Windows 2000, inheritance of permissions can be a powerful tool in NTFS. But as with any powerful tool, it can also present a number of problems.


www.sybex.com

528

Chapter 12


Let’s look at an example of what can happen with inheritance. Let’s say that you have applied explicit permissions to the root level of the hard drive on your Windows 2000 Server and are counting on those permissions propagating downward. If you are unaware that someone has changed the permissions of a folder at a lower level, it may drastically change the security of your system. If this person were to block inheritance of permissions on the lower folder and apply permissions that opened up the security, people would be able to access sensitive data below that folder. On the other hand, that person may just as easily set permissions to prevent people from getting the data they need.

Resolving Shared Resource Issues There are two possible courses of action to avoid this problem in the future. I recommend to my students that they always apply Deny permissions to individual users rather than groups. Denying permissions to groups can cause conflicts when people are members of multiple groups. Denying permissions to an individual user, on the other hand, means that one user will be blocked from that permission. This is the behavior that we actually intend in almost every case. Now if we only had a tool to evaluate all of the permissions automatically and display the results, we would be in business. Nearly every case of permission issues that I have dealt with has been due to someone granting No Access or Deny permissions to a group. If you’re careful to remember that denying access will always override any granted permission, you will be safe. Permission conflicts will account for most of the shared-resource access problems. But there are other issues that you may have to troubleshoot when accessing shared resources. If you can determine that the problem is not caused by permissions, you need to start with basic network troubleshooting. Remember that very often a user will call you about the shared resource problem and state something like, “I can’t see the server.” In a case like this, you really need to determine what the problem actually is. Is the user trying to browse for the shared resource? Or is the user actually trying to map a drive letter to the shared folder? If the user is trying to browse for the resource, have them attempt to connect directly to the resource instead. If the user is attempting to map a drive directly to the share, try to ping for the server name. If you are unable to ping for the server name, try to ping for the server IP address. If all of your attempts to ping


www.sybex.com

Troubleshooting Authentication

529

fail, you’ll need to locate the failure in the network connection. This is another situation where the Netdiag utility will be helpful to you. If you discover that you can ping by IP address but not by name, you’re facing a name-resolution issue. On a Windows 2000 network, that means DNS. If the server’s address has been manually entered into the DNS server, you’ll need to check the references in the DNS console. If the server’s entry has been dynamically registered with DNS, you’ll need to force the server to reregister its entry. You can accomplish this in one of two ways. The easiest way for most users will be to reboot the server. Of course, this can be very time-consuming. The faster way to force the server to reregister its DNS entry is to use the command ipconfig /registerdns. This command tells the Windows 2000 computer to reregister its information dynamically with the DNS server that it is configured to use. If you discover that you can connect to the server but are still unable to locate the shared resource, make certain that the resource is actually shared. I frequently cause this problem for myself. I have on several occasions thought that I had shared out a folder on a server only to discover later than I had forgotten to perform that step.



Resolve authentication issues.

O

h, the joys of troubleshooting authentication! While I was writing this chapter, I had a firsthand opportunity to troubleshoot authentication issues in Windows 2000. I was trying to install a new driver on my Windows 2000 domain controller, and the driver caused several blue screens. The long and short of the situation was that my domain controller completely crashed. I was able to recover the domain controller eventually, but I lost all user accounts in the domain.


www.sybex.com

530

Chapter 12


After rebuilding the user accounts (of course I did not have a current tape backup of the system), I began to encounter serious authentication problems with my Exchange Server. After troubleshooting the Exchange Server for some time, it became apparent that I was in for a very bad week. I worked on the problem overnight, and then I resorted to reinstalling the Exchange Server and then restoring the data. A soon as that was completed, I began getting events in Event Viewer similar to the text below: Description: Domain\User was validated as /o=ORG/ou=SITE/cn=Recipients/cn=USER but was unable to log on to /o=OLDORG/ou=OLDSITE/cn=Recipients/cn=USER. In every event, the text was exactly correct for the user name and organization name. I won’t tell you how many hours I spent fighting this problem before I realized that I still had the Active Directory Connector (ADC) installed on my domain controller. Apparently, every time I corrected the problem in Exchange’s directory, the ADC would pump bad information back into it. The root of the problem is very similar to what would happen with the conflicting accounts in Active Directory. The directory in Exchange had one version of the user accounts, and the Active Directory had a different version. Once I removed the ADC, everything went back to normal. When troubleshooting authentication problems, just like with any other troubleshooting, always start with the simple things first. If you are unable to log on to a Windows 2000 computer, verify that the Caps Lock key is not turned on. Caps Lock is the primary cause of authentication problems during logon. In Windows 2000, the user name is not case-sensitive, but the passwords are case-sensitive. Checking this for yourself can save you a lot of embarrassment when you call tech support. The next most likely cause of logon problems is trying to log on to the wrong domain. Windows 2000 will attempt to validate your user account based on the location you define. If you give an incorrect domain location for your account, don’t blame the operating system when it fails to log you on. The standard method of logging on to Windows 2000 is to enter your user name and password and use the drop-down list box to select the correct domain. Figure 12.9 shows this dialog.


www.sybex.com


FIGURE 12.9

531

The Windows 2000 logon dialog

Windows 2000 also offers a new method of logging on to the domain. Instead of having to enter your name and domain separately, you can enter instead your user principal name (UPN). The UPN is your username@ domain.name, and it uniquely identifies your user account name as well as its location in Active Directory. When you enter your UPN, Windows 2000 will gray out the box for selecting a domain, as shown in Figure 12.10. If you’re troubleshooting a logon problem, try having the user enter their UPN instead of their simple user name. FIGURE 12.10

You can also use your UPN to log on to Windows 2000.


www.sybex.com

532

Chapter 12


Of course, authentication problems reach beyond logon. You may be troubleshooting the inability to access a shared resource because of an authentication problem. Whenever I am unable to do something I should be able to do, I find out how I am supposed to log on. If you have more than one user account within the domain, this problem can happen easier than you might think. Even if you do have only one user account in the domain, you may also have a user account on your local computer. To determine how you are logged on to Windows 2000, press Ctrl+Alt+Del to open the Security dialog box, as shown in Figure 12.11. FIGURE 12.11

The Security dialog box in Windows 2000

The Security dialog box clearly displays how you are currently logged on. I see this problem in the classroom very frequently. In most of the courses that I teach, students are required to log off and log on as different users during the course of their lab exercises. It is common for students to tell me that they are unable to perform some portion of the lab because of authentication problems. I can nearly always solve the problem by asking them how they are logged on and directing them to press Ctrl+Alt+Del to find that information. These authentication issues account for the easy parts of troubleshooting authentication. The more difficult troubleshooting areas have to do with duplicate account information. In Chapter 11, “Troubleshooting Account Issues,” I discussed some other problems with duplicate user accounts in Active Directory. If you managed to have duplicate user accounts after your migration to Windows 2000, you may run into authentication conflicts using some of those accounts.


www.sybex.com

Trust Relationship Issues

533

In the normal order of things, Windows 2000 will prevent you from entering duplicate user accounts in the same container of Active Directory. But when user accounts are created by a script or imported during a migration, duplicates can occur. The first user account will appear normal, while the second account will have its Globally Unique Identifier (GUID) appended to it. As a refresher, a GUID is a unique 128-bit hexadecimal number that identifies an object in Windows 2000. When duplicates occur, your use of these accounts will be unpredictable. Experiments in my classroom have shown that sometimes the accounts will perform normally, while other times settings made to the account will never be applied. I have witnessed situations where duplicate accounts have caused failed logons, failed resource access, or conflicts in the application of Group Policy. I would love to be able to tell you that any time you see one particular symptom, you should look for a duplicate user account. However, the symptoms of duplicate accounts are wide and varied. After my experiences with duplicate accounts in the classroom, I know this is something to check for after completing the simple tests.



Resolve trust relationship and inappropriate access issues.

Troubleshooting trust relationships in Windows 2000 has gotten a little more interesting than it was in Windows NT. In Windows NT, trust relationships exist between only two domains, and they point in only one direction. What’s more, trust relationships in Windows NT are nontransitive, meaning that security information cannot flow across more than one trust. In a native Windows 2000 forest, trust relationships are established automatically, they are two-way, and they are transitive. These facts alone were enough to give me bad dreams for a week.


www.sybex.com

534

Chapter 12


In a Windows NT multiple domain environment, troubleshooting a trust relationship usually involves the flow of access from one domain to another. That is to say, I have established a trust relationship between two domains and now I cannot access the resource that I think I should be able to access. Often this would be because the trust relationship was established in the wrong direction. This situation can still occur with Windows 2000 domains that are running in mixed mode. In a native-mode Active Directory environment, every domain in the forest has a two-way transitive trust with its direct parent and any child domains. This can cause some interesting situations to occur after migrating from a Windows NT environment. In a Windows NT environment, trust relationships are carefully crafted to allow resource access from domains housing the user accounts. If your migration plan calls for an upgrade of existing domains, you may discover that users now have access to resources that they were not able to reach before. In many cases, this will be a desirable outcome. But in any case of sensitive or highly secure materials, this access may pose quite a security risk. If the access permissions for resources are defined using domain groups, security will probably be preserved. If some of those domain groups also contain users or groups from other domains, however, you may be inadvertently allowing access to unauthorized users. This is one of the reasons why I feel that a migration to a parallel Windows 2000 environment is a better migration than an upgrade of an existing environment. When you upgrade your domain structure to Windows 2000, you also maintain all of the existing problems in the network. When you replace the network with a parallel Windows 2000 network, you have the opportunity to start fresh and clearly define the security for the network. But not everybody has the luxury of designing a parallel Windows 2000 network for their migration. To illustrate this point, let’s use an example from Coolcompany Inc. This company started with the network running Windows NT 4.0 and multiple domains, as shown in Figure 12.12. In their existing domain structure, user accounts from the main domain in Seattle can access resources in either of the child domains. But any user account existing in a child domain cannot access resources in the other child domain.


www.sybex.com


FIGURE 12.12

535

The existing network environment of Coolcompany

Seattle

Resource1

Resource2

The existing configuration preserved the security of resources located in the child domains. But now consider what happens when we upgrade the domains to Windows 2000 and convert to native-mode Active Directory, as shown in Figure 12.13. Because the trusts existing between the child domains and a parent domain in Seattle are transitive and two-way, a user account in Resource1 now has access to resources in the Resource2 domain. This may or may not be what you want to have happen. Troubleshooting these problems can be difficult and may require that you reassign permissions to the resources themselves. At the very least, trust relationships in Active Directory environments require careful planning for resource access. FIGURE 12.13

The Coolcompany network using Active Directory

coolcompany.local

Resource Access User

Shared folder

Resource1

Resource2


www.sybex.com

536

Chapter 12


Another trust issue that may arise in your network environment comes from the use of shortcut trusts. A shortcut trust is a trust that you manually establish between two domains in separate portions of an Active Directory network for the purpose of speeding up searches of Active Directory. For example, in Figure 12.14 the process normally used to browse for resources in Active Directory requires that you search from the Sales domain all the way to the root domain of coolcompany.local and back down another branch of the tree to reach resources in the Marketing domain. Creating a shortcut trust from the Sales domain to the Marketing domain prevents a user from having to browse all the way to the root of the forest and back down the other branch. FIGURE 12.14

The use of a shortcut trust can speed access to other branches of an Active Directory tree.

coolcompany.local

Shared folder seattle.coolcompany.local marketing.coolcompany.local st

t tcu

Tru

or

Sh

User sales.seattle.coolcompany.local


www.sybex.com


537

Shortcut trusts are established manually and have the same properties as trust relationships in Windows NT. This means that they are single directional by default and nontransitive. If the two domains connected by the shortcut trust are native-mode Windows 2000 domains, the trust can be made two-way and transitive. You can even establish an external trust from a Windows 2000 domain in a forest to a Windows NT domain outside the forest. If you do this, all of the normal cautions apply. An external trust from a Windows 2000 domain to an NT domain will be single directional and nontransitive. These trusts fall victim to the same problems that we’ve always had in Windows NT. You must point the trust in the correct direction in order to provide correct resource access. If you have manually created trusts and determine that they cannot provide the correct access to resources, the best way to fix the problem is to delete the trust and re-establish it. Of course, if the trust is a shortcut trust between two native-mode Windows 2000 domains, and you determine that the problem is due to a single-directional trust pointed in the wrong direction, you can solve the problem by converting the trust to a two-way transitive trust. To create a shortcut trust, use the Active Directory Domains and Trusts console. Right-click the domain that will form one end of the trust relationship, and select Properties from the context menu. Click the Trusts tab, and click the Add button beside either Domains Trusted By This Domain or Domains That Trust This Domain. This will enable you to define the name of the other domain that will participate in the trust relationship. Once you’ve entered the name of the other domain, you can specify whether this trust relationship will be one-way or two-way and whether it will be transitive or nontransitive. To delete the trust, highlight the existing trust relationship you want to remove and click the Remove button. If you want to change the properties of an existing trust relationship, highlight the trust and click the Edit button. This will permit you to change the nature of the trust relationship from nontransitive to transitive or from one-way to two-way.


www.sybex.com

538

Chapter 12


Summary

In this chapter, you learned how to troubleshoot various problems with network connectivity. We started off by examining several techniques to confirm network connectivity between the client computer and the server. First we described the basic requirements for network communication and then described how to test each one of these in a troubleshooting scenario. You learned how to use the Ping utility to test basic TCP/IP communication and then how to use NSLookup to test the DNS functions. You also saw how to use the Netdiag utility to help isolate and identify various networkconnectivity problems. In the next section of the chapter, you learned about Network Monitor, a full-featured network analyzer included with Windows 2000. We showed you how to capture traffic from the network, as well as display the data that you captured. Next you learned about troubleshooting share permissions and how they combine with NTFS permissions. We examined how to assign permissions, and then we examined how to combine shared folder permissions with NTFS permissions. We explained that the easiest way to determine the effective permission is to add up all of the NTFS permissions, then add up all of the shared folder permissions, and finally compare the results of the two types of permissions. The most restrictive permission of the two results is the effective permission. In the last section of the chapter, we examined how to troubleshoot authentication and trust-relationship problems. Logging on to the wrong domain will often cause authentication conflicts. But sometimes authentication problems can be caused by duplicate accounts in Active Directory. The trust relationship problems are similar to those seen with NT domains when your Windows 2000 network is running in mixed mode. But when you convert to native-mode Active Directory, the trust relationships are two-way and transitive by nature. We also discussed how to use a shortcut trust to improve the performance of Active Directory.


www.sybex.com

Summary

539

Key Terms Before you take the exam, be sure you’re familiar with the following terms: Deny permission effective permissions frame Globally Unique Identifier (GUID) packet shortcut trusts user principal name (UPN)


www.sybex.com

540

Chapter 12


Review Questions 1. You have a user in your network who reports that she is unable to con-

nect to a server. How can you determine if her computer is able to communicate with the server? A. Use My Network Places to look for the server. B. Try to map a drive. C. Ping the address of the server. D. Reinstall Windows 2000. 2. You are troubleshooting a computer in your Windows 2000 net-

work. You are trying to verify connectivity with a remote server. You use Ping and determine that you can ping by IP address, but that pinging by name fails. What is the most likely problem? A. There is incorrect address mapping in the LMHosts file. B. DNS name resolution is failing. C. There is incorrect address mapping in the Hosts file. D. WINS is not working correctly. 3. You are trying to troubleshoot your DNS server in a Windows 2000

environment. What tool can assist with this? A. Network Monitor B. Ping C. NSLookup D. Netdiag


www.sybex.com

Review Questions

541

4. Users in the Marketing domain need access to some sales reports in the

Sales domain, which is located in another branch of your Active Directory tree. They complain that browsing for the resources is slow. What is one way you can speed up access for these users? A. Create a shortcut trust from the Sales domain to the Marketing

domain. B. Create a shortcut trust between the Sales domain and the root of

the tree. C. Create an external trust from the Sales domain to the Marketing

domain. D. Create an external trust between the Sales domain and the root of

the tree. 5. You would like to retrieve a list of all of the SRV records in your DNS

server. Which of the following commands will accomplish this task? A. netdiag -t SRV domain_name B. ping -type SRV server_name C. Use NSLookup with the command ls -t SRV domain_name. D. DNS /srvrequest domain_name 6. DaveH is a user in your network. He received an access-denied mes-

sage when he tried to open a folder located on a server. His account has been granted Full Control permissions for the share. What do you suspect is the problem? A. There is a problem with the network connectivity. B. There is a problem with the DNS server. C. One of the groups that DaveH belongs to has a Deny permission. D. The server is down.


www.sybex.com

542

Chapter 12


7. You have applied NTFS permissions to block users from accessing a

folder on your Windows 2000 Server. Later you discover that users are unable to access any of the data in a subfolder of that folder. What is the most likely cause of the problem? A. Someone changed your permissions. B. The subfolder is on a FAT partition. C. The subfolder is offline. D. The child folder inherited the permissions you applied. 8. A user tells you that he cannot connect from his Windows 2000 Pro-

fessional computer to a shared folder on a Windows 2000 Server computer. You try to connect by IP address and are successful. What do you suspect is the problem? A. There is incorrect address mapping in the LMHosts file. B. DNS name resolution is failing. C. There is incorrect address mapping in the Hosts file. D. WINS resolution is not working correctly. 9. A user tells you that he cannot connect from his NT Workstation com-

puter to a shared folder on a Windows NT 4 Server computer. You try to connect by IP address and are successful. What do you suspect is the problem? A. There is incorrect address mapping in the LMHosts file. B. DNS name resolution is failing. C. There is incorrect address mapping in the Hosts file. D. WINS resolution is not working correctly.


www.sybex.com

Review Questions

543

10. You are the administrator for a Windows 2000 Server. You have

received calls from multiple users informing you that a shared folder is not available. You verify that name resolution for the server is working and that you can ping by name and address. What should you check next? A. That the folder is shared and visible B. That the server is online C. That the server is using the same network protocol as your

computer D. That the server’s network cable is plugged in 11. You attempt to log on to a Windows 2000 Professional computer, but

the computer will not accept your logon credentials. What is the first thing you should check? A. Whether the domain controllers are online B. Whether Group Policy allows you to log on to the domain C. Whether the Caps Lock key is on D. Whether Group Policy allows you to log on at this time 12. You are the administrator for a Windows 2000 Server computer.

Recently you assigned permissions so that you can access a data folder with your administrator account. When you attempt to access the folder, you receive an access-denied message. What should you check first? A. Whether the domain controllers are online B. How you are logged on C. Whether the Caps Lock key is on D. Whether Group Policy allows you to access the folder


www.sybex.com

544

Chapter 12


13. What is the fastest way to verify how you are currently logged on? A. Log off and then log back on. B. Open a command prompt and run the Whoami command. C. Press Ctrl+Alt+Del to open the Security dialog box. D. Ask your administrator to check in the Active Users console. 14. Your Windows 2000 Professional computer is able to communicate

with all of the other computers on your local subnet but cannot reach any remote computer. What should you check first? A. That the computer is plugged into the network B. That the default gateway is configured correctly C. That the remote computers are running D. That you are logged on correctly 15. What is the default method of name resolution for Windows 2000

networks? A. DNS B. WINS C. ARP D. Broadcast 16. You can ping your own host, the default gateway, and local hosts by

name and by IP address, but you cannot ping a remote host. How can you verify that the problem is with that particular remote host? A. Call the administrator of that computer. B. Ping another computer on the same subnet as the remote host. C. Use the ping /downquery command. D. Use the net view /down_server command.


www.sybex.com

Review Questions

545

17. You are trying to verify that your TCP/IP software is working. Which

of the following addresses will specifically test the TCP/IP stack on your computer? A. 192.164.0.1 B. 10.1.0.1 C. 1.0.0.127 D. 127.0.0.1 18. Which Windows 2000 tool will help you to determine the functional-

ity of the networking components on your own computer? A. Network Monitor B. Netdiag C. Ping D. NSLookup 19. You are using Network Monitor to analyze network traffic from your

computer to a server located on another subnet. You see ARP_RARP requests and responses being made from your computer to the default gateway but not to the remote server. Why not? A. IP has determined that the destination address is remote, and so the

frames must go through the default gateway to reach the destination. B. Obviously, IP is misconfigured on your computer. C. The default gateway and the remote server have the same IP

address. D. Your Hosts file is providing the wrong address for the remote

server.


www.sybex.com

546

Chapter 12


20. Bob has the Change permission for the Public share on Server1 and

belongs to a group with the Read permission for the share. In addition, he has the Read & Execute permission for the NTFS folder, and the group he belongs to has the Full Control permission. What is Bob’s effective permission when accessing the folder locally on Server1? A. Modify B. Change C. Full Control D. Read & Execute


www.sybex.com


547

Answers to Review Questions 1. C. The Ping utility is a simple way to test TCP/IP connectivity. Ping-

ing the address of the server will tell you if the two computers can communicate. 2. B. Ping can be used to confirm communication with another computer

by hostname or IP address. If the name resolution is not working at all in Windows 2000, check the DNS configuration. 3. C. NSLookup is the correct tool to use when testing the configuration

of a DNS server. Netdiag would help to determine the client’s configuration for DNS but would not test DNS itself. 4. A. A shortcut trust between the Sales and Marketing domains would

prevent users from having to travel up their branch of the tree to the root and back down the other branch to the other domain. This would increase performance for resource access and authentication. 5. C. NSLookup can be used to query for records of a specific type by

using the ls command and adding the -t switch followed by the record type and the domain name. 6. C. The simplest answer is that one of the user’s permissions is Deny.

