Introduction
Document Conventions
Resource Kit Compact Disc
Resource Kit Support Policy
Part 1 Active Directory
Chapter 1 Active Directory Logical Structure
Active Directory Domain Hierarchy
Active Directory Domain Names
DNS Naming Conventions
NetBIOS Domain Names
Active Directory and DNS
DNS Hierarchy and Active Directory
DNS and the Internet
Active Directory and the Internet
DNS Host Names and Windows 2000 Computer Names
DNS Name Servers and Zones
Active Directory-Integrated DNS
Support for Dynamic Updates
Tree and Forest Structure
Tree: Implementation of a Domain Hierarchy and DNS Namespace
Forest: Implementation of All Trees
Forest Root Domain
Trust Relationships
Transitive and Nontransitive Trust
Direction of Trust
Authentication Protocols
Trust Path
Processing Authentication Referrals
Types of Trust Relationships
Trust Relationships Between Windows 2000 and Windows NT 4.0 Domains
Mixed-Environment Scenario
Active Directory Objects
Object Naming
Distinguished Name
Relative Distinguished Name
Naming Attributes
Object Identity and Uniqueness
Active Directory Name Formats
DNS-to-LDAP Distinguished Name Mapping
Logon Names
Domain Controllers
Multimaster Operations
Single-Master Operations
Global Catalog Servers
Global Catalog Attributes
Designating a Global Catalog
Global Catalog and Domain Logon Support
Search Requests and the Global Catalog
Organizational Units
Administrative Hierarchy
Group Policy
Delegation of Control
Object Security
Access Control
Delegation of Administration
Inheritance
Additional Resources
Chapter 2 Active Directory Data Storage
Active Directory Architecture
Active Directory and Windows 2000 Architecture
Security Subsystem Architecture
Directory Service Architecture
Directory System Agent
Database Layer
Protocols and Interfaces to Active Directory
LDAP
ADSI
Active Directory Replication
MAPI
SAM
Data Storage
Data Characteristics
Storage Limits
Object Size vs. Maximum Database Record Size
Garbage Collection
Database Defragmentation
Growth Estimates for Active Directory Users and Organizational Units
Directory Database Sizing Tests
Organizational Units
Adding Attributes
Windows 2000 SAM Storage
Mixed-Mode Storage Considerations
SAM Structure
SAM Accounts on a Windows 2000 Server That Becomes a Domain Controller
Migration of Windows NT .0 SAM Accounts to Active Directory Objects
Data Model
Container Objects and Leaf Objects
Directory Tree
RootDSE
Extended LDAP Controls
Attribute Range Option
Directory Partitions
Directory Partition Subtrees
Forest Root Domain
Configuration Directory Partition
Schema Directory Partition
Domain Directory Partitions
Directory Data Store
Linked Attributes
Searching on Back Links
Group Members from External Domains
Phantom Records
Database Write Operations
Log-based Recovery
Attribute Indexing
Object-Based Security
Security Identifiers
Security Descriptors
Default Object Security
Installing Active Directory
Active Directory Configurations
Installation Prerequisites and Verifications
Verify Unique Names
Verify That TCP/IP Is Installed
Verify That DNS Client Is Configured
Get and Validate the DNS Domain Name
Get and Validate the NetBIOS Name
Enter Administrative Password
Get Credentials for the User
Get and Verify File Paths
Configure Site
Directory Service Configuration
Configuring Directory Partitions
Setting Services to Start Automatically
Setting Security
Creating a New Domain
DNS Installation and Configuration
Operations That Occur Following Installation
Removing Active Directory
Administrative Credentials
Removal from an Additional Domain Controller or the Last Domain Controller
Removal of an Additional Domain Controller
Removal of the Last Domain Controller
Unattended Setup for Installation or Removal of Active Directory
Chapter 5 Conducting Your Windows 2000 Pilot
Overview of Conducting a Pilot
Pilot Process
Starting with Information Technology
Prerequisites for a Production Pilot
Creating a Pilot Plan
Scope and Objectives
Pilot Scope
Pilot Objectives
Pilot Users and Sites
Pilot Training Plan
Pilot Support Plan
Communication
Pilot Rollback Plan
Schedule
Preparing for the Pilot
Preparing Pilot Sites
Preparing Pilot Users
Establishing Early Communication
Keeping Participants Informed
Developing the Rollout Process
Deploying the Pilot
Evaluating the Pilot
Monitoring the Pilot
Obtaining Feedback
Planning Task List for Conducting a Pilot
Part 2 Network Infrastructure Prerequisites
Chapter 3 Preparing Your Network Infrastructure for Windows 2000
Documenting Your Current Environment
Hardware and Software Inventory
Network Infrastructure
Physical Network Diagram
Logical Network Diagram
Network Configuration
File, Print, and Web Servers
Line-of-Business Applications
Directory Services Architecture
Domain Administration Model
Security
Preparing Your Network Architecture
Preliminary Steps
Stabilizing Your Existing Network
Reviewing Your Network Protocols
Preparing Your Physical Infrastructure
Preparing Your Servers
Preparing Your Domain Controllers
Preparing Your Member Servers
Preparing Your Security Infrastructure
Preparing Your Clients
Windows 2000 Professional Upgrade Considerations
Preparing to Operate with Other Systems
Network Infrastructure Preparation Task List
Chapter 7 Determining Network Connectivity Strategies
