976 Index
server clusters, 215–216 server management responsibilities, 27–28 wizards, when to use, 31–32 administrative control, delegating, 581–582 Administrative Templates, Group Policy settings, 564–565 administrative tools Active Directory Domains and Trusts console, 496 Terminal Services. See Terminal Services Windows NT vs. Windows Server 2003 (table), 490 Administrative Tools menu, management consoles available, 27–29 Administrative Tools Pack, 34 Administrator accounts, 386–387 Administrators and Backup Operators group, 269 adminpak.msi, 34 adprep.exe, 17 ADUC (Active Directory Users and Computers tool), 3–4 Advanced Digest Authentication, 900 advertising and Group Policy software installation, 602 affinity options, Network Load Balancing, 226 threads, and processors, 246 AH (IP Authentication Header), 319–320, 799–800 alerts, monitoring Active Directory, 637–638 analyzing baseline security, 88–93 anti-replay, IPSec, 797 antivirus software, installing, 73 APIPA (Automatic Private IP Addressing), 852–853 AppleTalk protocol, Windows Server 2003 support for, 742 troubleshooting server connections, 888 application assignment scripts, 607 application certificates, 828 application directory, using partitions, 483 Application Management messages, 623 application media pools, 167–168 application memory tuning, 245 application packages, 605–606 application partitions, 452, 491–494 application pools, 925 application servers securing, 80 and server roles, 64–66 applications assigning resources to (IIS), 919 and IIS Worker Process isolation mode, 902–903 managing properties, 619–621 published, and assigned (Group Policy), 602 removing managed, 618–621 ‘this initial program cannot be started’ error message, 973 upgrading with Group Policy deployment, 616–617 architecture bus, 245 IIS 6.0 and HTTP.SYS kernel mode driver, 903 revised IIS, 6 area border router (ABR), 769 arrays and disks, 246 .asp pages, 328 ASP.NET and IIS integration, 904 troubleshooting connection
errors, 924–926 ASPs, restricting Web server access, 78 ASR (Automated System Recovery), using, 75 ASR Wizard, 285 asset assessment, 69 assigned applications, 602 assigning new drive letters, 128–129 software to groups, 613–614 attacks deliberate, 69 Denial of Service (DoS), 442, 701–702 DoS, 730 elevation of privilege, 499 footprinting, 699 on IKE protocol, 320 minimizing with network topology, 784–785 preventing by disabling accounts, 73 redirection, 700, 730 attributes of object classes, 341 and object properties, 344 schema, 550, 552–555 authentication Active Directory, 368–369 Advanced Digest Authentication, 900 client and server settings (table), 85 configuring IIS settings, 921 creating user strategies, 437–438 cross-forest, forest-wide, 3, 453–454 developing strategies for, 431 disabling password-based methods, 865 domain, creating in test environment, 23 EAP support, 9 and IPSec, 797 IPSec configuration, 810 Kerberos, 75 network, 438 NTLMv2, 84 PEAP (Protected EAP), 867–873 RADIUS. See RADIUS RADIUS/IAS vs. 
Windows, 865–866 restricting remote access, 881–882 selecting for remote access, 864–867 selective, 454 setting delegation, 422 and shortcut trusts, 497 SIDs and, 376 single sign-on feature, 438, 508 smart card, 443, 843–844 types of, 439–442 UPN, and Global Catalog, 542 and user access, 364 authoritative restore, 647–648 authorization and authentication, 437–438 IIS 6.0, improved framework, 902 roles, 367 Authorization Manager described, 368 auto-enrollment (PKI), 841 autoenrollment for user and computer certificates, 584–585 automated update and notification tool, 72–73 Automated System Recovery (ASR), using, 75, 283–287 automatic client update settings, 101–104 Automatic Private IP Addressing (APIPA), 852–853, 885
B
back-end server clustering, 227–228 Back Office, Health Monitor, 35 backing up See also backups Active Directory, 640–649 domain controllers (DCs), 538–539 IPSec policies, 812 system state, 538 WINS database, log files, 731–732 XML metabase (IIS), 919 backup and recovery strategies, 268 backup domain controllers (BDCs), 56 Backup or Restore Wizard, 275 Backup Utility, 268–275 backups See also backing up Install from backups feature, 452 performing regular, 75 planning a strategy, 268–283 restoring from, 277 scheduling, 277, 279–283 selecting media, 276–277 types and logical drives, 269–272 volume shadow copy, 272 bandwidth allocation protocol. See BAP determining network requirements, 757 and replication, 548 BAP (bandwidth allocation protocol) and dial-in access, 853 and PPP Multilink, 860–862 baseline performance, 251 basic disks, troubleshooting, 178–181 basic volume, formatting, 130–131 Berkeley Internet Name Domain.
