Windows 2000 Server Study Guide
INSTALLATION REQUIREMENTS
Windows 2000 Server requires the following:
Windows 2000 Server:
- 133 MHz or faster Pentium-compatible CPU.
- 128 MB of RAM minimum (256 MB recommended; 4 GB maximum).
- 2 GB hard disk with a minimum of 1.0 GB free space. (Additional free hard disk space is required if you are installing over a network.)
- Windows 2000 Server supports up to four CPUs.
Windows 2000 Advanced Server:
- 133 MHz or faster Pentium-compatible CPU.
- 128 MB of RAM minimum (256 MB recommended; 8 GB maximum).
- 2 GB hard disk with a minimum of 1.0 GB free space. (Additional free hard disk space is required if you are installing over a network.)
- Windows 2000 Advanced Server supports up to eight CPUs.
Once you meet these criteria, check your hardware and software against the Hardware Compatibility List (HCL) on Microsoft's web site before you install.
UPGRADE PATHS
Listed below are important upgrade paths that you will need to know:
CURRENT OS                                  | UPGRADE TO
Windows 95                                  | Windows 2000 Professional
Windows 98                                  | Windows 2000 Professional
Windows NT Workstation                      | Windows 2000 Professional
Windows NT Server                           | Windows 2000 Server
Windows NT Server, Terminal Server Edition  | Windows 2000 Server, Advanced Server
Windows NT Server, Enterprise Edition       | Windows 2000 Advanced Server, Datacenter Server
Windows 2000 Advanced Server                | Windows 2000 Datacenter Server
There is no upgrade path from Windows 3.x.
INSTALLING
As in NT 4.0, there are two installation programs. You use WINNT.EXE or WINNT32.EXE depending on your situation. Winnt.exe is the 16-bit program used for a clean installation on a computer running DOS or Windows 3.x, and it accepts the following installation switches:
WINNT.EXE:
/e:command      | Executes a command before the last phase of Setup.
/r:foldername   | Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can use additional /r switches to install additional folders.
/rx:foldername  | Creates a folder to be copied as part of Setup into the Windows 2000 directory, but the folder IS DELETED when Setup finishes.
Use Winnt32.exe, the 32-bit program, for a clean installation or an upgrade from an NT 4.0 server. This is the option that most of you will be using. There are a number of switches that can be used with winnt32.exe. Below are the important ones:
WINNT32.EXE:
/copydir:foldername    | Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can use additional /copydir switches to install additional folders. Same as /r for winnt.exe.
/copysource:foldername | Creates a folder to be copied as part of Setup into the Windows 2000 directory, but the folder IS DELETED when Setup finishes. Same as /rx for winnt.exe.
/cmd:command           | Executes a command before the last phase of Setup. Same as /e: for winnt.exe.
/cmdcons               | Installs the files needed to start the system in the Recovery Console (a command-line, non-graphical mode) for repair purposes, and adds the Recovery Console entry to boot.ini.
/syspart:drive         | Prepares a hard disk to be transferred to another computer. This switch copies the Setup startup files to the drive and marks the partition active. Requires the /tempdrive switch.
/tempdrive:drive       | Specifies the drive on which Windows 2000 places its temporary files during Setup.
/makelocalsource       | Copies all of the Windows 2000 source files to the target drive during installation, so the CD is not needed afterwards.
/noreboot              | Suppresses the reboot after the file-copy phase of Setup so that another command can be run first.
/checkupgradeonly      | Checks your system for incompatibilities that would prevent a successful upgrade, without installing anything.
/unattend              | Upgrades your previous version of Windows in unattended Setup mode. All user settings are taken from the previous installation so that no user intervention is required during Setup. For an unattended clean installation, use /unattend[seconds]:answer_file, where seconds is the delay before Setup starts and answer_file is the answer file created with Setup Manager.
Windows 2000 supports unattended installations, of course. Setup Manager is used to create the unattended setup (answer) files, which work for Windows 2000 Professional and Server; it cannot make the computer a domain controller, so DCPROMO must still be run after Setup. For more in-depth information on unattended installations, read our tutorial
Windows 2000 Unattended Installations.
Windows 2000 includes a new utility called SysPrep.exe, which prepares an installation "image" that can be duplicated with imaging software while avoiding problems with duplicated SIDs, computer names, etc. Sysprep strips the machine-specific security identifier so that each cloned computer generates its own SID on first boot; cloning a disk without it leaves every clone with the same SID.
For the most part you will find that Windows 2000 installation is very similar to NT 4.0, which is why the following instructions are fairly brief. The installation is so easy that you probably won't even need this guide; however, if you do need further help, read our step-by-step tutorial
Installing Windows 2000 Server.
By default, all Win2K servers are installed as stand-alone or member servers. DCPROMO.EXE, the Active Directory Installation Wizard, promotes a member server to a domain controller and demotes a domain controller back to a member server.
BACKUP AND RECOVERY
Recovery Console:
Now that you have installed Windows 2000, you should immediately take steps to protect your installation by installing the Recovery Console. The Recovery Console is a command-line repair environment that goes well beyond the NT 4.0 emergency repair process. From it you can start and stop services, read and write data on a local drive (including drives formatted with NTFS), copy data from a floppy disk or CD, format drives, fix the boot sector or master boot record, and perform other administrative tasks. With Windows NT 4.0, many administrators would create a FAT partition so that they could boot to a DOS prompt and get at the system; the Recovery Console eliminates the need for such a partition. Keep in mind that anyone who can boot the machine and knows the local Administrator password gets the same access, so the physical security of the server and the strength of that password matter.
Recovery Console is set up as follows: insert the installation CD, switch to the I386 directory and type winnt32 /cmdcons. When asked for confirmation, answer "Yes". The files are copied to the hard disk (into \Cmdcons on the system partition) and an entry is added to boot.ini. After rebooting the computer you will be able to select "Microsoft Windows 2000 Recovery Console" from the boot menu. You will be prompted for the Windows 2000 installation that you wish to repair and for the local Administrator password (on a domain controller this is the Directory Services Restore Mode password set during DCPROMO, not the domain Administrator password). Two Security Options in Group Policy govern the console: "Recovery Console: Allow automatic administrative logon", which should stay disabled so that the password prompt remains, and "Recovery Console: Allow floppy copy and access to all drives and all folders", which lifts the default restriction that confines you to the system folders and blocks copying files to removable media. Once you are in, there is a wide variety of commands that you can run. Type HELP for a list of all of the commands. Some of the more important commands are:
- DISKPART - Similar to fdisk; creates and deletes partitions
- LISTSVC - Lists services and drivers with their start types
- ENABLE/DISABLE - Enables or disables a service or driver (sets its start type)
- FIXBOOT - Writes a new boot sector on the system partition
- FIXMBR - Repairs the master boot record
- MAP - Shows a list of drive letters with their ARC paths
- LOGON - Chooses which installation to work with
Backup:
The Backup program has been greatly enhanced. It supports Active Directory (through the System State backup) and a much wider variety of backup media: removable disks, network drives, logical drives and tape devices are now supported. Another nice feature is an integrated scheduling option, which relieves the need to use AT or another scheduling utility. For more in-depth information on backing up Windows 2000, read our tutorial
Backing Up and Restoring Windows 2000.
Other:
Windows 2000 has several other utilities to aid in the event of a failure, many of which are found in the "Advanced Options" menu reached by pressing F8 at the boot menu. In order to troubleshoot failures, it is a good idea to understand the boot process, which occurs in the following steps:
- Power-on self test (POST)
- Initial startup (the MBR loads the active partition's boot sector, which loads NTLDR)
- Bootstrap loader process
- Select operating system (the boot.ini menu)
- Detecting hardware (Ntdetect.com)
- Selecting a configuration (hardware profile or Last Known Good)
- Loading and initializing the kernel (Ntoskrnl.exe)
- Log on
The boot process requires the following files:
File                 | Location
NTLDR                | Active partition (root)
Boot.ini             | Active partition (root)
Ntdetect.com         | Active partition (root)
Ntoskrnl.exe         | %SystemRoot%\System32
Hal.dll              | %SystemRoot%\System32
SYSTEM registry hive | %SystemRoot%\System32\Config
Device drivers       | %SystemRoot%\System32\Drivers
Ntbootdd.sys is required only if the boot partition is on a SCSI disk whose adapter does not have its SCSI BIOS enabled. Bootsect.dos is required only for multiple booting with DOS or Windows 9x.
When working with the boot.ini file, you need to understand ARC naming conventions. ARC (Advanced RISC Computing) is an architecture-independent way of naming disks for x86, RISC, Alpha, etc. NT uses this convention in its boot.ini file to determine which disk and partition hold the OS. The table below explains the different options.
Multi(x)     | Specifies an EIDE disk, or a SCSI disk whose adapter has its BIOS enabled (so NTLDR can reach it through INT 13). Can only be used on x86 systems. "x" is the number of the controller, normally 0.
SCSI(x)      | Specifies a SCSI controller whose BIOS is not enabled; NTLDR then needs Ntbootdd.sys (a renamed copy of the SCSI miniport driver) to reach the disk. Again, "x" is the number of the controller.
Disk(x)      | With SCSI(x), x is the SCSI ID of the disk the OS is on. With Multi(x), x is always 0.
Rdisk(x)     | With Multi(x), x is the ordinal of the disk on that controller: 0-1 on the primary channel, 2-3 on the secondary channel of a multi-channel EIDE controller. With SCSI(x), x is the logical unit number (LUN), normally 0.
Partition(x) | Specifies the partition that the operating system is located on. Partitions are numbered from 1, primary partitions first and then the logical drives in the extended partition.
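The following parser, added here as an example and not taken from the page or from any Microsoft tool, reads a boot.ini file and checks each ARC path against the rules in the table above (disk(0) with multi(), rdisk() in 0-3, partition numbers from 1). The boot.ini text is constructed for the example; its last line is the form of entry that winnt32 /cmdcons adds for the Recovery Console, which is a drive-letter path to a boot-sector image rather than an ARC path, so the parser has to accept both kinds.

```python
"""Parse boot.ini and check its ARC paths against the rules above.  Added example; the
boot.ini text is constructed, not taken from a real system."""
import re

# Constructed boot.ini.  The last line is the entry winnt32 /cmdcons adds for the
# Recovery Console; it is a drive-letter path to a boot-sector image, not an ARC path.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000 Server" /fastdetect
scsi(1)disk(3)rdisk(0)partition(1)\\WINNT="Windows 2000 on SCSI ID 3 (needs Ntbootdd.sys)"
multi(0)disk(2)rdisk(5)partition(0)\\WINNT="Broken entry"
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows 2000 Recovery Console" /cmdcons
"""

ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<ctrl>\d+)\)disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)partition\((?P<part>\d+)\)(?P<dir>\\[^\s\"=]*)?$",
    re.IGNORECASE,
)


def parse_arc(device):
    """Split an ARC path into its components; None if `device` is not an ARC path."""
    m = ARC_RE.match(device.strip())
    if not m:
        return None
    return {"adapter": m["adapter"].lower(), "controller": int(m["ctrl"]),
            "disk": int(m["disk"]), "rdisk": int(m["rdisk"]),
            "partition": int(m["part"]), "dir": m["dir"] or ""}


def check_arc(arc):
    """Apply the rules from the table; returns a list of problems (empty means OK)."""
    problems = []
    if arc["adapter"] == "multi":
        if arc["disk"] != 0:
            problems.append("multi() requires disk(0); the disk is selected with rdisk()")
        if not 0 <= arc["rdisk"] <= 3:
            problems.append("rdisk() must be 0-3 (disk ordinal on the controller)")
    else:
        # scsi(): disk() is the SCSI ID and rdisk() the LUN; Ntbootdd.sys must be present.
        if not 0 <= arc["disk"] <= 15:
            problems.append("disk() must be a SCSI ID in 0-15")
    if arc["partition"] < 1:
        problems.append("partition() numbers start at 1")
    return problems


def parse_boot_ini(text):
    """Return ({loader settings}, [entries]).  Each entry carries its device string,
    description, switches, parsed ARC components (or None) and any problems found."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = re.match(r'^"([^"]*)"\s*(.*)$', value.strip())
            description, switches = (m.group(1), m.group(2).split()) if m else (value.strip(), [])
            arc = parse_arc(key)
            entries.append({"device": key.strip(), "description": description,
                            "switches": switches, "arc": arc,
                            "problems": check_arc(arc) if arc else [],
                            "chainload": arc is None})   # boot-sector image, like Bootsect.dos
    return loader, entries


def audit_boot_ini(text):
    """Entries with bad ARC paths, and whether default= names an entry in the menu."""
    loader, entries = parse_boot_ini(text)
    default = loader.get("default", "").lower()
    default_ok = any(e["device"].lower() == default for e in entries)
    return [e for e in entries if e["problems"]], default_ok


if __name__ == "__main__":
    bad, ok = audit_boot_ini(SAMPLE_BOOT_INI)
    for e in bad:
        print(e["description"], "->", "; ".join(e["problems"]))
    print("default entry present:", ok)
```

Run against the sample, audit_boot_ini flags only "Broken entry" (three violations) and confirms that default= points at a menu entry; a default= that matches nothing is a common cause of a server that boots the wrong installation or not at all after a disk is moved.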
Below are the various recovery tools included in Windows 2000.
· ERD - Emergency Repair Disk. The RDISK utility found in NT 4.0 is gone. An ERD is now created from the Backup utility (ntbackup), and it no longer holds a copy of the registry; instead Backup can save the registry to %SystemRoot%\Repair\RegBack on the hard disk, which is what the emergency repair process uses.
· Enable VGA Mode - Located in the Advanced Options menu, this option starts Windows with the standard VGA driver so that you can fix display settings or a display driver that has made the screen unviewable.
· Last Known Good Configuration - Tells Windows 2000 to boot with the registry control set that was in use at the last successful logon, discarding the changes to services and drivers made since then. Good to try if you have made a change to the system and then rebooted with problems. It does not help once you have logged on with the bad configuration, since that logon makes it the "last known good".
· Safe Mode - Loads a minimal version of Windows 2000 with only the drivers and services needed to boot the computer. Because this option does not load any network services or drivers, it is a good tool to use when you suspect that the problem lies in that area.
· Safe Mode With Networking - Same as Safe Mode, but includes networking support.
· Safe Mode With Command Prompt - Safe Mode in which EXPLORER.EXE is replaced by CMD.EXE as the shell. From that command prompt it is still possible to start Explorer and other GUI applications. No networking support in this mode.
FILE SYSTEM
Windows 2000 supports the FAT, FAT32 and NTFS file systems. The convert.exe utility (convert C: /fs:ntfs) converts a FAT or FAT32 partition to NTFS in place. NTFS partitions cannot be converted back to FAT or FAT32; if such a need exists, the partition must be backed up, deleted and recreated as FAT or FAT32. Only NTFS supports file and folder permissions, auditing, encryption and quotas, so a FAT or FAT32 volume on a server is fully accessible to anyone who can reach it.
The NTFS file system has many new capabilities, as follows:
· EFS - Encrypting File System. Windows 2000 NTFS volumes have the ability to encrypt data on the disk itself. This is based on public key and private key cryptography: each file is encrypted with a random symmetric key, which is in turn encrypted with the user's public key and with the public key of the recovery agent. Only the user who encrypted the file, or a designated recovery agent (by default the Administrator account), can open it again; taking ownership of an encrypted file will not let you read it. Cipher.exe is a command-line utility for bulk or scripted file encryption (cipher /e /s:foldername encrypts a folder tree; cipher /d decrypts). To have a folder encrypt any new contents automatically, view the property page for the folder, click Advanced and select "Encrypt contents to secure data". Two caveats: EFS protects data only at rest (a file is decrypted transparently when its owner copies it to a FAT volume or across the network), and EFS is only as safe as the local Administrator account and the recovery agent's private key, which Microsoft recommends exporting to removable media and removing from the machine.
· Disk Quotas - Provide the ability to set space limits for users on a per-volume basis. The ownership of a file determines which user the space is charged against. You enable quota management from the Quota tab of the volume's Properties dialog. You can then set thresholds for individual users, including a warning level that logs an event when a user's files approach the quota limit, and choose whether to deny further disk space once the limit is reached.
· Defragmentation - Windows 2000 now includes a disk defragmenter that works on FAT, FAT32 and NTFS partitions.
· Volume Mount Points - Provide the ability to add new volumes to the file system without assigning a drive letter, by mounting them on an empty folder. The folder must be on an NTFS volume; the mounted volume itself can be basic or dynamic and of any file system.
The Distributed File System has also been enhanced. There are two types of DFS implementations: stand-alone and fault-tolerant (domain-based). Stand-alone DFS stores the configuration information on a single node (server). Child nodes can only go one level below the root, and can exist on any server. Fault-tolerant DFS stores the DFS configuration in Active Directory. Two identical shares on different servers can be configured as a single child node (replicas) to provide fault tolerance, you can have multiple levels of child volumes, and file replication between the replicas is supported. Clients must have DFS client software. Windows NT 4.0, Windows 2000 and Windows 98 include it, while Windows 95 clients must download the DFS client from Microsoft.com. DFS adds no access control of its own: the share and NTFS permissions on each underlying share still govern access.
Windows 2000 features a new storage type called "dynamic disks". Dynamic disks are not limited to four partitions per disk; a dynamic disk holds volumes, and you can create as many as you need. NTFS volumes can be extended, and the extension can include space from different disks. Perhaps the most important item is that the disk configuration is stored on the disk itself (in a database replicated to every dynamic disk in the system). This means that we can move disks between computers (within reason) and have the data available with little additional effort. After an upgrade from NT 4.0 or a fresh install, the disk type is still "basic", but it can be converted to dynamic. If you had RAID of any type set up on the NT 4.0 server that was upgraded, you can continue to maintain those configurations on basic disks. However, if you want to add a new array or mirror set, you will be required to convert to dynamic disks. In a fresh install you will also need to convert before implementing any mirroring or RAID configuration. Once you have converted to dynamic disks there is no reverse conversion short of deleting every volume on the disk and starting again, so back up first. Dynamic disks are also invisible to other operating systems, which matters on multi-boot machines.
FAULT TOLERANCE
In order to understand how fault tolerance works, it is first best to understand the following concepts regarding hard disk configurations.
- Partition - A partition is a portion of a physical hard disk. A partition can be primary or extended. A basic disk holds at most four partitions, of which only one can be extended.
- Primary Partition - This is a bootable partition. Only one primary partition at a time can be marked active, and that is the one the BIOS boots from.
- Extended Partition - An extended partition is made from the free space on a hard disk and can be broken down into smaller logical drives. There can only be one of these per hard disk.
- Logical Drive - A primary partition, or a portion of an extended partition, that has been assigned a drive letter.
- Volume - A disk, or part of a disk, that is combined with space from the same or another disk to create one larger volume. A volume can be formatted and assigned a drive letter like a logical drive, but can span more than one hard disk. A volume set can be extended without starting over; however, to make it smaller, the set must be deleted and re-created.
- Mounted Drives - As previously discussed, Windows 2000 offers the ability to mount volumes to empty folders on NTFS partitions.
- Disk Management Tool - A snap-in for the MMC (found under Computer Management). You can create partitions, volume sets and logical drives, format disks, etc.
· Disk Striping Without Parity (RAID 0) - Distributes data across 2-32 hard disks. This provides the fastest read/write performance, as the system can access data on more than one disk at once. This level of RAID does not provide any redundancy: if one of the disks fails you lose all of the data and have to delete the stripe set and start over once the bad disk is replaced. System and boot partitions cannot be included in a stripe set.
· Disk Mirroring (RAID 1) - Disk mirroring writes exact copies of data to two disks. Each disk or partition of a disk contains the same data, so if one hard disk fails the data still exists on the other disk. This level of RAID also increases disk read performance, as reads can be serviced from either disk. When each disk of the mirror is on its own disk controller the configuration is called disk duplexing, which additionally survives a controller failure. When a basic disk that is part of an NT 4.0-style mirror set is disconnected or dies, you will need another basic disk of the same size to repair the mirror set; a dynamic disk cannot be used. When you repair the set, Disk Management creates a new mirror on the separate basic disk and resynchronizes the mirror set. To break a mirror set, right-click on the mirror set you wish to break and choose "Break Mirror". Mirroring is the only software RAID level that can hold the system and boot partitions.
· Disk Striping With Parity (RAID 5) - Very similar to RAID 0; however, parity information is also written, distributed across the 3-32 disks in the array. If one of the disks fails, the data can be reconstructed by installing a working hard disk and using the Disk Management tool; the parity information is used to regenerate the data that was lost (until then the array keeps running in a degraded state, with every read of the failed disk's data computed from the others). If more than one disk fails, the array is lost and must be restored from backup. RAID 5 offers increased disk read speeds but slower write speeds, because every write also has to update the parity. System and boot partitions cannot be included in a RAID-5 volume.
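To make the parity mechanism concrete, here is an added example (not code from the page or from Windows) that lays constructed data out as Windows 2000's fault-tolerant driver does for RAID 5: each stripe holds one chunk per disk, one of those chunks is the XOR of the others, and the parity chunk rotates from disk to disk so that no single disk becomes the parity bottleneck. It then fails one disk and rebuilds it from the survivors, and shows why a second failure is unrecoverable. The chunk size and the rotation formula are assumptions for the example; the XOR parity rule is the one the driver uses.

```python
"""Disk striping with parity (RAID 5): one XOR parity chunk per stripe, rotating across
the disks.  Added example with constructed data, not code from Windows 2000."""


def xor_chunks(chunks):
    """XOR equal-length byte strings together; this is the parity calculation."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def parity_disk(stripe, ndisks):
    """Which disk holds parity for stripe number `stripe` (rotating, so no disk is a hot spot)."""
    return stripe % ndisks


def stripe_with_parity(data, ndisks, chunk=4):
    """Lay `data` out across `ndisks` disks.  Returns (disks, pad) where disks[d] is the
    list of chunks written to disk d and pad is the number of zero bytes appended to
    fill the last stripe."""
    if not 3 <= ndisks <= 32:
        raise ValueError("RAID 5 needs 3-32 disks")
    per_stripe = chunk * (ndisks - 1)            # user data per stripe
    pad = (-len(data)) % per_stripe
    data = data + b"\0" * pad
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        block = data[s * per_stripe:(s + 1) * per_stripe]
        pieces = [block[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity = xor_chunks(pieces)
        pieces_iter = iter(pieces)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk(s, ndisks) else next(pieces_iter))
    return disks, pad


def fail_disks(disks, *failed):
    """Model a failure: the contents of the given disks become unavailable (None)."""
    return [None if d in failed else list(chunks) for d, chunks in enumerate(disks)]


def rebuild(disks):
    """Regenerate one missing disk from the others.  Because every stripe's chunks XOR to
    zero, the missing chunk is simply the XOR of the surviving ones.  A second failed
    disk leaves two unknowns per stripe and the array is unrecoverable."""
    missing = [d for d, chunks in enumerate(disks) if chunks is None]
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} disks failed; RAID 5 survives only one")
    if not missing:
        return [list(c) for c in disks]
    lost = missing[0]
    nstripes = len(next(c for c in disks if c is not None))
    repaired = [list(c) if c is not None else [] for c in disks]
    for s in range(nstripes):
        repaired[lost].append(xor_chunks([disks[d][s] for d in range(len(disks)) if d != lost]))
    return repaired


def read_data(disks, pad):
    """Reassemble the user data, skipping the parity chunk in each stripe and the padding."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != parity_disk(s, ndisks):
                out += disks[d][s]
    return bytes(out[:len(out) - pad]) if pad else bytes(out)


# Constructed sample: 43 bytes across 4 disks (3 data chunks + 1 parity chunk per stripe).
SAMPLE = b"The quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    disks, pad = stripe_with_parity(SAMPLE, 4)
    repaired = rebuild(fail_disks(disks, 2))
    print(read_data(repaired, pad) == SAMPLE)     # one failure is recoverable
    try:
        rebuild(fail_disks(disks, 0, 3))
    except ValueError as e:
        print(e)                                   # two failures are not
```

Reading the array back after the rebuild returns the original bytes, and the usable capacity is (n-1)/n of the raw space, which is why 3 disks is the minimum: with 2 disks the "parity" would just be a copy, i.e. a mirror. The rebuild loop also shows where the write penalty comes from: every write must read or recompute the stripe's parity before the data is consistent.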
NTFS PERMISSIONS
File and Directory Permissions:
NTFS permissions are largely the same as in NT 4.0. The following tables break down each of the permission types. The first table shows the standard permissions for files.
Full Control   | Read, write, modify, execute, delete, change attributes, change permissions, and take ownership of the file.
Modify         | Read, write, modify, execute, delete, and change the file's attributes.
Read & Execute | Display the file's data, attributes, owner, and permissions, and run the file (if it's a program or has a program associated with it for which you have the necessary permissions).
Read           | Display the file's data, attributes, owner, and permissions.
Write          | Write to the file, append to the file, and read or change its attributes.
The following table shows the standard permissions for folders.
Full Control         | Read, write, modify, execute and delete files in the folder, change attributes, change permissions, and take ownership of the folder or files within.
Modify               | Read, write, modify, execute and delete files in the folder, and change attributes of the folder or files within.
Read & Execute       | Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions).
List Folder Contents | The same rights as Read & Execute (see the note below on how the two differ).
Read                 | Display the folder's contents, attributes, owner, and permissions.
Write                | Create new files and subfolders in the folder, and read or change the folder's attributes.
The Read & Execute and List Folder Contents folder permissions appear to be exactly the same; however, they are inherited differently and are therefore different permissions. List Folder Contents applies to the folder and its subfolders only, so files can inherit the Read & Execute permission but cannot inherit List Folder Contents. Folders can inherit both.
So you may be wondering what is really different from NT 4.0. NT 4.0 let you grant a permission or leave it unspecified (plus the all-or-nothing No Access). Windows 2000 adds an explicit Deny for each individual permission. For example, if you want to make sure that Bob is unable to read a particular file, simply deny him Read on it. Permissions are cumulative across a user's own entries and those of every group the user belongs to, except for Deny, which overrides an Allow of the same right. One caveat: Windows 2000 evaluates permissions set directly on an object before permissions inherited from its parent, so an explicit Allow on a file wins over a Deny inherited from the folder.
The next table shows what happens to files when they are copied or moved within or across NTFS partitions.
Moving within a partition  | Does not create a new file; simply updates the file's location in the directory. The file keeps its original permissions.
Moving across partitions   | Creates a new file and deletes the old one. The new file inherits the target folder's permissions.
Copying within a partition | Creates a new file, which inherits the permissions of the target folder.
Copying across partitions  | Creates a new file, which inherits the permissions of the target folder.
Files moved or copied from an NTFS partition to a FAT partition lose their security descriptors and NTFS-only attributes (such as compression and encryption), but keep their long file names.
As with NT 4.0, Windows 2000 also supports special access permissions; each standard permission above is a fixed combination of them. The following tables show the special access permissions and which standard permissions include each one.
File Special Permissions     | Full Control | Modify | Read & Execute | Read | Write
Traverse Folder/Execute File |      X       |   X    |       X        |      |
List Folder/Read Data        |      X       |   X    |       X        |  X   |
Read Attributes              |      X       |   X    |       X        |  X   |
Read Extended Attributes     |      X       |   X    |       X        |  X   |
Create Files/Write Data      |      X       |   X    |                |      |   X
Create Folders/Append Data   |      X       |   X    |                |      |   X
Write Attributes             |      X       |   X    |                |      |   X
Write Extended Attributes    |      X       |   X    |                |      |   X
Delete Subfolders and Files  |      X       |        |                |      |
Delete                       |      X       |   X    |                |      |
Read Permissions             |      X       |   X    |       X        |  X   |   X
Change Permissions           |      X       |        |                |      |
Take Ownership               |      X       |        |                |      |
Synchronize                  |      X       |   X    |       X        |  X   |   X
Folder Special Permissions   | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
Traverse Folder/Execute File |      X       |   X    |       X        |          X           |      |
List Folder/Read Data        |      X       |   X    |       X        |          X           |  X   |
Read Attributes              |      X       |   X    |       X        |          X           |  X   |
Read Extended Attributes     |      X       |   X    |       X        |          X           |  X   |
Create Files/Write Data      |      X       |   X    |                |                      |      |   X
Create Folders/Append Data   |      X       |   X    |                |                      |      |   X
Write Attributes             |      X       |   X    |                |                      |      |   X
Write Extended Attributes    |      X       |   X    |                |                      |      |   X
Delete Subfolders and Files  |      X       |        |                |                      |      |
Delete                       |      X       |   X    |                |                      |      |
Read Permissions             |      X       |   X    |       X        |          X           |  X   |   X
Change Permissions           |      X       |        |                |                      |      |
Take Ownership               |      X       |        |                |                      |      |
Synchronize                  |      X       |   X    |       X        |          X           |  X   |   X
Remember that permissions set on a file take precedence over permissions inherited from its parent folder. Any time a new file is created, it inherits the permissions of the folder it is created in.
Share Permissions:
Shares are administered through the MMC (Computer Management), My Computer or Explorer, and permissions are set on a share in the "Share Permissions" tab. Share-level permissions only apply when a file or folder is being accessed over the network and do not apply to a user logged on to the machine locally. The following are the different share-level permissions:
Read         | View files and subdirectories; execute applications. No changes can be made.
Change       | Includes Read permissions plus the ability to add, delete or change files or subdirectories.
Full Control | Can perform any and all functions on all files and folders within the share, including changing their NTFS permissions.
These permissions are identical to NT 4.0; however, there is one new change. As discussed above, the Deny permission can also be applied to shares, and Deny overrides all others. When folders on FAT and FAT32 volumes are shared, only the share-level permissions apply, as those file systems do not support file and directory permissions. When folders on NTFS volumes are shared, the user's effective permission is the more restrictive of the two. This means that if Bob is trying to access a file called mystuff located on myshare and he has share permissions of Read and NTFS file permissions of Full Control, his effective permission is Read. Conversely, if his share permissions are Full Control and his file permissions are Read, he still only has Read permission to mystuff. Note that the default permission on a new Windows 2000 share is Everyone: Full Control, so on NTFS volumes the real access control comes from the NTFS permissions.
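The following added example (not code from the page) puts the rules of this section and the permission tables above into one evaluator: it expands each standard permission into its special permissions, evaluates Allow and Deny entries for a user and the groups the user belongs to, and then intersects the result with the share permission when the object is reached over the network. The ACL, the user Bob and his groups are constructed for the example. The ACE ordering it uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow, first decision wins) is Windows 2000's canonical order and goes beyond the page's shorter "Deny overrides everything".

```python
"""Effective NTFS and share permissions, Windows 2000 rules.  Added example with a
constructed ACL; not code from the original page."""

# The special permissions from the tables above, as short constants.
TRAVERSE, LIST, RATTR, REA = ("Traverse Folder/Execute File", "List Folder/Read Data",
                              "Read Attributes", "Read Extended Attributes")
WDATA, APPEND, WATTR, WEA = ("Create Files/Write Data", "Create Folders/Append Data",
                             "Write Attributes", "Write Extended Attributes")
DELCHILD, DELETE, RPERM = "Delete Subfolders and Files", "Delete", "Read Permissions"
WPERM, OWNER, SYNC = "Change Permissions", "Take Ownership", "Synchronize"
ALL = {TRAVERSE, LIST, RATTR, REA, WDATA, APPEND, WATTR, WEA,
       DELCHILD, DELETE, RPERM, WPERM, OWNER, SYNC}

# Each standard permission is a fixed bundle of special permissions (the tables above).
STANDARD = {
    "Full Control": ALL,
    "Modify": ALL - {DELCHILD, WPERM, OWNER},
    "Read & Execute": {TRAVERSE, LIST, RATTR, REA, RPERM, SYNC},
    "List Folder Contents": {TRAVERSE, LIST, RATTR, REA, RPERM, SYNC},
    "Read": {LIST, RATTR, REA, RPERM, SYNC},
    "Write": {WDATA, APPEND, WATTR, WEA, RPERM, SYNC},
}

# Share permissions in the same vocabulary, so the two can be intersected.
SHARE = {
    "Read": STANDARD["Read & Execute"],
    "Change": STANDARD["Read & Execute"] | STANDARD["Write"] | {DELETE},
    "Full Control": ALL,
}


def ace(principal, kind, rights, inherited=False):
    """One access control entry: kind is 'allow' or 'deny'; rights is a standard
    permission name or an explicit set of special permissions."""
    return {"principal": principal, "kind": kind, "rights": rights, "inherited": inherited}


def expand(rights):
    return STANDARD[rights] if isinstance(rights, str) else set(rights)


def effective_ntfs(acl, principals):
    """Rights a user holds on an object.  `principals` is the user plus every group the
    user belongs to.  Entries are evaluated in Windows 2000's canonical order: explicit
    Deny, explicit Allow, inherited Deny, inherited Allow; the first entry that decides
    a given right wins, which is why an explicit Allow beats an inherited Deny."""
    granted, denied = set(), set()
    ordered = sorted(acl, key=lambda a: (a["inherited"], a["kind"] != "deny"))
    for entry in ordered:
        if entry["principal"] not in principals:
            continue
        undecided = expand(entry["rights"]) - granted - denied
        if entry["kind"] == "deny":
            denied |= undecided
        else:
            granted |= undecided
    return granted


def effective_access(acl, principals, share=None):
    """NTFS rights, narrowed by the share permission when the object is reached over
    the network.  share=None models a local logon, where share permissions do not apply."""
    rights = effective_ntfs(acl, principals)
    return rights if share is None else rights & SHARE[share]


def summarize(rights):
    """Names of the standard permissions wholly contained in a set of special rights."""
    return [name for name, bundle in STANDARD.items() if rights and bundle <= rights]


# Constructed ACL for \\server\myshare\mystuff: Sales gets Modify from the parent folder,
# an inherited Deny Full Control for Everyone, and an explicit Allow Read for Bob.
MYSTUFF_ACL = [
    ace("Sales", "allow", "Modify", inherited=True),
    ace("Everyone", "deny", "Full Control", inherited=True),
    ace("Bob", "allow", "Read"),
]
BOB = {"Bob", "Sales", "Everyone"}

if __name__ == "__main__":
    print(summarize(effective_access(MYSTUFF_ACL, BOB, share="Read")))   # ['Read']
```

Two results worth noticing: Bob keeps Read on mystuff despite the inherited Deny for Everyone, because his explicit Allow is evaluated first; and denying a user the standard Write permission also denies Read Permissions and Synchronize, since the Write bundle in the table contains both, which is why a "harmless" Deny Write can stop a user opening files at all.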
OPTIMIZATION AND TUNING
Performance Monitor is included in Windows 2000 as the Performance MMC snap-in (System Monitor plus Performance Logs and Alerts). Just as in NT 4.0, there are performance counters that can be used to determine the source of performance problems. The following is a list of important counters and suggested thresholds.
Processor:
· Object = Processor. Counter = % Processor Time - If this value is consistently at or above 80% and disk and network counter values are low, a processor upgrade may be necessary.
· Object = System. Counter = Processor Queue Length - A sustained queue length over 2 may indicate a processor bottleneck.
Memory:
· Object = Memory. Counter = Pages/sec - If the value is consistently over 20, the system may need a memory upgrade.
· Object = Memory. Counter = Committed Bytes - Should be less than the amount of RAM in the computer.
Physical Disk:
· Object = PhysicalDisk. Counter = % Disk Time - If over 90%, add more disk drives and spread the files among all of the drives.
· Object = PhysicalDisk. Counter = Disk Queue Length - If consistently over 2, drive access may be a bottleneck.
Logical Disk:
· Object = LogicalDisk. Counter = Disk Queue Length - If consistently over 2, drive access may be a bottleneck. Windows 2000 enables the PhysicalDisk counters by default, but the LogicalDisk counters must be turned on with diskperf -yv followed by a reboot.
Network:
· Object = Server. Counter = Bytes Total/sec - If the sum of Bytes Total/sec for all servers is about equal to the maximum transfer rate of your network, the network may need to be further segmented.
Performance Logs and Alerts offers several logging methods. Many third-party performance applications use the trace log feature. Counter logs let you record performance values at a designated interval for local or remote Windows 2000 computers. Alerts can write an event log entry, send a network message, start a log or run a program when a counter crosses a predetermined threshold, which makes them a cheap early warning for resource exhaustion on a server. Performance Monitor now offers more flexibility for exporting data: logs can be saved in binary, binary circular, comma-separated (.csv) and tab-separated (.tsv) formats, and System Monitor views can be saved as HTML.
NETWORK CONNECTIONS
Windows 2000 supports many industry-standard protocols, including:
· TCP/IP (obviously)
· NetBEUI
· AppleTalk
· IPX/SPX (NWLink)
· DLC - for use with mainframes, AS/400s and some network-attached printers
· IrDA - Infrared Data Association
Like Windows 98, Windows 2000 supports Automatic Private IP Addressing (APIPA). When "Obtain an IP address automatically" is enabled but the client cannot obtain an address from a DHCP server, APIPA picks an address in the 169.254.0.0/16 range (a class B subnet mask of 255.255.0.0). The computer broadcasts an ARP request for the address and, if no other computer answers, allocates the address to itself. Remember that a computer that ends up with one of these addresses has no default gateway and can only communicate with other computers on the same segment that also have 169.254.x.x addresses, so a server unexpectedly carrying such an address usually means DHCP failed.
RAS policies are a new feature in Windows 2000. It is now possible to build a set of rules, called a remote access policy, that specifies conditions which must be met before a user can connect. You can require that the user dial in from a specific caller-ID number, or from a specific IP address or range of addresses, at the right time of day and day of week, using the appropriate protocol, and you can restrict access by group membership or by the type of service requested. All of these conditions are configurable and optional. Once the user has met all of the conditions, a profile is applied, which can include the IP address to use for this session, the authentication types allowed, restrictions such as idle timeout and maximum session time, and the rules for BAP with Multilink sessions. Policies are evaluated in order and the first policy whose conditions all match decides the outcome; if no policy matches, the connection is refused.
Windows 2000 provides built-in support for VPNs. A virtual private network (VPN) is the extension of a private network across links over shared or public networks like the Internet. With a VPN, you create a connection between two computers across a shared or public network that emulates a point-to-point private link. Windows 2000 supports two VPN protocols. Point-to-Point Tunneling Protocol (PPTP) creates an encrypted "tunnel" through an untrusted network (the encryption is MPPE, keyed from the PPP authentication) and is supported by Windows 95/98/NT 4.0/2000 clients. Layer Two Tunneling Protocol (L2TP) also creates a "tunnel" carrying PPP frames, so it carries non-IP protocols the same way PPTP does, but it has no encryption of its own and relies on IPSec for encryption and for authentication of the tunnel endpoints (by machine certificate). The table below illustrates the features of each:
Feature                                      | PPTP | L2TP
Header compression                           |      |  X
Tunnel authentication                        |      |  X
Built-in encryption                          |  X   |
Transmits over an IP-based internetwork      |  X   |  X
Transmits over UDP, Frame Relay, X.25 or ATM |      |  X
Windows 98 supported Internet Connection Sharing (ICS), which is now also supported in Windows 2000. ICS allows multiple PCs to share a single connection with the aid of Network Address Translation (NAT) and is intended for small office/home office (SOHO) environments. You should not use this feature on a computer running a DNS server, a DHCP server or a Windows 2000 domain controller, because ICS brings its own DHCP allocator and DNS proxy, which conflict with them. When you enable ICS, the network adapter connected to the internal network is given a new static IP address configuration (192.168.0.1 with a 255.255.255.0 mask). Existing TCP/IP connections on the computer are lost and must be re-established.
NAT can be configured separately from ICS (in Routing and Remote Access) and provides the following features and benefits that ICS alone does not:
· Multiple public IP addresses - NAT can use more than one range of public addresses.
· Configurable address range - NAT allows manual configuration of the internal IP addresses and subnet masks, whereas ICS uses a fixed IP address range. Any range of IP addresses can be configured using the NAT properties in Routing and Remote Access. A DHCP allocator provides the mechanism for distributing IP addresses, the same way that DHCP does. NAT can also use IP addresses distributed from a DHCP server by selecting the "Automatically assign IP addresses by using DHCP" check box in the NAT properties sheet.
· DNS and WINS proxy - Name resolution can be provided by using either DNS or WINS. You configure this by selecting the appropriate check boxes on the Name Resolution tab of the NAT properties sheet.
· Multiple network interfaces - You can distribute NAT functionality over more than one network interface by adding the interface to NAT in Routing and Remote Access.
REMOTE ACCESS
RAS has changed rather dramatically. Several new protocols are available to make communications over dial-up lines or the Internet more secure and more flexible. These include Extensible Authentication Protocol (EAP), Layer Two Tunneling Protocol (L2TP), Bandwidth Allocation Protocol (BAP), Internet Protocol Security (IPSec) and Remote Authentication Dial-In User Service (RADIUS).
EAP is a framework that lets the authentication method be negotiated at connection time. In Windows 2000 it provides EAP-TLS (Transport Level Security), which authenticates with certificates or smart cards instead of usernames and passwords, and MD5-Challenge.
L2TP creates a tunnel through a public network that is authenticated at both ends, uses header compression, and relies on IPSec for encryption of the data passed through the tunnel.
Bandwidth Allocation Protocol works with Multilink: if a user isn't using the bandwidth of multiple lines, the server can drop one of the lines assigned to that user and make it available to another user.
IPSec is essentially a driver at the IP layer that provides authentication and encryption very low in the protocol stack, so every application above it benefits without modification.
RADIUS is an RFC-based standard that lets us provide authentication services from the corporate network to a client that attaches through an ISP and wants access to our network. The ISP's dial-up server that hosts the client is a RADIUS client of the Internet Authentication Service (IAS), Microsoft's RADIUS server, on the corporate network. IAS authenticates the user against Active Directory, applies the remote access policy and tells the ISP's server whether to let the user connect.
TERMINAL SERVICES
Terminal Services is now a core component built into every edition of Windows 2000 from Server up. There have also been some enhancements over the old "Windows NT 4.0 Terminal Server Edition", including the ability to "shadow" or "remote control" client sessions.
Terminal Services is installed through the Add/Remove Programs applet (Add/Remove Windows Components), in either Remote Administration mode (two concurrent sessions, no Terminal Services CALs required) or Application Server mode. Once you've done this and installed the client software (also provided), the workstation connects to the server and starts a virtual session on the server. Only screen, keyboard and mouse information is exchanged between client and server, making it an ideal solution for remote dial-up networking or for using a shared application on a single server. RDP (Remote Desktop Protocol) is the client-to-server protocol that supports this functionality; it listens on TCP port 3389, which should not be reachable from untrusted networks.
The client doesn't need to be an extremely capable system, as the execution of the program happens at the server. There are clients available for Windows 3.1, Windows 95/98, and NT.
Applications that can run on Terminal Services are many, but the preferred applications are 32-bit Windows programs because they use memory more efficiently. Don't undersize the server for this role: add at least 8 MB of RAM per user that you're going to support. Microsoft states that a quad-processor Pentium Pro with 512 MB of RAM will concurrently support about 60 typical users. Each client must have a Terminal Services Client Access License and a Windows 2000 Server Client Access License (two licenses per client).
After installing Terminal Services, you should re-install any applications on the server that you would like clients to use while connected to Terminal Services. When you use Add/Remove Programs, the system switches into "install" mode, which records the per-user settings so that every user gets access to the application when attached. You can accomplish the same thing by issuing change user /install at a command prompt before the installation and change user /execute after it. Some programs require an application compatibility script to be run in the Terminal Services environment. Microsoft supplies such a script for Office 2000 in the Office 2000 Resource Kit.