Deny permissions always override any granted permissions. The access-denied message always means that you do not have permission to do you what you just tried to do. 7. D. The default action for Windows 2000 NTFS permissions is to apply

them to all contents of a folder and all subfolders. If you want different permissions on the subfolder, you would have to explicitly define them and possibly block the inheritance of permissions. 8. B. Windows 2000 will always attempt to resolve names using DNS

first. If you can connect to a Windows 2000 Server by IP address but not by name, check the DNS configuration.


www.sybex.com

548

Chapter 12


9. D. Windows NT Servers and Workstations resolve names using

NetBIOS methods. The most prevalent NetBIOS name-resolution method on Microsoft networks is WINS. 10. A. Knowing that you can ping the server by name and IP address tells

you that you have a common protocol and that the server is online and responding. You should next verify that the folder is in fact shared. 11. C. Whenever you are being denied to log on due to incorrect creden-

tials, always check the Caps Lock key. This is because passwords are case-sensitive in Windows 2000. 12. B. Whenever you receive an access-denied message while trying to

access a resource that you believe you have permission to access, check how you are logged on. In this case, you may very well be logged on with a user account instead of your administrator account. 13. C. Pressing Ctrl+Alt+Del opens the Security dialog box in Windows 2000

just as it did in Windows NT. This dialog displays the credentials you are currently using in your session. 14. B. If you can communicate successfully with local computers but not

with any remote computer, you should check the configuration for the default gateway. Any communication with a remote subnet will pass through the default gateway, so that is the common point of failure to check first. If the router were down, no one would be able to communicate with remote servers and you’d probably be hearing more complaints, so check the simple part first: your own configuration. 15. A. The Domain Name System (DNS) is the default and preferred

method of name resolution for Windows 2000. 16. B. Pinging another computer on the same subnet as the computer

you are trying to reach will confirm that the problem is not with the router or a physical outage on that remote subnet. This means that the problem is most likely with the particular computer you are trying to reach.


www.sybex.com


549

17. D. 127.0.0.1 is the reserved address for diagnostic loop-back testing.

It will verify that the TCP/IP software is functional. 18. B. While each of these tools will give you information regarding your

networking capability, only Netdiag will give you a complete view of the network configuration for your own computer. 19. A. This is the normal pattern of events for remote commun-ication

using IP. If the destination is local, IP will make an ARP request for the destination. If the destination is considered remote, meaning on the other side of a router, then IP will make an ARP request for the default gateway’s hardware address. 20. C. When Bob accesses the folder locally from Server1’s console, the

only permissions in effect are the NTFS permissions. Since he has Read & Execute and the group he belongs to has Full Control, the effective permission is both Read & Execute and Full Control, or simply Full Control.


www.sybex.com

Chapter

13

Troubleshooting Network Services MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Troubleshoot network services problems for all types of migrations.

Resolve name resolution issues.

Resolve remote access permissions failures and logon failures.

Resolve file and directory replication issues.

Resolve network service issues, including DHCP, WINS, and DNS.


www.sybex.com

I

n this chapter, you will learn some of the specifics of troubleshooting the major network services in Windows 2000. We’ll go more in depth troubleshooting name resolution, especially the Domain Name System (DNS), exploring some of the more serious symptoms of name-resolution issues. We will examine the entries that Windows 2000 places in DNS to provide domain logon services to Windows 2000 clients. We will also look at the role that the Windows Internet Name Service (WINS) plays in a Windows 2000 environment. Then you will learn about some of the issues you may encounter in supporting the Remote Access Service (RAS) in Windows 2000. We’ll examine some of the policy changes that will affect your users when they dial in and connect to the RAS server. We’ll also examine some of the problems you may have to troubleshoot with the File Replication Service (FRS). In the final portion of the chapter, you’ll learn how to troubleshoot domain network services in Windows 2000. We’ll spend some time examining the Dynamic Host Configuration Protocol (DHCP), WINS, and DNS.


www.sybex.com

Troubleshooting Name Resolution

553



Troubleshoot network services problems for all types of migrations.

Resolve name resolution issues.

I

mentioned in several places in this book, and I’ll mention it again here, that DNS is critical to the operation of a Windows 2000 network. DNS is the primary and default method of name resolution in a Windows 2000 environment. But it is not the only method of name resolution that Windows 2000 uses. Windows 2000 also supports NetBIOS name resolution using either the LMHosts file or a WINS server, though it doesn’t require NetBIOS at all. It supports a Hosts file for static hostname resolution, and it will also fall back to broadcasting in the local subnet. Most of the time when you work with name resolution issues on Windows 2000 networks, you’ll be working with DNS. The primary tool for troubleshooting DNS is NSLookup. We covered NSLookup in depth in Chapter 12, “Troubleshooting Access Problems,” but the syntax for the command is outlined in Table 13.1. NSLookup can be used in two modes: The interactive mode can be used to run multiple queries against the DNS server, and the single-query mode can be used to submit a single query. TABLE 13.1

The NSLookup Command Syntax Command

Description

Help

Displays the full list of all possible options for the NSLookup command.

Name

Reports information about a given hostname; uses the default DNS server as the source.

Name1 Name2

The same as Name, except that it uses the second hostname given as the source DNS server for the query.


www.sybex.com

554

Chapter 13

Troubleshooting Network Services

TABLE 13.1

The NSLookup Command Syntax (continued) Command

Description

Set option

Modifies the behavior of NSLookup. For example, Set can be used to change the root server or default domain name for the queries. For a full listing of options for the Set command, start NSLookup in interactive mode and type help.

Server name

Sets the default DNS server to the name given. You can also use an IP address instead of a hostname.

Lserver name

Changes the default DNS server to the hostname specified but uses the initial DNS server to perform the lookup of the new server’s hostname.

Root

Sets the default DNS server to the root of the Internet.

Ls

Displays a set of information from a DNS server in list form. The Ls command has several useful output switches: -a Lists the canonical names and aliases. -d Lists all records. -t TYPE Displays all records of a given type. For example, to display all MX records for a specified domain, use the command ls -t MX domain_name.

Exit

Quits out of the interactive mode of NSLookup.

Understanding NetBIOS Name Resolution Before you can readily understand name resolution in Windows 2000, it’s helpful to become acquainted with the name-resolution techniques that the operating system will attempt to use. Let’s start with the NetBIOS nameresolution methods in Windows 2000. The operating system will use the following techniques in the order listed to resolve NetBIOS names: NetBIOS name cache NetBIOS maintains a local cache of all names that have been recently resolved. During any NetBIOS name-resolution attempt, this cache will be checked first to see if the information already


www.sybex.com


555

exists locally. If the resolution exists in the cache, the IP address of the destination can be passed immediately to IP for hardware address resolution using the Address Resolution Protocol (ARP). The NetBIOS name cache can be preloaded with static entries by using the #PRE command in the LMHosts file. The #PRE entries will remain in the NetBIOS name cache until the computer is rebooted. Other cache entries will remain for about 11 minutes before they are flushed from the NetBIOS name cache. NetBIOS name server The next step in name resolution is to consult a NetBIOS name server (NBNS). In a Windows 2000 or Windows NT network, this would be a Windows Internet Names Service (WINS) server. WINS is a dynamic database of NetBIOS-name-to-IP-address resolutions. Client computers must be configured with the address of at least one WINS server before they can take advantage of this service on the network. Broadcast If the previous methods fail, the client computer will attempt to resolve the NetBIOS name through a broadcast on the local subnet. This is perhaps the biggest problem with NetBIOS: It uses broadcasts for several of its functions. The broadcast will succeed if the destination computer is online and located on the same physical network segment as the client computer. LMHosts file The LMHosts file is a static text file that maintains a list of NetBIOS-name-to-IP-address resolutions. The LMHosts file is similar in structure to the Hosts file used for hostname resolution, but it also includes several commands that can modify the behavior of the NetBIOS client. These include the #PRE command, which will insert a name-resolution entry into the NetBIOS name cache when the computer is started. Hosts file A NetBIOS name-resolution method that surprises many people is that Windows 2000 will check the Hosts file for a resolution. The Hosts file is a static text file that contains hostname-to-IP-address resolutions. Windows 2000 is making a big assumption here—that the hostname and the NetBIOS name of the destination computer are the same. They don’t have to be, but the default action in Microsoft network operating systems is to make them the same. If they are alike, then the Hosts file might contain an entry for the hostname of the destination, which can be assumed to be the same as the NetBIOS computer name of the destination.


www.sybex.com

556

Chapter 13


Domain Name System DNS is a server-based method of resolving hostnames to IP addresses. But Windows 2000, still operating on the assumption that the hostname is the same as the NetBIOS computer name, will try to query its configured DNS server to resolve the NetBIOS name. This is another of Microsoft’s proprietary methods, though it’s actually fairly clever.

A helpful mnemonic device for memorizing the NetBIOS name-resolution methods is “Can We Buy Large Hard Drives?” This represents Cache-WINSBroadcast-LMHosts-Hosts-DNS.

The first three methods are fairly reliable. The NetBIOS name cache will always contain correct information provided the source of the information is correct. If there is any doubt of the validity of the cache information, you can easily purge the NetBIOS name cache by using the NBTStat –R command from the command line. Note that the –R switch is case-sensitive. This command will purge the NetBIOS name cache and also preload the new cache with the #PRE entries in the LMHosts file, which can be very useful while troubleshooting NetBIOS name resolution. WINS will be covered in more detail later in this chapter, but essentially the database should contain only name-resolution entries submitted by client computers. Thus, the information should be correct. Of course, if computers go offline suddenly or are improperly shut down, they won’t have the opportunity to release their registrations from the WINS database, and so the information may no longer be correct. NetBIOS name resolution by broadcast tends to work just fine, as long as you understand its limitations. The biggest limitation is that these broadcasts are confined to the local subnet by design. This is because routers are typically configured to block broadcasts. In fact, one of the most compelling reasons to purchase a router is to cut down on broadcast traffic! Of course, broadcast resolution also depends upon basic networking requirements, such as a common protocol and correct addressing. The remaining methods of NetBIOS name resolution are really more of a last-ditch effort to resolve the name. Of the remaining methods, checking the LMHosts file is the most reliable. As stated in the description earlier, the LMHosts file is a static text file containing NetBIOS-name-to-IP-address resolutions. The limitations of this file are mainly that it is static and that it falls


www.sybex.com


557

victim to any name misspellings that you placed in the file. Otherwise, checking the LMHosts file is actually a good method of NetBIOS name resolution. Microsoft’s use of DNS and the Hosts file for NetBIOS name resolution is based on the assumption that the hostname and the NetBIOS computer name are one and the same. This is the default on all Microsoft network operating systems, but it does not have to be the case.

Using LMHosts for NetBIOS Name Resolution The LMHosts file is a little known or understood file nowadays. Back in the days of Windows for Workgroups, the LMHosts file was commonly used for NetBIOS name resolution. I believe that this file is useful in cases where it is necessary to clearly define a NetBIOS name resolution. Figure 13.1 shows an example of the LMHosts file. FIGURE 13.1

An example of the LMHosts file

Notice a couple of things in this example. The pound symbol (#) is used to signify the beginning of a comment. With the exception of commands, any


www.sybex.com

558

Chapter 13


text entered after a pound symbol will be ignored. Table 13.2 lists the commands used in the LMHosts file. TABLE 13.2

Available Commands for the LMHosts File Command

description

#PRE

Preloads the entry into the NetBIOS name cache. The #PRE command is often used to define important servers or in conjunction with the #DOM command to identify domain controllers.

#DOM:domain_name

Identifies a domain controller. This command is also used to locate a master or backup browser on remote subnets, since every domain controller will be at least a backup browser.

#BEGIN_ALTERNATE

Begins a list of possible locations for LMHosts files to include. The list is typically redundant in that the client can draw the LMHosts information from any single location. Identify these locations by the Universal Naming Convention (UNC) path for best results.

#END_ALTERNATE

Signifies the end of the alternate location list.

#INCLUDE

Defines the UNC path to a centrally located, shared LMHosts file. This command instructs the local computer to also use the defined LMHosts file for NetBIOS name resolutions. The #INCLUDE command makes it possible to maintain one central copy of the LMHosts file, while the only items defined in the local LMHosts file would be the #INCLUDE command and the resolution for the server where the included file resides. The path should be defined by UNC for best results.

#MH

Enables you to list multiple IP addresses to be associated with a single NetBIOS name. Useful for multihomed computers, or computers with more than one network interface card.


www.sybex.com


559

Now let’s look at some basic rules for using the LMHosts file. First of all, the file is parsed from the top down. This means that an incorrect entry near the top of the file will be read instead of the correct entry at the bottom of the file. For this reason, you should be very careful about duplicate entries. Next, always place the #PRE statements at the end of the file. Because these statements are preloaded into the NetBIOS name cache, they need to be read only at the startup of the computer or when the NetBIOS name cache is flushed. This will save you time when parsing the LMHosts file for other resolutions. A sample LMHosts file is included with Windows 2000. The file is located in %systemroot%\System32\Drivers\Etc and is called LMHosts.Sam. Feel free to add your resolutions onto the end of this file. The LMHosts.Sam file contains instructions for using the valid switches listed in Table 13.2. There is one last caution that I will give you. The LMHosts file must be a plain ASCII text file in order to be used correctly. Since Windows 2000, like Windows NT, has the ability to save files as Unicode text, I feel that it is important to specify this. Unicode text stores each character with two bytes, whereas ASCII text uses only a single byte per character. If you save the LMHosts file as anything but ASCII text, Windows 2000 will not read the file and NetBIOS name resolution will fail. This caution also extends to editing the LMHosts file with WordPad.

Understanding Hostname Resolution Hostname resolution in Windows 2000 bears many similarities to NetBIOS name resolution. In fact, the same resolution methods are used but in a different order. Hostname resolution is the process of mapping a hostname to an IP address. Since Windows 2000 uses hostnames rather the NetBIOS names for primary name resolution, this process is critical to the success of your Windows 2000 network. Windows 2000 will attempt to resolve the hostname in the following order: Local hostname The computer will first check its own configured hostname to see if it matches the destination hostname. If it does, it communicates directly with itself. If it does not match, the name-resolution process continues.


www.sybex.com

560

Chapter 13


Hosts file The Hosts file will be parsed next to see if there is an entry that resolves the destination hostname to an IP address. The Hosts file is a static text file, similar to the LMHosts file but without the extra commands. Domain Name System DNS is a server-based method of resolving hostnames to IP addresses. Windows 2000 uses this as the primary method of network-based name resolution. The DNS server in Windows 2000 supports dynamic updates, incremental zone transfers, and service (SRV) records. DNS is required if you plan to use Active Directory. NetBIOS name cache Before proceeding to any NetBIOS nameresolution attempt, Windows 2000 will check this cache first to see if the information exists locally. If the resolution exists in the cache, the computer will assume that the NetBIOS name is the same as the hostname and attempt to contact the computer at the address listed in the cache. NetBIOS name server The next step in hostname resolution is to consult a NetBIOS name server. In a Windows 2000 or Windows NT network, this would be a Windows Internet Name Service (WINS) server. WINS is a dynamic database of NetBIOS-name-to-IP-address resolutions. Again, we are making the assumption that the NetBIOS name and the hostname are the same; otherwise, this method will not work. Broadcast If the previous methods fail, the client computer will attempt to resolve the NetBIOS name through a broadcast on the local subnet. As we said earlier, this is perhaps the biggest problem with NetBIOS—that it uses broadcasts for several of its functions. The broadcast will succeed if the destination computer is online and located on the same physical network segment as the client computer. LMHosts file The LMHosts file is a static text file that maintains a list of NetBIOS-name-to-IP-address resolutions. If the NetBIOS name is the same as the hostname, and if it is listed in the LMHosts file, then name resolution will succeed with this method. If none of these name-resolution methods succeed, then the only way to communicate with the destination host will be to use the IP address.

Understanding the Hosts File The Hosts file is perhaps the oldest method of hostname resolution. In the early days of the Internet, the Stanford Research Institute Network Information Center (SRI-NIC) maintained a single copy of the Hosts file. As the


www.sybex.com


561

Internet began to grow and the number of hostnames climbed, it became impractical to maintain this single Hosts file. This problem led to the development of the Domain Name System (DNS). But even though most of the Internet resolves hostnames with DNS today, Hosts files are still in use in many places. The Hosts file is a static text file that maintains hostname-to-IP-address resolutions. Like the LMHosts file, the Hosts file must be plain ASCII text in order to be read by Windows 2000. The Hosts file is parsed from the top down, and so duplicate entries may cause problems. Figure 13.2 shows a sample of the Hosts file. FIGURE 13.2

A sample of the Hosts file

Comments in the Hosts file are preceded by the pound symbol (#). It’s really not a bad idea to include comments in your Hosts file. Comments can be used to explain the cryptic names that we have in our networks today. Notice in the sample in Figure 13.2 that some of the entries simply have hostnames listed, while others have a Fully Qualified Domain Name (FQDN). An FQDN includes the hostname and the domain name of the destination host, and to be fully correct it should include the dot at the end of the name. For example, for


www.sybex.com

562

Chapter 13


the host exchange in the coolcompany.local domain, the FQDN would be “exchange.coolcompany.local.” If an entry in the Hosts file does not have a domain name specified, the computer will assume that the hostname exists within the same domain. That is to say, if my computer does not see a domain name appended to the hostname, it will append my domain name. The Hosts file entries are better defined by FQDN if the host’s domain name is different from your computer’s domain name.

When discussing hostname resolution, the term domain refers to a DNS domain and not to a Windows 2000 domain. This similarity of terms has been very confusing for years, and it has become even worse with Windows 2000 since Windows 2000 uses DNS names for its domain names.

You may have also noticed in the sample Hosts file that the IP address is followed by a hostname and sometimes by another name. The first name listed is the actual hostname of the destination computer. The second name listed (if present) is an alias for the hostname. It is not uncommon in Microsoft network operating systems to see the hostname listed in lowercase followed by the hostname in uppercase as the alias. Windows 2000 is case-insensitive when dealing with the Hosts file. This means that listing the hostname in uppercase as the alias entry is completely optional. On the other hand, if you wanted to list a true alias name for the host, enter the alias name as the second name for the entry. There must be a Hosts file on each computer. At a minimum, the Hosts file must contain an entry for localhost resolved to the IP address 127.0.0.1. Localhost is another name for the local computer. Since the Hosts file is parsed from the top down, you should place the most commonly referenced hostnames at the top of the Hosts file. Another restriction on the Hosts file is that each entry can be no more than 255 characters in length. If you find that entries are being ignored, you may want to check the length of the entries. The Hosts file is located in the following path on Windows 2000: %systemroot%\System32\Drivers\Etc. The Hosts file can have no file extension. Windows 2000 will ignore any Hosts file with a file extension. Understanding the various methods of name resolution in Windows 2000 will help you in troubleshooting. For instance, if you are unable to connect to another computer using the name, you can try using the IP address. If you can connect by IP address but not by name, this is a clear indication that


www.sybex.com

Resolving RAS Issues

563

name resolution is failing. To test NetBIOS name resolution, use the Net View command at the command prompt. This command will attempt to resolve the name using NetBIOS and will list the shared resources on the remote computer. To test hostname resolution, ping the remote host by its hostname. If this fails, ping the remote host by its IP address. When troubleshooting name resolution, always remember the LMHosts and Hosts files. If the client computer is having trouble with name resolution, verify that it isn’t receiving bad information from either the LMHosts or the Hosts file. Be very careful to check for the presence of duplicate entries in either of these files. If the incorrect entry is in the LMHosts file and has been preloaded with the #PRE statement, you’ll need to clear the NetBIOS name cache after correcting the entry.




Resolve remote access permissions failures and logon failures.

T

he Routing and Remote Access Service (RRAS) in Windows 2000 enables clients to dial up and connect to your network from remote locations. In this section, I will focus on the Remote Access Service (RAS) portion of RRAS. RAS is the component of Windows 2000 that enables inbound connections over serial lines, ISDN, or direct cable connections. Because it covers so many components, it can be very difficult to troubleshoot. Troubleshooting RAS covers several categories. First we’ll discuss troubleshooting the physical components of RAS. Next we’ll talk about configuring RAS correctly. Then we’ll move on to learning how to monitor RAS.

Troubleshooting the Physical Components of RAS The physical components of RAS can be broken down into two sections: the physical hardware and the communication line. Windows 2000 provides several tools for troubleshooting computer hardware, including Device


www.sybex.com

564

Chapter 13


Manager, Event Viewer, and Phone And Modem Options in Control Panel. But before you move on to any of these tools, the first thing I recommend that you do in troubleshooting RAS is to carefully write down any error messages you receive. This often-neglected step will enable you to find the correct answer in Microsoft’s Knowledge Base. EXERCISE 13.1

Troubleshooting a Modem To troubleshoot a modem, use the following steps:

1. Choose Start Settings Control Panel to open Control Panel. 2. Double-click Phone And Modem Options to open the dialog shown in the following graphic.

3. Click the Modems tab. 4. Select the modem you want to troubleshoot, and click the Properties button.


www.sybex.com


565


5. In the modem Properties sheets, click the Diagnostics tab. This will open a dialog similar to the one shown here.

6. Click the Query Modem button. The test may take a few seconds. You will receive either a report similar to the one in the preceding graphic or an error message saying that Windows 2000 couldn’t communicate with the modem.

If you receive an error message from the modem diagnostics, you can try uninstalling the modem and reinstalling it. Another possibility is to check the Web site for the modem’s manufacturer to see if they have any white papers or software updates that will solve the problem. If these steps do not resolve the problem with the modem, you must proceed with hardware troubleshooting. It’s worth the try to remove all devices from the computer that are not absolutely required for operation. If the modem works under these conditions, then you can start adding one component at a time back to the computer until you discover which device is conflicting. Troubleshooting the communication lines can be little more difficult. The troubleshooting methods are indirect in nature. Of course, if you’re dealing with a normal analog phone line, you can simply plug in a telephone to see


www.sybex.com

566

Chapter 13


if the line is active. You can check a digital line with a digital phone. If the line outage is intermittent in nature, you may not be able to catch it in progress. Here the system event log will be helpful to you, as it records any intermittent failures that RAS detects. Another possible cause of intermittent line failures is faulty hardware in the computer. Always check the serial ports to see if they are functioning correctly and correctly configured in the system BIOS. If you have a multiport adapter, such as the DigiBoard, you can try running the system diagnostics software for the card. When you examine the system log for errors due to faulty hardware, you will see that the modem port in question will appear to be unused even during periods of high activity. If the faulty line is used for a virtual private network (VPN) connection, then you’re actually troubleshooting an Internet connection. The first and foremost cause of failure for a VPN is a failure in hostname resolution. Most VPN connections are established by hostname and require proper DNS name resolution. Follow standard DNS troubleshooting procedures if this turns out to be the case. Another possible cause for failure in a VPN is a firewall. If your RAS clients must connect to the VPN server through a firewall, check to ensure that the correct ports are open on the firewall server.

Verify RAS Configuration Troubleshooting RAS configuration must be done several different ways. The method used will depend upon the type of error that is being encountered. For instance, if the RAS client can dial in and appears to connect correctly but is still unable to access network resources, then you need to troubleshoot network connectivity issues. If the client computer can dial up successfully but never connects to the server, then you need to troubleshoot the client’s configuration. If none of the client computers can connect to the server, you need to troubleshoot the server’s configuration. Most often the troubleshooting you’ll need to do for RAS configuration will involve the client computer. The first step you should take in troubleshooting the client, after writing down any error messages received, is to check the event log. The system log will very likely assist you in your troubleshooting efforts. Once you’ve completed this step, verify the setup of the physical hardware. When you’re satisfied that the hardware is working correctly, move on to the logical setup of the connection. Verify that the Phone


www.sybex.com


567

Book entry is configured correctly for the type of server being dialed in to. Pay particular attention to the security settings for the Phone Book entry. You’ll often discover that the problem stems from a change that the user made in their configuration. If you are supporting a user in the field, this is where careful questioning of the person will help you out. If you approach the topic carefully and with some sensitivity, you’ll gain the cooperation of the user. Users can tell you what was changed and when. However, in my experience, most users know very well what they did but are afraid to tell you for fear that they will look stupid. This is why you need to be careful about how you ask the questions if you expect to gain their cooperation. To quickly determine whether the problem stems from a configuration error on the client computer, re-create the Phone Book entry for the server. If the newly created Phone Book entry works to connect to the remote access server, you’ll know that the original Phone Book entry was configured incorrectly. While RAS problems happen less frequently with the server, you do have better tools for troubleshooting from the server end. Of course, some rules remain the same. Always write down the error message you receive, as this will shorten your troubleshooting a great deal. Next, check the event logs for any events that may give you a clue as to what is happening when the clients dial in to the server. The final step that you can take is to trace remote access connections. RAS tracing is described in the following section.