See BIND best practices defragmentation, 155 disk quota, 163 Group Policy, 594 installing IIS 6.0, 900 Network Load Balancing (NLB), 234–242 RAID, 165–166 Remote Storage, 177–178 security groups, 443–447 server clustering, 205–224 software restriction policies, 593 BGP (Border Gateway Protocol), 784 binary format, IP address format, 760 BIND (Berkeley Internet Name Domain) and other DNS server implications, 690 supporting Active Directory with, 694 and Windows DNS compatibility comparison (table), 691–692 zone transfers with, 693 binding and network protocols, 742 binding order in server clustering, 213 block ciphers, 820 booting your disk, 109–110 Border Gateway Protocol (BGP), 784 bottlenecks, performance, identifying, 244–247 bridgehead servers, configuring, 524 bridges network, described, 773–774 site link, 511 broadcast addresses, 760 buffer overflow difficulties, 82 built-in domain user accounts, 386–388 Builtin container, default groups in, 407 burst handling and WINS servers, 726–727 bus architecture, 245 businesses, planning infrastructure, 17–21
C
cache pollution, poisoning, 700, 703 caching flexible (IIS), 903 name servers, 676 shared disks, 207 cacls tool, 355–356 callback security and dial-in access, 866 canceling print jobs, 41 canonical names, 331, 384 certificate authorities (CAs) described, using, 61 establishing validity period of, 63 implementing, configuring, 830–838 securing, 79–80 Certificate Request Wizard, 841 certificate requests, 841–842 Certificate Revocation Lists (CRLs), 9, 61, 837 certificate rules (Group Policy), 592 Certificate Services, described, using, 61–64 certificate templates, 838–841 certificates autoenrollment policy, 9, 584–585 revoking, 837 setting user account properties, 400–401 certification authorities (CAs), 828–829 CGI (Common Gateway Interface), 78 chaining CAs, 61 changing See also modifying password policies, 435–436 printer permissions, 40 characters, reserved, logon names, 382 child domains, 449, 470 chkdsk.exe,
5, 180 ciphers, editing SSL/TLS, 441 ciphertext, 820 circular transaction logging, 629 Citrix and Terminal Services, 930 Citrix clients, 10 classes dynamically linked auxiliary, 373 object, described, 341 object, in Active Directory, 551–552 Client Access Licenses (CALs), 14–15 client authentication (SSL), 440 client configurations, troubleshooting, 737 clients configuring connections with Terminal Services, 962–964 relationship with Active Directory and other servers, 323–324 and server, authentication settings (table), 85 setting automatic update for, 101–104 Terminal Services, 66 clipboard problems, 973–974 clock speed of processors, 245 cluster administrator utility, 201–202 cluster groups, 192 cluster IP addresses, 225 cluster.exe, 201–204 clustering server. See server clustering server fault-tolerance solution, 289 WINS server cluster nodes, 721 clusters described, 6–7 cmdkey tool, 356–357 command-line interface described, 5 command-line scripts for managing printers, 43–45 for managing Web server, 6 command-line utilities See also specific utility or command Backup Utility, 276, 641 chkdsk.exe, 180–181 cluster.exe, 201–204 described, 31 disk management utilities, 117–120 DNS server maintenance and monitoring, 709–710 DSADD command, 389–393 DSMOVE, 425–427 esentutl.exe, 656 fsutil.exe, 163–164 IIS 6.0, new, 927–928 Ipseccmd, 320 for managing Active Directory, 355–363 MOVETREE, 425, 427–429 Netdom.exe, 486 netsh utility, 319, 770–772, 805 NLB.exe, 229–232 NTDSUTIL tool, 380–381, 632–635 ping, tracert, 314–318 for Quota administration, 452 Terminal Services, 971–972 commands See also specific commands printer management tasks (table), 45 server management tools, 47–50 Common Gateway Interface (CGI), 78 Common Language Runtime (CLR) software engine, 8 Compatible security template, 83 Compatws.inf, 83 computer accounts and Active Directory, 329 adding services, 422–423 creating, 415–420 delegating services,
422 managing, 420–423 managing multiple, 423–429 troubleshooting, 429 working with Active Directory, 415–416 computer availability, 288 computer configuration roles and access control, 367 Computer Management, using to manage remote computer, 35–36 computers adding to domains, 415–415 deploying software to (Group Policy), 608 displaying group memberships of, 421 managed, and RIS, 418 security settings, 588–591 conditional forwarding, 684 configuration partitions, 325–326 Configuration tool, Terminal Services, 956 Configure Your Server Wizard configuring roles, 53–54 configuring Web servers with, 59 installing IIS 6.0, 897–899 starting, 52 configuring automatic update for clients, 102 bridgehead servers, 524 certificate authorities (CAs), 830–833 clustered disks, 208 disk quotas, 155–163 DNS servers for use with Active Directory, 491–492 GPOs (Group Policy Objects), 576–579 group policy user and computer environments, 571–573 IAS, 891–893 interconnect interface, 212 interconnect networks, 210 IPSec policy, 803 network adapter with multiple IP addresses, 234–235 Network Monitor, 298–304 Network Monitor filters, 299–301 OSPF routers, 769 Remote Assistance (RA), 33, 934–938 Remote Desktop Connection (RDC) utility, 942–946 Remote Storage, 171–174 replication between sites, 522–524 RIP Version 2, 780–781 servers, 52–59 site link costs, 517 software update infrastructure, 96–101 terminal servers, 938–940 Web servers, 59–60 Windows 2003 dial-in RRAS servers, 855–858 Windows Server 2003 computer as static router, 778–780 wireless access points (WAPs), 862–864 wireless networking, 870–872 wireless security protocols, 867–873 connecting computers with Computer Management, 35 printers, 41, 46 to Terminal Services, 940 connections clients unable to make, 925–926 configuring with Terminal Services, 946–949 listener, understanding, 956–957 managing dial-in or VPN, 867 modifying properties of existing, 957 monitoring client Internet, 309–310 monitoring IPSec, 318–320 multilink