Network Connectivity Overview
Sites
Remote Connectivity Methods
Internal Local Area Network Connectivity Within Sites
External Connectivity Within an Organization
Designing the Demilitarized Zone
Site Connectivity for an Organization
Remote Client Connectivity
Windows 2000 TCP/IP
New Features in the Windows 2000 TCP/IP Suite
Automatic Private IP Addressing Configuration
Large Window Support
Selective Acknowledgment
Improved Estimation of Round Trip Time
Planning Considerations for Microsoft TCP/IP
IP Address Classes
Subnet Masks and Custom Subnetting
TCP/IP and Windows Internet Name Service
WINS Design Considerations
Routing and Remote Access
New Features of Windows 2000 Routing and Remote Access Service
Remote Access Policy
Remote Access Design Considerations
VPN Security
Benefits of Virtual Private Networking
Point-to-Point Tunneling Protocol VPNs
L2TP over IPSec VPNs
L2TP Deployment Considerations
L2TP Examples
VPN Security with IPSec
Internet Authentication Service and Centralized Management
Multihoming
IP Routing Infrastructure
Static Routed Networks
RIP-for-IP Network Design
OSPF Network Design
IPX Routing Structure
IPX Network Design
AppleTalk Routing Structure
Multicast Support
Network Address Translation
Windows 2000 DHCP
Benefits of Using DHCP
New Features of Windows 2000 DHCP
Enhanced Server Reporting
Additional Scope Support
DHCP and DNS Integration
Unauthorized DHCP Server Detection
Dynamic Support for Bootstrap Protocol Clients
Read-Only Console Access to the DHCP Manager
Designing DHCP Into Your Network
Network Infrastructure Size
Windows 2000 Asynchronous Transfer Mode
Benefits of Using Windows 2000 ATM
Features of Windows 2000 ATM
ATM User Network Interface Call Manager
Updated NDIS and ATM Hardware Support
ATM LAN Emulation
IP/ATM
Multicast and Address Resolution Service
PPP/ATM
ATM Design Considerations
Quality of Service
Planning Task List for Networking Strategies
Chapter 8 Using Systems Management Server to Analyze Your Network Infrastructure
Analyzing Your Network Infrastructure
Using Systems Management Server
How Systems Management Server Can Expedite Windows 2000 Deployment
Systems Management Server 1. Differences
Collecting Inventory
Assessing the Current State of Your Hardware
Hardware Capacity
Hardware Compatibility
Using Systems Management Server Hardware Inventory
Assessing the Current State of Your Software
Using Inventory to Prepare Your Network Infrastructure
Reporting the Collected Data
Sample Systems Management Server Report of Windows 2000 Readiness
Using the Product Compliance Subsystem
Analyzing and Using the Collected Data
Monitoring Your Network
Ensuring Application Compatibility
Network Analysis Planning Task List
Additional Resources
Part 3 Active Directory Infrastructure
Chapter 9 Designing the Active Directory Structure
Overview of Active Directory
Primary Active Directory Features
Providing a Foundation for New Technologies
Planning for Active Directory
General Design Principles
Composing Your Active Directory Structure Plans
Creating a Forest Plan
Forest Planning Process
Determining the Number of Forests for Your Network
Creating a Single Forest Environment
Creating a Multiple-Forest Environment
Incremental Costs for an Additional Forest
Creating a Forest Change Control Policy
Schema Change Policy
Configuration Change Policy
Changing the Forest Plan After Deployment
Creating a Domain Plan
Domain Planning Process
Determining the Number of Domains in Each Forest
How Creating Domains Has Changed
When to Create More Than One Domain
Incremental Costs for an Additional Domain
Choosing a Forest Root Domain
Assigning DNS Names to Create a Domain Hierarchy
Arranging Domains into Trees
Domain Naming Recommendations
Domain Names and Computer Names
Planning DNS Server Deployment
Authority and Delegation in DNS
Domain Controller Locator System
DNS Server Requirements
Locate Authoritative Servers
Optimizing Authentication with Shortcut Trust Relationships
Planning Domain Upgrade
Determining Supported Upgrade Paths
Examining the Existing Domain Structure
Developing a Recovery Plan
Managing the Transition to the Windows 2000 Forest
Considering the Upgrade of Resource Domains
Determining a Strategy for Upgrading Domain Controllers
Windows 2000 Domain Modes
Upgrading the Windows NT PDC
PDC Emulation in Windows 2000
Access Control Components
Determining the Order for Upgrading Domains
Guidelines for Upgrading Account Domains
Guidelines for Upgrading Resource Domains
Child Domains and Trusts
Determining When to Move to Native Mode
Reasons for Continuing in Mixed Mode
Reasons for Moving to Native Mode
Examining Windows 2000 Groups
Local Groups
Domain Local Groups
Global Groups
Universal Groups
Nesting Groups
Group Membership Expansion
Effects of Upgrade on Groups
Using NetBIOS with Windows 2000
Transitioning to File Replication Service
LAN Manager Replication Service Process
The FRS Process
Maintaining LAN Manager Replication Service in a Mixed Environment
Using Routing and Remote Access Service in a Mixed Environment
Planning Domain Restructure
Determining the Reasons to Restructure Domains
Determining When to Restructure Domains
Examining the Implications of Restructuring Domains
Moving Security Principals
Moving Users and Global Groups