Monitoring the Remote Access Service One of the most important jobs of the administrative staff is to monitor the health and well being of the servers. To assist you with that job, Microsoft has incorporated several different types of monitoring for the Remote Access Service (RAS). There are three basic types of monitoring for RAS that will be helpful to your troubleshooting efforts: the event logs, modem logging, and tracing RAS connections. The event logs are the first place you should check when troubleshooting an issue in Windows 2000. The system log will commonly contain information that will help you troubleshoot operating system components or hardware problems. Any problems regarding RAS will be listed in the system log. Windows 2000 is capable of automatically recording a log of all communications made from the computer to the modem during the connection. By


www.sybex.com

568

Chapter 13


default, Windows 2000 Professional has this logging enabled. On the Windows 2000 Server products, the logging must be enabled manually. EXERCISE 13.2

Enabling Modem Logging To enable modem logging for Windows 2000 Server, follow this procedure:

1. Open Control Panel and double-click Phone And Modem Options. This will open the Phone And Modem Options dialog.

2. Click the Modems tab, select the modem that you want to configure, and then click Properties.

3. In the Properties dialog box for the modem, click the Diagnostics tab. This will open the dialog shown in the following graphic.

4. To enable modem logging, check the Record A Log checkbox. Click OK to close the Properties. On Windows 2000 Professional, this option appears as Append To Log.


www.sybex.com


569

After enabling modem logging, when you want to view the modem log go back to the Diagnostics tab in the modem Properties dialog and click the View Log button. The modem log will display details of all modem activity and may be used to troubleshoot connections. The last type of monitoring available for RAS is to trace connections. Connection tracing collects very detailed information about the routing of packets from the RAS to the network interfaces on the computer. The information is so complex that it may be useful only to Microsoft support engineers. If you become very experienced with the routing of network traffic through a Windows 2000 computer, connection tracing may be useful in troubleshooting. However, tracing does consume a large amount of computer resources and so should not be left enabled for a long period of time. EXERCISE 13.3

Enabling Connection Tracing To enable connection tracing for RAS, use the following steps:

1. Open the Registry Editor by clicking Start Run and typing in REGEDT32.EXE.

2. Browse down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Tracing. Double-click the EnableFileTracing value to open the value editor. Enter a value of 1 to enable tracing; a value of 0 disables tracing. The default value is 0.

3. Browse down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Tracing. Double-click the FileDirectory value. Enter the path to the folder where you want to store the tracing information. The default value is %systemroot%\Tracing.

4. Browse down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Tracing. Double-click the FileTracingMask value. This value determines the amount of information gathered in the tracing process and is expressed as a hexadecimal value. The default is FFFF0000, which is the maximum amount of detail.


www.sybex.com

570

Chapter 13



5. Browse down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Tracing. Double-click the MaxFileSize value. This value sets the maximum size of the tracing log file. The default value is 65,536 bytes (64K). Of these values, only the first one really needs to be changed. The EnableFileTracing value determines whether tracing will be enabled on the server. The other three values can be left at their defaults without any problem. Always remember that connection tracing is very hard on system resources. Enable tracing when you need it for troubleshooting, but always remember to disable it immediately afterward. For this reason, I would leave tracing as the last option for monitoring RAS.

Troubleshooting Replication Problems



Resolve file and directory replication issues.

W

indows NT offered the Directory Replication service to assist us in moving files from one domain controller to another. This was used primarily for logon scripts and policy files. It was one of the more problematic services ever invented for Windows NT. It could be very cranky and difficult to configure initially, but once it was working, it tended to keep working indefinitely. Directory Replication in NT used an export computer to send the original versions of the files out to other computers that were designated as import computers.


www.sybex.com


571

Windows 2000 has several different requirements for file replication. We still need to replicate logon scripts and policy files, but there is also a need to replicate the Active Directory information and the data used by the Distributed File System (Dfs). To answer these needs, Windows 2000 includes the File Replication Service. FRS has several enhancements over the old Directory Replication service. These enhancements include: Multimaster replication Windows 2000 uses a multimaster replication model. This means that there is no single source for replicated information, but rather multiple sources for replicated data. FRS includes the ability to track changes being made by multiple replication masters. Site-aware clients All of the Active Directory clients have the ability to query DNS to locate servers hosting the Sysvol. These clients use this awareness to locate domain controllers and servers hosting Dfs resources. Scheduling capability Portions of FRS can be scheduled for available replication times and frequency of replication. Replication of all attributes FRS is able to replicate all of the attributes of files, including ACLs. This enhances the ability to create complete replicas of data on multiple servers while maintaining the security of the resources. While Active Directory replication and FRS are technically separate, Active Directory replication does depend on FRS to move several portions of its data. For example, the Sysvol stores portions of Active Directory’s Group Policy structures, and FRS is responsible for replicating the Sysvol. Just as the Sysvol is automatically created on every Windows 2000 domain controller, replication of the Sysvol using FRS is also enabled by default. When replicating the Sysvol objects, FRS will use the same connection objects as Active Directory replication uses. Therefore, FRS will also be affected by any scheduling you impose upon Active Directory replication connections.


www.sybex.com

572

Chapter 13


Because FRS practices multimaster replication, it can be difficult to determine where the originating copy came from. To test whether FRS is replicating correctly, create a sample file in the Sysvol named after the server where the file is placed. You can then verify that the other servers are receiving correct replication by checking for the test file in their Sysvol.

Replicating Dfs Dfs can be installed on nearly any Windows 2000 computer. The Dfs root folder can be hosted on any Windows 2000 Server. The Distributed File System enables Windows 2000 administrators to share resources from multiple servers as though they were located on a single server. Users can connect to the Dfs root and browse through a folder structure that appears to be one single hard drive, when actually the folders may be located on a variety of different servers. Dfs can be installed in stand-alone fashion on a Windows 2000 member server. A stand-alone Dfs root stores all of the topology information on that server and does not use Active Directory to replicate information. It can also be installed on a domain controller and its topology information stored in Active Directory. Once Dfs is integrated with Active Directory, information about the folder structure is replicated automatically as part of Active Directory. However, the data must be manually enabled for replication before it will be shared with other servers. You can enable it in the Dfs console. EXERCISE 13.4

Enabling Replication of Dfs Data To enable replication of Dfs data, use the following steps:

1. Open the Dfs console by clicking Start Programs Administrative Tools Distributed File System.


www.sybex.com


573


2. In the left pane of the Dfs console, right-click the Dfs link for the replica set and select Replication Policy from the context menu. This step assumes that you have already created a replica for a particular node in Dfs. The dialog shown in the following graphic will appear.

3. In the Replication Policy dialog, click the Enable button to turn on FRS for this replica.

There are a few instances when replication will not be an allowable option for a Dfs replica. In these cases, the shared folder will appear as N/A:

When the shared folder is located on a computer that does not have FRS installed

When the shared folder is located on an NTFS partition that has not been updated to NTFS version 5

When the shared folder uses a cluster name as part of its path

When the shared folder is located on a computer that is not a member of a Windows 2000 domain

When the shared folder is located on a computer in a domain that is inaccessible to the currently logged on user


www.sybex.com

574

Chapter 13


If you are trying to configure Dfs replication and the console will not permit you to establish replication, carefully check out these five possibilities. Typically, problems with Dfs replication stem from configuration more than any other issue. When dealing with possible conflicts in replicated data, FRS uses a “last writer wins” algorithm. That is to say that FRS checks the time stamp of the last change and decides that is the most recent information and writes that to the data. Because of this, if two users are modifying data in replicated folders at approximately the same time, one user’s changes may be lost. This brings up one more detail: checking your troubleshooting. If some users are having problems saving data in replicated folders, check the time set in their system clock. If the system time settings are being synchronized across the domain, this problem should never happen. However, if the time is not being synchronized, differences in system clock settings may cause confusion for FRS. It is possible during a migration to Windows 2000 that you will see file replication problems. This is likely due to the transition from directory replication to FRS. Directory replication was used to move logon scripts and User Policy files from the NetLogon directory on one server to the NetLogon directory on another server. Experienced Windows NT administrators may assume that this functionality is still present in Windows 2000 only to discover that their policy files and logon scripts are not being replicated. Windows 2000 does not support the directory replication that was used in Windows NT. This can create problems if you need to maintain a mixed environment of Windows 2000 and NT Servers. Please do not confuse this with mixed-mode operation in a domain. Mixed environment, in this case, means a Windows 2000 domain with a few Windows NT Servers that need to participate in file replication. To accomplish this, choose one of your Windows 2000 Servers to be a bridgehead for replication to the Windows NT Servers. You will then need to write a script that will copy the necessary files from the Windows 2000 Server to the correct folder on the Windows NT Server. The directory replication service on NT can then move the files from that NT Server to all of the other NT Servers. FRS will display its events in the system log. When troubleshooting FRS, check the system log to see if events are being filed for the staging directory that’s filling up. If this directory fills up, FRS will be unable to do its job correctly. Next, check the Services console in the Administrative Tools group to verify that FRS is started and correctly running. You’ll need to do this on all


www.sybex.com


575

computers involved in the replication issue. When checking the system log in Event Viewer, look to see if event number 13,508 is present. This event signifies an issue with RPC communication between servers. If this number is present, there could be a problem with the RPC services on either of the computers. Other events to watch out for include 13511, database is out of disk space, and 13522, staging directory is full. Verify that all computers in the replication pattern can communicate with one another. See if you can ping the other computers by name and by IP address. I have actually witnessed people troubleshooting replication issues only to discover that one of the computers is offline.

Replicating Active Directory Active Directory replication is another instance of multimaster replication in Windows 2000. In this case, the replication takes place between all domain controllers in the domain. There are two basic types of replicas of the Active Directory information: full replicas and partial replicas. Full replicas contain all three of the following partitions:

The schema partition contains all class and attribute definitions for the entire forest. There is only one schema directory partition for the forest.

The configuration partition contains replication configuration information for the entire forest. There is one configuration directory partition per forest.

The domain partition contains all objects that are stored within a single domain. There is one domain directory partition for each domain in the forest.

Every domain controller within a domain contains a full replica of the domain partition. Every domain controller within a forest contains a replica of the forest configuration and schema partitions. A partial replica contains only a subset of Active Directory information. The partial replica is set to Read Only and is stored only on a global catalog server. On any given domain controller, a single Active Directory database stores copies of the objects that belong to that domain only, in addition to copies of the schema in the configuration objects that apply to every domain in the forest. If the domain controller is also a global catalog server, the database


www.sybex.com

576

Chapter 13


will also contain a partial replica of directory partition objects for every domain within the forest. The partial replica is stored on global catalog servers to facilitate searches of Active Directory. The components of the Active Directory replication model include: Multimaster loose consistency with convergence Isn’t that a wonderful statement to memorize? Multimaster refers to the fact that Windows 2000 has multiple sources of replicated information instead of a single authority. Any single domain controller can be modified and will then replicate that modification to all other domain controllers within the domain. Loose consistency refers to the fact that replicas are not guaranteed to be consistent with each other at any given point in time. Convergence is a little harder to explain. Convergence means that if no changes are made for a period of time and the domain controllers are allowed to become stable, then all replicas of Active Directory will converge on a single given version. Store and forward replication Store and forward replication refers to the pattern of replication within a Windows 2000 network. Windows 2000 domain controllers replicate changes in Active Directory to only a few domain controllers. Those domain controllers then pass on the information to other domain controllers. This pattern continues until the changes have been replicated to every domain controller within the domain. Pull replication In the Windows 2000 replication model, domain controllers request changes from the replication partners, or “pull” the changes down from their replication partners. State-based replication Windows 2000 does not store a full change log for the Active Directory replication. Instead, each Active Directory partition stores per-object and per-attribute data for the replication. Windows 2000 automatically builds the replication topology for Active Directory. It does this by using the Knowledge Consistency Checker (KCC). The KCC is the built-in Windows 2000 process that runs on every domain controller and automatically creates the replication topology for the entire forest. If you have more than one site, the KCC also creates site links. The KCC takes care of replication topology automatically, thus relieving you from having to manually set up the replication links.


www.sybex.com


577

There are several errors you may encounter in Active Directory replication. To fix many of the common problems, use the Active Directory Sites and Services console. Some in the common problems in Active Directory replication include:

Replication does not complete. This would be more commonly seen in multisite Active Directory environments. The problems are commonly caused by some sites not being connected to other sites and the network. You can correct this in the Active Directory Sites and Services console by creating a site link from the current site to another site that is connected with the rest of the network.

Replication is slow. This can happen when your sites are connected in a daisy-chain pattern. That is to say, the directory replication information must travel through each site in turn to reach the other end of the network. Site link scheduling can add to this problem if the site links are available only at off-hours or at longer than normal intervals.

Replication causes an increase in network traffic. This one may be difficult to fix, since it points to the fact that your network may not be capable of handling the network traffic that is present. You may need to investigate segmenting your network further with additional routers, increasing the throughput of the network by going to a faster network medium, or reducing network load. As a temporary fix, use Active Directory Sites and Services to adjust the scheduling on site links so that the replication can occur during off-hours.

Replication clients receive a slow response from other servers. This could point to name-resolution issues with DNS, or more likely some of these replication clients have to authenticate across a slow WAN link. This is another case where examining your site-links topology may lead to an answer. You may be able to create additional site links to alleviate some of the authentication issues, or you may need to surrender to the inevitable and get a faster WAN link.

The KCC is unable to complete the topology for given server. The KCC locates all domain controllers by querying DNS and looking for SRV records, which indicate network services that are important to the domain. If the SRV records are missing for a domain controller, then that domain controller may not be added to the replication topology.


www.sybex.com

578

Chapter 13


Some of the practices you can use to avoid problems with Active Directory replication include:

Schedule Active Directory replication across site links for times when traffic is light. This will help to alleviate the burden on the network that is caused by Active Directory replication.

Place at least one domain controller in every physical site throughout your forest. This will help to ensure that no clients will have to go across a WAN link in order to find the server for authentication.

Install at least one DNS server in every physical site. DNS is critical to Windows 2000 networks. You may be getting tired of me saying that, but it really is important. Windows 2000 computers use DNS to locate the domain controllers and the catalog servers.

Place a global catalog server in every physical site. Universal groups are stored only on global catalog servers. If a client computer is unable to contact the global catalog server to retrieve universal group membership information, the user will be unable to log on to the domain. Having a global catalog server in the site ensures that the client will have ready access to universal group information.

Fixing Network Services



Resolve network service issues, including DHCP, WINS, and DNS.

P

erhaps the most important troubleshooting you’ll ever perform in the Windows 2000 environment will concern the network services that provide the fundamental structure of the network. We’ll examine in this section the three major network services that provide support for a Windows 2000 network: the Dynamic Host Configuration Protocol (DHCP), the Windows Internet Name Service (WINS), and the Domain Name System (DNS).


www.sybex.com


579

Our troubleshooting perspective in this chapter focuses primarily on fixing the server end of the process. Troubleshooting that can be done from the client perspective was covered in Chapter 12. All three of these services were known in Windows NT networks, but each of them has received new enhancements with Windows 2000. When troubleshooting network services, it’s useful to understand where to find the configuration information for each service. Services and devices are no longer controlled from Control Panel, but rather from the Services console in the Administrative Tools group. Figure 13.3 shows the Services console. FIGURE 13.3

The Services console give you access to all Windows 2000 services configurations.

The basic information you can gather from the Services console includes: Name The display name of the Windows 2000 service. Description This is a new feature with Windows 2000. The description gives you a fairly good idea of what the service does for Windows 2000.


www.sybex.com

580

Chapter 13


Status There are only two options. The Status column will either be blank if the service is not running or it will say Started to indicate that the service is currently running. Startup Type This value indicates when the service should be started in the Windows 2000 boot process. Values include Automatic, Manual, and Disabled. Log On As Many Windows 2000 services require that they log on as a user account. This column displays the account credentials used by the service at startup. When you want to modify the properties of a service, simply doubleclick the Services entry in the Services console. The Properties dialog for any given service offers tabs that allow you to enter the information to control how the service will behave. Figure 13.4 shows the properties for the DNS Server service. FIGURE 13.4

The Properties sheets for the DNS Server service

The Properties sheets for a given service have some very nice capabilities. Let’s look at the tabs of the Server Properties: General tab The General tab allows you to modify properties such as the display name of the service, its description, and its startup type. One


www.sybex.com


581

of the features that I really like about the General tab is the buttons for starting or stopping the service. Log On tab The Log On tab allows you to determine which account the service will use to log on to the server during startup. You can choose to have it log on as the local system account, in which case it will run under the credentials of the system, or you can specify a particular user account. Be very careful about the password that you supply for the account as this dialog will not go out and verify the password for you. The Log On tab also allows you to enable or disable the service for a particular hardware profile. Recovery tab You can use the Recovery tab to specify what action the operating system should take if the service fails for any reason. You can select Run A File, in which case if the service fails, it will kick off a particular file that you specify. A nice option that is included here is the ability to have the service automatically restart if it fails. Dependencies tab The final tab of the four enables you to determine which other services must be loaded before the service can start successfully. This is useful for troubleshooting if a particular service does not start and saves you the time of looking in the Registry.

DHCP I like to tell my students that the Dynamic Host Configuration Protocol is the best thing since sliced bread. DHCP enables an administrator to distribute nearly all of the TCP/IP configuration information that is useful in their network dynamically from a single server. This spares your support staff from having to go around and touch every client workstation to configure TCP/IP networking. TCP/IP can be a very difficult protocol to configure. Instead of a group of people having to manually configure every computer on your network, one person can set up the DHCP server to hand out all of the configurations for every computer. Two main aspects of DHCP have changed with Windows 2000. The first is that all DHCP servers in an Active Directory environment must be authorized in Active Directory before they will be permitted to hand out client leases. This is to prevent rogue DHCP servers from handing out bad addresses on the network. The second change in DHCP is its participation in dynamic DNS. The process by which dynamic DNS works depends upon the participation of the DHCP server that is handing out client leases. By default, when the DHCP


www.sybex.com

582

Chapter 13


server issues the client lease, it notifies the DNS server of the reverse lookup information. The DHCP client is then responsible for notifying the DNS server of the forward lookup information. The DHCP service in Windows 2000 can be configured to create both portions of the dynamic DNS entries. EXERCISE 13.5

Authorizing a DHCP Server To authorize the new DHCP server in an Active Directory environment, use the following steps:

1. Open the DHCP console by clicking Start Programs Administrative Tools DHCP. This should open up a window similar to the one shown in the following graphic.

2. In the left pane of the DHCP console, right-click the name of the server you wish to authorize. Select Authorize from the context menu. Authorization will normally take a minute or two.

3. Press the F5 key to refresh the view. When the authorization process is complete, the icon for the server will show a green arrow pointed outward. This signifies that the server is authorized and active.


www.sybex.com


583

Authorization of DHCP servers will be a common issue during migrations to Windows 2000; I believe it will also be a question that appears frequently on the exams. If you’re troubleshooting dynamic DNS and want to find out why some clients are not being registered correctly, you’ll want to check the DNS configuration of your DHCP Server service. These properties are set at the DHCP server level and apply to every scope within the DHCP server. To modify these properties, simply right-click the entry for the DHCP server in the left pane of the DHCP console and select Properties from the context menu. The DNS tab, as shown in Figure 13.5, enables you to set the properties for dynamic DNS updates. FIGURE 13.5

The DNS tab of the DHCP server Properties dialog

On this tab, you can determine the behavior of your DHCP server when updating dynamic DNS entries. By default, DHCP will only inform the DNS server of an inverse query for clients that request the service. You can select the option to always update DNS for every DHCP lease it has handed out. You can also determine whether the DHCP server will enter only inverse query information or if it will update both the forward and inverse lookup. There is one last consideration for troubleshooting DHCP. DHCP is based upon the BootP (Bootstrap Protocol) and is broadcast based on the initial lease acquisition. Because routers normally are configured to block the


www.sybex.com

584

Chapter 13


propagation of broadcast traffic, you must be certain that the router will allow the DHCP broadcast to propagate. Depending on the router operating system, you may see this option listed either as BootP propagation or as RFC 1542 compliance. If the routers on your network are either unable to propagate BootP packets or not configured to do so, you must find another way for your clients to contact DHCP servers. There are two possible solutions to this situation. The first involves the use of the DHCP relay agent to listen for DHCP client broadcasts and act as a proxy on the client’s behalf to directly contact the DHCP server. The second solution is to place the DHCP server on every subnet of your network.