support, 853 subnets, 335 troubleshooting errors, 924–926 consistency checking, scheduling for WINS servers, 728 container objects. See organizational units containers created with Active Directory installation, 385–386 controllers, HBAs, SCSI, 206–207 convergence and heartbeats (NLB), 226–227 convergence time and WINS replication, 714 convert.exe, 74 converting basic to dynamic disks, 119–120, 133–135 group types, 405–406 partitions to NTFS, 74 copies, shadow, 5 copying your media, 177 costs site link, configuring, 517 Total Cost of Ownership (TCO), 20–21 CPUs and system performance, 245 minimum system requirements for operating systems (table), 67–68 creating account lockout policies, 436–437 backup schedule, 279–283 certificate templates, 838–841 clusters, 216–224 computer accounts, 415–420 and configuring site links, 515–518 custom MMCs, 30–31 DCs, 533–536 disk partitions, logical drives, 121–130 forest and domain structure, 466–489 GPOs (Group Policy Objects), 576–579 group accounts, 408–415 IPSec policies, 808–811 and managing GC servers, 545–546 NLB clusters, 236–242 objects from directories, 360–361 organizational units (OUs), 500–503 password policies, 433–437 passwords, 356 printers, 39 RAID-5 volumes, 146–149 remote access policies, 878–884 replication topology, 520–524 simple volumes, 136–139 site links, 354 sites, 512 software installation distribution points, 611 spanned volumes, 139–141 subnets, 513–515 trusts, 499 user accounts, 388–393 user authentication strategies, 437–438 Web sites with IIS Manager, 906 Windows Installer packages, 609 Credential Manager described, 9 Critical Update Notification (CUN), 101, 104 CRLs (certificate revocation lists), 837 cryptography IPSec, 797–798 Server-Gated (SGC), 901 CSP (Select Cryptographic Service Provider), 901 csvde tool, 357–358 CUN (Critical Update Notification), 101, 104 custom MMCs, 29–31 customizing Global Catalog, 544 IPSec policies, 807 server
security, 70–79
D
DACLs (discretionary access control lists), 364, 404–405 data capturing with Network Monitor, 296–297 making reliable, secure, accessible, 292 modification to AD database, 629–630 protecting Active Directory, 326–327 system state, 631 data backup, 273 data store, Active Directory, 323 database compaction, WINS servers, 728 database servers securing, 78 and server roles, 60 Datacenter Edition, Windows Server 2003, 12–14 DC renaming tool, 372 dcgpofix tool, 358 DCPROMO tool, 55 DDNS standard, 686–687 deactivating schema classes and attributes, 558 Debug Logging, DNS server setting, 706 Default security template, 83 defense in depth security plan, 432 defrag.exe, 149, 184 defragmentation of AD database, 631–633 best practices, 155 tool, in Windows Server 2003, 5 of volumes, partitions, 149–155 delegating Group Policy administrative control, 581–582 delegation described, 503 lame, 670 Delegation of Control Wizard, 504 deleting objects from directories, 360–361 demand dial routing, 304, 785 demilitarized zones (DMZs), 783–784 demoting DC to member server, 530 Denial of Service (DoS) attacks, 442, 701–702 deploying applications, 608–611 designing DNS namespace, 666–672 network, and documentation, 25–26 VPNs, 858–860 wireless remote access, 862 Device CALs, 15 DFS (Distributed File Service), using, 57 DHCP (Dynamic Host Configuration Protocol) and IP addressing, 748 for dial-in IP addressing, 852 managing IP addressing, 317–318 DHCP servers securing, 77, 687 and server roles, 57–58 troubleshooting, 308 DHCPACK (acknowledgement), 317–318 dial-in access configuring user accounts, 401 designing, configuring, 852–854 setting computer account properties, 423 vs.
other remote access types, 851 differential backups, 269, 271 Diffie-Hellman groups, 821 Diffie-Hellman key-exchange algorithm, 801 digest authentication Advanced Digest Authentication, 900 described, 442 IIS 6.0 configuration, 922 digital certificates, use in PKI system, 827 digital signing, 86 Dijkstra algorithm, 769 direct memory access (DMA), 246 directories creating objects from, 360–361 described, 325 Directory Access Protocol (DAP) and Active Directory, 328 directory information search, 543 directory information tree, 330 directory partitions application partition support, 4 and replication, 324 using application, 483 directory services described, 322 Directory Services Restore Mode, 632, 642, 657–658 disabling accounts, 73 DNS recursion, 701 password-based authentication, 865 disaster recovery and Layer 3 switches, 777 discontinuous namespace, 456, 490 discretionary access control lists (DACLs), 364, 377–379, 455 disjointed namespaces, 669 Disk Defragmenter tool, 149–154 disk duplexing, 113 disk fault-tolerance solutions, 289 disk management assigning new drive letters, 128–129 basic vs. dynamic, 107–110 command-line utilities, 117–120 defragmenting, 149–155 disk quotas, configuring and managing, 155–163 generally, 107 managing basic disks, 120–121 managing dynamic disks, 133–149 optimizing disk performance, 149–155 partition types and logical drives, 110–111 physical vs. logical, 108 Remote Storage, 166–178 using disk management tools, 115–120 volume types, 111–115 disk partitions vs. 
