The Best Damn Windows Server 2003 Book Period- P102 pptx

Index

    copying, 177
    pools, 167–168
media access control (MAC), 237, 300
Media Services, improvement in Windows Server 2003, 10–11
memory
    leaks, 244
    minimum system requirements for operating systems (table), 67–68
    and performance bottlenecks, 244–245
    required configuration, 16
    requirements per site, 532
    virtual, and system performance, 245
messages
    DHCP warning, 240
    error. See error messages
    IGMP warning, 236
Microsoft Cluster Service (MSCS), 6–7
Microsoft Exchange and e-mail distribution groups, 404
Microsoft Knowledgebase, 106
Microsoft Licensing Program Reseller Web page, 14
Microsoft Metadirectory Services, 13
Microsoft Passport authentication, 442
Microsoft Point-to-Point Encryption (MPPE), 858
Microsoft Resource Centre, 14
Microsoft SQL Server, 78
Microsoft Systems Management Server (SMS), 19, 292
migration of Windows 2000 to Windows Server 2003, 3
MIME (Multipurpose Internet Mail Extension) and IIS, 923
mirrored volumes
    creating, 144–146
    described, 111
    troubleshooting, 187–188
MMC (Microsoft Management Console)
    Active Directory administration, 347
    adding snap-ins, 89–91
    Computer Management, 35–36
    console modes (table), 29
    custom snap-ins described, 29
    disk management, using, 115–116
    installing media services from, 10
    Remote Storage, 174
    System Monitor. See System Monitor
models
    AGDLP, 445–446
    AGGUDLP, 446–447
    cluster, 192–193
    extensive defense, 432
    OSI reference (table), 884
    remote access by user, by policy, 853
modes
    and functional levels (Active Directory), 370
    MMC console (table), 29
    Terminal Services Administration, 34
modifications, software packages, 606
modifying
    See also changing
    data in AD database, 629
    existing listener connections, 957–965
    objects in Active Directory, 359
    password policies, 435–436
monitoring
    AD database, 636–640
    client Internet connections, 309–310
    disk quotas, 159–160
    DNS servers, 705–710
    IPSec, 813–814
    IPSec connections, 318–320
    NAT activity, 308
    Network Load Balancing (NLB), 233–234
    network traffic and devices, 756
    performance counters, 251
    replication, 525–526
    servers with Event Viewer, 260–267
    servers with System Monitor, 247–257
    and troubleshooting Internet connectivity, 304–318
mounted drives, 208, 645
mountvol command, 178
MOVETREE command, moving objects in forests, domains, 359–360, 427–429
moving
    AD database, 633–635
    log files, 633–635
    objects in domains, 359–360, 427–429
MPIO (multipathing input/output), 9
MPPE (Microsoft Point-to-Point Encryption), 858
mrinfo command, 791
.msc files, 29
.msi files, 602, 606
MSI install package, 101
MsiInstaller messages, 623
.msp files, 607
.mst files, 606
multi-masters, 55
Multi-Win component, Terminal Services, 932
multicast
    communications, 743
    IP addresses, 760
multihomed computer route descriptions (table), 744–745
multilink connections, 853
multimaster replication, 345
multipathing input/output (MPIO), 9
multiprocessing described, 245
Multipurpose Internet Mail Extension (MIME) and IIS 6.0, 923
multithreading described, 245
mutual authentication, 439
My Documents folder, redirecting, 589