WINS The Windows Internet Name Service is a dynamic database that stores NetBIOS-name-to-IP-address resolutions. WINS is no longer truly required for network communication in Windows 2000. However, it is still provided with Windows 2000 Server products in order to support backward compatibility. Windows 9x and Windows NT clients depend on NetBIOS name resolution to communicate. WINS provides them with this service. Here’s a tip for running WINS on a Windows NT Server that will help in your troubleshooting. There is a little-documented problem with WINS on Windows NT that can cause many of the issues that you’ll ever see with WINS. The problem concerns the configuration of the primary and secondary WINS servers in the TCP/IP properties of the WINS server itself. To prevent problems, enter the WINS server’s IP address in both the primary and secondary WINS server configuration. This means that if the WINS server’s IP address is 10.1.0.5, you would configure the properties so that the primary WINS server address is 10.1.0.5 and the secondary WINS server address is also 10.1.0.5. This will alleviate most of the problems with the WINS server. Windows 2000 does not seem to be prone to this “ undocumented feature.” In fact, a Windows 2000 computer only needs to be configured with the address of one WINS server in order to be a WINS client. One of the enhancements of WINS in Windows 2000 is that the client can be configured with as many as 12 different WINS server addresses for greater redundancy. Some of the ways you can recognize a problem with the WINS server would be error messages stating that the RPC server is unavailable, or that


www.sybex.com


585

the TCP/IP NetBIOS helpers service on the WINS client is down and cannot be started, or that WINS itself is down and cannot be started. When you suspect that you are experiencing the WINS issue, you should first verify that WINS is actually running on the server and that the client can connect to the server. If the service is not running, try to start it. If WINS still refuses to start, the database may be corrupted. WINS normally maintains a backup of the WINS database at all times and will restore it automatically when the service starts. Although the restoration of a backup copy of the database will happen automatically if WINS detects corruption in the primary database, I have seen occasions where this failed. The WINS database is a Jet database entitled WINS.mdb located in the systemroot\system32\WINS folder. If you suspect that the database has become corrupt, or simply that it is becoming fragmented and performing poorly, you can compact the database to restore performance. The utility for this is called jetpack.exe. To compact the WINS.mdb file, type this command at the command prompt: jetpack WINS.mdb temp.mdb. Here are some other common problems you may encounter with WINS, along with their solutions: Network path not found If you’re trying to connect to another computer and WINS does not have a name resolution for the computer, it could be that the destination computer is not a WINS client. Possible solutions for this situation include enabling the computer as a WINS client or adding a static mapping for the destination computer in the WINS database. Unable to replicate If two or more WINS servers are unable to replicate their database information, you must check the replication configuration on each of the WINS servers. Typically, replication issues stem from configuration mistakes and sometimes from network-connectivity problems. Duplicate name errors Supposedly, WINS servers prevent duplicate entries from occurring. However, duplicate names can occasionally occur if one of them is a static entry in the WINS database. To troubleshoot this problem, you’ll need to look in the WINS database for the name that generated the error to see if more than one computer is registered for that name. If so, and one of them is a static entry, delete the static entry to resolve the problem.


www.sybex.com

586

Chapter 13


DNS The Domain Name System is a server-based method of resolving hostnames to IP addresses. As I have mentioned many times throughout this book, DNS is of critical importance to the success of an Active Directory network. Troubleshooting DNS is an art form in itself. I could probably spend several chapters discussing all of the issues you would need to cover to fully troubleshoot every aspect of DNS. Instead, I’ll just mention some rather common issues you might encounter with Windows 2000 and DNS: Event ID 7062 When this event appears in the system log, it signifies that the DNS server has sent a packet of information to itself. Normally, this is caused by a misconfiguration of the server. Typical causes of this problem are that the DNS server lists itself as a forwarder or that it contains secondary zones that list it as the master. Another possible cause would be if the server contains a primary zone that lists the server in the notify records. Zone transfers to BIND are slow The DNS server in Windows 2000 supports fast zone transfers. A fast zone transfer means that records will be compressed and that each message sent to another DNS server will contain multiple records. This enables a much faster transfer of zone information between servers. The problem is that older versions of the Berkeley Internet Name Daemon (BIND) do not support fast zone transfers. Normally, Windows 2000 installs DNS with fast zone transfers disabled by default. If you have enabled fast zone transfers and you have BIND 4.9.4 servers or older on the network, the BIND servers may have great difficulty handling the fast zone transfers. If this occurs, you’ll need to disable fast zone transfers on the Windows 2000 DNS servers. Default servers are not available When troubleshooting DNS with NSLookup, you may receive an error message that the default servers are not available when you start the command. This problem occurs when NSLookup cannot find the PTR record for the DNS server. NSLookup always performs an inverse query for the DNS server’s record when it opens its interactive mode. If you receive a message that the default server is not available, you should check your inverse lookup zone to make sure that there is a PTR record for the DNS server. DNS server returns incorrect data Traditionally, DNS zone files have been manually configured. If your DNS server returns the incorrect IP address for the hostname, it is possible that you made a mistake when you


www.sybex.com

Summary

587

configured the entry in the DNS console. This problem should never occur with dynamically created DNS entries, since the DHCP server that assigns the IP address entered the resolution information and DNS directly. Dynamic updates to DNS can also be problematic at times. A new command switch for IPConfig is /registerdns. This switch forces a Windows 2000 computer to renew its dynamic information in DNS. It may take a few minutes for this update to take effect, but I have seen it solve many problems in the classroom or production environment. If other computers are having difficulty connecting to your Windows 2000 server, type IPConfig /registerdns at the command prompt.

Summary

In this chapter, you learned how to troubleshoot network services in a Windows 2000 environment. We began by examining the name-resolution process using both hostnames and NetBIOS names. You learned the default order of name resolution using both types of names in Windows 2000. We discussed some other common troubleshooting methods to use when dealing with name-resolution issues. Then you learned how to troubleshoot remote-access issues in Windows 2000. We discussed some of the included tools for troubleshooting RAS hardware and software configurations. We also looked at some of the monitoring options for testing the health and stability of the RAS server, and we discussed logging options for the service. You learned about the role that the File Replication Service plays in a Windows 2000 domain. FRS plays an important part in replicating portions of Active Directory to all domain controllers in the domain. It can also be used to replicate topology information for Dfs. We discussed some other common issues you may encounter when troubleshooting the major network services in Windows 2000. We examined the Dynamic Host Configuration Protocol and its role in Windows 2000. Then we looked at how WINS still plays a role in Windows 2000 and some of the troubleshooting you may have to do with it. Finally, we spent time looking at the Domain Name System, including some of the common issues for DNS in Windows 2000 and their solutions.


www.sybex.com

588

Chapter 13


Key Terms Before you take the exam, be sure you are familiar with the following terms: Fully Qualified Domain Name (FQDN) Hosts LMHosts localhost multi-homed


www.sybex.com

Review Questions

589

Review Questions 1. What is the default method of name resolution for Windows 2000? A. WINS B. NetBIOS C. DNS D. LMHosts 2. Rob wants to display the entire list of mail exchanger records for the

coolcompany.local domain. Which of the following commands will do this? A. In NSLookup interactive mode, type ls -t MX coolcompany.local. B. In NSLookup interactive mode, type list -type MX coolcompany

.local. C. Type NSLookup ls -t MX coolcompany.local. D. In NSLookup list, type MX coolcompany.local. 3. What is the first method Windows 2000 uses to resolve a NetBIOS name? A. WINS B. LMHosts C. Name cache D. Hosts


www.sybex.com

590

Chapter 13


4. Rachel is trying to enable her Windows 2000 Professional computer

to browse remote subnets. There are no WINS servers on the network, so she decides to use an LMHosts file. Which command in the LMHosts file would help her computer locate the browse lists for the remote subnets? A. IP_address

computername

#PRE

B. IP_address

computername

#DOM:domain_name

C. IP_address

computername

#PRE

D. IP_address

computername

#MH

#BROWSE

5. Ted has recently used Notepad to edit his Hosts file. He saved it care-

fully as Unicode in the Systemroot\system32\drivers\etc folder, but Windows 2000 ignores his changes to the file. Why? A. The file should be located in the Systemroot\system folder

instead. B. He saved the file as Unicode. C. He should have used WordPad to edit the file. D. He should have named the file Host instead of Hosts. 6. What is the first method that Windows 2000 uses to resolve a hostname? A. WINS B. DNS C. Hosts D. Local hostname 7. Which of the following is a fully qualified domain name? A. dogbert.coolcompany.local B. hannibal.coolcompany.local. C. buffy.research.coolcompany.local D. [email protected]


www.sybex.com

Review Questions

591

8. David thinks he is having problems with his modem. He is unable to

dial out to his ISP. Where in Windows 2000 can he check to see if the modem is working? A. On the Diagnostics tab of the modem Properties sheet in Phone

And Modem Options B. On the Diagnostics tab of the modem Properties sheet in Device

Manager C. On the Advanced tab of the modem Properties sheet in Phone And

Modem Options D. On the Advanced tab of the modem Properties sheet in Device

Manager 9. Lisa thinks that the File Replication Service is broken on her Win-

dows 2000 Server. What is a simple way to test FRS to see if it is broken? A. Use the Performance Monitor FRS::Files/Minute counter. B. Use the frstest.exe command at the command prompt. C. Create a test file named after her server and place it in the Sysvol

folder to see if it replicates. D. Use the FRS Manager console to monitor the service. 10. You are unable to set up your Windows 2000 computer as an Import

computer to receive file replication from your Windows NT Server. What do you suspect is the problem? A. Windows 2000 cannot participate in NT directory replication. B. Windows 2000 must be the Export computer. C. You need to change the DirectoryReplica setting in the Registry. D. You need to install Dfs first.


www.sybex.com

592

Chapter 13


11. Recently you discovered that one of your network services is failing to

start. Upon investigating the matter in Event Viewer, you discover that the service is failing to log on when it starts. Where can you change the logon account for the service? A. Services in Control Panel B. The Services Console in Administrative Tools C. User Manager for Domains D. Active Directory Users and Computers 12. You are monitoring the logs on your firewall server at work. You

notice that a particular IP address has been attempting to access your network on a blocked port. What command can you use to determine the hostname and domain name for the offender? A. NSLookup -t IP_Address B. NSLookup -hacker IP_Address C. NSLookup IP_Address D. NSLookup -reverse IP_Address 13. Several people on your network have reported that they cannot con-

nect to a server using the NetBIOS name. They are configured as WINS clients. You use Network Monitor and discover that the WINS server is responding with an incorrect address. What should you check? A. Check the IP configuration of the WINS server. B. Check WINS replication. C. Look for a static entry in the WINS database. D. Check for a rogue WINS server that may be replicating bad

information.


www.sybex.com

Review Questions

593

14. You have a user on your network who reports that he is unable to

access the network after moving his computer. Routers separate your network, and there is a DHCP server located on another subnet. Which of the following problems could cause this? (Choose all that apply.) A. His network cable is unplugged from the hub. B. The routers are blocking the DHCP broadcasts. C. The DHCP server is offline. D. The DHCP server has run out of addresses. 15. How can you quickly determine whether a user’s Phone Book connec-

tion is the cause of his inability to dial out to his ISP? A. Create another Phone Book entry for the ISP. B. Click the Reset Defaults button in the Phone Book Properties. C. Dial the ISP from your computer. D. You can’t. You will have to reinstall RRAS. 16. Where do you enable logging for your modem sessions? A. In the Routing and Remote Access console B. In the Properties for the Phone Book connection C. On the Diagnostics tab of the modem’s Properties D. In the Windows 2000 Registry 17. How do you enable connection tracing in Windows 2000 to trouble-

shoot RAS communications? A. In the Routing and Remote Access console B. In the Properties for the Phone Book connection C. On the Diagnostics tab of the modem’s Properties D. In the Windows 2000 Registry


www.sybex.com

594

Chapter 13


18. You are concerned about the amount of traffic generated by the File

Replication Service across a WAN link between sites. How can you configure FRS to have less of an impact on bandwidth? A. Schedule replication to occur during peak hours only. B. Schedule replication to occur during off-peak hours only. C. Set the frequency of replication to a higher value. D. Set the frequency of replication to a lower value. 19. Which component in Windows 2000 creates the Active Directory rep-

lication topology? A. FRS B. KCC C. KFC D. RRAS 20. Ted has recently used Notepad to edit his LMHosts.sam file. He saved

it carefully in the Systemroot\system32\drivers\etc folder, but Windows 2000 ignores his changes to the file. Why? A. The file should be located in the Systemroot\system folder

instead. B. The file was saved as Unicode. C. Ted should have used WordPad to edit the file. D. He should have named the file LMHosts instead of LMHosts.sam.


www.sybex.com


595

Answers to Review Questions 1. C. Windows 2000 uses the Domain Name System (DNS) by default.

Active Directory requires the presence of DNS on the network. 2. A. The ls -t command within NSLookup interactive mode works

well to display all of the records of a given type. 3. C. The first thing that Windows 2000 checks for a NetBIOS name

resolution is the NetBIOS name cache. 4. B. Domain controllers always act as at least a backup browser for

their subnet. By loading the entries for the domain controllers located on the remote subnets, she can browse those subnets. 5. B. Windows 2000 requires that the Hosts file be saved as plain ASCII

text, with no file extension. Unicode text store each character using two bytes, instead of the single byte used by ASCII. 6. D. Windows 2000 checks its own hostname first before going any fur-

ther to resolve hostnames. 7. B. A fully qualified domain name (FQDN) has a hostname, a domain,

and a dot at the end to signify the root of the Internet. 8. A. You can use the Query Modem button on the Diagnostics tab of

the modem Properties sheet to see if Windows 2000 recognizes the modem and can communicate with it. 9. C. Placing a sample file in the Sysvol folder to be replicated is a simple

way to test FRS. The file should be named after the originating server because Windows 2000 uses multimaster replication. 10. A. The File Replication Service and the Directory Replication service

are incompatible. NT and Windows 2000 cannot share the same replication path.


www.sybex.com

596

Chapter 13


11. B. Open the Properties for the service in the Services console and use the

Log On tab to set the correct user credentials for the service. 12. C. Use NSLookup to query by IP address. This command will perform

an inverse lookup and return the FQDN associated with that IP address if there is one. 13. C. The most likely cause is a static entry in the WINS database with an

incorrect mapping for the server. Locate the static entry and either correct it or delete it. 14. A, B, C, D. All of these scenarios are possible and should be investi-

gated. The first one that you should investigate is whether his network cable is plugged in. 15. A. The easiest way to see if incorrect settings or a corrupted setting

have caused the problem is to create another connection to the ISP. 16. C. Click the Record A Log checkbox on the Diagnostics tab to turn on

modem logging. 17. D. Connection tracing can be enabled only through the Windows 2000

Registry. It places a heavy drain on system resources and should be disabled immediately after troubleshooting. 18. B. The File Replication Service is subject to the same constraints as

Active Directory replication between sites and can be scheduled for more efficiency. 19. B. The Knowledge Consistency Checker (KCC) creates the replication

topology for Active Directory. It also configures the site links for the highest efficiency. 20. B. Windows 2000 requires that the LMHosts file be saved as plain

ASCII text, with no file extension. Unicode text store each character using two bytes, instead of the single byte used by ASCII. In this case, Ted most likely forgot to change the file extension.


www.sybex.com

Chapter

14

Troubleshooting Application Failures MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Troubleshoot application failures for all types of migrations.

Resolve incompatibility issues.

Resolve issues associated with hard-coded account information in third-party applications.


www.sybex.com

I

n this chapter, you will learn how to troubleshoot application failures. To accomplish this, we will discuss application-compatibility testing in the Windows 2000 environment and show how to avoid application failures by assessing compatibility before the applications are installed. We’ll start by examining the process of testing application compatibility. By the end of this section, you’ll be able to identify the various certified compatibility levels that Microsoft guarantees for Windows 2000. Next you’ll learn how to resolve incompatibilities that may arise with particular applications. These will include commercial applications as well as line of business applications that may have been developed internally in your organization. We’ll explain how to obtain and apply compatibility patches for Windows 2000. Then we’ll show you where to find more information regarding application compatibility. We’ll also discuss how to resolve connectivity issues between applications and a Windows 2000 network environment. This would involve mostly applications written for Windows networking that depend upon NetBIOS to make network connections. Finally, we’ll discuss how to resolve issues caused by hard-coded information in your application.


www.sybex.com

Testing Application Compatibility

599



Troubleshoot application failures for all types of migrations. Resolve incompatibility issues.

I

would love to be able to tell you that Windows 2000 supports applications without any problems whatsoever. But unfortunately, that just isn’t true. During the beta process, Windows 2000 had difficulties supporting even major Microsoft Server applications like Exchange Server. With the release products, I’ve seen fewer application support issues. Still, Windows 2000 has incorporated some newer technologies, which means that some applications may not run correctly on the new operating system. The only way to know for sure is to thoroughly test the applications you will be using. Let’s look at several steps that you must include in a thorough testing process:

Prioritize the applications used in your organization. Use this process to identify the applications that are important to connecting your business. This helps you to define which applications are critical to run on Windows 2000 and which can be tolerated if they will not run correctly.

Develop a testing methodology. Identify a precise process for conducting tests on an individual application.

Allocate resources for testing, hardware, software, and personnel to perform the testing. Determine whether you will be outfitting a complete test lab or setting up a test group of users with the applications on the operating system in a live environment.

Create a project schedule for the testing. Keeping the testing on track is important for meeting the ultimate rollout plans. I have yet to see a rollout go completely on schedule without the constant attention of the project manager.


www.sybex.com

600

Chapter 14

Troubleshooting Application Failures

Document the test plan. Create a document that fully identifies your testing methodology, your testing schedule, and the dependencies of one test group upon another.

Acquire a test-tracking-and-reporting system. Whether you purchase an off-the-shelf solution or develop an internal database, tracking the progress of the testing and being able to draw reports from that information is very important.

Obtain the public endorsement of management for the testing process. This is an important step that many new project managers miss. Having the publicly visible support of management completes a transfer of power from management to the project manager. This helps the project manager to get the cooperation of all people involved in the project.

Track the testing progress. Periodically report progress to management, testing teams, support staff, and application vendors. The visibility of your testing project is important to its success. If the various members of your testing team know that other people are working on the testing, they will feel more inspired to complete their portions of the task. Ensuring that management knows the status of your project will guarantee their continued support for the project. Keeping the support staff and vendors involved means that you’ll have their support if any software solutions are required.

Throughout your testing project, make certain that you stay in touch with the vendors of your applications. It’s very likely that they are also resolving any compatibility issues that may exist with Windows 2000. From time to time, this may include the release of software patches to ensure compatibility. One bit of advice I would give you before we go any further: Maintain software standards. If you can develop standard software configurations, or images, for your organization, it will simplify the testing and troubleshooting that needs to be done while migrating to Windows 2000. I have experienced several different migrations, but two of them stand out in my mind. During the first migration, no standard images of software were enforced. The consulting firm I worked for was rolling out Windows NT to approximately 200 computers. Every time we came to a milestone for the software testing, one of the test groups would insist on adding another application to the image. The planning for this rollout of Windows NT extended over a year and a half, and when I left the consulting firm, they were still working on the project. The other project I had an opportunity to observe was to roll


www.sybex.com


601

out Windows NT to an environment of over 100,000 computers. In this project, software standards were rigorously tested and enforced. The rollout, including the testing and planning phases, took just over six months. Anytime you manage a project, you will run into a situation that project managers refer to as “scope creep.” This means that every time the project nears completion, someone will add a new feature to the project scope. A project scope that creeps upwards will never complete on time.

Identifying Applications This first step is very important for developing a standardized software image for your company. A couple of procedures for gathering this information are possible. The first is a manual process, where people provide you with the information about the software they are running on their computers. It is important to talk to the people actually doing the work in various departments of the organization, since they can give you a first-hand perspective of what is required for the job. The other possibility is to automate this process. Microsoft would of course like to recommend their Systems Management Server (SMS) for the role of software inventory. On the exam, this would make an excellent choice. In the real world, however, I find that this alternative depends on the size of the organization. A large organization is likely to already be using SMS or something similar to maintain an automated software inventory. A smaller company may not have the systems staff available to maintain SMS properly. You may find it necessary to create several different software images for the organization. It’s very possible that each department or job type requires a specific software image. Keep this possibility in mind as you do your software inventory. Here is a partial list of information to obtain during the software inventory:

Application name, version number, and any revisions or patches that need to be applied.

Manufacturer of the application.

Current status of the application. For instance, is the application currently in production use? Or is the application in development?

Current hardware platforms for the application. Be sure to also track any specific hardware requirements of the application.


www.sybex.com

602

Chapter 14


Description of the software. Is the software client/server based? If so, which components reside on the client, and which components reside on the server?

Network location of the application. If the application is Web-based, list the URLs of the servers and any specific pages or scripts required. If the application is server-based, make sure you have the UNC paths for the server locations.

Requirements for software installation. Does the software require specific security settings? Does the software require a specific path on the server or the local computer? Does the person who performs the installation require specific system privileges?

Contact names and phone numbers of vendors or the persons responsible for the software.

Simplifying the Software Environment Just as it is beneficial to have a standard software image for your organization, it’s also beneficial to keep that image as simple and straightforward as possible. One observation I have made in every network environment where I have worked is that users always have more software on their computers than they require to perform their job. Asking a user which software on their computer they really need may not give you the correct information. You might get a better idea by finding out how the software is used and then creating a sample software image in your test lab. If that sample software image can be used to perform the person’s job and nothing is missing, then the image is correct. Whatever applications you install, you can find very useful information during the installation, such as the name, size, and date stamp of the files that are installed. You should also keep track of where the files are installed and make note of any Registry settings that the program makes. It is probably best to gather this information in the lab setting where it will be easy to track any changes to a test system. Be careful to watch for redundant software applications. Often, users will have two or three different programs to perform the same task. You can simplify your support environment by limiting the number of applications that are installed to one or two specific types. This problem can take on many forms. The most common form that I have seen is a single application with multiple versions installed on the network. Another case would


www.sybex.com


603

be having multiple word processors installed because each department in your organization has its own preference as to which brand to use. Simplifying your environment by setting software standards is very beneficial to your troubleshooting. You can lower support costs and increase the expertise of your support staff if they have fewer applications to support.

Verifying Application Compatibility One of the best ways to begin testing applications is by using the Readiness Analyzer from Microsoft. The Readiness Analyzer is available as a separate download from Microsoft’s Web site, or it can be run as part of the Setup program for Windows 2000. The Readiness Analyzer is useful mostly for commercial applications and for some hardware issues. I’ve found as a general rule that applications that ran under Windows NT will run under Windows 2000, although this is not always true. There have been enough significant changes in the Windows 2000 architecture that some Windows NT applications will not behave correctly on Windows 2000. But in general, most of them will run just fine. You can download any of the three versions of the Readiness Analyzer as a separate stand-alone program (chkupgrd.exe) from http://www.microsoft.com /WINDOWS2000/downloads/deployment/readiness/default.asp. The Readiness Analyzer can perform a fairly thorough check of your computer for both hardware and software compatibility issues. This program has been able to notify me of possible compatibility problems and in many cases recommend a course of action that will resolve the issue either before or after the upgrade to Windows 2000. EXERCISE 14.1

Using the Readiness Analyzer To use the Readiness Analyzer, follow these steps:

1. Browse to the folder where you stored the chkupgrd.exe file after downloading it from Microsoft’s Web site. Double-click the file to start it.


www.sybex.com

604

Chapter 14



2. Read through the License Agreement and click Yes to signify that you agree to its terms. The program is licensed for a 90-day period, which should be sufficient for any compatibility testing you need to perform. The program will then extract its files to begin.

3. The program will run without intervention and compile a report of compatibility information. The following graphic shows the Readiness Analyzer as it runs.