Moving Profiles and SIDhistory
Moving Computers
Moving Member Servers
Establishing Trusts
Cloning Security Principals
Domain Restructure Scenarios
Scenario #2: Migrating Users Incrementally from Windows NT to Windows 2000
Scenario #: Consolidating a Resource Domain into an OU
Domain Migration Tools
ClonePrincipal
Netdom
Migration Planning Task List
Chapter 11 Planning Distributed Security
Developing a Network Security Plan
Security Risks
Security Concepts
Security Model
Domain Model
Trust Management
Security Policy
Security Configuration and Analysis
Symmetric Key Encryption
Public Key Encryption
Authentication
Single Sign-On
Two-Factor Authentication
Access Control
Data Integrity
Data Confidentiality
Nonrepudiation
Code Authentication
Audit Logs
Physical Security
User Education
Distributed Security Strategies
Authenticating All User Access
Planning Considerations
Kerberos Authentication and Trust
How Kerberos Authentication Works
Implementing Kerberos Authentication
Considerations about Kerberos Security
Smart Card Logon
How Smart Cards Work
Prerequisites for Implementing Smart Cards
How to Implement Smart Cards
Considerations about Smart Cards
Remote Access
How Remote Access Works
Remote Access Policies
How to Enable Remote Access
Considerations About Remote Access
Applying Access Control
Access Control Lists
How ACLs Work
Prerequisites for Implementing ACLs
How to Implement ACLs
Security Groups
How Security Groups Work
Security Group Types
Default Permissions of Security Groups
Prerequisites for Implementing Security Groups
Implementing Security Groups
Considerations About Security Groups
Establishing Trust Relationships
Domain Trust
How Trust Relationships Work
Prerequisites for Implementing Trusts
How to Implement Trusts
Considerations About Trusts
Enabling Data Protection
Encrypting File System
How EFS Works
Prerequisites for Implementing EFS
How to Implement EFS
Considerations About EFS
IP Security
How IPSec Works
Prerequisites for Implementing IPSec
How to Implement IPSec
Considerations for IPSec
Setting Uniform Security Policies
Group Policy
How Group Policy Works
Prerequisites for Implementing Group Policy
How to Implement Group Policy
Considerations About Group Policy
Group Policy Security Settings
Account Policies
Local Computer Policies
Event Log Policies
Restricted Groups Policies
Systems Services Policies
Registry Policies
File System Policies
Public Key Policies
IP Security Policies on Active Directory
Security Templates
How Security Templates Work
Prerequisites for Implementing Security Templates
How to Implement Security Templates
Considerations About Security Templates
Deploying Secure Applications
Authenticode and Software Signing
How Authenticode Works
Implementing Authenticode Screening
Considerations for Authenticode and Software Signing
Secure E-mail
How Secure E-mail Works
Considerations for Secure E-mail
Secure Web Sites and Communications
Considerations for Secure Web Sites
Managing Administration
Delegation
Security Groups, Group Policy, and Access Control Lists
Built-in Security Groups
Delegation of Control Wizard
Delegate Administration Wizard
Delegating Control of Group Policy Objects
Auditing
How Auditing Works
Prerequisites for Implementing the Audit Function
How to Implement the Audit Function
Considerations About Auditing
Planning Task List for Distributed Security
Chapter 12 Planning Your Public Key Infrastructure
Overview of Public Key Infrastructure
How PKI Works
Prerequisites for Implementing PKI
How to Implement PKI
Creating a Local Certification Authority
Managing Your Certificates
Using the Certificate Services Web Pages
Setting Public Key Policies in Group Policy Objects
Building Your Public Key Infrastructure
Designing Your Public Key Infrastructure
Identify Your Certificate Requirements
Basic Security Requirements for Certificates
Determining Which Certificate Types to Issue
Define Certificate Policies and Certification Authority Practices
Certificate Policies
Certificate Practices Statements (CPS)
Define Certification Authority Trust Strategies
Benefits of Certification Authority Trust Hierarchies
Benefits of Certificate Trust Lists
Additional Considerations for Certification Authority Trust Strategies
Define Security Requirements for Certification Authorities
Define Certificate Life Cycles
Define Certificate Enrollment and Renewal Processes
Define Certificate Revocation Policies
Policies for Revoking Certificates
Policies for Certificate Revocation Lists
Define Maintenance Strategies
Developing Recovery Plans
Failed Certification Authority
Compromised Certification Authority
Developing Optional Custom Applications
Performing Resource Planning
Deploying Your Public Key Infrastructure
Schedule Production Rollout in Stages
Install Certification Authorities
Install and Configure Supporting Systems and Applications
Configure Certificates to Be Issued
Examples of Configurations
Security Access Control Lists for Certificate Templates
Configure Certificate Revocation List Publication
Configure Public Key Group Policy
Configure Certificate Enrollment and Renewal
Start Issuing Certificates
Public Key Infrastructure Planning Task List
Part 4 Windows 2000 Upgrade and Installation
Chapter 13 Automating Server Installation and Upgrade