N

N-node failover pairs, server cluster deployment option, 196–197
name collisions, 490
name resolution
    host. See host name resolution
    troubleshooting, 310–314, 732–739
names
    logon. See logon names
    NetBIOS, 710
namespaces
    Active Directory, 381
    discontinuous, 456
    disjointed, 669
    DNS. See DNS namespace
    guidelines for internal domain, 672
    multiple, support for, 668
    NetBIOS, 710–711
naming
    Active Directory scheme, 328–329
    conventions, security principals and SIDs, 381–384
    distinguished names, 62
    GPOs (Group Policy Objects), 578
    host conventions, 666
    logon names, 382
    renaming. See renaming
    schema objects, 555
    schemes, and Active Directory, 330–331
NAT (Network Address Translation)
    components of, 761
    and Internet connectivity, 292
    and IPSec, 796, 800–801
    services described, 873–877
    troubleshooting, 304–310
NAT traversal (NAT-T), 8
NBMA (non-broadcast multiple access) network type, 769
nbstat command, 737
NBTStat, 312
nesting security groups, 455
.NET Framework, support for, 6
.NET passport authentication, 922
Net share command, 471
NetBIOS
    disabling encapsulation, 757
    name resolution, troubleshooting, 311, 710–713, 736–737
    renaming, 3
    and WINS service security, 730–731
NetBIOS over TCP/IP (NetBT), 77
netdiag.exe, 320, 814
netdom query fsmo command, 429
Netdom.exe, 486
NETMON.exe, protocol analyzer described, 790
netsh command utility
    administering routing servers, 770–772
    controlling IPSec, 805
    described, 319–320, 752
    monitoring IPSec, 813
    troubleshooting remote connections, 886
netstat utility, 309–310
Network Access Quarantine Control (NAQC), 316–318, 867
network address translation. See NAT
network authentication, 438
network components and system performance, 246–247
network interface cards. See NICs
network interface controllers and server clustering, 206
Network Load Balancing (NLB)
    best practices, 234–242
    creating NLB clusters, 236–242
    described, 6–7, 224
    error detection, handling, 232–233
    introduction, 113–114
    managing clusters, 228–233
    relationship to clustering, 227–228
    terminology, concepts, 225–227
Network Monitor
    Capture Window, 296–297
    configuring, 298–304
    determining IPSec protocol in use, 798
    installing, 292–298
    monitoring network traffic, 319–320
    troubleshooting IPSec, 819
Network News Transfer Protocol. See NNTP
network protocols, Windows Server 2003, 742
network security settings, 84–88
network topology
    and network performance, 247
    planning, 755–756
network traces, interpreting, 301–304
network traffic, monitoring, 756
networking, wireless. See wireless networking
networks
    bridges, 773–774
    determining bandwidth requirements, 757
    directory services, 322
    gateways, 764
    hubs, 772–773
    lease time, determining, 318
    minimizing attack points, 784–785
    monitoring generally, 291–292
    perimeter, 782
    planning infrastructure, 17–21
    subnets and, 508
    updates. See software updates
    using convergence, 766–767
New Delegation Wizard, 665
New Partition Wizard, 121
New RADIUS Client Wizard, 871
New Server Cluster Wizard, 218
New SMTP Virtual Server Wizard, 912–913
New Trust Wizard, 486, 496
New Volume Wizard, 136–139, 142, 146
next-hop IP address, 762
NICs (network interface cards)
    IPSec and system performance, 247
    and listener connections, 956
    NLB support, 7
    redundancy in, 288
NLB. See Network Load Balancing (NLB)
NLB Manager
    described, using, 7, 228–229
    enabling logging, 233–234
    logging entries, 241
NLB (Network Load Balancing), 6–7
NLB query, display commands, 234
NLB.exe, 229–232
NNTP (Network News Transfer Protocol)
    and IIS 6.0, 913
    protocol described, 59
NNTP servers, setting up, 913–914
No Terminal Server user SID security template, 83–84
nodes
    multiple interconnections, 211
    NetBIOS (table), 311–312
    recovering from failed cluster, 205
    in server clusters, 190
non-broadcast multiple access (NBMA) network type, 769
nonrecursive servers, 677
Notssid.inf, 83
Novell, NDS structure, leaf objects, 341
NSLookup tool
    described, 662
    troubleshooting remote connections, 887
    using to monitor DNS servers, 709
NT LAN Manager
    network authentication option, 441–442
    version 2 (NTLMv2), 84
Ntbackup, 641
NTBackup.exe, 275
NTDS performance object counters, monitoring Active Directory, 638
NTDS.dit, 55, 326
ntds.dit, 628
NTDSUTIL tool
    command options, 649–658
    described, 362, 632–635, 647–648
    managing SIDs with, 380–381
    transferring FSMO roles, 476
NTFS file system
    and clustered disks, 208
    converting partitions to, 74
    and data restoration, 645
    formatting basic volume with, 130–131
    managing, 119–120
NTFS permissions in server clusters, 216
NTLMv2 (NT LAN Manager version 2), 84

O

Oakley key-determination protocol, 801
object classes in Active Directory, 551–552
object counters, using to monitor Active Directory, 637–639
Object Identifier (OID) and naming schema objects, 555
object inheritance, 364–365
objects
    in Active Directory, 326
    adding to Active Directory, 358
    attributes and properties, 344
    expiration of, 630
    identifiers, and SIDs, 376
    locating by distinguished names, 383–384
    modifying in Active Directory, 359
    moving in Active Directory, 425–428
    setting permissions on Active Directory, 366–367
    site-link, 346, 515
    user, creating in Active Directory, 389–390
Office XP and Terminal Services, 66
offline defragmentation, 631–633
Open Shortest Path First (OSPF), 759, 768–770
operating systems
    choosing, 66–67
    running multiple, 22
operations masters, 55–57, 539
organizational units (OUs)
    adding to Active Directory, 358
    creating and managing, 500–503
    delegating control of, 503
    described, 327, 340, 495
    and distinguished names, 330
    planning structure and strategy, 503–505
organizations, administrative structure and physical network structure, 510–511
OSI reference model (table), 884
OSPF (Open Shortest Path First), 759, 768–770
out-of-band DoS attacks, 701
out-of-band operations, 37