The report generated by the Readiness Analyzer is entitled either Upgrade.txt (on Windows 9x) or Winnt32.log (on Windows NT) and is a plain ASCII text file located in the root of your operating system folders. In the report, you will find sections for hardware, software, and any general compatibility issues. As I mentioned, the Readiness Analyzer is also available to be run as part of the Windows 2000 Setup program. If you start an upgrade within an earlier version of Windows NT or Windows 9x, the Readiness Analyzer will be run automatically in the background as part of the upgrade process. You will receive notification of any problems it detects and will be prompted whether to continue with the upgrade or not. If there are no problems, it won’t interrupt the upgrade process.


www.sybex.com


605

The other way to access the Readiness Analyzer is to use the Winnt32 /checkupgradeonly command. This command will start the program just as if you were running the stand-alone version downloaded from Microsoft. The only difference is in how the program is started; everything else will run the same and generate the same report. Microsoft assists in your evaluation of application compatibility by establishing standards for compatibility certification. The Windows 2000 Application Specification defines various levels of software support under Windows 2000. There are four Application Levels: Certified Means that the application meets every requirement for compatibility and that it has been tested both by Microsoft and an independent test laboratory. This is the highest level of certification an application can achieve. Ready Indicates that the Independent Software Vendor (ISV) has performed Windows 2000 compatibility testing and certifies that the application will run correctly on Windows 2000. The ISV also promises to provide support for their application on Windows 2000. Planned Means that the ISV intends to provide support for Windows 2000 in a future release of the application. Caution Means that you may very well encounter problems with this application on Windows 2000. In this case, there is most likely a known issue that is documented and that probably has a workaround or solution available. Microsoft also makes your decisions easier from the standpoint of software compatibility by providing the Software Compatibility List (SCL) on their Web site. The SCL is a browsable database of tested applications and their compatibility with Windows 2000. The Software Compatibility List is available at: http://www.microsoft.com/windows2000/upgrade/compat /search/software.asp. This list is a great resource for checking application compatibility and should make your testing somewhat easier. The database is updated at least once a week and should contain fairly current information regarding new applications. By recognizing these certification levels, you will be better prepared to deploy applications for your Windows 2000 network.


www.sybex.com

606

Chapter 14


Application Compatibility Toolkit The Application Compatibility Toolkit contains documents and tools to help you diagnose and resolve application-compatibility issues. It includes the Windows Server and Professional logo documents, the white paper on common compatibility issues, several documents on best testing practices, and tools to help fix compatibility issues. You can find the toolkit and download it from http://msdn.microsoft.com/compatibility/.

Developing a Testing Strategy The Readiness Analyzer works fine for commercial applications, but what about those applications that were developed or modified in-house? To test compatibility for custom applications, you will need a complete testing strategy. This section describes the components of a good testing strategy.

Testing Deployment Functionality First of all, how do you intend to distribute the application? If the application will be deployed from a centralized location, you should include deployment as part of your testing strategy. The type of migration you are planning will often dictate this decision. If you plan to migrate to Windows 2000 by installing it on new machines, then the new applications must be deployed to these new machines. On the other hand, if you plan to migrate to Windows 2000 by upgrading your existing computers, deployment testing may not be necessary for your applications. You should consider deploying your applications by using the Windows Installer feature. This technology allows for software resilience as part of the IntelliMirror technology. IntelliMirror is an initiative to ensure that data can be protected and made readily available across a network. It helps to define items like resilient applications that can repair themselves, redirection of user folders to network locations, and remote installation of applications and Windows 2000 Professional according to Group Policy. The Windows Installer uses a file with an .msi file extension to install compatible applications. If you have been deploying applications to Windows 3.x, you should be aware that there are differences between the Windows 3.x environment and the Windows 2000 environment. I know, that seems terribly obvious, doesn’t it? But from a software application standpoint, it may not be as obvious. Many applications that have been designed to run on both Windows 3.x and on Windows NT will install different files based on which operating system they are


www.sybex.com


607

installed on. Some applications will require the use of a migration dynamic link library (DLL). This migration DLL may be provided by the application vendor, or you may have to develop it internally. The purpose of the migration DLL is to provide enhanced compatibility for applications written for an earlier Windows environment. This includes options such as where the files should be located, where the application settings should be stored, and which Registry entries should be made.

Testing Upgrades If you are planning to upgrade your existing computers to Windows 2000, you should test application compatibility in terms of this upgrade. A possible strategy would include installing a test computer with Windows 3.x, Windows 9x, or Windows NT 3.5x, installing the application to be tested, and upgrading the computer to Windows 2000. When the upgrade has been completed, try to run the application. Verify that all of the major functions of the application are available. If the application misbehaves, then you’ll need to contact the ISV to determine whether they have a fix for the problem. If the application was written entirely in-house, relay the problems to your software development team. Throughout the application-testing phase, you’ll need the involvement of your software development team to be sure that they are aware of the success or failure of any software.

Testing a Clean Installation This scenario is very similar to the deployment scenario. In the clean installation scenario, you have installed Windows 2000 on a brand-new computer and now you need to test the application. Once the operating system has been installed successfully on the clean computer, you can install the application to be tested. Next, you can run your test suite on the application to ensure that it functions correctly. If the application does not function correctly, contact the ISV for a software patch or possibly for a new setup program that will correct the behavior.

Testing Install and Uninstall This is one of my favorite types of testing. You need to verify first of all that the application can install on Windows 2000 without interruption. Then you need to verify that the application can survive failed installation attempts


www.sybex.com

608

Chapter 14


and correct itself. This means that you start the setup of the program and then interrupt various phases of the setup. Try as many things as you can think of to interrupt the setup. One of my favorites is to open the CD-ROM tray during the install. Test every type of installation you can for this application. Choose every different option that might be chosen in your organization. Try the installation as an administrator and as a normal user. Every time you successfully install the application, attempt to uninstall it. Find out whether a normal user account can uninstall the software. This is to determine whether a user can uninstall software installed by an administrator.

Testing Basic Functionality This portion of the testing is to determine whether all features of the application are available after installation on Windows 2000. Try installing the application, then completing all of the basic functions your users will employ with this application. This is where a detailed description of the usability will come in handy. The users in your organization can provide you with details of how they use the application in their daily tasks. Refer to this list of functions when testing functionality. Remember to log on as several different user accounts while testing the application. It is possible that one user may have permissions set that allow the application to work correctly, while another user may not. Try running the application as an administrator, a power user, and a normal user. Next, try running the application with other software applications. Be sure to leave the application running for a period of days to be certain that it will continue to work correctly. I’ve been called in to work on a number of application performance issues for problems that did not occur until the application had been running for more than a few hours. These issues can be very difficult to track down due to the length of time that must pass before the problem occurs. Also test the application in combination with all of the standard software images that are used in your organization. If the application supports automation through scripting, try using various scripts. Starting from very simple tasks, work your way up to very complex automations using scripting. If the software requires specific hardware, be sure to test the application with the hardware installed and with it disconnected.


www.sybex.com


609

Accessing Data If the application you are testing supports data exchange with a server or other computer, be sure to test this data access. Doing so may reveal whether the application has problems accessing Windows 2000’s network infrastructure. Also find out if the application’s back end can run on Windows 2000 Server. Compare the functionality of the application accessing data while running on a current Windows platform as well as running on the Windows 2000 platform. Be sure to test the application while several users are accessing the server data. This will enable you to test concurrent usage patterns as well as file-locking capabilities.

Testing Printing Printing is another aspect of your application that must be tested before rolling it out to the general user population. Be sure to print a variety of document types, preferably to every kind of printer that you have in your organization. Print documents that contain embedded documents from several different applications. For instance, print a Word document that contains an Excel spreadsheet. Another option that may reveal problems with older applications is to print documents having long filenames. Some older Windows applications have problems interpreting long filenames. EXERCISE 14.2

Developing a Test Plan In this exercise, you’ll develop a sample test plan to be used to evaluate application compatibility on Windows 2000. Application types to consider include:

Messaging

Database

Word processing

Web browser

MS-DOS database


www.sybex.com

610

Chapter 14



With these types of applications in mind, develop a plan to test application compatibility for Windows 2000 Professional. For the sake of this exercise, assume that you are making this plan for a company of 1000 users who work on computers that fall into five different hardware categories. As you develop the test plan, answer these questions:

1. How would this test plan differ for a technical company or a traditional office environment?

2. How would the number of servers affect your test plan? 3. How would the number of users affect your plan? 4. How would your test plan be affected by the available budget?

Resolving Incompatibilities


Troubleshoot application failures for all types of migrations.


C

areful testing should reveal most of the issues that you’ll face in your organization’s migration to Windows 2000. So what can you do when you find incompatibilities in your applications? The first course of action that I recommend you take is to check for software patches that will correct the issue. Microsoft has released a number of compatibility patches for various applications running on Windows 2000. You should also check the Web site of the software manufacturer to see if they have similar compatibility patches for their application when run on Windows 2000. The Microsoft Developers Network (MSDN) Web site contains considerable information regarding application compatibility with Windows 2000.


www.sybex.com

Resolving Incompatibilities

611

The Windows 2000 Compatibility Guide, located on the MSDN Web site, breaks down compatibility issues into four basic areas:

Setup and installation

General Windows 2000 compatibility

Application stability

Windows platform

This information will be of particular use to your in-house software development teams. I recommend that you encourage your software development teams to spend some time examining the Windows 2000 Compatibility Guide. Application incompatibility issues can be broken down into several key areas with Windows 2000. In addition to the four listed for the Windows 2000 Compatibility Guide, some of the common issues that cause incompatibilities are: System file protection Traditionally, the Windows operating systems have allowed applications to replace system files as needed. During my time at Product Support Services at Microsoft, I saw many issues related to system files being replaced incorrectly. It was common for us to run into problems where one application would be installed and other applications would break. An example of this was the Winsock.DLL file. It seemed that nearly every communication package that came along for the Internet wanted to install its own version of Winsock.DLL. Frequently, installing one version of the file would break every other application that required that file. Windows 2000 enforces Windows File Protection, a feature that prevents applications from replacing system files in Windows 2000. This is a big step forward for supportability in Windows 2000; however, it may cause problems for some applications that require a specific version of the file. Watch for this scenario in your software testing. Enumeration of hardware devices Plug and Play is a significant new feature in Windows 2000. It also has a major impact on the list of devices that are supported for the operating system. Some software applications will discover that they no longer have the devices they require. If the software application you’re testing requires a specific piece of hardware, be sure to test its compatibility carefully.


www.sybex.com

612

Chapter 14


Enumeration of fonts Windows 2000 has a new list of fonts. In addition to the fonts present in the Fonts folder, new Registry entries have been added to support internationalization of fonts. Because of this, some older applications may see duplicate lists of fonts in Windows 2000. Changed Registry structure The structure of the Registry has been modified in several areas in Windows 2000. Applications that modify the Registry through the Win32 APIs should encounter no difficulties in Windows 2000. But if you have an older application that makes changes to the Registry by writing directly to it, you may see problems. Version checking Setup programs that check versions incorrectly will encounter difficulties with Windows 2000. If the setup program checks the version through the Registry by using standard Win32 API calls, there should be no problem. Always check the minimum operating system requirements for your application, and install on that version of the operating system or later. There may still be problems if the application requires a specific version of Windows. File input/output security The security in Windows 2000 has been tightened significantly over Windows NT, extending even to file input and output. This tightened security may cause problems with applications that filter file input and output, such as anti-virus programs. The behavior may even extend to causing problems with network firewalls that have not been written specifically to deal with Windows 2000. As your application test team discovers incompatibility issues, you need to develop a way to track these issues and prioritize them. Once you have a prioritized list of incompatibilities, you can resolve them in a variety of ways. Issues with internally developed programs can be handed over to your software development team. Problems with commercial programs may be somewhat more difficult to resolve, depending on the size of your company. Software developers will be very interested in making the programs work with Windows 2000 but may be slow to respond to the needs of the small company. We’ve already described some of the things you can do to resolve these incompatibilities. These would include checking the software vendor’s Web site for updates and patches, checking Microsoft’s Web site for compatibility patches, and contacting Microsoft’s Support Services to find out if there have been any solutions for known issues. Other solutions would include replacing the application with a newer version or another application that does not


www.sybex.com

Troubleshooting Connection Issues

613

have the incompatibility. Most of the major software vendors have already released versions of their programs specifically designed to run on Windows 2000. You may want to evaluate these newer versions to see if they will meet your company’s needs. Another point to keep in mind before throwing out any current versions of your software is to determine whether the problem exists on all of your computer platforms on Windows 2000. That means to verify that the problem is truly because of Windows 2000 and not because of some particular hardware and software combination on the test computer. If your testing is thorough, it will include testing the application in operating systems on multiple hardware platforms within your organization.

Troubleshooting Connection Issues




M

any of the applications we deal with in our businesses today require interaction between a client desktop computer and a server. The applications your organization uses to perform its daily work will likely demand interaction with a server. Your testing of applications on Windows 2000 may reveal connectivity issues between the client and the server platform. Quite honestly, I have yet to run across a software application that experiences connectivity issues on Windows 2000 where there isn’t already a connectivity problem between my computer and a server. But that’s not to say that there won’t be any. The major issue that comes to mind when I think about application connectivity is name resolution. Because Windows 2000 depends heavily on DNS for name resolution and rarely if ever uses NetBIOS, some applications may have trouble resolving computer names. You should resolve this scenario through your application testing prior to the migration to Windows 2000. As I mentioned in the previous section, when testing applications that use data on a server, you should be testing the connectivity as well as the ability to handle a concurrent load. For example,


www.sybex.com

614

Chapter 14


you could have multiple users connect to the server using the same application at the same time. Or you could try to run complex interactions with the server concurrently to reveal any problems with the load. You can automate this process through the use of scripts or with a software-testing program. Because database applications are often critical to the business flow, you may need to develop a parallel system for testing. This is a great justification for a software test lab to use in planning for the migration. The parallel system does not need to have a current feed of data, just a good snapshot of enough data that you can run significant queries against it. It may be little more difficult to create a parallel load for messaging systems. You can set up the server itself as a parallel test system, but it may be difficult to generate a synthetic load on the server. It would seem that the only solution for this would be a “test festival,” where you call on the services of a number of users to enter data. When you’re testing software compatibility with Windows 2000, you will likely run into the incompatibility issues. When you experience incompatibilities, you need to determine how much incompatibility your organization is willing to tolerate. Many environments are able to tolerate small incompatibilities, which require a workaround on the part of the user. Other environments cannot tolerate any kind of a breakdown in the workflow. Now I know that most managers I’ve spoken with over the years would tell me that their offices cannot tolerate any kind of a breakdown in workflow. But upon close examination, most of these can tolerate a minor amount of downtime— especially if the issue is a matter of mere moments. There comes a point in your software testing where you have to decide whether a minor incompatibility is enough of a problem to prevent your use of the application. Network-based applications are less likely to tolerate interruptions in service than are desktop applications. Network-based applications imply that many users are involved in the application rather than a single user, as would be the case with the desktop application. This lack of tolerance necessitates the use of a parallel system for testing. It also requires that you pay a great deal of attention to the amount of load that can be placed on this application when running on Windows 2000. Of course, we assume here that your application runs correctly on your current Windows platform. If you are evaluating a new software solution for a particular business need, you might do well to evaluate it on your current Windows platform before evaluating it on Windows 2000. This will help you to identify whether any issues that arise are due to Windows 2000 or to networking problems that already exist in your organization.


www.sybex.com

Dealing with Hard-Coded Information

615

Occasionally, a network application will require you to configure the name of the server that contains the other portion of the program. If you encounter name-resolution issues, try configuring the application with the IP address of the server instead of the server name. If the application requires a NetBIOS name in order to connect to the server and NetBIOS name resolution is not functioning on your network, you may have to troubleshoot it from that aspect. This may require the institution of a WINS server if you do not already have one present on your network. Another possibility would be using the LMHosts file to provide NetBIOS name resolution on the client. If your application requires a specific network protocol, such as NetBEUI, you are faced with a decision. Do you keep your application and add NetBEUI to your Windows 2000 network? Or should you remove NetBEUI from the picture and upgrade your application to a version that will communicate with TCP/IP? If you are faced with this dilemma, contact the vendor of the application for a possible solution.

Dealing with Hard-Coded Information



Resolve issues associated with hard-coded account information in third-party applications.

E

very so often, application developers decide that their program should run only on one particular version of Windows. This causes tremendous problems for people who want to use the application but who also want to upgrade their version of Windows to a newer release. I have spoken with people who tried to fix this problem by editing the Registry to change the current version’s setting to the correct version of Windows for the application. The major problem with this approach is that it may very well break other applications that require Windows 2000. Fortunately for us, Microsoft has provided a way to fix this problem in Windows 2000. There is a little-documented program called Application Compatibility (apcompat.exe). The Application Compatibility program enables you to “lie” to your application so that it believes it is running on the


www.sybex.com

616

Chapter 14


correct version of Windows. To start the program, run apcompat.exe. Figure 14.1 shows the Application Compatibility program. FIGURE 14.1

The Application Compatibility program lets you set version information for applications.

In the first section of the screen, enter the name of the program that you want to modify. If you’re uncertain of the path to the application, use the Browse button to set the path and name. Next, select the operating system version that the application requires. Notice that nothing older than Windows 95 will be permitted. The first time I ran this program, I found it interesting that I could set a specific Service Pack version of Windows NT 4. In the next section of the screen, you can disable certain portions of Windows 2000’s new features. The first option disables the Heap Manager on Windows 2000. The heap is a portion of memory from which applications can allocate or free memory for their own usage. The Heap Manager may cause problems with a number of applications that may not be freeing memory correctly when they close. The second option enables you to use a Temp path that complies with pre-Windows 2000 compatibility. Because some applications have difficulty seeing more disk space than 2GB, the third checkbox enables you to correct the space detection for the application to enable it to see more disk space. The final checkbox allows you to make the settings permanent for the application. This means that whenever you start the application from the path that you gave, it will be run with these settings.


www.sybex.com

Summary

617

The Application Compatibility program should help to correct many of the incompatibility issues between Windows 2000 and older applications. This may enable your organization to continue using the applications they have already invested in.

Summary

In this final chapter, you have learned how to troubleshoot application incompatibility issues. Most of the information we have discussed in this chapter involves performing application compatibility testing. This knowledge will be very useful in the real world for determining which applications are likely to cause you grief after you migrate to Windows 2000. I firmly believe in obtaining that information before you perform the migration. We described many of the parameters you should include in any softwaretesting program and offered recommendations for how to approach this task. You can greatly improve the testing of your applications for compatibility with Windows 2000 by using the Readiness Analyzer from Microsoft, either as a stand-alone program or as part of the upgrade to Windows 2000. Then again, you can also expect to find a great deal of compatibility information on the application developer’s Web site. We finished the chapter by describing how to use the Application Compatibility program to convince your applications that they are running on a version of Windows other than Windows 2000. This applet will be extremely useful in resolving issues where the program is hard-coded to look for a specific version of Windows.

Key Terms Before you take the exam, be sure you’re familiar with the following terms: heap image IntelliMirror


www.sybex.com

618

Chapter 14


Review Questions 1. You are developing a software inventory for your organization.

Once you have obtained a list of all of the applications used in your company, how do you decide which ones to begin testing? A. You must prioritize the list of applications to select those that are

critical to the organization. B. You should start with the one that your boss uses most. C. You should start with your favorite application since that will

inspire you to develop better procedures. D. You should always perform the testing in alphabetical order to

keep the applications organized. 2. How can you ensure that all of the applications are being thoroughly

tested? A. Do all of the testing yourself, since you can’t really trust anyone else. B. Ask your manager to speak with the team to give them a proper

outlook on the testing process. C. Document a standard testing procedure for all of your testers to

follow with each type of application. D. Ask a representative of each department to do their daily work on

the application. 3. How can you automate the process of gathering a list of all of the soft-

ware applications used within your organization? A. Install Systems Management Server on your network to gather the

inventory. B. Have your software development team write a set of Perl scripts. C. Create an Outlook form as a survey for your users to fill out. D. Purchase a third-party software inventory package.


www.sybex.com

Review Questions

619

4. You are planning the migration to Windows 2000 for your organiza-

tion. How can you determine whether your standard software image is compatible with Windows 2000? (Choose all that apply.) A. Run the Readiness Analyzer program. B. Start the Windows 2000 Setup program from within your current

version of Windows. C. Check the Microsoft Web site for the Software Compatibility List. D. Check with the application’s vendor for information about Win-

dows 2000 compatibility. 5. You have been reviewing Microsoft’s standard of Windows 2000

compatibility and are trying to decide which category best describes your internal application. Which category reflects the status that the application will soon support Windows 2000? A. Certified B. Ready C. Planned D. Caution 6. You are testing deployment compatibility for an application you intend

to deploy on Windows 2000. What new feature of Windows 2000 would enable you to deploy the application with resilience in case of a failure in the application? A. Windows Installer B. Systems Management Server C. WinInstaller D. Automating the process using a Perl script


www.sybex.com

620

Chapter 14


7. Your Windows 2000 migration plan calls for the installation of

brand-new computers that have no operating system installed. Which application compatibility-testing scenario should you check? A. Upgrade B. Upgrade and then migrate C. Clean install D. Clean install and then upgrade 8. You are concerned about the compatibility of the network database

application with Windows 2000. Which of the following describes a valid method for testing the network portion of this application? A. Have multiple users log on to the database and execute queries at

the same time. B. Log on to the database and execute queries. C. Have multiple users log on to the database, and then have a single

user execute a query. D. Log on to the database multiple times. 9. You’re trying to determine why a particular application fails after

being installed on Windows 2000. The application requires a specific version of the DLL used by Windows 2000. Why does the application fail? A. Windows 2000 write-protects all of the system files. B. Windows File Protection prevents system files from being

replaced. C. The user who installed the application did not have the correct

permissions. D. Group Policy prevents the application from replacing system files.


www.sybex.com

Review Questions

621

10. You have installed an important application for your organization on

Windows 2000, and now you receive an error message stating that the application was not designed for your version of Windows. Why is this? A. The application was written for MS-DOS. B. The application uses a proprietary method to access the Windows

Registry for version information. C. The program is hard-coded to look for a specific version of Windows. D. The application was probably corrupted during the setup process. 11. You are testing the client portion of the network application for com-

patibility with Windows 2000. The client application is configured to look for a specific name when connecting to the server. Since installing the application on Windows 2000, the client application has been unable to connect to the server. What do you suspect is the problem? A. The client program uses a method of name resolution not sup-

ported in Windows 2000. B. Windows 2000 changes the name of the server when it is installed

by default. C. The application probably uses NetBEUI to connect to the server. D. Applications running on Windows 2000 can communicate only with

applications running on other computers running Windows 2000. 12. You have an application running on Windows 2000 that is hard-coded

to look for Windows 95 as the operating system. How can you correct this problem so the application will run on Windows 2000? A. Run mkcompat.exe to convince the program to run on Win-

dows 2000. B. Run apcompat.exe to convince the program to run on Win-

dows 2000. C. Edit the Registry entry for the application to make it believe it is

running on Windows 95. D. Obtain an updated version of the application.


www.sybex.com

622

Chapter 14


13. Why is it important to simplify your application environment when

testing application compatibility with Windows 2000? A. Because Windows 2000 cannot run very many applications at the

same time. B. Because users will often have more than one application to per-

form the same task. C. Because users will frequently have pirated software on their

computers. D. Because you don’t have the budget to fully test every application in

the environment. 14. You are attempting to upgrade the test computer to Windows 2000.