Determining Whether to Upgrade or Clean Install
Resolving Critical Planning Issues
Choosing Your Installation Method
Preparing for Installation
Creating Distribution Folders
Structuring the Distribution Folder
Installing Mass Storage Devices
Installing Hardware Abstraction Layers
Installing Plug and Play Devices
Converting File Name Size Using $$Rename.txt
Reviewing the Answer File
Creating the Answer File
Using the Answer File to Set Passwords
Extending Hard Disk Partitions
Using the Answer File with the Active Directory Installation Wizard
Reviewing the Windows 2000 Setup Commands
Winnt.exe
Automating the Installation of Server Applications
Using Cmdlines.txt
Using the [GuiRunOnce] Section of the Answer File
Using Application Installation Programs
Using a Batch File to Control How Multiple Applications Are Installed
Automating the Installation of Windows 2000 Server
New Options for Automated Installation
Automated Installation Methods
Using Syspart on Computers with Dissimilar Hardware
Using Sysprep to Duplicate Disks
Overview of the Sysprep Process
Sysprep Files
Running Sysprep Manually
Running Sysprep Automatically After Setup Completes
Using Sysprep to Extend Disk Partitions
Using Systems Management Server
Using a Bootable Compact Disc
Installation Configuration Examples
Existing Servers
Example 1: Windows NT Server with Windows 2000-Compatible Server Applications
Example : Computers Running Windows NT Server . or Earlier, or Servers Running Non-Microsoft Operating Systems
New Servers
Installation Planning Task List
Chapter 14 Using Systems Management Server to Deploy Windows 2000
Using Systems Management Server to Distribute Software
Software Distribution with Systems Management Server 2.0
SMS Packages
Distribution
Advertising
SMS Software Distribution Best Practices
How SMS Can Help with Windows 2000 Deployment
Packaging Windows 2000 for Systems Management Server
Preparing the Windows 2000 Server Upgrade Package
Allowing User Input During the Upgrade
Examining the Windows 2000 Server Package Definition
Preparing the Windows 2000 Professional Upgrade Package
Windows and Windows Upgrades
Windows NT Workstation Upgrade
Distributing the Windows 2000 Packages
Preparing to Distribute the Packages
Check the Status of Site Servers and Distribution Points
Ensure Each Site Has an Adequate Number of Distribution Points
Use Distribution Point Groups
Ensure Sender Controls Are in Place
Ensure Fan-out Distribution Will Work
Select a Test Site
Distributing the Packages to Sites and Distribution Points
Testing the Distribution
Expanding the Distribution
Distributing by Means of the Courier Sender
Monitoring the Distribution
System Status Subsystem
Reporting Package Distribution Status
Troubleshooting the Distributions
Advertising the Windows 2000 Packages
Selecting Computers to Upgrade
Preparing Clients to Receive the Advertisements
Advertising the Packages to Computers
Expanding Security on Distribution Points
Upgrading Computers
Executing the Advertisement at Each Computer
Status of the Upgrade at Each Computer
Monitoring the Advertisements
The System Status Subsystem
Reporting Advertisement Status
Troubleshooting Advertisements
Using Systems Management Server to Ease Domain Consolidation and Migration
Examining Differences Between Systems Management Server . and Systems Management Server 2.0
Planning Task List for Using Systems Management Server to Deploy Windows 2000
Additional Resources
Chapter 15 Upgrading and Installing Member Servers
Planning for Member Server Upgrade and Installation
Process for Installing or Upgrading to Windows 2000
Creating an Upgrade and Installation Plan
Create a Schedule
Scenario: Minimizing Network Downtime During Server Upgrade
Preparing Member Servers for Upgrade or New Installation
Inventory the Existing Hardware
Determine System Requirements
Determine the Compatibility and Reliability of Existing Software
Determine Third-Party Software Compliance
Perform Pre-installation Tasks
Performing an Upgrade or Installation
Pre-Upgrade Checklist
Upgrading Member Servers
Performing a New Installation
Determining Server Roles for Each Windows 2000 Server
File Servers
Macintosh Volumes
Novell NetWare Volumes
Test File Shares
Print Servers
Print Server Setup
Guidelines for Setting up a Network Printing Environment
Active Directory Integration with Windows 2000 Server Print Services
Testing Printer Shares
Application Servers
Component Services
Terminal Services
Database Server
Web Servers
Proxy Servers
Performing Post-Upgrade and Installation Tasks
Testing Network Connectivity
Tuning Network Servers
Tools for System Administration
Planning Task List for Member Servers
Chapter 16 Deploying Terminal Services
Overview of Terminal Services
Terminal Services Licensing Components
Microsoft Clearinghouse
License Server
Terminal Server
Client Licenses
Required Licenses
Optional Terminal Services Licenses
Third-Party Expansion
Creating Your Terminal Services Deployment Plan
Process for Deploying Terminal Services
Assembling the Terminal Services Team
Identifying Your Terminal Services Requirements
Scenario 1: Terminal Services Remote Administration
Scenario : Remote Access
Scenario : Line of Business Applications
Scenario : Central Desktop Deployment
Deployment Requirements