P

packet event logging, troubleshooting IPSec, 817
packet filtering
    configuring RRAS, 855–858
    controlling IP filters, 883
    and firewalls, 788–789
    IPSec, 821
packet sniffers, 819
paging and system performance, 245
PAP (Password Authentication Protocol), 865
partitioning physical sites and logical domains, 511
partitions
    application, 452, 491–494
    application directory, using, 483
    defragmenting, 149–155
    directory. See directory partitions
    disk and directory, 325
    types and logical drives, 110–111
Passport authentication, 442, 922
Passport Integration described, 9
Password Authentication Protocol (PAP), 865
password policies
    components of, 431
    creating for domain users, 431–437
    defining, 433–437
passwords
    See also permissions
    changing Directory Services Restore Mode, 657–658
    creating, editing, 356
    and logons, 389–390
    policies. See password policies
    and remote connections, 865
    setting LM values, 85
    strong, 74, 230, 433
patches, security, 95, 605, 607
path rules (Group Policy), 592
pathping command, 314–316, 790, 889
PDC Emulator, 56, 343, 475
PDC Masters, locating, transferring, and seizing role, 479–481
PEAP (Protected EAP), 867–868
performance
    administration tool. See System Monitor
    bottlenecks, 244–247
    DC functions affecting (table), 531–532
    DNS servers, issues, 674
    establishing baseline, 251
    and fault tolerance, 631
    mirrored volumes and, 113
    monitoring with System Monitor, 637–638
    optimizing disk, 149–155
    optimizing network, 757
    WINS servers, 726–730
Performance Console
    monitoring DNS servers, 708
    using to monitor Active Directory, 637–638
performance counters
    analyzing, 256
    commonly referenced (table), 249–251
Performance Logs and Alerts function, 251–252
permissions
    See also passwords
    access control in Active Directory, 364–368
    access for Web sites, 909
    Active Directory, when adding packages (table), 621
    configuring group, 414–415
    and FAT16, FAT32, 327
    granting to non-administrators, 583
    inheritance, allowing, 402
    NTFS, 216
    printer, setting, 76–77
    for security groups, 404
    setting for access to objects, 401–403
    setting on listener connections, 964–965
    setting on objects, 365–367
    setting printer, 40
    SIDs. See SIDs
    standard, for listener connections (table), 965
    viewing, modifying, 355–356
personal information tabs, user accounts, 393–395
physical vs. logical disks, 108
PIN numbers and Kerberos authentication, 439–440
ping command, 747, 753, 754
    capturing ICMP, 303–304
    enabling in IIS 6.0, 920
    pathping, 790
    troubleshooting IP addressing, 314–318
    troubleshooting remote connections, 887
PKI (Public Key Infrastructure)
    Active Directory, protocol use, 368–369
    auto-enrollment, 841
    certificate revocation, 837
    described, 825
    function of, components, 826–827
    lost keys, solution, 835–836
    to support L2TP over IPSec for VPNs, 859
planning
    backup and recovery strategy, 268–283
    baseline security, 70
    CA hierarchy, 835
    certificates enrollment and distribution, 838–843
    and deploying domain controllers, 529–538
    DNS forwarding, 683–685
    DNS server deployment, 672–678
    for fault tolerance, 287–290
    Group Policy strategy, 568–575
    group strategies for forests, 443–447
    for host name resolution, 660–665
    IP addressing strategy, 746
    NetBIOS name resolution, 710–713
    network infrastructure, 17–21
    network topology, 755–756
    OU structure and strategy, 503–505
    remote access security, 864–867
    replication topology, 520
    routing strategy, 759–760
    running RSoP query, 573
    security group strategies, 443–447
    security in depth, 432
    server roles, security, 51
    server security strategy, 66–69
    sites and site links, 511–518
    system recovery with ASR, 283–287
    Windows Server 2003 certificate-based PKI, 825–830
    Windows Server 2003 test network, 22–24
    WINS server deployment, 713
    zone replication, 678–683
point-to-point network type, 769
Point-to-Point Protocol over Ethernet (PPPoE), 8
Point-to-Point Protocol (PPP), Multilink and BAP, 860–862
Point-to-Point Tunneling Protocol (PPTP), 785, 798, 858
policies
    configuring IPSec, 803
    DNS Security levels, 702–704
    Group. See Group Policy
    IPSec, configuring, 805–808
    network security configurations, 84–88
    password. See password policies
    remote access, administrative model, 854
    remote access, creating, 878–884
    remote access wireless, 863
    security. See security
    in security templates, 82
    software restriction, 591–594
policy-based administration, 327
pooling print jobs, 41
POP3 (Post Office Protocol)
    on mail servers, 60
    and SPA, 79
port rules
    adding, editing, 237
    and NLB, 226
port switching, 775–776
ports and hubs, 772
POSIX-compliant applications, 403, 422
Post Office Protocol. See POP3
posts, limiting, 926
power-saving features of Windows Server 2003, 209
power supply
    redundant, 290
    secure, 71
PPP (Point-to-Point Protocol)
    dial-in, 884
    Multilink and BAP, 860–862
PPPoE (Point-to-Point Protocol over Ethernet), Windows Server 2003 support for, 8
PPTP (Point-to-Point Tunneling Protocol), 785, 798, 858
pre-shared keys and IPSec, 821–822
primary domain controller (PDC) emulator
    DC role, 343
    and server roles, 56
primary master DNS server, 675
primary restore method, 648
print servers
    described, using, 57
    securing, 76–77
printers, creating, 39, 40
printing
    enhancement in Windows Server 2003, 4–6
    managing, 38–46
priority of program threads, 246
private networks in server clusters, 214–215
processes, terminating, 48–49
processor affinity, 246
processor object counters, monitoring Active Directory, 638
processors
    minimum system requirements for operating systems (table), 67–68
    requirements per site, 532
    and system performance, 245–246
profiles
    remote access, 878
    server roles, 52
    setting for user accounts, 396–397
    Terminal Services, 400
programs, scheduling, 47
properties
    accessing user object, 393
    and object attributes, 344
    viewing Active Directory object, 358–359
Protected EAP (PEAP), 867–868
protocols
    See also specific protocol
    authentication, 368–369
    IEEE 802.1X, 9
    Internet printing, 46
    Network Load Balancing (NLB), 234–235
    routing, 764–770, 793
    Web server, 58–59
    Windows Server 2003 network, 742
    wireless security, 867–873
proxy servers, 289
Public Key Infrastructure. See PKI
publishing
    applications (Group Policy), 602–603
    applications using .zap setup files, 610–611
    services in Active Directory, 509
pull model, software deployment, 605, 718–719, 739
pull replication, 521
push model, software deployment, 605, 716–718, 739

Q

queries
    Global Catalog, example, 543
    and nonauthoritative responses, 674
    RSoP, 573, 599–600
Quota administration, 452
quotas, disk. See disk quotas