When you start the setup process, you receive a warning that an application on your computer is not compatible with Windows 2000. Why is this happening? A. The Readiness Analyzer is automatically run as part of the setup

process. B. This behavior is probably caused by the presence of a virus. C. The error message is probably caused because you’re running

setup from within Windows 95. D. You need to run the Application Compatibility tool so that the

Windows 2000 Setup program can be run on an earlier version of Windows. 15. Where can you find the current listing of all applications that are com-

patible with Windows 2000? A. In the Hardware Compatibility List located on Microsoft’s Web site. B. In the Software Compatibility List located on Microsoft’s Web site. C. In the Hardware Compatibility List included with all Windows 2000

products. D. In the Software Compatibility List included with all Windows 2000

products.


www.sybex.com

Review Questions

623

16. Which one of Microsoft’s compatibility certifications indicates that

the software vendor has tested the application and found it compatible with Windows 2000? A. Certified B. Ready C. Planned D. Caution 17. Which one of Microsoft’s compatibility certifications indicates that

both Microsoft and an independent testing laboratory have tested the application and guaranteed it to be supported by Windows 2000? A. Certified B. Ready C. Planned D. Caution 18. Your Windows 2000 migration plan calls for upgrading existing com-

puters to Windows 2000. Which of the following test scenarios would be most appropriate for this plan? A. Upgrade B. Upgrade and then migrate C. Clean install D. Clean install and then upgrade 19. You would like to use the Windows Installer technology to deploy

applications to Windows 2000 Desktops. What is the file extension of the package files used by the Windows Installer? A. .csv B. .osi C. .msi D. .msft


www.sybex.com

624

Chapter 14


20. How can you use Windows Installer technology to deploy an applica-

tion to one group within your organization? A. Use Systems Management Server to deploy the application. B. Use Group Policy to assign the application to the user group. C. Write a custom script that will deploy the application during

logon. D. Use the File Replication Service to copy the files to every Desktop

in the user group.


www.sybex.com


625

Answers to Review Questions 1. A. You must develop a prioritized list of the applications used in your

organization. Start testing the applications that are most critical to the company’s business. 2. C. You should carefully devise a standard testing methodology for

your team to use while checking for application compatibility on Windows 2000. 3. A. Truth be told, any software inventory package will be able to help

you with this situation. However, the correct answer for the exam would be to choose a Microsoft product for the job, and that means Systems Management Server. 4. A, B, C, D. All of these suggestions are good steps to determine

whether your software is compatible with Windows 2000. The Readiness Analyzer program can be run either as a stand-alone program or by starting the Windows 2000 Setup program, and it will report on your current compatibility with Windows 2000. 5. C. The Planned certification level indicates that the application is not

currently compatible with Windows 2000 but that the vendor intends to support Windows 2000 in the next version of the application. 6. A. The Windows Installer is part of the IntelliMirror technology in

Windows 2000. The Windows Installer enables you to deploy applications easily using Windows 2000. If the applications become damaged or have missing files, they can repair themselves automatically. 7. C. In this scenario, Windows 2000 will be installed on the clean hard

drive with no existing operating system. The applications will also be installed in the clean environment; therefore the clean install scenario is the one to test. 8. A. Having multiple users access the database to run queries at the

same time verifies that the application can support concurrent use across the network.


www.sybex.com

626

Chapter 14


9. B. Windows File Protection is a new feature of Windows 2000 that pre-

vents vital system files from being replaced by any application. When the file is installed by the application and Windows 2000 detects that a system file has been replaced, the operating system will replace the new file with the original version. 10. B or C. If an application contains code to look for a specific version of

Windows and does not allow for a higher version, the application may return an error stating that it is not designed for your version of Windows when run on Windows 2000. The other possibility is that the application uses a nonstandard method to access Registry information regarding the version of Windows. 11. A. Basic network troubleshooting applies here. If you are unable to

connect to a server by using its name, then try using its IP address. If this method succeeds, then name resolution is failing. 12. B. The Application Compatibility program can convince the program

that it is running on a specific version of Windows. 13. B. Migrating to a new operating system gives you a great opportunity

to create a standardized software image for your company. Simplifying the software environment will reduce support costs, licensing costs, and testing time. There will sometimes be redundant software present that can be eliminated to simplify the environment. 14. A. The Windows 2000 Setup program automatically runs the Readi-

ness Analyzer as part of the normal setup procedure. 15. B. Microsoft maintains the Software Compatibility List on its Web

site for Windows 2000. This list contains a searchable database of all the applications that are known to be compatible with Windows 2000. 16. B. The Ready certification indicates that the software vendor has fully

tested the application and guarantees that it is compatible with Windows 2000.


www.sybex.com


627

17. A. The Certified level of certification indicates that both Microsoft

and an independent testing laboratory have verified that the application will work correctly with Windows 2000. 18. A. Since you are planning to upgrade existing software to Windows

2000, it would make sense to pay particular attention to test situations involving the performance of the applications when the operating system is upgraded in place to Windows 2000. 19. C. Application installation packages that have been designed to work

with the Windows Installer all have the .msi file extension. 20. B. Group Policy can be used to assign or to publish Windows

Installer packages for installation to specific groups within your organization.


www.sybex.com

Glossary


www.sybex.com

630

Glossary

A Accelerated Graphics Port (AGP) A type of expansion slot supported by Windows 2000. AGP is used by video cards and supports high-quality video and graphics performance. access control entry (ACE) An item used by the operating system to determine resource access. Each access control list (ACL) has an associated ACE that lists the permissions that have been granted or denied to the users and groups listed in the ACL. access control list (ACL) An item used by the operating system to determine resource access. Each object (such as a folder, network share, or printer) in Windows 2000 has an ACL. The ACL lists the security identifiers (SIDs) contained by objects. Only those identified in the list as having the appropriate permission can activate the services of that object. access token An object containing the security identifier (SID) of a running process. A process started by another process inherits the starting process’s access token. The access token is checked against each object’s access control list (ACL) to determine whether or not appropriate permissions are granted to perform any requested service. account lockout policy A Windows 2000 policy used to specify how many invalid logon attempts should be tolerated before a user account is locked out. Account lockout policies are set through account policies. account policies Windows 2000 policies used to determine password and logon requirements. Account policies are set through the Microsoft Management Console (MMC) Local Computer Policy or Domain Controllers Policy snap-in. ACE

See access control entry.

ACL

See access control list.

Active Desktop A Windows 2000 feature that makes the Desktop look and work like a Web page. Active Directory (AD) A directory service available with the Windows 2000 Server platform. The Active Directory stores information in a central database and allows users to have a single user account (called a domain user account or Active Directory user account) for the network.

Active Directory user account A user account that is stored in the Windows 2000 Server Active Directory’s central database. An Active Directory user account can provide a user with a single user account for a network. Also called a domain user account. Active Directory Users and Computers On Windows 2000 Server domain controllers, the main tool used for managing the Active Directory users, groups, and computers. AD

See Active Directory.

adapter Any hardware device that allows communications to occur through physically dissimilar systems. This term usually refers to peripheral cards that are permanently mounted inside computers and provide an interface from the computer’s bus to another medium such as a hard disk or a network. Administrator account A Windows 2000 special account that has the ultimate set of security permissions and can assign any permission to any user or group. Administrators group A Windows 2000 built-in group that consists of Administrator accounts. AGP

See Accelerated Graphics Port.

alert A system-monitoring feature that is generated when a specific counter exceeds or falls below a specified value. Through the Performance Logs and Alerts utility, administrators can configure alerts so that a message is sent, a program is run, or a more detailed log file is generated. anonymous access A type of access for a Web site that allows public use of the site. Anonymous Logon group A Windows 2000 special group that includes users who access the computer through anonymous logons. Anonymous logons occur when users gain access through special accounts, such as the IUSR_computername and TsInternetUser user accounts. answer file An automated installation script used to respond to configuration prompts that normally appear in a Windows 2000 Server installation. Administrators can create Windows 2000 answer files with the Setup Manager utility. Application log A log that tracks events that are related to applications that are running on the


www.sybex.com

Glossary

computer. The Application log can be viewed in the Event Viewer utility. application server mode A Terminal Services mode that gives users remote access to applications running on the server. Using this mode, Terminal Services delivers the Windows 2000 Desktop environment to computers that might not otherwise be able to run Windows 2000 because of hardware or other limitations. audit policy A Windows 2000 policy that tracks the success or failure of specified security events. Audit policies are set through Local Computer Policy or Domain Controllers Policy. Authenticated Users group A Windows 2000 special group that includes users who access the Windows 2000 operating system through a valid username and password. authentication The process required to log on to a computer locally. Authentication requires a valid username and a password that exists in the local accounts database. An access token will be created if the information presented matches the account in the database. automated installation The process of installing Windows 2000 using an unattended setup method such as Remote Installation Services (RIS), unattended installation, or disk images.

B backup The process of writing all the data contained in online mass-storage devices to offline mass-storage devices for the purpose of safekeeping. Backups are usually performed from hard disk drives to tape drives. Also referred to as archiving. Backup Operators group A Windows 2000 built-in group that includes users who can back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. The members of the Backup Operators group can only access the file system through the Windows 2000 Backup utility. To be able to directly access the file system, the user must have explicit permissions assigned. backup type A backup choice that determines which files are backed up during a backup process. Backup types include normal backup, copy backup, incremental backup, differential backup, and daily backup.

631

Backup Wizard A Wizard used to perform a backup. The Backup Wizard is accessed through the Windows 2000 Backup utility. bandwidth The total capacity of transmission media. Bandwidth is commonly expressed as bits per second (bps) or as Hertz (frequency). Bandwidth Allocation Protocol (BAP) A PPP option for multilink connections to control the amount of bandwidth used by connections to RAS servers. bandwidth throttling A method for limiting the maximum amount of bandwidth that can be used by a Web server. baseline A snapshot record of a computer’s current performance statistics that can be used for performance analysis and planning purposes. Basic Input/Output System (BIOS) A set of routines in firmware that provides the most basic software interface drivers for hardware attached to the computer. The BIOS contains the boot routine. basic storage A disk-storage system supported by Windows 2000 that consists of primary partitions and extended partitions. Batch group A Windows 2000 special group that includes users who log on as a user account that is only used to run a batch job. binding The process of linking together software components, such as network protocols and network adapters. BIOS

See Basic Input/Output System.

boot The process of loading a computer’s operating system, also called bootstrap. Booting usually occurs in multiple phases, each successively more complex until the entire operating system and all its services are running. The computer’s BIOS must contain the first level of booting. BOOT.INI A file accessed during the Windows 2000 boot sequence. The BOOT.INI file is used to build the operating system menu choices that are displayed during the boot process. It is also used to specify the location of the boot partition. Boot Normally A Windows 2000 Advanced Options menu item used to boot Windows 2000 normally.


www.sybex.com

632

Glossary

boot partition The partition that contains the system files. The system files are located in C:\WINNT by default.

client A computer on a network that subscribes to the services provided by a server.

BOOTSECT.DOS An optional file that is loaded if the user chooses to load an operating system other than Windows 2000. This file is only used in dual-boot or multi-boot computers.

Client Access License (CAL) A license that allows a computer to legally access a Windows 2000 server or domain controller.

bottleneck A system resource that is inefficient compared with the rest of the computer system as a whole. The bottleneck can cause the rest of the system to run slowly.

C caching A speed-optimization technique that keeps a copy of the most recently used data in a fast, high-cost, low-capacity storage device rather than in the device on which the actual data resides. Caching assumes that recently used data is likely to be used again. Fetching data from the cache is faster than fetching data from the slower, larger storage device. Most caching algorithms also copy data that is most likely to be used next and perform writeback caching to further increase speed gains. CAL

See Client Access License.

CD-based image A type of image configured on a Remote Installation Services (RIS) server. A CD-based image contains only the Windows 2000 operating system. CDFS

See Compact Disk File System.

central processing unit (CPU) The main processor in a computer. Check Disk A Windows 2000 utility that checks a hard disk for errors. Check Disk (chkdsk) attempts to fix file-system errors and recover bad sectors. CIPHER A command-line utility that can be used to encrypt files on NTFS volumes.

client license key packs Sets of client licenses that a Terminal Services license server distributes to clients. COM port Communications port. A serial hardware interface conforming to the RS-232C standard for low-speed, serial communications. Compact Disk File System (CDFS) A file system used by Windows 2000 to read the file system on a CD-ROM. compatibility script A script that helps applications run on a Terminal Services server. Compatibility scripts should be run after the program is installed to achieve the best performance on a Terminal Services server. compression The process of storing data in a form that takes less space than the uncompressed data. Computer Management A consolidated tool for performing common Windows 2000 management tasks. The interface is organized into three main areas of management: System Tools, Storage, and Services and Applications. computer name A NetBIOS name used to uniquely identify a computer on the network. A computer name can be from 1 to 15 characters in length. container An Active Directory object that holds other Active Directory objects. Domains and organizational units are examples of container objects. Control Panel A Windows 2000 utility that allows users to change default settings for operating system services to match their preferences. The Registry contains the Control Panel settings.

cipher text Encrypted data. Encryption is the process of translating data into code that is not easily accessible. Once data has been encrypted, a user must have a password or key to decrypt the data. Unencrypted data is known as plain text.

CONVERT A command-line utility used to convert a partition from FAT16 or FAT32 to the NTFS file system.

clean install A method of Windows 2000 Server installation that puts the operating system into a new folder and uses its default settings the first time the operating system is loaded.

counter A performance-measuring tool used to track specific information regarding a system resource, called a performance object. All Windows 2000 system resources

copy backup A backup type that backs up selected folders and files but does not set the archive bit.


www.sybex.com

Glossary

are tracked as performance objects, such as Cache, Memory, Paging File, Process, and Processor. Each performance object has an associated set of counters. Counters are set through the System Monitor utility. CPU

See central processing unit.

Creator Group The Windows 2000 special group that created or took ownership of the object (rather than an individual user). When a regular user creates an object or takes ownership of an object, the username becomes the Creator Owner. When a member of the Administrators group creates or takes ownership of an object, the Administrators group becomes the Creator Group. Creator Owner group The Windows 2000 special group that includes the account that created or took ownership of an object. The account, usually a user account, has the right to modify the object, but cannot modify any other objects that were not created by the user account.

D daily backup A backup type that backs up all of the files that have been modified on the day that the daily backup is performed. The archive attribute is not set on the files that have been backed up. data compression The process of storing data in a form that takes less space than the uncompressed data. data encryption The process of translating data into code that is not easily accessible to increase security. Once data has been encrypted, a user must have a password or key to decrypt the data. DCPROMO A utility used to upgrade a server to a domain controller, after the server has been installed with the Windows 2000 Server operating system. The DCPROMO utility also can be used to downgrade a domain controller to a member server. Debugging Mode A Windows 2000 Advanced Option menu item that runs the Kernel Debugger, if that utility is installed. The Kernel Debugger is an advanced troubleshooting utility. default gateway A TCP/IP configuration option that specifies the gateway that will be used if the network contains routers.

633

demand-dial routing connections Support for both inbound connections and outbound connections for an RAS server. Desktop A directory that the background of the Windows Explorer shell represents. By default, the Desktop includes objects that contain the local storage devices and available network shares. Also a key operating part of the Windows 2000 graphical interface. device driver Software that allows a specific piece of hardware to communicate with the Windows 2000 operating system. Device Manager A Windows 2000 utility used to provide information about the computer’s configuration. Dfs

See Distributed file system.

Dfs link A component of the Distributed file system (Dfs) topology. A Dfs link points from the Dfs root to one or more Dfs shared folders. Dfs replication The replication of one or more Dfs shared folders. Dfs replication ensures that if the host server goes down, the files and folders that are part of the Dfs will be available. Dfs root A component of the Distributed file system (Dfs) topology. The Dfs root contains the Dfs shared folders and Dfs links. You can create a domain-based Dfs root or a stand-alone Dfs root. Dfs shared folder A component of the Distributed file system (Dfs) topology. Dfs links point to Dfs shared folders. DHCP

See Dynamic Host Configuration Protocol.

DHCP server A server configured to provide DHCP clients with all of their IP configuration information automatically. dial-up networking A service that allows remote users to dial into the network or the Internet (such as through a telephone or an ISDN connection). Dialup group A Windows 2000 special group that includes users who log on to the network from a dialup connection. differential backup A backup type that copies only the files that have been changed since the last normal backup (full backup) or incremental backup. A differential backup


www.sybex.com

634

Glossary

backs up only those files that have changed since the last full backup, but does not reset the archive bit. Digital Versatile Disc (DVD) A disk standard that supports up to 4.7GB of data. One of DVD’s strongest features is backward compatibility with CD-ROM technology, so that a DVD drive can play CD-ROMs. Formerly known as Digital Video Disk. directory replication The process of copying a directory structure from an export computer to an import computer(s). Any time changes are made to the export computer, the import computer(s) is automatically updated with the changes. Directory Services Restore Mode A Windows 2000 Advanced Option menu item that is used by Windows 2000 Server computers that are configured as domain controllers to restore the Active Directory. This option is not available on Windows 2000 Server computers that are installed as member servers. Disk Cleanup A Windows 2000 utility used to identify areas of disk space that can be deleted to free additional hard disk space. Disk Cleanup works by identifying temporary files, Internet cache files, and unnecessary program files. disk defragmentation The process of rearranging the existing files on a disk so that they are stored contiguously, which optimizes access to those files. Disk Defragmenter A Windows 2000 utility that performs disk defragmentation. disk image An exact duplicate of a hard disk, used for automated installation. The disk image is copied from a reference computer that is configured in the same manner as the computers on which Windows 2000 will be installed. Disk Management A Windows 2000 graphical tool for managing disks and volumes. disk partitioning The process of creating logical partitions on the physical hard drive. disk quotas A Windows 2000 feature used to specify how much disk space a user is allowed to use on specific NTFS volumes. Disk quotas can be applied for all users or for specific users. distribution group A type of group that can be created on a Windows 2000 domain controller in the Active

Directory. A distribution group is a logical group of users who have common characteristics. Distribution groups can be used by applications and e-mail programs. Distributed file system (Dfs) A Windows 2000’s Server feature that uses a central database of links that point to shares across the network. Dfs provides users with a central location to access files and folders that are physically distributed across a network. Files that are stored on several computers in a domain appear to the user to all reside in the same network share. Distributed File System utility The Windows 2000 Server utility used to configure and manage the Distributed file system (Dfs). distribution server A network server that contains the Windows 2000 distribution files that have been copied from the distribution CD. Clients can connect to the distribution server and install Windows 2000 over the network. DNS

See Domain Name System.

DNS server A server that uses DNS to resolve domain or host names to IP addresses. domain In Microsoft networks, an arrangement of client and server computers referenced by a specific name that shares a single security permissions database. On the Internet, a domain is a named collection of hosts and subdomains, registered with a unique name by the InterNIC. domain-based Dfs root In the Distributed file system (Dfs), a type of Dfs root that automatically publishes its Dfs topology to the Active Directory. A domain-based Dfs root has Dfs replication capabilities for fault tolerance. domain controller A Windows 2000 Server computer that stores the complete domain database. Domain Controllers Policy A Microsoft Management Console (MMC) snap-in used to implement domain account policies. domain forest A set of domain trees that does not form a contiguous namespace. For example, you might have a forest if your company merged with another company. With a forest, you could each maintain a separate corporate identity through your namespace, but share information across the Active Directory.


www.sybex.com

Glossary

domain local group A scope for a group on a Windows 2000 domain controller. A domain local group is used to assign permissions to resources. Local groups can contain user accounts, universal groups, and global groups from any domain in the domain tree or domain forest. A domain local group can also contain other domain local groups from its own local domain. domain name A name that identifies one or more IP addresses, such as sybex.com. Domain names are used in URLs to identify particular Web pages. domain name server An Internet host dedicated to the function of translating fully qualified domain names (host names) into IP addresses. Domain Name System (DNS) The TCP/IP network service that translates fully qualified domain names (host names) into IP addresses. domain policies Policies applied at the domain level that allow administrators to control what a user can do after logging on. Domain policies include audit policies, security option policies, and user rights policies. These policies are set through Domain Controllers Policy. domain security Security that governs a user’s ability to access domain resources. Any domain policies you define override the local policies of a computer. domain tree A hierarchical organization of domains in a single, contiguous namespace. In the Active Directory, a tree is a hierarchy of domains that are connected to each other through a series of trust relationships (logical links that combine two or more domains into a single administrative unit).

635

driver signing A digital imprint that is Microsoft’s way of guaranteeing that a driver has been tested and will work with the computer. dual-booting The process of allowing a computer to boot more than one operating system. dynamic disk A Windows 2000 disk-storage technique. A dynamic disk is divided into dynamic volumes. Dynamic volumes cannot contain partitions or logical drives. You can size or resize a dynamic disk without restarting Windows 2000. Dynamic disks are accessible only to Windows 2000 systems. Dynamic Host Configuration Protocol (DHCP) A method of automatically assigning IP addresses to client computers on a network. dynamic storage A Windows 2000 disk-storage system that is configured as volumes. Windows 2000 Server dynamic storage supports simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes.

E EB

See exabyte.

effective rights The rights that a user actually has to a file or folder. To determine a user’s effective rights, add all of the permissions that have been allowed through the user’s assignments based on that user’s username and group associations. Then subtract any permissions that have been denied the user through the username or group associations. EFS

See Encrypting File System.

domain user account A user account that is stored in the Windows 2000 Server Active Directory’s central database. A domain user account can provide a user with a single user account for a network. Also called an Active Directory user account.

Emergency Repair Disk (ERD) A disk that stores portions of the Registry, the system files, a copy of the partition boot sector, and information that relates to the startup environment. The ERD can be used to repair problems that prevent a computer from starting.

drive letter A single letter assigned as an abbreviation to a mass-storage volume available to a computer.

Enable Boot Logging A Windows 2000 Advanced Options menu item that is used to create a log file that tracks the loading of drivers and services.

driver A program that provides a software interface to a hardware device. Drivers are written for the specific devices they control, but they present a common software interface to the computer’s operating system, allowing all devices of a similar type to be controlled as if they were the same.

Enable VGA Mode A Windows 2000 Advanced Options menu item that loads a standard VGA driver without starting the computer in Safe Mode. Encrypting File System (EFS) The Windows 2000 technology used to store encrypted files on


www.sybex.com

636

Glossary

NTFS partitions. Encrypted files add an extra layer of security to the file system. encryption The process of translating data into code that is not easily accessible to increase security. Once data has been encrypted, a user must have a password or key to decrypt the data. ERD

See Emergency Repair Disk.