Preparing Your Computing Environment
Install License Server on Domain Controller
Access Over Wide Area Network
Access to Network Services
Connecting the Terminal Services Client and Server
Assessing the Current Environment
Considerations for Application Deployment
Planning EFS Implementation
Security Analysis
Best Practices
Recovery Policy
Policy Implementation
Policy Enforcement
Storage
Certificates
User Certificates
Recovery Agent Certificates
Administrative Procedures
Securing the Recovery Key
Assigning Recovery Agent Accounts
Configuring Recovery Agent Policy
Viewing Recovery Agent Information
Recovering a File or Folder
Disabling EFS for a Specific Set of Computers
Disabling EFS for a Specific Folder
Using the System Key
Printing EFS Files
Troubleshooting EFS
Chapter 16 Windows 2000 Certificate Services and Public Key Infrastructure
Benefits of the Public Key Infrastructure
Strong Security with Public Key Technology
Integration with Active Directory and Distributed Security Services
Major Components of the Public Key Infrastructure
Windows 2000 Certificate Services
Entry Module
Policy Modules
Certificate Templates
Certificate Database
Exit Modules
Certification Authority Console
Microsoft CryptoAPI and Cryptographic Service Providers
Hardware and Software Cryptographic Service Providers
Microsoft Cryptographic Service Providers
FIPS 140-1 Level 1 Certification
Base vs. Enhanced Cryptographic Service Providers
Smart Card Cryptographic Service Providers
Cryptography Export Restrictions
Certificate Stores
Features of the Public Key Infrastructure
Certificates Console
Certification Authority Trust Model
Certification Authority Hierarchies
Certification Path
Certificate Trust Lists
Certificate Validation Process
Benefits of Multiple-Level Certification Hierarchies
General Benefits
Administrative Benefits
Benefits of Multiple Issuing Certification Authorities
Windows 2000 Certification Authorities
Enterprise Certification Authorities
Stand-alone Certification Authorities
Certificate Life Cycle
Nested Validity Dates
Certificates Issued by Stand-alone Certification Authorities
Certificates Issued by Enterprise Certification Authorities
Certification Authorities Certificates
Example of a Certificate Life Cycle
General Considerations for Key Lifetimes
Certificate Enrollment and Renewal Methods
Manual Certificate Requests for Windows 2000-based Clients
Automatic Computer Certificate Enrollment and Renewal
Web Enrollment Support Pages
Custom Enrollment and Renewal Applications
Public Key Group Policy
Certificate Revocation Lists
Preinstalled Trusted Root Certificates
Smart Card Support
Certificate Mapping
Domain User Accounts
Internet Information Services
Roaming Profile Support
Certificate Services Deployment
Install Certification Authorities
Upgrading from Certificate Server 4.0
Creation of an Issuer Statement for the Certification Authority (Optional)
Installing Windows 2000 Certificate Services
Configure Certification Authorities
Installation of the Certification Authority Certificate
Configuration of Policy Module Settings
Configuration of Exit Module Settings
Scheduling Certificate Revocation List Publication
Configuration of Certificates to Be Issued
Modification of Security for a Certification Authority
Enabling Netscape-compatible Web-based Revocation Checking
Modify the Default Security Permissions for Certificate Templates (Optional)
Install and Configure Support Systems or Applications
Configure Public Key Group Policy
Automatic Certificate Enrollment
Root Certificate Trust
Certificate Trust Lists
EFS Recovery Agents
Install Web Enrollment Support on Another Computer (Optional)
Trusting the Computer for Delegation
Installing the Web Enrollment Support Pages
Configure Security for Web Enrollment Support Pages (Optional)
Integrate with Third-Party Certificate Services (Optional)
Ongoing Certificate Services Tasks
Using the Web Enrollment Support Pages
Choosing the Type of Certificate to Request
Submitting User Certificate Requests
Submitting Advanced Certificate Requests
Installing the Certificate After It Is Issued
Requesting Certificates with the Certificate Request Wizard
Viewing Information About Certificates
Exporting Certificates and Private Keys
Backing Up and Restoring Certification Authorities
Windows 2000 Backup and Restore
Certification Authority Console Backup and Restore
Backup Strategies
Restore Considerations
Revoking Certificates
Publishing Certificate Revocation Lists
Approving or Denying Certificate Requests
Renewing Certification Authorities
Recovering Encrypted Data
Recovery for Encrypting File System
Recovery for Secure Mail
Using the Certificate Services Command-Line Programs
CertUtil.exe
CertReq.exe
CertSrv.exe
Disaster Recovery Practices
Using Preventive Practices for Servers
Providing Security for Certification Authority Servers
Protecting Private Keys for Certification Authority Servers
Developing Recovery Plans
Failed Certification Authority
Compromised Certification Authority
Additional Resources
Part 3 Enterprise Technologies
Chapter 17 Distributed File System
Introduction to Dfs
What Dfs Does
Features and Benefits
Basic Dfs Concepts
Nomenclature
Processes
Maintaining the Partition Knowledge Table (PKT)
Caching Referrals by Clients