directory partitions, 325 disk quotas best practices, 163 configuring and managing, 155–163 troubleshooting, 184–186 diskpart.exe, 115, 117–119, 178 disks checking with chkdsk, 180 converting basic to dynamic, 119–120 initializing, 179 monitoring usage, 153 optimizing performance, 149–155 and system performance, 246 and volumes, 111–115 distance-vector protocols, 764, 765 Distinguished Names (DNs), 62, 330, 383 Distributed File Service (DFS), 4–5, 57, 611 Distributed Management Task Force (DMTF), 35 Distribution Groups described, 404–405, 455–456 distribution of services, Active Directory, 508–510 distribution points, creating (software deployment), 611 DMZs (demilitarized zones), 783–784 DNs (Distinguished Names), 62, 330, 383 dncmd command-line tool, 492–494 DNS (domain name system) and Active Directory, 328 and BIND compatibility comparison (table), 691–692 deploying internal root zone, 670 domain names, 336 implementing in Active Directory network environment, 490–494 interoperability with other DNS servers and Windows Server 2003 services, 689 multiple namespace support, 668 names, renaming, 3 namespace, designing, 666–672 records, settings of aging and scavenging, 689 role in Active Directory environment, 449 securing deployment, 494 security issues, levels, 699–705 servers. See DNS servers Service.
See DNS Service split configuration, 694–695 testing, 24 troubleshooting name resolution, 732–739 zone replication scope (table), 680 DNS databases, backups, 273–274 DNS infrastructure, security guidelines for, 704–705 DNS Resource Records (RRs), 660 DNS Server log, 267 DNS servers BIND and other considerations, 690 and cache pollution, 700, 703 conditional forwarding, 684–685 forwarders, 683 IP address resolution process described, 660–662 monitoring, 705–710 planning deployment of, 672–678 planning roles, 675–677 recursion, enabling and disabling, 701 securing, 77 and server roles, 57–58 testing configuration, 706 DNS Service installing, 662–663 troubleshooting problems, 735–736 DNS zones and Active Directory integration, 491 DNScmd tool, using to monitor DNS servers, 709 DNS/DHCP interaction, updating zone records, 686 DNSLint utility, using to monitor DNS servers, 710 DnsUpdateProxy group, 688 document invocation (Group Policy), 604 documentation for network design process, 25–26 for network infrastructure planning, 17–21 domain accounts, 385 domain and forest functional levels, 456–465 domain controller rename, 454 domain controllers (DCs) Active Directory and, 323 backing up, restoring, 538–539 changing computer into, 55 creating additional, 466, 470–474, 533–536 described, 323–324, 342 determining number of, 531–532 and distinguished names, 330 function of, 530 and the Global Catalog, 541 installing, 467–484 inter-site replication, 520 new system state backup method, 472–476 placing within sites, 537–538 planning and deploying, 529–538 renaming, 372, 489 securing, 75 and server roles, 54–55 and sites, 335 standalone, 648 upgrading to Windows Server 2003, 536–537 vs. member servers, 677–678 domain functional levels, verifying and raising, 463–464 domain functionality described, 457–459 Domain Guests global group, membership in, 387 domain local groups, 406, 446–447 Domain Masters, 475 Domain Name System. 
See DNS Domain Naming Masters, 343, 478–479 domain partitions, 325–326 domain password policies, 434–437 domain trees creating in existing forest, 469 described, 326, 337–339, 456 scope in, 405 domains and Active Directory namespace, 381–382 adding workstations to, 415–416 creating additional DCs for, 533–536 creating domain controller for, 466 creating in test environment, 23 creating password policy for users, 431–437 described, relationship with sites, 336 and domain controllers, 529 and forests, 449–465 managing with ntdsutil, 362 name collisions, 490 origin of, 697 parent, child, 337 raising functional levels of, 354, 462–465 raising functionality, 373–374 relationship with sites, 510–511 rename limitations in forests, 486–489 renaming, 359–360, 372 scope in, 405 and server roles, 55–57 DoS attacks, 442, 730, 784 DSADD command creating computer accounts with, 419–420 creating groups with, 409–410 creating users with, 389–393 dsadd, dsget, dsmod tools, 358–359 DSMOVE command, 425–427 dsmove tool, 359–360 duplex, full, communications, 247 duplexing, disk, 113 dynamic BAP, 861 dynamic disks, 108–109, 181–183 dynamic DNS (DDNS) updates, 667–668 Dynamic Host Configuration Protocol.