R

RADIUS (Remote Authentication Dial-In User Service)
    authentication described, 862
    configuring IAS, 891–893
    configuring WAPs as clients, 864
    IAS vs. Windows authentication, 865–866
    improvement in Windows Server 2003, 8
RAID
    controllers, 206
    solutions, implementing, 164–166
    troubleshooting, 187–188
RAID-5 volumes
    creating, using, 146–149
    described, 114–115
RAM (random access memory)
    and performance bottlenecks, 244–245
    required for installation, 16
RCP-Tcp connections, configuring, 956
RD (Remote Desktop) for Administration, 34
RDC utility. See Remote Desktop Connection
RDN (Relative Distinguished Name), 383
RDP (Remote Desktop Protocol), 10, 931–932
realm trusts, 353, 497
recovering
    from cluster node failure, 205
    transactions, 651–653
Recovery Console described, using, 75
redirection attacks, 700, 730
redundancy and fault tolerance, 287
regedit.exe, 105
Registration Agent (RA), 835–836
registry
    category in security templates, 82
    configuring for SUS clients, 103–104
    and system state backup, 273
regulatory considerations, network design, 19
relative distinguished names (RDNs), 330–331, 383
relative ID master (RID), 56
Relative ID Masters. See RID Masters
relnotes.htm, 16
remote access
    configuring dial-in accounts, 401
    configuring policies for wireless connections, 863–864
    creating policies, 878–884
    restriction methods, 880–882
    troubleshooting client connections, 884–887
    troubleshooting server connections, 888–890
    types and strategies for, 850–852
    using smart cards for VPNs, 847
Remote Access Quarantine Agent service, 881
remote administration
    of cluster nodes, 215
    deciding which tool to use, 37
    managing remote computers with Computer Management, 35–36
    NLB, 229, 236
    shutting down, restarting computers, 48
    using Terminal Services components for, 933–938
    using Web interface for, 33–34
Remote Assistance (RA), 32–33, 387, 931, 934–938
Remote Authentication Dial-In User Service. See RADIUS
Remote Control tab, user accounts, 399
Remote Desktop Connection (RDC) utility, 940–942
Remote Desktop Protocol (RDP), 10, 931–932
Remote Desktop (RD) for Administration, 34, 930–931, 934
Remote Desktops (RD) MMC snap-in (Terminal Services), 946–949
Remote Desktop Web Connection utility, 949–953
Remote Installation Services (RIS) managed computers, 418
Remote Storage
    best practices, 177–178
    described, 166, 316–317
    managing remotely, 120
    troubleshooting, 186–187
    using, 174–177
Remote Storage Setup Wizard, 171
Removable Storage, using, 167
Remove Administrative mode, 10
removing
    managed applications, 618–621
    users from groups, 403
renaming
    DC renaming tool, 372
    domains, 372–373
    domains in forests, 486–489
    NetBIOS, DNS names, 3
    objects within domains, 359–360
    sites, 513
replicating
    AD information to other domain controllers, 75
    directory data, 373
replication
    Active Directory improvements, 373
    bandwidth and network traffic considerations, 548
    configuring between sites, 522–524
    described, 508
    and directory partitions, 324
    Global Catalog, 546
    inter-site, 520, 680
    linked value, 452
    managing with Active Directory Sites and Services console, 354
    managing with multiple domains, 337
    models of, 719–722
    multi-masters, 55
    planning for zone, 678–683
    site. See site replication
    topology, and Active Directory, 345–346
    troubleshooting failure, 524–525
    WINS partnership configuration, 715–719
    WINS, troubleshooting, 738
Replication Monitor, using, 525–526
Replmon.exe, 528
report view, System Monitor, 248–249
reporting
    defragmentation, 151–153
    with GPMC, 4
reports, RSoP, 575, 596
Res1.log, Res2.log, 628
resources
    licensing issues, 14–15
    NAT (Network Address Translation) information, 304
    and server clustering, 191
    TechNet site, 106
    WMI (Windows Management Instrumentation), 35
restarting computers remotely, 48
restoration options, backup utility, 276–277
Restore Wizard, 473
restores, performing ASR, 286–287
restoring
    Active Directory, 640–649
    default domain policies, 358
    Directory Services Restore Mode, 632
    domain controllers (DCs), 538–539
    IPSec policies, 812
restrictions
    remote access, 880–882
    software policies (Group Policy), 592–594
restructuring forests, and renaming trusts, 486–89
Resultant Set of Policy (RSoP)
    Group Policy tool, 19
    and IPSec security, 822–823
    logging and planning mode, 582
    planning and troubleshooting policies, 595–597
    tool, using to evaluate group policy design, 568
Resultant Set of Policy Wizard, 568
reverse lookup zones
    configuring, 663–665
    described, 662
    updating, 686
    and WINS reverse lookup records, 697
RID Masters
    DC role, 343
    described, 475
    locating, transferring, and seizing role, 479–481
    relative identifier generation, 376
    troubleshooting, 429
ring topology, replication and, 519, 719
RIP (Routing Information Protocol)
    configuring Version 2, 780–781
    protocol described, 759, 765–768
RIS (Remote Installation Services) and managed computers, 418
risk assessment, 69
rogue servers, 77, 895
role-based access control, 367
role-based administration, PKI (Public Key Infrastructure), 843
roles, server
    See also server roles
    assigning (IIS), 897–899
    Terminal Server, 930–931, 938–940
root authorities (root CAs), 61, 829
root domains in forests, 450
root hints file, 661
root zones on DNS servers, 670–671
Rootsec.inf, 83
route command, 890
router-to-router VPNs, 785–788
routers
    analyzing components, 783–784
    bridge, 773
    ICMP discovery, 877–878
    RIP, 765–766
    Windows Server 2003 as, 777–781
routes, tracing, 889
routing
    See also IP routing
    adjacencies, 768
    administering with netsh commands, 770–772
    common problems, 792
    demand dial, 304
    described, 762–763
    evaluating options, 772–777
    IP, basics of, 760–764
    logging level, 789–790
    packet filtering and firewalls, 788–789
    planning strategy for implementing and maintaining, 759–760
    security considerations, 782–790
    segment, and port switching, 775–776
    static vs. dynamic, 763–764
Routing and Remote Access console, using for troubleshooting, 790
Routing and Remote Access Services. See RRAS
Routing and Remote Access utility, viewing routing tables with, 762–763
Routing Information Protocol. See RIP
routing protocols
    See also specific protocol
    ICMP (Internet Control Message Protocol), 761
    NAT (Network Address Translation), 761
routing tables
    configuration problems, 794
    ICMP and, 761
RQC.exe, RQS.exe, 316–317
RQS.EXE, RQC.EXE, 881
RRAS (Routing and Remote Access Service)
    configuration, and routing problems, 792
    configuring packet filtering, 855–858
    described, 304
    and dial-in access, 852–854
    NAT services, 873–877
    packet filtering and firewalls, 788–789
    protocol described, 759
    when to use, 772
RRAS servers
    configuring dial-up, 855–858
    configuring as routers, 792
rss.exe, 115
rules
    port. See port rules
    precedence of policies, 593
    for Remote Storage file management, 175
Run as command, 32
Runaway call limit, Remote Storage, 176