Gaining Access to a Dfs Shared Folder
Linking Logical Names to Physical Addresses
Switching Between Replicas During Failover
Replicating Files
Establishing Security
Getting Started
Administrator Perspective
Client Perspective
Architecture
Block Diagrams
How Dfs Works
Windows 2000 Improvements of Dfs .x
Scripting
Design Guidelines for Dfs
Problems That Dfs Solves
Unified File System Namespace
High Availability
Load Sharing
Capacity Expansion
Intranet/Internet Publishing
Naming Strategy
Domain Naming
Server Naming
Dfs Root Naming
Dfs Link Naming
Shared Folder Naming
Dfs Namespace Strategy
Replication Strategy
Dfs Roots
Replica Sets
Site Topology
Security Strategy
Migration Strategy
Existing Windows NT Shared Folders
Dfs 4.x
Platform Interoperability
Disaster Recovery Strategy
Implementing Dfs
Setup Considerations
Dfs Server
Dfs Client
Dfs and Active Directory
Dfs and Load Sharing
Dfs and File Replication Service
Dfs and Cluster Service
Supporting Dfs
Monitoring Dfs Activity
Maintaining the Dfs Configuration
Checking Shared Folder Status
Taking Resources Offline
Removing Dfs
Troubleshooting Dfs Problems
Gaining Access to the Dfs Namespace
Tracking Shared Folders
Gaining Access to Dfs Links and Shared Folders
Security-Related Issues
Replication Latency
Dfs Utilities
Additional Information
Chapter 18 File Replication Service
Introduction to FRS
Replicating SYSVOL
Replicating Dfs Replicas
How FRS Works
Detailed Operation
FRS Tables
FRS Startup
Upgrading LMRepl to FRS
LMRepl Process
FRS Process
Maintaining a Mixed Environment
Customizing FRS
Setting File and Folder Filters
Scheduling Replication
On SYSVOL
On Dfs Replicas
Tuning Recommendations
Monitoring Performance
Restoring Replicated Files
Nonauthoritative Restore Process
Authoritative Restore Process
Restoring Files on a Domain Controller
Restoring Files on a Member Server
Troubleshooting FRS
FRS Logs
Log Settings
Analyzing Log Files
Ntfrsutl Tool
Chapter 19 Network Load Balancing
Network Load Balancing Overview
How Network Load Balancing Works
System Requirements
Components
Network Load Balancing Design
Implementing Network Load Balancing
Configuring Network Load Balancing
Cluster Parameters
Host Parameters
Host Priority ID
Initial State
Dedicated IP Address and Subnet Mask
Port Rules
Port Range
Protocols
Network Load Balancing with Network Hardware Switches
Scenarios
IIS Server (Web Farm)
Port-rule Settings
Servicing Multiple Web Sites (Multihoming)
Servicing a Web Site with Active Server Pages
Servicing a Web Site That Uses Secure Sockets Layer
Port-rule Settings
Creating a Virtual Private Network
Port-rule Settings
Streaming Media
Port-rule Settings
Single-Server Failover Support
Port-rule Settings
Default Handling of Client Requests
Wlbs Display Command
Changing Network Load Balancing Resource Limits in the Registry
Additional Resources
Chapter 19 Interpreting the Cluster Log
Cluster Log Basics
Anatomy of a Cluster Log Entry
Component Event Log Entries
Meanings of Abbreviations
Resource DLL Log Entries
Meanings of State Codes and Status Codes
Techniques for Tracking the Source of a Problem
Timestamps
GUIDs, Resources, and Groups
Process and Thread IDs
GUM Updates and Sequence Numbers
Shared Locks and gdwQuoBlockingResources
Cluster Form and Join Operation Entries
Initializing the Node
Joining a Cluster (Unsuccessful Attempt)
Forming a Cluster
Starting Resrcmon.exe
Bringing the Quorum Resource Online
Applying Quorum Log Changes to the Cluster Database
Recreating Groups and Resources
Configuring the Networks
Bringing Resources Online
Cluster Successfully Formed
Log Summary of Cluster Formation
Failure Scenarios
Resource DLL Is Missing
Intracluster Network Connection Is Broken
Log from Node
Log from Node
Node Cannot Form Cluster Because Quorum Location Changed
Tips
Reading the Log in Word or WordPad
Correlating the Windows 2000 Event Log and the Cluster Log
Identifying GUIDs in the Registry
Logging When Running the Cluster Service With the debug Option
State Codes
State Codes for Cluster Nodes
State Codes for Cluster Groups
State Codes for Cluster Resources
State Codes for Network Interfaces
State Codes for Networks
Context Numbers
Additional Resources
Desktop Configuration Management
Chapter 19 Introduction to Desktop Management
Change and Configuration Management
IntelliMirror
User Data Management
Software Installation and Maintenance
User Settings Management
Windows 2000 Technologies That IntelliMirror Uses
Active Directory
Group Policy
Windows 2000 Installer
Offline Files
Synchronization Manager
Folder Redirection
Disk Quotas
Add/Remove Programs
Windows 2000 Desktop
Roaming User Profiles
Remote OS Installation
Configuring and Maintaining the Network Environment
Microsoft Systems Management Server
Combining Management Solutions
Managing the Desktop
Desktop Configuration
User and Computer Configurations
Understanding User Profiles
Creating and Editing User Profiles
Desktop Configuration for Roaming and Mobile Users
Software Installation and Maintenance
Roaming User Profiles
Folder Redirection
Offline Files
Cache Settings
Roaming User Profile Settings
Enhancements to Roaming User Profiles
Merge Algorithm
Nonroaming Folders
Profile Location
Quotas on Profile Size
Specifying Security on the Desktop
Additional Resources
Chapter 20 Group Policy