See DHCP dynamic routing, 763–764 dynamic updates with DHCP servers, 686–688 and DNS servers, 466 dynamically linked auxiliary classes, 373
E
e-commerce and Credential Manager, 9 e-mail and POP3, 60 and security groups, 404 EAP-MS-CHAP v2, 867 EAP-TLS protocol, 863, 867–873 edb.chk, edb*.log, 628 editions of Windows XP, 2 of Windows Server 2003, 12–14 EFS (Encrypted File System) backup and recovery strategy, 268 described, 57 sharing of encrypted files, 8 elevation of privilege attacks, 499 emergency disk repair (EDR), 283 Emergency Management Services, using, 37–38 enabling disk quotas, 156–159 DNS recursion, 701 IKE events, 320 encryption 3DES (strong encryption algorithm), 820 controlling remote access strength, 883 improvement in Windows Server 2003, 8 and IPSec, 319 MPPE, 858 and NTFS partitions, 75 reversible, 435 selecting VPN level, 866 encrypted connections, SSL and, 440 Encrypted File System. See EFS End User License Agreement (EULA), 100 enterprise CAs, 61, 831 Enterprise Edition, Windows Server 2003, 12–13 error logs, specifying file path, 92 error messages ‘file not found,’ 926–927 ‘insufficient disk space’ message, 186 terminal server licensing issues, 974 ‘this initial program cannot be started,’ 973 errors ‘401,’ 926 ‘404,’ 923–924 ‘503,’ 925 and log files, 260–261 NLB, detection and handling, 232–233 esentutl.exe, 656 ESP (IP Encapsulating Security Payload), 319–320, 799 Ethernet, choosing switches or hubs, 247 EULA (End User License Agreement), 100 event headers and log files, 263 Event Log in security templates, 82 troubleshooting Group Policy software deployment, 623 update synchronization entries, 100 event logging configuring Event Viewer, 526–527 DNS service, 708 packet, and IPSec, 817 event logs, 264–265, 636 Event Viewer configuring Active Directory event logging, 526–527 monitoring Active Directory with, 636–637 monitoring servers with, 260–267 troubleshooting Group Policy software
deployment, 623 troubleshooting IPSec, 816–817 viewing IKE events, 320 exporting data from Active Directory, 357–358 disk quota settings, 160–161 user and group information, 360–361 extended partitions, 111 Extensible Authentication Protocol (EAP), 9 Extensible Markup Language (XML) and HTTP, 58 Extensible Storage Engine (ESE), 629 extensions Active Directory, 344 Link Control Protocol (LCP), 861 extensive defense model of security, 432 external trusts, 353, 484, 497–498
F
failback in server clusters, 192 failover network fault-tolerance solutions, 288 N-Node, 197 in server clusters, 192 failover ring in server clusters, 199 failure tolerance, majority node set server cluster (table), 196 fast streaming, Media Services support for, 11 fast zone transfers, 678, 693 FAT file system, managing, 119–120 fault tolerance and performance, 631 planning for, 287–290 RAID-5 volumes, 114 in RIP networks, 767 server clustering and load balancing, 189–190 simple, striped volumes, 111–112 faxes, Printers and Faxes folder, 39–40 features overview, Windows Server 2003, 1–12 Federated Forest, 453–454 Fibre Channel interface, 192–193 file encryption and NTFS partitions, 75 file encryption key (FEK), 8 file extension activation (Group Policy), 604 ‘file not found’ errors, 926–927 File Replication Service (FRS) enhancement in Windows Server 2003, 4–5 log files, 260 file servers described, using, 57 securing, 76–77 file spooling and improved printer performance, 5–6 file systems basic and dynamic disk support, 109 category in security templates, 83 managing FAT and NTFS, 119–120 File Transfer Protocol.
See FTP FileAuthorizationModule class, 902 files, helper, 770–771 filtering data, 300 event log data, 263–264 mode, port rules and, 226 SID, and securing trusts, 499 filters configuring VPN, 859–860 Network Monitor, configuring, 299–301 packet filtering and firewalls, 788–789 RRAS packet, configuring, 855–858 static packet (NAT), 305 Windows Management Instrumentation (WMI), 569, 575 FIPS (Federal Information Processing Standard), 958 firewalls configuring VPN filters, 859–860 Internet Connection Firewall (ICF), 8, 896 NAT, configuration, 306 and packet filtering, 788–789, 821 protecting Web servers with, 78 VPN configurations, 859–860 FireWire (IEEE 1394), 109 five nines (fault tolerance), 288 Flexible Single Master of Operations (FSMO), 55, 342, 539 flooding described, 769 folders, Group Policy redirection, 586–588 footprinting, mitigating risk of, 699–700 forest-level functionality new Active Directory feature, 371 verifying and raising levels, 464 forest-level trusts, Windows Server 2003 support for, 3 forest root domain, creating, 467–468 forest trusts described, 352, 373, 497 and federated forests, 453 forests creating new domain tree in, 469–470 cross-forest authentication, 453–454 described, 326, 339 and domain functional levels, 456–465 domain rename limitations in forest, 486–488 functionality explained, 449–465 planning group strategy for multiple domain, 445–447 planning group strategy for single domain, 443–444 raising functional levels of, 462–465 raising functionality, 373–374 raising levels, 354 restructuring, 451, 486–89 role of, new features, 450–456 scope in, 405 formatting basic volumes, 130–131 forward lookup zones configuring, 663–665 described, 662 updating, 686 forward-only servers, 684–685 forwarders, forwarding servers, 676, 758 FQDN (Fully Qualified Domain Names) and host name resolution, 382, 660–665 troubleshooting client configurations, 734 fragmentation problems, 184 frames