S

SACLs (security access control lists), 364
Safe Mode startup, 284
SAM database and Active Directory authentication, 368
SAs (security associations) and IPSec, 797
saving log files, 266
sc.exe program described, 47
scheduling
    backups, 277
    file-copy for Remote Storage, 176
    printers, 42–43
    programs, tasks, 47
    Windows Update, 98–101
Schema Masters
    DC role, 343
    described, 344, 475
Schema MMC snap-in, 545, 556
Schema Operations Masters, locating and transferring, 476–477
schema partitions, 325–326
schemas
    and Active Directory, 344
    defunct and reused, 450
    modifying, extending, 556–557
    object classes and attributes, 550
    redefining, 4
    troubleshooting, 559
    working with Active Directory, 550–559
schtasks.exe program described, 47
scope
    described, 405
    group, in Active Directory, 405–406
    of problems, determining, 429
screened subnets, 783
scripting
    command-line, 6
    printer, printing management, 43–45
scripts, application assignment, 605, 607
SCSI controllers, 207
searching, directory information search, 543
secedit.exe, 93–94
Secure Password Authentication (SPA), 79
Secure security template, 83–84
Secure Sockets Layer (SSL)
    Active Directory, protocol use, 368–369
    encryption process described, 440–441
Secure Sockets Layer/Transport Layer Security (SSL/TLS), 440–441
securedc.inf, 89
Secure*.inf, 83
securing
    application and terminal servers, 80
    backups, 268
    certificate authorities (CAs), 79–80
    database servers, 78
    DNS deployment, 494
    domain controllers, 75
    file and print servers, 76–77
    mail servers, 79
    servers according to server roles, 71
    trusts using SID filtering, 499
    Web servers, 78
    zone replication, 682
security
    analyzing baseline, 88–93
    and authentication strategies, 431
    callback, 866
    DNS issues, levels, 699–705
    and DNS namespaces, 666
    Group Policy settings for users and computers, 588–591
    IIS 6.0 new features, 900–902
    implementing Active Directory, 363–369
    improvement in Windows Server 2003, 8–9
    IPSec considerations, 803, 820–823
    Local Security Policy utility, 269
    managing IIS, 920–923
    minimum requirements for your organization, 68–70
    network settings, 84–88
    and NLB, 235–236
    patches, 95
    planning baseline, 70
    planning CA, 836–837
    planning remote access, 864–867
    planning server strategy, 66–69
    Remote Assistance issues, 937
    Remote Desktop (RD) for Administration, 934
    routing considerations, 782–790
    and RSoP, 822–823
    in server clusters, 214–216
    setting user object, 400–403
    specific policies for, 69
security access control lists (SACLs), 364
Security Accounts Manager (SAM), 328–329, 384
security associations (SAs) and IPSec, 797
Security Configuration and Analysis, applying security templates with, 93–95
Security Configuration Manager (SCM), 81
security groups
    best practices, 443–447
    described, 404
    nesting, 455
    universal, 446
Security Identifiers. See SIDs
security parameters index (SPI), 797
security principals, naming conventions, limitations, 381–384
security templates
    applying, 93–95
    configuration areas, 82
    generally, 81
    types of, 83–84
segment switching, 775–776
Select Cryptographic Service Provider (CSP), 901
selective authentication, 454
semantic database analysis, 653–655
server authentication (SSL), 440
server clustering
    administration, 201–216
    backup and recovery, 274–275
    binding order, 213
    cluster groups, models, 191–195
    cluster network configuration, 209–216
    clusters, creating, 216–224
    deployment options, 196–201
    failover ring option, 199–200
    and high-availability planning, 190
    introduction, 189–190
    Network Load Balancing (NLB). See Network Load Balancing (NLB)
    nodes, heartbeats, 190–191
    random deployment option, 200–201
    relationship to NLB, 227–228
Server-Gated Cryptography (SGC), 901
server roles
    configuring, 53–54
    described, 50
    described, setting up, 52
    planning, 51
    securing servers according to, 71
server security, planning, 51
servers
    See also specific servers
    application, and terminal, 64–66
    and client, authentication settings (table), 85
    clustering. See server clustering
    configuring, managing with wizards, 50
    customizing security for, 70–79
    database, 60
    DHCP, 57–58, 686–688
    DNS, 57–58
    file, 57
    FTP, setting up, 909–911
    hot-swappable components, 289
    mail, 60–61
    managing remotely, 32–37
    monitoring with Event Viewer, 260–267
    monitoring with System Monitor, 247–257
    NNTP, setting up, 913–914
    planning security strategy for, 66–69
    print, 57
    promoting, 457
    rogue, 77
    SMTP, setting up, 912–913
    SUS, 96
    synchronizing Windows Update, 98–101
    terminal, configuring, 938–940
    WINS, 57–58
Service Level Agreements (SLAs), 20
Service Pack 3 (SP3), 101
Service Pack 4 (SP4), 81
service packs and system updates, 71–72
services, removing unnecessary, 73
session keys and digest authentication, 442
sessions
    configuring with Terminal Services, 959–960, 967–968
    resetting, 972
Setup security.inf, 83
setx.exe program described, 48
server fault-tolerance solutions, 289–290
SGC (Server-Gated Cryptography), 901
shadow copies, improvement in Windows Server 2003, 5
sharing printers, 5–6, 39