Error event An Event Viewer event type that indicates the occurrence of an error, such as a driver failing to load. Event Viewer A Windows 2000 utility that tracks information about the computer’s hardware and software, as well as security events. This information is stored in three log files: the Application log, the Security log, and the System log. On a domain controller, the Event Viewer also includes logs for Directory Service, DNS Server, and File Replication Service. Everyone A Windows 2000 special group that includes anyone who could possibly access the computer. The Everyone group includes all of the users (including Guests) who have been defined on the computer. exabyte A computer storage measurement equal to 1,024 petabytes. extended partition In basic storage, a logical drive that allows you to allocate the logical partitions however you wish. Extended partitions are created after the primary partition has been created.

F Failure Audit event An Event Viewer event that indicates the occurrence of an event that has been audited for failure, such a failed logon when someone presents an invalid username and/or password. FAT16 The 16-bit version of the File Allocation System (FAT) system, which was widely used by DOS and Windows 3.x. The file system is used to track where files are stored on a disk. Most operating systems support FAT16. FAT32 The 32-bit version of the File Allocation System (FAT) system, which is more efficient and provides more safeguards than FAT16. Windows 9x and Windows 2000 support FAT32. Windows NT does not support FAT32.

fault tolerance Any method that prevents system failure by tolerating single faults, usually through hardware redundancy. File Allocation Table (FAT) The file system used by MS-DOS and available to other operating systems such as Windows (all versions), and OS/2. FAT, now known as FAT16, has become something of a mass-storage compatibility standard because of its simplicity and wide availability. FAT has fewer fault-tolerance features than the NTFS file system and can become corrupted through normal use over time. file attributes Bits stored along with the name and location of a file in a directory entry. File attributes show the status of a file, such as archived, hidden, and read-only. Different operating systems use different file attributes to implement services such as sharing, compression, and security. File Replication Service (FRS) The service used by the Distributed file system (Dfs) to automatically replicate Dfs shared folders. When changes are made to one shared folder, FRS updates the other shared folders to reflect the changes. file system A software component that manages the storage of files on a mass-storage device by providing services that can create, read, write, and delete files. File systems impose an ordered database of files on the mass-storage device. Storage is arranged in volumes. File systems use hierarchies of directories to organize files. File Transfer Protocol (FTP) A simple Internet protocol that transfers complete files from an FTP server to a client running the FTP client. FTP provides a simple, lowoverhead method of transferring files between computers but cannot perform browsing functions. Users must know the URL of the FTP server to which they wish to attach. frame A data structure that network hardware devices use to transmit data between computers. Frames consist of the addresses of the sending and receiving computers, size information, and a checksum. Frames are envelopes around packets of data that allow the packets to be addressed to specific computers on a shared media network. frame type An option that specifies how data is packaged for transmission over the network. This


www.sybex.com

Glossary

option must be configured to run the NWLink IPX/ SPX/NetBIOS Compatible Transport protocol on a Windows 2000 computer. By default, the frame type is set to Auto Detect, which will attempt to automatically choose a compatible frame type for the network. FRS

See File Replication Service.

FTP

See File Transfer Protocol.

G GB GDI

See gigabyte. See Graphic Device Interface.

gigabyte A computer storage measurement equal to 1,024 megabytes. global group A scope for a group on a Windows 2000 domain controller. A global group is used to organize users who have similar network access requirements. Global groups can contain user and global groups from the local domain. Graphics Device Interface (GDI) The programming interface and graphical services provided to Win32 for programs to interact with graphical devices such as the screen and printer. groups Security entities to which users can be assigned membership for the purpose of applying the broad set of group permissions to the user. By managing permissions for groups and assigning users to groups, rather than assigning permissions to users, administrators can more easily manage security. Guest account A Windows 2000 user account created to provide a mechanism to allow users to access the computer even if they do not have a unique username and password. This account normally has very limited privileges on the computer. This account is disabled by default. Guests group A Windows 2000 built-in group that has limited access to the computer. This group can access only specific areas. Most administrators do not allow Guests group access because it poses a potential security risk.

637

H HAL

See Hardware Abstraction Layer.

Hardware Abstraction Layer (HAL) A Windows 2000 service that provides basic input/output services such as timers, interrupts, and multiprocessor management for computer hardware. The HAL is a device driver for the motherboard circuitry that allows different families of computers to be treated the same by the Windows 2000 operating system. Hardware Compatibility List (HCL) A list of all of the hardware devices supported by Windows 2000. Hardware on the HCL has been tested and verified as being compatible with Windows 2000. HCL

See Hardware Compatibility List.

home folder A folder where users normally store their personal files and information. A home folder can be a local folder or a network folder. host An Internet server. A host is a node that is connected to the Internet. host server In the context of the Distributed file system (Dfs), the domain server that contains the Dfs root. The host server automatically publishes the Dfs topology to the Active Directory and provides synchronization of the topology across the domain member servers. HOSTS file A file that is used to map IP addresses to host names. A HOSTS file can be used in place of a DNS server. hot swapping The ability of a device to be plugged into or removed from a computer while the computer’s power is on. HTML

See Hypertext Markup Language.

HTTP

See Hypertext Transfer Protocol.

Hypertext Markup Language (HTML) A textual data format that identifies sections of a document such as headers, lists, hypertext links, and so on. HTML is the data format used on the World Wide Web for the publication of Web pages. Hypertext Transfer Protocol (HTTP) An Internet protocol that transfers HTML documents over the Internet and responds to context changes that happen when a user clicks a hyperlink.


www.sybex.com

638

Glossary

I IIS

See Internet Information Services.

ILS_Anonymous_User A special domain user account that is used by the ILS service. ILS supports telephony applications that use features such as caller ID, video conferencing, conference calling, and faxing. In order to use ILS, Internet Information Services (IIS) must be installed. inbound connections Connections that allow incoming access to an RAS server. incremental backup A backup type that backs up only the files that have changed since the last normal or incremental backup. It sets the archive attribute on the files that are backed up. Indexing Service A Windows 2000 service that creates an index based on the contents and properties of files stored on the computer’s local hard drive. A user can then use the Windows 2000 Search function to search or query through the index for specific keywords. Industry Standard Architecture (ISA) The design standard for 16-bit Intel-compatible motherboards and peripheral buses. The 32/64-bit PCI bus standard is replacing the ISA standard. Adapters and interface cards must conform to the bus standard(s) used by the motherboard in order to be used in a computer. Information event An Event Viewer event that informs you that a specific action has occurred, such as when a system shuts down or starts. inherited permissions Parent folder permissions that are applied to (or inherited by) files and subfolders of the parent folder. In Windows 2000, the default is for parent folder permissions to be applied to any files or subfolders in that folder. initial user account The account that uses the name of the registered user and is created only if the computer is installed as a member of a workgroup (not into the Active Directory). By default, the initial user is a member of the Administrators group. Integrated Services Digital Network (ISDN) A direct, digital, dial-up connection that operates at 64KB per channel over regular twisted-pair cable. Up to 24 channels can be multiplexed over two twisted pairs.

Interactive group A Windows 2000 special group that includes all the users who use the computer’s resources locally. interactive logon A logon when the user logs on from the computer where the user account is stored on the computer’s local database. Also called a local logon. interactive user A user who physically logs on to the computer where the user account resides (rather than over the network). internal network number An identification for NetWare file servers. An internal network number is also used if the network is running File and Print Services for NetWare or is using IPX routing. This option must be configured to run the NWLink IPX/SPX/NetBIOS Compatible Transport protocol on a Windows 2000 computer. Normally, the internal network number should be left at its default setting. Internet Information Services (IIS) Software that serves Internet higher-level protocols like HTTP and FTP to clients using Web browsers. The IIS software that is installed on a Windows 2000 Server computer is a fully functional Web server and is designed to support heavy Internet usage. Internet Protocol (IP) The Network layer protocol upon which the Internet is based. IP provides a simple connectionless packet exchange. Other protocols such as TCP use IP to perform their connection-oriented (or guaranteed delivery) services. Internet Server Application Programming Interface (ISAPI) filter A method for directing Web browser requests for specific URLs to specific ISAPI applications, which are then run. ISAPI filters are commonly used to manage customized logon authentication. Internet service provider (ISP) A company that provides dial-up connections to the Internet. Internet Services Manager A Windows 2000 utility used to configure the protocols that are used by Internet Information Services (IIS) and Personal Web Services (PWS). internetwork A network made up of multiple network segments that are connected with some device, such as a router. Each network segment is assigned a network address. Network layer protocols build routing tables that are used to route packets through the network in the most efficient manner.


www.sybex.com

Glossary

InterNIC The agency that is responsible for assigning IP addresses. interprocess communications (IPC) A generic term describing any manner of client/server communication protocol, specifically those operating in the Application layer. IPC mechanisms provide a method for the client and server to trade information. interrupt request (IRQ) A hardware signal from a peripheral device to the microcomputer indicating that it has input/output (I/O) traffic to send. If the microprocessor is not running a more important service, it will interrupt its current activity and handle the interrupt request. IBM PCs have 16 levels of interrupt request lines. Under Windows 2000, each device must have a unique interrupt request line. intranet A privately owned network based on the TCP/IP protocol suite. IP

See Internet Protocol.

IP address A four-byte number that uniquely identifies a computer on an IP internetwork. IPC

IRQ

See interrupt request.

ISA

See Industry Standard Architecture.

ISAPI filter See Internet Server Application Programming Interface filter.

ISP

See Integrated Services Digital Network. See Internet service provider.

IUSR_computername A special user account that is used for anonymous access for Internet Information Services (IIS) on a computer that has IIS installed. IWAM_computername A special user account that is used for Internet Information Services (IIS) to start from process applications on a computer that has IIS installed.

K KDC

Kerberos A security protocol that is used in Windows 2000 Server to authenticate users and network services. This is called dual verification, or mutual authentication. Windows 2000 Server uses Kerberos version 5. Kerberos policies Policies that are used to configure computer security settings for Kerberos authentication. Kerberos policies are set through account policies. kernel The core process of a preemptive operating system, consisting of a multitasking scheduler and the basic security services. Depending on the operating system, other services such as virtual memory drivers may be built into the kernel. The kernel is responsible for managing the scheduling of threads and processes. key distribution center (KDC) A domain controller that is responsible for holding all of the client passwords and account information. When a Windows 2000 Server computer is installed as a domain controller, it automatically becomes a KDC. Krbtgt A special domain user account that is used by the Key Distribution Center service.

See interprocess communications.

IPCONFIG A command used to display the computer’s IP configuration.

ISDN

639

See key distribution center.

L Last Known Good Configuration A Windows 2000 Advanced Options menu item used to load the control set that was used the last time the computer was successfully booted. license server A server that issues licenses to Terminal Services clients. This license is a digitally signed certificate that will remain with the client and cannot be used by any other client. LMHOSTS file A file used to map NetBIOS names to computers’ IP addresses. An LMHOSTS file can be used in place of a WINS server. Local Computer Policy A Microsoft Management Console (MMC) snap-in used to implement local account policies. local group A group that is stored on the local computer’s accounts database. Administrators can add users to local groups and manage them directly on a Windows 2000 computer.


www.sybex.com

640

Glossary

local logon A logon when the user logs on from the computer where the user account is stored on the computer’s local database. Also called an interactive logon. local policies Policies that allow administrators to control what a user can do after logging on. Local policies include audit policies, security option policies, and user rights policies. These policies are set through Local Computer Policy. local printer A printer that uses a physical port and that has not been shared. If a printer is defined as local, the only users who can use the printer are the local users of the computer that the printer is attached to. local security Security that governs a local or interactive user’s ability to access locally stored files. Local security can be set through NTFS permissions. local user account A user account stored locally in the user accounts database of a computer that is running Windows 2000. local user profile A profile created the first time a user logs on, stored in the Documents and Settings folder. The default user profile folder’s name matches the user’s logon name. This folder contains a file called NTUSER.DAT and subfolders with directory links to the user’s Desktop items. Local Users and Groups A utility that is used to create and manage local user and group accounts on Windows 2000 Professional computers and Windows 2000 member servers. locale settings Settings for regional items, including numbers, currency, time, date, and input locales. logical drive An allocation of disk space on a hard drive, using a drive letter. For example, a 5GB hard drive could be partitioned into two logical drives: a C: drive, which might be 2GB, and a D: drive, which might be 3GB. Logical Drives A Windows 2000 utility used to manage the logical drives on the computer. logical port A port that connects a device directly to the network. Logical ports are used with printers by installing a network card in the printers. logical printer The software interface between the physical printer (the print device) and the operating system. Also referred to as just a printer in Windows 2000 terminology.

logoff The process of closing an open session with a Windows 2000 computer or network. logon The process of opening a session with a Windows 2000 computer or a network by providing a valid authentication consisting of a user account name and a password. After logon, network resources are available to the user according to the user’s assigned permissions. logon script A command file that automates the logon process by performing utility functions such as attaching to additional server resources or automatically running different programs based on the user account that established the logon.

M MAC (media access control) address The physical address that identifies a computer. Ethernet and Token Ring cards have the MAC address assigned through a chip on the network card. MAKEBT32.EXE The 32-bit command used to create Windows 2000 Server Setup Boot Disks. mandatory profile A user profile created by an administrator and saved with a special extension (.man) so that the user cannot modify the profile in any way. Mandatory profiles can be assigned to a single user or a group of users. mapped drive A shared network folder associated with a drive letter. Mapped drives appear to users as local connections on their computers and can be accessed through a drive letter using My Computer. Master Boot Record (MBR) A record used in the Windows 2000 boot sequence to point to the active partition, which is the partition that should be used to boot the operating system. This is normally the C: drive. Once the MBR locates the active partition, the boot sector is loaded into memory and executed. MB MBR

See megabyte. See Master Boot Record.

megabyte A computer storage measurement equal to 1,024 kilobytes. member server A Windows 2000 server that has been installed as a non-domain controller. This allows the server to operate as a file, print, and application server without the overhead of account administration.


www.sybex.com

Glossary

memory Any device capable of storing information. This term is usually used to indicate volatile randomaccess memory (RAM) capable of high-speed access to any portion of the memory space, but incapable of storing information without power. Microsoft Management Console (MMC) The Windows 2000 console framework for management applications. The MMC provides a common environment for snap-ins. mirrored volume A volume set that consists of copies of two simple volumes stored on two separate physical partitions. A mirrored volume set contains a primary drive and a secondary drive. The data written to the primary drive is mirrored to the secondary drive. Mirrored volumes provide fault tolerance, because if one drive in the mirrored volume fails, the other drive still works without any interruption in service or loss of data. MMC

See Microsoft Management Console.

multi-booting The process of allowing a computer to boot multiple operating systems. multilink A PPP option that allows several physical connections to an RAS server to be combined into a single logical connection.

641

NET USE A command-line utility used to map network drives. NetWare A popular network operating system developed by Novell in the early 1980s. NetWare is a cooperative, multitasking, highly optimized, dedicated-server network operating system that has client support for most major operating systems. Recent versions of NetWare include graphical client tools for management from client stations. At one time, NetWare accounted for more than 70 percent of the network operating system market. network adapter The hardware used to connect computers (or other devices) to the network. Network adapters function at the Physical layer and the Data Link layer of the OSI model. Network Basic Input/Output System (NetBIOS) A client/server IPC service developed by IBM in the early 1980s. NetBIOS presents a relatively primitive mechanism for communication in client/server applications, but its widespread acceptance and availability across most operating systems make it a logical choice for simple network applications. Many of the network IPC mechanisms in Windows 2000 are implemented over NetBIOS.

mutual authentication The type of authentication used with Kerberos version 5. With mutual authentication, the user is authenticated to the service and the service is authenticated to the user.

Network Basic Input/Output System (NetBIOS) name A computer identification method used prior to Windows 2000 for Windows clients to communicate with other computers on the network. WINS servers are used to resolve NetBIOS computer names to IP addresses.

My Network Places The folder that provides access to shared resources, such as local network resources and Web resources.

Network group A Windows 2000 special group that includes the users who access a computer’s resources over a network connection.

N

Network News Transfer Protocol (NNTP) An Internet protocol used to provide newsgroup services between NNTP servers and NNTP clients.

NetBEUI

See NetBIOS Extended User Interface.

NetBIOS

See Network Basic Input/Output System.

NetBIOS Extended User Interface (NetBEUI) A simple Network layer transport protocol developed to support NetBIOS installations. NetBEUI is not routable, and so it is not appropriate for larger networks. NetBEUI is the fastest transport protocol available for Windows 2000.

network printer A printer that is available to local and network users. A network printer can use a physical port or a logical port. New Technology File System (NTFS) A secure, transaction-oriented file system developed for Windows NT and Windows 2000. NTFS offers features such as local security on files and folders, data compression, disk quotas, and data encryption.


www.sybex.com

642

Glossary

NNTP

See Network News Transfer Protocol.

normal backup A backup type that backs up all selected folders and files and then marks each file that has been backed up as archived. NTBOOTDD.SYS A file accessed in the Windows 2000 boot sequence. NTBOOTDD.SYS is an optional file (the SCSI driver) that is used when the computer has a SCSI adapter with the on-board BIOS disabled. NTDETECT.COM A file accessed in the Windows 2000 boot sequence. NTDETECT.COM is used to detect any hardware that is installed and add information about the hardware to the Registry. NTFS

See New Technology File System.

NTFS permissions Permissions used to control access to NTFS folders and files. Access is configured by allowing or denying NTFS permissions to users and groups. NTLDR A file used to control the Windows 2000 boot process until control is passed to the NTOSKRNL.EXE file. NTOSKRNL.EXE A file accessed in the Windows 2000 boot sequence. NTOSKRNL.EXE is used to load the kernel. NTUSER.DAT The file that is created for a user profile. NTUSER.MAN datory profile.

The file that is created for a man-

NWLINK IPX/SPX/NetBIOS Compatible Transport Microsoft’s implementation of the Novell IPX/SPX protocol stack.

O OEM branding Configuring a logo or background to display original equipment manufacturer (OEM) information. OEM branding is an option offered by the Setup Manager during answer file creation. Open Systems Interconnection (OSI) model A reference model for network component interoperability developed by the International Standards Organization (ISO) to promote cross-vendor compatibility of hardware and software network systems. The OSI model splits the process of networking into seven distinct services, or layers. From top to bottom, the layers are Application, Presentation, Session, Transport, Network, Data Link, and Physical.

Each layer uses the services of the layer below to provide its service to the layer above. optimization Any effort to reduce the workload on a hardware component by eliminating, obviating, or reducing the amount of work required of the hardware component through any means. For instance, file caching is an optimization that reduces the workload of a hard disk drive. organizational unit (OU) An Active Directory object that contains other objects. Each domain can consist of multiple OUs, logically organized in a hierarchical structure. OUs may contain users, groups, security policies, computers, printers, file shares, and other Active Directory objects. OSI model See Open Systems Interconnection model. OU

See organizational unit.

outbound connections Connections that allow users to dial out to external resources through an RAS server. owner The user associated with an NTFS file or folder who is able to control access and grant permissions to other users.

P page file Logical memory that exists on the hard drive. If a system is experiencing excessive paging (swapping between the page file and physical RAM), it needs more memory. partition A section of a hard disk that can contain an independent file system volume. Partitions can be used to keep multiple operating systems and file systems on the same hard disk. password policies Windows 2000 policies used to enforce security requirements on the computer. Password policies are set on a per-computer basis, and they cannot be configured for specific users. Password policies are set through account policies. PB

See petabyte.

PCI

See Peripheral Connection Interface.

Per Seat licensing A Windows 2000 Server licensing option that specifies that each client will be licensed separately and that each client can access as many servers as it needs to.


www.sybex.com

Glossary

Per Server licensing A Windows 2000 Server licensing option that specifies the concurrent number of network connections that can be made to a server. Performance Logs and Alerts A Windows 2000 utility used to log performance-related data and generate alerts based on performance-related data. Peripheral Connection Interface (PCI) A highspeed, 32/64-bit bus interface developed by Intel and widely accepted as the successor to the 16-bit ISA interface. PCI devices support input/output (I/O) throughput about 40 times faster than the ISA bus. permissions Security constructs used to regulate access to resources by username or group affiliation. Permissions can be assigned by administrators to allow any level of access, such as read-only, read/ write, or delete, by controlling the ability of users to initiate object services. Security is implemented by checking the user’s security identifier (SID) against each object’s access control list (ACL). petabyte A computer storage measurement that is equal to 1,024 terabytes. physical port A serial (COM) or parallel (LPT) port that connects a device such as a printer directly to a computer. PING A command used to send an Internet Control Message Protocol (ICMP) echo request and echo reply to verify that a remote computer is available. Plug and Play A technology that uses a combination of hardware and software to allow the operating system to automatically recognize and configure new hardware without any user intervention. Point-to-Point Protocol (PPP) A remote access protocol used with Windows 2000. PPP supports framing and authentication protocols. PPP is used to negotiate configuration parameters for local access protocols such as TCP/IP, IPX, and NetBEUI. policies General controls that enhance the security of an operating environment. In Windows 2000, policies affect restrictions on password use and rights assignments, and determine which events will be recorded in the Security log. POST

643

Power On Self Test (POST) A part of the Windows 2000 boot sequence. The POST detects the computer’s processor, how much memory is present, what hardware is recognized, and whether or not the BIOS is standard or has Plug-and-Play capabilities. Power Users group A Windows 2000 built-in group that has fewer rights than the Administrators group, but more rights than the Users group. Members of the Power Users group can perform tasks such as creating local users and groups and modifying the users and groups that they have created. PPP

See Point-to-Point Protocol.

Pre-Boot Execution Environment (PXE) A technology that allows a client computer to remotely boot and connect to a Remote Installation Service (RIS) server. primary partition A part of basic storage on a disk. The primary partition is the first partition created on a hard drive. The primary partition uses all of the space that is allocated to the partition. This partition is usually marked as active and is the partition that is used to boot the computer. print device The actual physical printer or hardware device that generates printed output. print driver The specific software that understands a print device. Each print device has an associated print driver. print processor The process that determines whether or not a print job needs further processing once that job has been sent to the print spooler. The processing (also called rendering) is used to format the print job so that it can print correctly at the print device. print queue A directory or folder on the print server that stores the print jobs until they can be printed. Also called a printer spooler. print server The computer on which the printer has been defined. When a user sends a print job to a network printer, it goes to the print server first. print spooler A directory or folder on the print server that stores the print jobs until they can be printed. Also called a print queue.