Group Policy Overview
Active Directory Structure and Group Policy
Managing Group Policy
Group Policy Infrastructure and Mechanics
Group Policy Objects and the Group Policy Snap-in
Links to Sites, Domains, and Organizational Units
Access to the Group Policy Snap-in
Filtering by Security Group Membership
Administrative Requirements for Using Group Policy
Microsoft Management Console Snap-in Extension Model
Configuring Group Policy
Group Policy Snap-in Namespace
Computer Configuration
User Configuration
Extensions to the Group Policy Snap-in
Administrative Templates
Other Group Policy Extensions That Use the Registry
Security Settings
Incremental Security Templates
Security Configurations
Compatible
Secure
High Secure
Windows 2000 Default Security Templates
Software Installation
Scripts
Folder Redirection
Extending the Group Policy Snap-in
Client-side Extensions to Group Policy
Group Policy Storage
Non-Local, Active Directory-Based Storage
Group Policy Container
Group Policy Template
Local Group Policy Objects
Group Policy Template Subfolders
Registry.pol Files
Group Policy Object Links
No Override as Compared to Block Policy Inheritance
Multiple Group Policy Objects
Cross-Domain Editing of a Group Policy Object
Using Security Groups to Filter and Delegate Group Policy
Filtering the Scope of a Group Policy Object
Setting Security Permissions for Receiving Group Policy
Delegating Control of Group Policy
Managing Group Policy Links for a Site, Domain, or Organizational Unit
Creating Group Policy Objects
Editing Group Policy Objects
Examples of Group Policy Delegation
Creating MMC Consoles to Delegate Group Policy
Group Policy Processing
Synchronous and Asynchronous Processing
Periodic Refresh Processing
Optional Processing of Group Policy Even If It Has Not Changed
Group Policy and Network Bandwidth
Setting Policy for Slow-Link Definition
Registry Reads
Specifying a Domain Controller for Setting Group Policy
Specifying Policy for Domain Controller Options
Domain Controller Selection Results
Client-side Processing of Group Policy
Client-side Extension Preferences
Computer Policy for Client-side Extensions
Using Group Policy on Stand-alone Computers
Local Group Policy Object
Starting Group Policy on Windows 2000 Professional
Using the Group Policy Snap-in Focused on a Remote Computer
Local Group Policy Object Processing
Group Policy Loopback Support
Supporting Windows NT 4.0, Windows 2000, and Windows 2000 Clients
Using Windows NT 4.0 Administrative Templates in the Windows 2000 Group Policy Console
Migration Issues Pertaining to Group Policy
The Client Side
The Domain Controller Side
Computer and User Accounts Both on Windows NT 4.0 Domain Controllers
Computer and User Accounts Both on Windows 2000 Domain Controllers
Computer Is Managed in a Windows NT 4.0 Account and User Is Managed in a Windows 2000 Account
User Is Managed in a Windows NT 4.0 Account and Computer Is Managed in a Windows 2000 Account
Trust Relationships with Previous Versions of Windows 2000
Best Practices
Additional Resources
Chapter 21 Software Installation and Maintenance
Introduction
Software Installation
Windows 2000 Installer
Add/Remove Programs in Control Panel
Phases of Software Management
Preparation Phase
Analyze Software Requirements
Gather or Create Windows 2000 Installer Packages
Distribution Phase
Software Distribution Points
Distributing Windows 2000 Installer Packages
Using Remote OS Installation
Targeting Phase
Manage Your Software
Configure Software for Management
Targeting Software for Multilingual Users
Pilot Program
Software Installation User Scenarios
Installation Phase
Updating Software by Using Patches and Upgrades
Removing Software
Windows 2000 Installer Technology
Managing Windows 2000 Installer with Group Policy
Windows 2000 Installer Package
Natively Authoring Windows 2000 Installer Packages
Additional Repackaging Programs
Managing Software with Existing Setup Programs
Customizing Windows 2000 Installer Packages
Modifying Windows 2000 Installer Package Properties
Distributing Additional Files
Terminal Services and Software Installation and Maintenance
Software Installation and Maintenance and Backing Up Data
Best Practices and Troubleshooting
Additional Resources
Chapter 22 Remote OS Installation
Remote OS Installation Overview
Remote OS Installation Requirements
Server Software Requirements
Hardware Requirements
Server Hardware Requirements
Client Hardware Requirements
Remote Installation Services
RIS Components
RIS Services
Installing RIS
Deploying RIS Servers
Authorizing RIS Servers in Active Directory
Configuring RIS Servers
Restricting Client Installation Options by Using Group Policy
Defining a Computer Naming Policy
Client Response Options
Pre-staging Clients in Active Directory Using GUID
GUID Format
Clients Installing Operating System Images
Preboot Execution Environment
RIS Server PXE Environment
DHCP and RIS on Separate Servers
DHCP and RIS on the Same Server
Verifying the Correct PXE ROM Version
Creating Operating System Images
Using CD-based Images
Creating New CD-Based Images
Modifying Properties of a CD-based Image
Using RIPrep Images
RIPrep Considerations
Configuring a RIPrep Source Computer
Using Software Installation and Maintenance with RIPrep
RIPrep and User Profiles