shortcut trusts, 497
shortest path first (SPF) protocols, 765
shutdown.exe program described, 48
shutting down remote computers, 48
SID filtering for securing trusts, 499
SIDs (Security Identifiers)
    described, using, 376–378
    managing, 362
    resolving to logon names, 160
    and RIDs, 343
    and security groups, 404
    well-known (table), 379–380
Simple Access Protocol (SOAP), 3
Simple Authentication Security Layer (SASL), 442
Simple Mail Transfer Protocol (SMTP)
    protocol described, 59
    and site links, 354
simple volumes, 111–112, 136–139
Single Instance Store (SIS), 453
single node server cluster, 193
single quorum device service cluster, 194
single sign-on feature, 508
site link bridges, 511, 523
site-link objects, 346
site links
    configuring availability, 522–523
    creating and storing, 354
    planning, creating, configuring, 511–518
site replication
    configuring site link bridges, 523
    creating topology, 521
    described, types, 518
    planning, creating and managing topology, 520–524
sites in Active Directory
    described, 508
    configuring replication between, 522–524
    creating, 512
    creating topology for replication, 507
    described, 335
    minimum memory, processor requirements (table), 532
    placing DCs within, 537–538
    placing GC servers within, 547
    relationship with domains, subnets, 510–511
    and site links, planning, 511–518
slave servers, 675
sliding window method of transmitting data, 757
smart cards
    authentication, 443, 843–848
    using for remote access, 867
SMS (Microsoft Systems Management Server), 19, 292, 605
SMTP servers, setting up, 912–913
snap-ins
    Active Directory Domains and Trusts console, 351–354
    Active Directory Sites and Services console, 354
    Active Directory Users and Computers tool (ADUC), 385
    adding to MMC, 89–91
    ADUC (Active Directory Users and Computers tool), 349–351
    Authorization Manager, 368
    in Computer Management (table), 36
    Disk Management, 35–36
    multiple, and MMC interface, 347
SOAP (Simple Access Protocol) support, 3
soft associations, 822
soft lockouts, 436
software
    deployment. See Group Policy software installation
    push and pull models of deployment, 605
    restriction policies, 591–594
software packages
    See also application packages
    adding, removing modifications for, 622–623
    declared upgrade relationship, 616–617
    described, 602
software policies (Group Policy), 563
Software Update Service (SUS)
    described, 81
    managing software updates with, 95
software updates
    Group Policy deployment, 617
    managing, 95–106
    testing, 106
SPA (Secure Password Authentication), 79
space, disk
    enabling disk quotas, 155–163
    extending with Remote Storage, 166
    'insufficient disk space' message, 186
    planning for applications, 208
    setting desired free, Remote Storage, 175
spanned volumes, 112, 138
special permissions, 365
speed
    clock, or processors, 245
    performance. See performance
speed-buffering bridges, 774–775
SPF (shortest path first) protocols, 765
SPI (security parameters index), 797
split DNS configurations, 694–695
spooler service, printer management, 45
SSL/TLS protocol described, 440–441
stand-alone CAs, 831
Standard Edition, Windows Server 2003, 12–13
standards
    802.11 wireless, 851, 862
    authentication, 368–369
starting
    Active Directory Users and Computers tool (ADUC), 388
    Backup Utility, 275
    MMCs, 347
    NLB Manager, 229
    Safe Mode startup, 284
static address pools, 852
static packet filters, 304
static vs. dynamic routing, 763
static WINS entries, 722, 737
statistics, capturing network data with Network Monitor, 296–297
stealth servers, 676
stopping processes remotely, 48–49
Storage Area Networking (SAN) and clustering technology, 6–7
storage devices and server clustering, 206
strategies
    planning and implementing routing, 759–760
    planning DNS, 659–660
    planning remote access, 850–852
streaming, fast, 11
striped volumes, 112–113, 141–144
strong encryption algorithm (3DES) and IPSec security, 820
strong passwords, 74, 230, 433
stub zones, 670
subnets
    associating with sites, 514
    creating, 513–515
    creating scheme for IP addressing, 746
    described, 335
    and networks, 508
    relationship with sites, 511
    screened, 783
    storing information about, 354
subordinate CAs, 61
suffixes, UPNs (user principal names), 382, 424–425
Support Tools for managing sites, subnets, and networks, 527–528
Support_388945a0 account, 386–388
SUPTOOLS.MSI, 428
switches
    described, 775–776
    in Ethernet networks, 247
synchronizing
    media copies, 177
    servers with Microsoft Windows Update servers, 98–101
SYS command, 283
syskey command, 433
System Compatibility wizard, 16
System Equivalency licenses, 15
system key utility (syskey), 432–433
system media pools, 167–168
System Monitor
    comparisons with multiple systems, 256
    creating console, 257–260
    described, using, 247–257
    managing print performance with, 6
    monitoring network traffic with, 756–757
    monitoring Active Directory with, 639–640
system object counters, monitoring Active Directory, 639
system performance, 244–247
System root security template, 83–84
system state data
    backing up, 538, 631, 641
    and new system state backup method, 472–476
Systems Management Server (SMS), 35