See Power On Self Test.


www.sybex.com

644

Glossary

printer In Windows 2000 terminology, the software interface between the physical printer (called the print device) and the operating system. printer pool A configuration that allows one printer to be used for multiple print devices. A printer pool can be used when multiple printers use the same print driver (and are normally in the same location). With a printer pool, users can send their print jobs to the first available printer. priority A level of execution importance assigned to a thread. In combination with other factors, the priority level determines how often that thread will get computer time according to a scheduling algorithm. process A running program containing one or more threads. A process encapsulates the protected memory and environment for its threads. process throttling A method for limiting the percentage of CPU processing that can be used by a Web site. processor A circuit designed to automatically perform lists of logical and arithmetic operations. Unlike microprocessors, processors may be designed from discrete components rather than be a monolithic integrated circuit. processor affinity The association of a processor with specific processes that are running on the computer. Processor affinity is used to configure multiple processors. protocol An established rule of communication adhered to by the parties operating under it. Protocols provide a context in which to interpret communicated information. Computer protocols are rules used by communicating devices and software services to format data in a way that all participants understand. PXE

See Pre-Boot Execution Environment.

RAS

See Remote Access Service.

RDP

See Remote Desktop Protocol.

real-time application A process that must respond to external events at least as fast as those events can occur. Real-time threads must run at very high priorities to ensure their ability to respond in real time. Recovery Console A Windows 2000 option for recovering from a failed system. The Recovery Console starts Windows 2000 without the graphical interface and allows the administrator limited capabilities, such as adding or replacing files and enabling and disabling services REGEDIT A Windows program used to edit the Registry. It does not support full editing, as does the REGEDT32 program, but it has better search capabilities than REGEDT32. REGEDT32 The primary utility for editing the Windows 2000 Registry. Regional Options A Control Panel utility used to enable and configure multilingual editing and viewing on a localized version of Windows 2000. Registry A database of settings required and maintained by Windows 2000 and its components. The Registry contains all of the configuration information used by the computer. It is stored as a hierarchical structure and is made up of keys, hives, and value entries. remote access policy A policy that specifies who is authorized to access an RAS server.

R RADIUS server See Remote Authentication Dial-In User Service server. RAID-5 volume A volume set that stripes the data over multiple disk channels. RAID-5 volumes place a parity stripe across the volume. RAID-5 volumes are fault tolerant. RAM

random-access memory (RAM) Integrated circuits that store digital bits in massive arrays of logical gates or capacitors. RAM is the primary memory store for modern computers, storing all running software processes and contextual data.

See random-access memory.

Remote Access Service (RAS) A service that allows network connections to be established over a modem connection, an ISDN connection, or a null-modem cable. The computer initiating the connection is called the RAS client; the answering computer is called the RAS server. Remote Access Service (RAS) server A Windows 2000 Server computer that is running the Routing and


www.sybex.com

Glossary

Remote Access service. An RAS server authenticates and services requests from remote clients to connect to the network. remote administration mode A Terminal Services mode that allows administrators to perform administrative tasks from virtually any client on the network. Remote Authentication Dial-In User Service (RADIUS) server A server that stores a central authentication database and allows administrators to manage RAS servers from a single location. remote control A feature used with Terminal Services to allow administrators to view or control a user’s session from another session. Remote Desktop Protocol (RDP) The protocol used with Terminal Services to allow Terminal Services clients to connect to the Terminal Services server. The Terminal Services server sends and receives commands to and from the client by using RDP. remote installation Installation of Windows 2000 performed remotely through Remote Installation Services (RIS). Remote Installation Preparation (RIPrep) image A type of image configured on a Remote Installation Services (RIS) server. An RIPrep image can contain the Windows 2000 operating system and applications. This type of image is based on a preconfigured computer. Remote Installation Services (RIS) A Windows 2000 technology that allows the remote installation of Windows 2000. An RIS server installs Windows 2000 on RIS clients. The RIS server can be configured with a CD-based image or a Remote Installation Preparation (RIPrep) image. Removable Storage A Windows 2000 utility used to track information on removable storage media, which include CDs, DVDs, tapes, and jukeboxes containing optical discs. rendering The process that determines whether or not a print job needs further processing once that job has been sent to the spooler. The processing is used to format the print job so that it can print correctly at the print device.

645

replica A folder within a replica set. Replica sets consist of one or more shared folders that participate in replication, for example through the Distributed file system (Dfs). Replicator group A Windows 2000 built-in group that supports directory replication, which is a feature used by domain controllers. Only domain user accounts that will be used to start the replication service should be assigned to this group. Requests for Comments (RFCs) The set of standards defining the Internet protocols as determined by the Internet Engineering Task Force and available in the public domain on the Internet. RFCs define the functions and services provided by each of the many Internet protocols. Compliance with the RFCs guarantees cross-vendor compatibility. resource Any useful service, such as a shared folder or a printer. Restore Wizard A Wizard used to restore data. The Restore Wizard is accessed through the Windows 2000 Backup utility. RFC

See Request For Comments.

RIPrep image tion image. RIS

See Remote Installation Prepara-

See Remote Installation Services.

roaming profile A user profile that is stored and configured to be downloaded from a server. Roaming profiles allow users to access their profiles from any location on the network. root share In the context of the Distributed file system (Dfs), a share used to replicate the Dfs root. Root shares are created on other member servers in a domain. router A Network layer device that moves packets between networks. Routers provide internetwork connectivity. Routing and Remote Access service A Windows 2000 Server service that allows an RAS server to connect mobile users to the network.


www.sybex.com

646

Glossary

S Safe Mode A Windows 2000 Advanced Options menu item that loads the absolute minimum of services and drivers that are needed to start Windows 2000. The drivers that are loaded with Safe Mode include basic files and drivers for the mouse (unless a serial mouse is attached to the computer), monitor, keyboard, hard drive, standard video driver, and default system services. Safe Mode is considered a diagnostic mode. It does not include networking capabilities. Safe Mode with Command Prompt A Windows 2000 Advanced Options menu item that starts Windows 2000 in Safe Mode, but instead of loading the graphical interface, it loads a command prompt.

security option policies Policies used to configure security for the computer. Security option policies apply to computers rather than to users or groups. These policies are set through Local Computer Policy or Domain Controllers Policy. separator page A page used at the beginning of each document to identify the user who submitted the print job. When users share a printer, separator pages can be useful for distributing print jobs. serial A method of communication that transfers data across a medium one bit at a time, usually adding stop, start, and check bits. service A process dedicated to implementing a specific function for another process. Most Windows 2000 components are services used by user-level applications.

Safe Mode with Networking A Windows 2000 Advanced Options menu item that starts Windows 2000 in Safe Mode, but it adds networking features.

Service group A Windows 2000 special group that includes users who log on as a user account that is only used to run a service.

See Small Computer Systems Interface.

service pack An update to the Windows 2000 operating system that includes bug fixes and enhancements.

SCSI

security The measures taken to secure a system against accidental or intentional loss, usually in the form of accountability procedures and use restriction, for example through NTFS permissions and share permissions. Security Configuration and Analysis tool A Windows 2000 utility that is used to analyze and to help configure a computer’s local security settings. Security Configuration and Analysis works by comparing the computer’s actual security configuration to a security template configured with the desired settings. security group A type of group that can be created on a Windows 2000 domain controller in the Active Directory. A security group is a logical group of users who need to access specific resources. Security groups are used to assign permissions to resources.

session In the context of Terminal Services, a connection between a Terminal Services client and a Terminal Services server. Users log on through any client on the network and can see only their individual session. Services A Windows 2000 utility used to manage the services installed on the computer. Setup Manager (Setupmgr) A Windows 2000 utility used to create automated installation scripts or unattended answer files. Setupmgr

See Setup Manager.

share A resource such as a folder or printer shared over a network.

security identifier (SID) A unique code that identifies a specific user or group to the Windows 2000 security system. SIDs contain a complete set of permissions for that user or group.

share permissions Permissions used to control access to shared folders. Share permissions can only be applied to folders, as opposed to NTFS permissions, which are more complex and can be applied to folders and files.

Security log A log that tracks events that are related to Windows 2000 auditing. The Security log can be viewed through the Event Viewer utility.

shared folder A folder on a Windows 2000 computer that network users can access. Shared Folders A Windows 2000 utility for managing shared folders on the computer.


www.sybex.com

Glossary

SID

See security identifier.

Simple Mail Transfer Protocol (SMTP) An Internet protocol for transferring mail between Internet hosts. SMTP is often used to upload mail directly from the client to an intermediate host, but can only be used to receive mail by computers connected to the Internet. simple volume A dynamic disk volume that contains space from a single disk. The space from the single drive can be contiguous or noncontiguous. Simple volumes are used when the computer has enough disk space on a single drive to hold an entire volume. slipstream technology A Windows 2000 technology for service packs. With slipstream technology, service packs are applied once, and they are not overwritten as new services are added to the computer. Small Computer Systems Interface (SCSI) A high-speed, parallel-bus interface that connects hard disk drives, CD-ROM drives, tape drives, and many other peripherals to a computer. SCSI is the mass-storage connection standard among all computers except IBM-compatible computers, which use SCSI or IDE. SMTP

See Simple Mail Transfer Protocol.

snap-in An administrative tool developed by Microsoft or a third-party vendor that can be added to the Microsoft Management Console (MMC) in Windows 2000. spanned volume A dynamic disk volume that consists of disk space on 2 to 32 dynamic drives. Spanned volume sets are used to dynamically increase the size of a dynamic volume. With spanned volumes, the data is written sequentially, filling space on one physical drive before writing to space on the next physical drive in the spanned volume set. special group A group used by the system, in which membership is automatic if certain criteria are met. Administrators cannot manage special groups. spooler A service that buffers output to a lowspeed device such as a printer, so the software outputting to the device is not tied up waiting for the device to be ready. stand-alone Dfs root In the Distributed file system (Dfs), a type of Dfs root that does not use the Active Directory or support automatic replication.

647

stripe set A single volume created across multiple hard disk drives and accessed in parallel for the purpose of optimizing disk-access time. NTFS can create stripe sets. striped volume A dynamic disk volume that stores data in equal stripes between 2 to 32 dynamic drives. Typically, administrators use striped volumes when they want to combine the space of several physical drives into a single logical volume and increase disk performance. subnet mask A number mathematically applied to IP addresses to determine which IP addresses are a part of the same subnetwork as the computer applying the subnet mask. Success Audit event An Event Viewer event that indicates the occurrence of an event that has been audited for success, such as a successful logon. Sysprep

See System Preparation Tool.

System group A Windows 2000 special group that contains system processes that access specific functions as a user. System Information A Windows 2000 utility used to collect and display information about the computer’s current configuration. System log A log that tracks events that relate to the Windows 2000 operating system. The System log can be viewed through the Event Viewer utility. System Monitor A Windows 2000 utility used to monitor real-time system activity or view data from a log file. system partition The active partition on an Intelbased computer that contains the hardware-specific files used to load the Windows 2000 operating system. system policies Policies used to control what a user can do and the user’s environment. System policies are mainly used for backward compatibility with Windows NT 4. System Policy Editor A Windows 2000 utility used to create system policies. System Preparation Tool (Sysprep) A Windows 2000 utility used to prepare a disk image for disk duplication.


www.sybex.com

648

Glossary

System Tools A Computer Management utility grouping that provides access to utilities for managing common system functions. The System Tools utility includes the Event Viewer, System Information, Performance Logs and Alerts, Shared Folders, Device Manager, and Local Users and Groups utilities.

T Task Manager A Windows 2000 utility that can be used to start, end, or prioritize applications. The Task Manager shows the applications and processes that are currently running on the computer, as well as CPU and memory usage information. TB TCP

See terabyte. See Transmission Control Protocol.

TCP/IP See Transmission Control Protocol/ Internet Protocol. TCP/IP port A logical port, used when a printer is attached to the network by installing a network card in the printer. Configuring a TCP/IP port requires the IP address of the network printer to connect to. terabyte (TB) A computer storage measurement that equals 1,024 gigabytes. Terminal Server User group A Windows 2000 special group that includes users who log on through Terminal Services. Terminal Services A Windows 2000 Server service that allows thin clients to connect to a Terminal Services server and access many Windows 2000 features. In Terminal Services application server mode, clients can access the Windows 2000 Desktop environment and run applications. In Terminal Services remote administration mode, administrators can perform server administrative tasks remotely from a client. Terminal Services client A client that uses thin-client technology to deliver the Windows 2000 Server Desktop to the user. The client only needs to establish a connection with the server and display the graphical user interface information that the server sends. This process requires very little overhead on the client’s part, and it can be run on older machines that would not otherwise be able to use Windows 2000. Terminal Services Client Creator A Windows 2000 Server utility used to create 32-bit and 16-bit

Terminal Services client software diskettes for use with client machines. Terminal Services Configuration A Windows Server utility used to change the properties of the RDP-TCP connection that is created when Terminal Services is installed and to add new connections. Terminal Services Manager A Windows 2000 Server utility used to manage and monitor users, sessions, and processes that are connected to or running on any Terminal Services server on the network. Terminal Services server A server that has Terminal Services installed. The Terminal Services server controls all of the Terminal Services clients that are connected to it. All Terminal Services operations take place on the Terminal Services server. thin client A client that has minimal requirements. With Terminal Services, a thin client can be run on a variety of machines, including older computers and terminals that would not otherwise be able to run Windows 2000. thread A list of instructions running in a computer to perform a certain task. Each thread runs in the context of a process, which embodies the protected memory space and the environment of the threads. Multithreaded processes can perform more than one task at the same time. Transmission Control Protocol (TCP) A Transport layer protocol that implements guaranteed packet delivery using the IP protocol. Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of Internet protocols upon which the global Internet is based. TCP/IP is a general term that can refer either to the TCP and IP protocols used together or to the complete set of Internet protocols. TCP/IP is the default protocol for Windows 2000. TSInternetUser A special domain user account that is used by Terminal Services.

U unattended installation A method of installing Windows 2000 remotely with little or no user intervention. Unattended installation uses a distribution server to install Windows 2000 on a target computer. UNC

See Universal Naming Convention.


www.sybex.com

Glossary

Uniform Resource Locator (URL) An Internet standard naming convention for identifying resources available via various TCP/IP application protocols. For example, http://www.microsoft.com is the URL for Microsoft’s World Wide Web server site. A URL allows easy hypertext references to a particular resource from within a document or mail message. universal group A scope for a group on a Windows 2000 domain controller. A universal group is used to logically organize users and appear in the global catalog (a special listing that contains limited information about every object in the Active Directory). Universal groups can contain users from anywhere in the domain tree or domain forest, other universal groups, and global groups. Universal Naming Convention (UNC) A multivendor, multiplatform convention for identifying shared resources on a network. UNC names follow the naming convention \\computername\sharename. Universal Serial Bus (USB) An external bus standard that allows USB devices to be connected through a USB port. USB supports transfer rates up to 12Mbps. A single USB port can support up to 127 devices. upgrade A method for installing Windows 2000 that preserves existing settings and preferences when converting to the newer operating system. URL

See Uniform Resource Locator.

USB

See Universal Serial Bus.

user profile A profile that stores a user’s Desktop configuration and other preferences. A user profile can contain a user’s Desktop arrangement, program items, personal program groups, network and printer connections, screen colors, mouse settings, and other personal preferences. Administrators can create mandatory profiles, which cannot be changed by the users, and roaming profiles, which users can access from any computer they log on to. user rights policies Policies that control the rights that users and groups have to accomplish network tasks. User rights policies are set through Local Computer Policy or Domain Controllers Policy. username A user’s account name in a logonauthenticated system.

649

Users group A Windows 2000 built-in group that includes end users who should have very limited system access. After a clean install of Windows 2000, the default settings for this group prohibit users from compromising the operating system or program files. By default, all users who have been created on the computer, except Guest, are members of the Users group.

V video adapter The hardware device that outputs the display to the monitor. virtual memory A kernel service that stores memory pages not currently in use on a mass-storage device to free the memory occupied for other uses. Virtual memory hides the memory-swapping process from applications and higher-level services. virtual private network (VPN) A private network that uses links across private or public networks (such as the Internet). When data is sent over the remote link, it is encapsulated, encrypted, and requires authentication services. volume A storage area on a Windows 2000 dynamic disk. Dynamic volumes cannot contain partitions or logical drives. Windows 2000 Server dynamic storage supports five dynamic volume types: simple volumes, spanned volumes, striped volumes, RAID-5 volumes, and mirrored volumes. Dynamic volumes are accessible only to Windows 2000 systems. VPN

See virtual private network.

W Warning event An Event Viewer event that indicates that you should be concerned with the event. The event may not be critical in nature, but it is significant and may be indicative of future errors. Web browser An application that makes HTTP requests and formats the resultant HTML documents for the users. Most Web browsers understand all standard Internet protocols. Win16 The set of application services provided by the 16-bit versions of Microsoft Windows: Windows 3.1 and Windows for Workgroups 3.11.


www.sybex.com

650

Glossary

Win32 The set of application services provided by the 32-bit versions of Microsoft Windows: Windows 95, Windows 98, Windows NT, and Windows 2000. Windows 9x The 32-bit Windows 95 and Windows 98 versions of Microsoft Windows for medium-range, Intelbased personal computers. This system includes peer networking services, Internet support, and strong support for older DOS applications and peripherals.

Windows 2000 Server Setup Boot Disks Floppy disks that can used to boot to the Windows 2000 operating system. With these disks, you can use the Recovery Console and the Emergency Repair Disk (ERD). Windows Internet Name Service (WINS) A network service for Microsoft networks that provides Windows computers with IP addresses for specified NetBIOS names, facilitating browsing and intercommunication over TCP/IP networks.

Windows 2000 Advanced Server The current version of the Windows server software designed for medium-size to large networks. It includes all of the features of Windows 2000 Server plus network load balancing, cluster services for application fault tolerance, support for up to 8GB of memory, and support for up to eight processors.

Windows NT The predecessor to Windows 2000 that is a 32-bit version of Microsoft Windows for powerful Intel, Alpha, PowerPC, or MIPS-based computers. This operating system includes peer networking services, server networking services, Internet client and server services, and a broad range of utilities.

Windows 2000 Backup The Windows 2000 utility used to run the Backup Wizard, run the Restore Wizard, and create an Emergency Repair Disk (ERD).

Windows Update A utility that connects the computer to Microsoft’s Web site and checks the files to make sure that they are the most up-to-date versions.

Windows 2000 boot disk A disk that can be used to boot to the Windows 2000 Server operating system in the event of a Windows 2000 Server boot failure.

WINS

Windows 2000 Datacenter Server The most powerful server in the Microsoft server family. This operating system is designed for large-scale enterprise networks. Windows 2000 Datacenter Server includes all of the features of Windows 2000 Advanced Server and adds more advanced clustering services, support for up to 64GB of memory, and support for up to 16 processors (OEM versions can support up to 32-way SMP). Windows 2000 Multilanguage Version The version of Windows 2000 that supports multiple-language user interfaces through a single copy of Windows 2000. Windows 2000 Professional The current version of the Windows operating system for high-end desktop environments. Windows 2000 Professional integrates the best features of Windows 98 and Windows NT Workstation 4, supports a wide range of hardware, makes the operating system easier to use, and reduces the cost of ownership. Windows 2000 Server The current version of the Windows server software designed for use in small to medium-sized networks. Windows 2000 Server can serve as a file and print server, an applications server, a Web server, and a communications server.

See Windows Internet Name Service.

WINS server The server that runs WINS and is used to resolve NetBIOS names to IP addresses. WMI Control A Windows 2000 utility that provides an interface for monitoring and controlling system resources. WMI stands for Windows Management Instrumentation. workgroup In Microsoft networks, a collection of related computers, such as those used in a department, that do not require the uniform security and coordination of a domain. Workgroups are characterized by decentralized management, as opposed to the centralized management that domains use. write-back caching A caching optimization wherein data written to the slow store is cached until the cache is full or until a subsequent write operation overwrites the cached data. Write-back caching can significantly reduce the write operations to a slow store because many write operations are subsequently obviated by new information. Data in the write-back cache is also available for subsequent reads. If something happens to prevent the cache from writing data to the slow store, the cache data will be lost. write-through caching A caching optimization wherein data written to a slow store is kept in a cache for subsequent rereading. Unlike write-back caching, writethrough caching immediately writes the data to the slow store and is therefore less optimal but more secure.


www.sybex.com

MCSE: Windows 2000 Migration Study Guide (Exam 70-222)

MCSE: Windows 2000 Migration Exam Notes

MCSE: Windows 2000 Server Study Guide Exam 70-215

MCSE: Windows 2000 Server Study Guide

MCSE Windows 2000 professional study guide

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: Windows 2000 Network Management Study Guide with CD-ROM

MCSE: Windows 2000 Web solutions design study guide

MCSE: Windows 2000 Network Infrastructure Design Study Guide

MCSE: Windows 2000 Directory Services Design Study Guide, 2nd Edition

MCSA MCSE: Windows 2000 Network Management Study Guide

MCSE: Windows 2000 Network Security Design Study Guide

MCSA-MCSE Windows 2000 network management study guide

MCSE: Windows 2000 Network Infrastructure Administration Study Guide (2nd edition)

MCSE: Windows 2000 Server Study Guide (2nd edition)

MCSE: Exchange 2000 Server administration: study guide

MCSE: SQL Server 2000 Design Study Guide

MCSE: Exchange 2000 Design Study Guide

MCSE SQL Server 2000 design study guide

MCSE: Exchange 2000 Server administration: study guide

McSe SQL Server 2000 Administration: Study Guide

MCSE: Windows Directory Services Administration Study Guide

MCSE: Windows 2000 Network Security Design Study Guide Exam 70-220 (With CD-ROM)

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE Windows 2000 Network Infrastructure Exam Cram 2

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Migration Study Guide (Exam 70-222)

MCSE: Windows 2000 Migration Exam Notes

MCSE: Windows 2000 Server Study Guide Exam 70-215

MCSE: Windows 2000 Server Study Guide

MCSE Windows 2000 professional study guide

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: Windows 2000 Network Management Study Guide with CD-ROM

MCSE: Windows 2000 Web solutions design study guide

MCSE: Windows 2000 Network Infrastructure Design Study Guide

MCSE: Windows 2000 Directory Services Design Study Guide, 2nd Edition

MCSA MCSE: Windows 2000 Network Management Study Guide

MCSE: Windows 2000 Network Security Design Study Guide

MCSA-MCSE Windows 2000 network management study guide

MCSE: Windows 2000 Network Infrastructure Administration Study Guide (2nd edition)

MCSE: Windows 2000 Server Study Guide (2nd edition)

MCSE: Exchange 2000 Server administration: study guide

MCSE: SQL Server 2000 Design Study Guide

MCSE: Exchange 2000 Design Study Guide

MCSE SQL Server 2000 design study guide

MCSE: Exchange 2000 Server administration: study guide

McSe SQL Server 2000 Administration: Study Guide

MCSE: Windows Directory Services Administration Study Guide

MCSE: Windows 2000 Network Security Design Study Guide Exam 70-220 (With CD-ROM)

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE Windows 2000 Network Infrastructure Exam Cram 2

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

Recommend Documents