capturing with Network Monitor, 296–298 performing network traces, 301–304 front-end server clustering, 227–228 FrontPage extensions, adding, 65 FRS (File Replication Service), 4–5 FSMO (Flexible Single Master of Operations) placing, 479–483 server role, 55 fsutil.exe, 115, 119–120, 163–164 FTP (File Transfer Protocol) described, 59 FTP servers, setting up, 909–911 full-duplex communications, 247 full zone transfers (AXFR), 678–679 Fully Qualified Domain Names (FQDNs), 382, 660–665, 734
G
garbage collection process and tombstone interval, 630 gateways described, 764 GC servers. See Global Catalog Generic Routing Encapsulation (GRE) packets, 789 Global Catalog (GC) and Active Directory, 344–345 adding attributes to, 547 customizing using Schema MMC snap-in, 544–545 described, 541 functions of, 542–543 placing servers within sites, 547–549 replication, 4, 546–547 servers, creating and managing, 545–546 troubleshooting issues, 549–550 global groups, 405–406 Globally Unique Identifier (GUID), 418, 451 GPMC (Group Policy Management Console) enhancement in Windows Server 2003, 4 exploring, 24–25 new management features, 19 GPOs (Group Policy Objects) described, updating, 565 gpresult.exe, monitoring policies with, 4, 597–599 GPT (GUID partitioning table), 110 graphical defragmenter, 149–154 Graphical Interface for printer management, 38–39 Gray, Jim, 288 GRE (Generic Routing Encapsulation) packets, 789 group accounts built-in, 406–408 creating, 408–415 managing, 410–415 troubleshooting, 429 types of, 404–405 working with Active Directory, 403–415 group membership adding users to, 411 controlling, 75 displaying for a computer, 421 Domain Guests, 387 removing users from, 403 in security templates, 82 group nesting, 455 Group Policy administrative tasks, 584–594 applying to OUs, 502 applying security templates with, 93–95 assigning and applying IPSec policies, 812 best practices, 594 configuring application of, 579–581 configuring SUS server redirection, 102–104 controlling
Terminal Services users with, 970–971 described, 327 folder redirection, 585–588 and forest restructuring, 451 implementing, 576–584 planning strategy for, 568–575 scope and application order of policies, 565–567 setting up in test environment, 23 software deployment, troubleshooting, 623–625 software installation. See Group Policy software installation tasks performed by, terms and concepts, 562–568 troubleshooting, 595–600 user and computer security settings, 588–591 Windows settings, 564 Group Policy Management Console. See GPMC Group Policy Object Editor, using, 576 Group Policy Objects (GPOs) backup and restoration, 4 creating, configuring, managing, 576–579 and GPMC, 24–25 links, security, 580–581 and moving OUs between domains, 427 and policy-based administration, 327 viewing, 571 Group Policy software installation assigning applications, 602–603 components, 605–607 configuring installation properties, 614–616 deploying applications, 608–611 document invocation, 604 managing application properties, categories, 619–622 publishing applications, 602–605 removing managed applications, 618–621 upgrading applications, 616–617 vs.
SMS software deployment, 605 WinINSTALL LE 2003, 609 working with GPO Editor, 611–621 Group Policy Wizard, 577 groups AGDLP, 445–446 configuring remote access, 879 creating with DSADD command, 409–410 default in Builtin, Users containers, 407–408 Managed by, setting property, 413 nesting, 455 planning security strategy, 443–447 scope in, 405, 409 Universal, 454–456 Guest user accounts, 386–387 GUID (Globally Unique Identifier), 418, 451 GUID partitioning table (GPT), 110
H