T

tape backups, 277
taskkill.exe program described, 48–49
tasks
    managing, 48–49
    scheduling, 47
tasklist.exe program described, 48
TCO (Total Cost of Ownership), 20–21
TCP/IP
    automatic interface metric determination, 744
    configuration problems, 794
    default protocol, 246
    infrastructure planning, implementing, maintaining, 741
    interconnect settings, 213
    IPv6, 743
    troubleshooting IP addressing, 314–318
    Windows Server 2003 enhancements, 742–745
TechNet site, 106
technologies, determining costs of, 20–21
Telnet, stopping service, 47
templates
    certificate, 838–841
    security. See security templates
Terminal Server Client Access License (TS CAL), 14–15
terminal servers
    logging on with smart cards, 848
    securing, 80
    security template setting, 84
    and server roles, 64–66
Terminal Services
    command-line tools (table), 971–972
    configuration server settings, 965–966
    improvement in Windows Server 2003, 9–10
    introduction to, 929–930
    listener connection, managing, 957–965
    Remote Assistance (RA), 931
    setting properties, 398–400
    and terminal servers, 66
    troubleshooting, 972–974
    using administrative tools, 953–972
    using client tools, 940–953
    using Configuration tool, 956
    using for remote administration, 933–938
    using group policy settings to control users, 970–971
Terminal Services Administration mode, 34
Terminal Services Manager. See TS Manager
testing
    developing Windows Server 2003 test environment, 21–25
    DNS server configuration, 706
    software updates, 106
'this initial program cannot be started' error message, 973
threads in programs, 245
three-hop rule of intra-site replication, 518–520
ticket-granting service (TGS) and Kerberos authentication, 440
time-outs, troubleshooting, 926
Time To Live (TTL), dynamic data, 362
TLS (Transport Layer Security), 369
Token Ring networks, 247
tombstone interval and WINS servers, 712
tombstone process, interval, 630
tools
    See also specific tool
    Active Directory Object Manager, 427
    Active Directory Support, 527–528
    Backup Utility, 269–275
    cluster administrator, 201–202
    command-line utilities. See command-line utilities
    defrag.exe, 154
    Disk Defragmenter, 149–154
    disk management command-line, 117–120
    NLB Manager, 228–229
    NSLookup diagnostic, 662
    NTDSUTIL, 380–381
    Resultant Set of Policy (RSoP), 568
    software installation diagnostics tool, 625
    Terminal Services administrative, 953–972
    for viewing, managing security identifiers, 380–381
topology
    Active Directory, 326
    convergence, 766
    and network availability, 289
    and network performance, 247
    and physical directory structure, 341
    planning network, 755–756
    replication, 345–346, 520–524
    simplifying network to minimize attack points, 784–785
    Web site, for optimizing replication, 507
Total Cost of Ownership (TCO), 20–21
tracert command, 314–318, 748, 889–890
traces, interpreting network, 301–304
traffic
    distributing within NLB cluster, 225–226
    management planning, 756
    monitoring IPSec, 318–320
transaction logging, 629
transactional database, 628
transactions
    recovering, 651–653
    and tombstone interval, 630
transforms
    applying to software packages, 622
    described, 602
    and software packages, 605–607
transitive relationships
    described, 338, 496
    and trusts, 484–486
transitive site links, 523
translating bridges, 774
Transport Layer Security (TLS), 369, 440
trees and forests, 450
troubleshooting
    account problems, 429
    Active Directory availability, 649–658
    Active Directory schema issues, 559
    basic disks, 178–181
    disk quotas, 184–186
    disk space problems, 149
    dynamic volumes, 181–183
    fragmentation problems, 184
    Global Catalog issues, 549–550
    Group Policy, 595–600
    Group Policy software deployment, 623–625
    IIS 6.0, 923–927
    installation, 16–17
    IP addresses, 314–318
    IP routing, 790–794
    IPSec, 814–820
    and monitoring Internet connectivity, 304–318
    name resolution, 310–314, 732–739
    NAT (Network Address Translation), 304–310
    NetBIOS name resolution, 736–737
    performance issues, 251
    RAID, 187–188
    remote access client and server connections, 884–890
    Remote Storage, 186–187
    replication failure, 524–525
    software updates, 106
    Terminal