Running the RIPrep Wizard
Relationship of SysPrep to Remote OS Installation
Removing RIS Server Operating System Images
Working with Answer Files
Creating and Modifying Setup Answer Files
Modifying Remote Installation Answer Files
Associating an Answer File with an Image
Setting Security Permissions in Answer Files
How Answer Files Are Used During Remote Installation
Specifying a CD Key in the Answer File
Client Installation Wizard
Using Client Installation Wizard to Install Clients
Default Client Installation Wizard Process
Client Installation Wizard Screens
Controlling Client Setup Options
Automatic Setup
Custom Setup
Restart a Previous Setup Attempt
Maintenance and Troubleshooting
Client Installation Wizard Error Screens
Customizing Client Installation Wizard Screens
Adding Screens and Working With OSC Variables
Modifying the OSChoice.osc File
Creating a New Display.osc Screen
Modifying the Answer Files to Work with the New OSC Variables
Reserved OSC Variables
Multilanguage RIS Servers
Language Restrictions
Single Instance Store
Single Instance Store Groveler
Backing Up a SIS Volume
SIS Groveler Configuration Parameters
Optional Registry Parameters for RIS BINL
Troubleshooting RIS
Troubleshooting: No Response From a RIS Server
Troubleshooting: Working with Routers
Chapter 23 Troubleshooting Change and Configuration Management
Best Practices
Troubleshooting Tools
Verbose Logging
Group Policy Issues
Scripts Do Not Run
Registry Settings Using Administrative Templates Are Not Applied
Group Policy Object Does Not Open
Active Directory and Sysvol Are Unsynchronized
More Than, Group Policy Objects Are Present and Group Policy Fails
No Group Policy Objects Are Applied
Inheritance Issues with Group Policy Objects Cause Unexpected Results
Only Some IP Security and User Rights Policy Settings Are Applied
Security Settings on Group Policy Object Cause Unexpected Results
User Data Management Issues
Files Do Not Synchronize
User Cannot Make Files and Folders Available Offline
Files Available When Online Are Not Available When Offline
My Documents Icon Is Missing
Folders Are Not Redirected
Redirection Is Successful But Files and Folders Are Unavailable
Software Installation and Maintenance Issues
Published Application Does Not Appear
Published Application Does Not Auto-install
Unexpected Application Automatically Installs
Installation Error Messages
Feature Is Not Found
Computer-Assigned Applications Do Not Install
Installed Application Is Unexpectedly Removed
Opening Application Installs New Application
Shortcuts Still Appear for Removed Application
Unexpected Applications Appear in Add/Remove Programs
Upgrading Base Application Does Not Complete
Another Install in Progress Error Message
Opening Application Starts Windows 2000 Installer
Cannot Prepare Package for Deployment
Active Directory Does Not Allow Package to Deploy
User Settings Management Issues
Roaming User Profile Does Not Roam Correctly Using Multiple Computers
Roaming User Profile Lost and User Left with Temporary Profile
Not All Settings Roam
User Profile Does Not Roam
Remote OS Installation Issues
OSChooser Skips User
File Not Found Before Welcome.osc
File Not Found After Welcome.osc
Duplicate Machine Account Warning Message
Risetup Fails Due to Insufficient Rights
RPC Server Unavailable Error Message
BINL Server Does Not Respond and No Scope Problem Error Message Appears
BINL Server Does Not Respond and Debugging Error Message Appears
BINL Server Does Not Respond and Server Not Authorized Error Message Appears
BINL Server Does Not Respond and Unable to Read Active Directory Settings Error Message Appears
BINL Server Does Not Respond and Server Not Set to Answer Error Message Appears
BINL Server Does Not Respond and Client Unknown Error Message Appears
BINL Server Does Not Respond and Prestaged Clients Server Down Error Message Appears
BINL Server Does Not Respond and DHCP Packets Not Forwarded Error Message Appears
BINL Server Does Not Start and Unknown User Error Message Appears
Remote OS Installation Cannot Join Domain
Gathering More Troubleshooting Information
User Data Management
Software Installation and Maintenance
Software Installation and Maintenance Event Log Entries
User Settings Management
Part Appendixes
Appendix A Frequently Encountered LDAP API Functions
Appendix B LDAP Requests for Comments
Appendix C Active Directory Diagnostic Tool (Ntdsutil.exe)
Invoking Ntdsutil Commands and Parameters
How to Use Ntdsutil Menu Commands
How Ntdsutil Processes Command Input
How to Use Arguments with Ntdsutil Commands
How to Automate Ntdsutil Commands
Managing Active Directory Files
Using the Connections Menu
Selecting an Operation Target
Managing Operations Master Roles
Managing Orphaned Metadata
Performing an Authoritative Restore
Managing Domains
Managing Lightweight Directory Access Protocol Policies
Managing the IP Deny List
Managing Security Accounts
Using Semantics Database Analysis
List of Menu Commands
Appendix D User Rights
Logon Rights
Privileges
Appendix E Well-Known Security Identifiers
Appendix F "Certified for Microsoft Windows 2000" Applications
Windows 2000 Desktop Applications
Windows 2000-based Distributed Applications
Appendix G OSCML and Client Installation Wizard Variables
Glossary
Index