hard lockouts, 436 hardware minimum system requirements for operating systems (table), 67–68 required configuration, 16 requirements and network topology, 755 hardware-based RAID, 165–166 Hardware Compatibility Lists (HCLs), 206 hash rules, Group Policy, 592 hash value, setting for password, 441 headless operations, 37 Health Insurance Portability and Accountability Act (HIPAA), 19 Health Monitor (Back Office), 35 heartbeats, 190, 226–227, 236 Help See also Remote Assistance information on command-line utilities, 31 Help and Support Center, 32, 387–388 HelpAssistant account, 386–387 helper files, 770–771 hexadecimal IP address format, 760 high availability and downtime, 243 and fault tolerance, 287 Highly Secure security template, 83–84 hisecdc.inf, 91 hisec*.inf, 83 host bus adapters (HBAs), 206 host name resolution planning, 660–665 troubleshooting, 311, 733–734 hostile workplaces, 19 hot fixes, managing, 95 hot-standby server/N+1, server cluster deployment option, 197–199 hot-swappable server components, 289 HTML (Hypertext Markup Language), 58 HTTP (Hypertext Transfer Protocol), 58–59 HTTP.sys, 903 hub-and-spoke replication model, 719–720 hubs in Ethernet networks, 247 network, 772–773 Hypertext Markup Language (HTML), 58 Hypertext Transfer Protocol (HTTP), 58–59 hyperthreading described, 245
I
IAS (Internet Authentication Services), configuring, 891–893 ICMP (Internet Control Message Protocol) configuring router discovery, 877–878 protocol described, 761 viewing network traffic, 302–303
identifying computers holding single operation master roles, 429 computers in domains, 416–417 identities and passwords, authentication, 431 idle timeout, controlling, 882–883 IEEE 802.11 wireless standards, 851, 862 IEEE 802.1X protocols, Windows Server 2003 support for, 9 IGMP multicast, 237–238, 743 IIS (Internet Information Services) buffer overflow difficulties, 82 described, 895–896 revised architecture of, 6 and system state backup, 273 IIS 6.0 answer file parameters for unattended setup (table), 899 authentication settings, 921–922 common administrative tasks, 914–920 default lockdown status, 902 enabling Web Service Extensions, 914–915 health detection, 920 hosting multiple Web sites, 917 IIS Manager Console, 906 installing and configuring, 896–900 managing, 905–920 managing security, 920–923 new features in, 900–905 troubleshooting, 923–927 unattended setup, 898–900 virtual directories, working with, 915–916 XML metabase, 905, 919 iisweb.vbs, iisvdir.vbs, iisftp.vbs, iistpdr.vbs, iisback.vbs, iiscnfg.vbs, 927–928 IKE (Internet Key Exchange) described, 319–320 and IPSec, 800–801, 818–819 importing data from Active Directory, 357–358 disk quota settings, 161–162 dynamic volumes, 183 user and group information, 360–361 in-band DoS attacks, 701 incremental backups, 269–271 incremental zone transfers (IXFR), 668, 678 indexing attributes in Active Directory, 554 inetinfo.exe, 903 InetOrgPerson accounts, 388 .inf files, 83 infrastructure DNS subdomains and zones, 672 master and server roles, 56–57 software update, configuring, 96–101 Infrastructure Masters, 343–344, 475 inheritance Group Policy, 566 permissions, 402 initializing disks, 179 Install from backups feature, 452 installation IIS, not by default, 6 and upgrade issues for Windows Server 2003, 16–17 installing Active Directory, 331–334 antivirus software, 73 applications through Group Policy deployment, 603–604 automatic client update settings,
101–104 Certificate Services, 830 domain controllers, 467–484 IIS, 59–60, 896–900 IP Security Policy and Management console, 804–805 IPv6, 750–755 MOVETREE, 428–429 Network Monitor, 292–298 Remote Desktop Connection (RDC) utility, 941 Remote Desktop Web Connection utility, 949–953 Remote Desktops MMC snap-in, 946–949 Remote Storage, 168–171 snap-ins from console, 348 software update infrastructure, 96–101 Windows Server 2003 DNS Service, 662–663 Windows Server 2003 onto dynamic volume, 109 Windows Server 2003 VPN server, 785–788 ‘insufficient disk space’ message, 186 Integrated Windows Authentication, 922 Intel, Itanium machines, and Enterprise Edition, 13 inter-site replication, 520 Inter-Site Topology Generator (ISTG), 520 interactive logons, 438 interfaces, setting binding order of, 213 interior gateway protocols (IGPs), 764 internal domain namespaces, 668–672 Internet access servers over, 33 connectivity, monitoring and troubleshooting, 304–318 fault-tolerance solutions, 289 and XML Web Services, 11–12 Internet Authentication Services (IAS), 13, 891–893 Internet Connection Firewall (ICF), 8, 896 Internet Control Message Protocol. See ICMP Internet Engineering Task Force (IETF), 795, 796 Internet Information Services. See IIS Internet Key Exchange (IKE) described, 319, 795 events, viewing, 320 and IPSec, 800–801 Internet Printing, 46 Internet Protocol Connection Protocol (IPXCP), 861 Internet Security Association and Key Management Protocol (ISAKMP), 319, 795, 800–801 Internet Server Application Programming Interface. See ISAPI Internet Service Providers (ISPs), and fault-tolerance solutions, 289 Internet zones, 592 interoperability with WINS, 696–699 interrupts described, 246 intersite replication, 680 Intra-site Automatic Tunnel Addressing Protocol (ISATAP), 7–8 intra-site replication, 345, 346, 518–520 IP (Internet Protocol) routing.