Services, 972–974 trust relationships described, 495 and domain trees, 338 301_BD_W2k3_Ind.qxd 5/14/04 12:09 PM Page 994 Index 995 establishing, 484–486 types of, 496 trusts direction and transitivity, 484 forest-level, 3 realm, 353 renaming after forest restructuring, 486–89 securing using SID filtering, 499 shortcut, forest, 352 types of, 486 working with, 496–503 TS Manager, connecting servers, managing users and processes, 954–956 tunneling, 6to4, 753 U UCS Transformation Format (UTF) and IIS 6.0, 904 UDDI (Universal Description, Discovery, and Integration Services), 13 underscore character in NetBIOS names, 667 unicast addresses, 760 Unicode Transformation Format, 667, 904 Uniform Resource Locators. See URLs uninstalling applications, 618–621 Uninterruptible Power Supplies (UPSs), 71, 290 Universal Description, Discovery, and Integration Services (UDDI), 13 Universal Group caching, 452, 548–549 Universal Group membership, 345, 544, 546 Universal Groups and group conversions, 454–456 Universal Naming Convention (UNC) and Active Directory, 328 universal security groups, 405, 446 Unix and IIS errors, 926–927 ‘unreadable’ disk message, 180 updates automatic, 72–73 deploying with Group Policy, 617 dynamic, and DNS servers, 466 dynamic DNS (DDNS), 667–668 managing software, 95–106 replication and, 324 and software packages, 607 for Windows operating systems, 71–72 updating forward and reverse lookup zones, 686 upgrades, Windows Server 2003, issues, 16–17 upgrading applications, 616–617 DCs to Windows Server 2003, 536–537 domain or forest functional level, 23–24 UPN (User Principal Name), 328, 382, 424–425, 798 UPN authentication and Global Catalog, 542 UPSs (Uninterruptible Power Supplies), 71 URLs (Universal Resource Locators) accessing resources via, 329 and Active Directory, 328 user accounts Account tab, 396–398 Active Directory server objects, 376 built-in domain, 386–388 configuring with Terminal Services, 966 creating in test environment, 23 creating, 
managing, 385 disabling, 73 lockout policies, creating and applying, 436–437 managing, 393–403 passwords. See passwords for Remote Assistance, 935 restricting hours of access, 396 troubleshooting, 429 working with, 384–386 user and computer policies (Group Policy), 563–565 User CALs, 15 user certificates use in PKI system, 828 User Datagram Protocol (UDP), 798 user logons, processing policy settings (Group Policy), 566 User Principal Name (UPN) and Active Directory, 328 creating alternative suffixes, 424–425 in forests, 381 user rights, viewed from Local Security Policy, 269 userenv, 623 usernames, creating and editing, 356 users accounts. See user accounts adding to Active Directory, 358 deploying software to (Group Policy), 607–608 displaying information about logged- on, 362–363 educating about security, 442 managing with TS Manager, 954 remote access, administration of, 854 removing from groups, 403 security settings, 589 single sign-on authentication, 438 software restriction policies, 591–594 Users container, default groups in, 407–408 UTF (UCS Transformation Format) and IIS 6.0, 904 V VDS (Virtual Disk Service), 9 verbose logging, 624–625 verifying forest-root, 468–469 Group Policy, 582 viewing group membership, 411 information about groups, 414 IP policy assignment information, 815–816 IPSec statistics, 814 policy maps, 594 printer queue, 46 RSoP results, 570–571 security identifiers, 380–381 Virtual Directory Creation Wizard, 916 Virtual Disk Service (VDS), 9 virtual LANs (VLANs), 864 virtual memory (VM) and system performance, 245 virtual private networks. 
See VPNs VMware, 22 volume shadow copy (backup), 272, 641 volumes defragmenting, 149–155 extending basic, 132–133 managed, 166, 174 mirrored, 111, 113–114, 144–146 mounting, 178 RAID-5, 114–115, 146–149 spanned, 112, 138–139 striped, 112–113, 141–144 VPNs (virtual private networks) design considerations, 858–860 PPP Multilink and BAP, 860–862 router-to-router, 785–788 troubleshooting connections, 884–886 using smart cards for remote, 847–848 vs. other remote access types, 851 301_BD_W2k3_Ind.qxd 5/14/04 12:09 PM Page 995 . 432 server roles, security, 51 server security strategy, 66–69 sites and site links, 511–518 system recovery with ASR, 283–287 Windows Server 2003 certificate- based PKI, 825–830 Windows Server 2003. of Windows Server 2003, 209 power supply redundant, 290 secure, 71 PPP (Point-to-Point Protocol) dial-in, 884 Multilink and BAP, 860–862 PPPoE (Point-to-Point Protocol over Ethernet), Windows Server. Authentication Dial- In User Service) authentication described, 862 configuring IAS, 891–893 configuring WAPs as clients, 864 IAS vs. Windows authentication, 865–866 improvement in Windows Server 2003,

Posted: 05/07/2014, 00:20

Table of contents

  • The Best Damn Windows Server 2003 Book Period

    • Cover

    • Contents

    • Foreword

    • Chapter 1 Overview of Windows Server 2003

      • Introduction

        • Windows XP/Server 2003

        • What's New in Windows Server 2003?

          • New Features

            • New Active Directory Features

            • Improved File and Print Services

            • Revised IIS Architecture

            • Enhanced Clustering Technology

            • New Networking and Communications Features

            • Improved Security

            • Better Storage Management

            • Improved Terminal Services

            • New Media Services

            • XML Web Services

            • The Windows Server 2003 Family

              • Why Four Different Editions?

              • Members of the Family

                • Web Edition

                • Standard Edition

                • Enterprise Edition

                • Datacenter Edition

                • Licensing Issues

                  • Product Activation