See routing IP addresses assigning to Web site, 917–918 classes and ranges (table), 746 cluster, 225 private (table), 747 public and private, 760 routing. See routing RRAS assignment of, 852 troubleshooting, 314–318 troubleshooting name resolution, 310–314 IP addressing managing with DHCP, 317–318 and NLB, 234–235 planning strategy for, 746 IP Authentication Header (AH), 319 IP Encapsulating Security Payload (ESP), 319 IP (Internet Protocol), 508 IP masquerading, 873 IP packet filters, controlling, 883 IP routing. See routing IP Security Monitor snap-in described, 814 viewing IPSec information with, 816 IP Security Policy and Management console, installing, 804–805 IP Security Policy Wizard, 808 IPConfig command, troubleshooting name resolution with, 312–314, 886 IPSec addressing security considerations, 820–823 components, 801–802 cryptography, 797–798 deploying, 802–803 driver, 802 improvement in Windows Server 2003, 8 key exchange settings, 811 managing, 804–820 modes, protocols, 798–801 monitoring, 813–814 monitoring connections, 318–320 offloads, 820 open standards and, 292 policies, custom, 807–808 policies, default, 805–807 Policy Agent, service described, 801–802 policy assignment in Group Policy, 812 pre-shared keys, using, 821–822 and print server security, 76–77 as protocol and framework, 795 routing security considerations, 782 support for, 247 troubleshooting, 814–820 viewing policy assignment information, 815–816 viewing statistics, 814 Windows Server 2003 deployment of, 796 IPSec Security Monitor, 318–320 Ipsec6.exe, 752 Ipseccmd tool, 320 IPv6, 7–8, 743, 749 IPXCP (Internet Protocol Connection Protocol), 861 IPX/SPX protocol, Windows Server 2003 support for, 742 ISAPI and Web server security, 78 ISATAP (Intra-site Automatic Tunnel Addressing Protocol), 7–8 ISTG (Inter-Site Topology Generator), 4, 520 IXFR (incremental zone transfers), 668 K KCC replication service, 345–346, 453, 508 Kerberos
authentication and CAs, 828 authentication described, 368–369, 439–440 and cross-forest authentication, 3 default authentication protocol, 75 setting group delegation, 422 V5, realm trusts, 484 Key Distribution Center (KDC) and Kerberos tickets, 439 Knowledge Consistency Checker. See KCC Knowledgebase, Microsoft, 106 L L2TP (Layer 2 Tunneling Protocol), 858–859 lame delegation, 670 LAN Manager (LM), 85, 86 Last Known Good boot mode, 284 Layer Two Tunneling Protocol (L2TP), 8, 785, 858–859 LDAP and directory services, 328 locating security principals, 383 and naming schema objects, 555 and X.500, 330 LDAP BIND requests, 86 LDAP/SSL, Active Directory, protocol use, 368–369 LDAP URL and Active Directory, 328–329 ldifde tool, creating objects from directory, 360–361 LDM (Logical Disk Manager), 110 leaf objects, 341 lease duration, DHCP, 748 legal considerations, network design, 19 licensing Remote Desktop Connection (RDC) utility, 941 terminal servers, 974 Terminal Services, 938–940 Windows Server 2003, 14–15 and your test network, 22–23 Lightweight Directory Access Protocol Uniform Resource Locator. See LDAP URL link-state advertisements (LSAs), 765 link-state database (LSDB), 768 link-state protocols, 764, 765 linked value replication, 452, 455 links and GPO properties, 580 site, 346 listener connections, 956–957 LMHOSTS files, 711, 722–724 load-balanced configurations, 288–289 load weight and NLB, 225 Local Character Sets, 904 local, non-local policies (Group Policy), 562–563 Local Policy, network security settings, 84–88 Local Security Authority (LSA), 369, 376 Local Security Policy utility, 269 lockout policies, 433, 436–437 log files backing up WINS, 731–732 cluster, 216 moving, 633–635 recovering transactions, 651–653 Windows Server 2003, described, 260–261 logging configuring with System Monitor, 251–255 DNS server Debug Logging, 707 DNS Server log, 267 event.
See event logging NAT (Network Address Translation), 304–310 netsh command, 319–320 Network Load Balancing (NLB), 233–234, 241 planning strategy for, 789–790 transaction, 629 verbose, 624–625 Logical Disk Manager, 110 logical disks, 108 logical drives, 110–111, 125–128 logon names, resolving SIDs to, 160 logons automatic, troubleshooting, 973 configuring with Terminal Services, 958–959 controlling time of, 396 deploying smart card, 844–848 and directory services, 322 displaying information about users, 362–363 interactive, 438 and Local Security Authority (LSA), 369 naming conventions, limitations, 382–383 passwords, 389–390 lookup zones, reverse vs. forward, 662 LSA (Local Security Authority), 369 M MAC addresses, restricting access by, 882 MAC bridges, 773 machine certificates, 828, 859 Macintosh computers and group membership, 403 primary groups and, 422 magneto-optical (MO) disk library and Remote Storage, 166 mail servers securing, 79 and server roles, 60–61 majority node set (MNS) model, 194–195 Manage Your Server tool, using, 52 management, out-of-band, 37–38 managing Active Directory, 347 computer accounts, 420–429 disk quotas, 155–163 disks. See disk management dynamic disks, 133–149 GC servers, 545–546 GPOs (Group Policy Objects), 578–579 IIS 6.0, 905–920 IIS security, 920–923 IPSec, 804–820 network with server management tools, 27–28 NLB clusters, 228–233 operations masters, 539 organizational units (OUs), 500–503 printer tools, 41 printers, print queues, 38–46 printing, 6 Remote Storage, 120 security identifiers, 380–381 servers remotely, 32–37 site replication topology, 521 user accounts, 393–403 users, sessions, processes with TS Manager, 954–956 master boot record (MBR) operations when disk boots, 109 master roles, assigning and transferring, 474–476 master server roles, 55–57 MBR (master boot record), 109 measuring disk memory (table), 157 media backup, 276–277