Wiley windows server 2008 bible jul 2008 ISBN 0470170697 pdf


Shapiro ffirs.tex V2 - 06/13/2008 5:46pm Page iii

Windows Server® 2008 Bible

Jeffrey R. Shapiro

Wiley Publishing, Inc.

Windows Server® 2008 Bible
Published by Wiley Publishing, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-0-470-17069-4

Manufactured in the United States of America
10

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Library of Congress Cataloging-in-Publication Data is available from the publisher.

Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

About the Author

Jeffrey R. Shapiro (Orlando and Miami, Florida) has worked in Information Technology for nearly 20 years. He has published more than 18 books on IT, network administration, and software development, and has written for numerous publications over the years. He also regularly speaks at events, and frequently participates in training courses on Microsoft systems. In 2003, he was selected to lead Broward County’s NetWare to Windows Server 2003 migration project. Over the course of many years, Jeffrey authored several newsletters, which included the Java Developers newsletter for Network News magazine, Online Business Today (Home Page Press), and was a contributor to Server Pipeline newsletter. He was also a contributor to Computer Telephony Magazine for several years.

Jeffrey has specialized in Microsoft technologies since 1989. From 1992 to 1998 he was CTO for a leading software development company specializing in telephony solutions for business and was credited with developing one of the first Windows LAN-based computer telephony platforms. In early 2003 he was selected to lead Broward County’s (Florida) NetWare to Windows Server 2003 migration project. The mandate was to replace NDS with Active Directory to support more than 80 agencies and to architect three mission-critical high-performance data centers supporting about 6,000 users serving one of the largest population centers in the USA. One of his key missions for Broward County was to consolidate from hundreds of NetWare Servers to about 50 high-performance Windows Server 2003 Servers. He was also tasked to architect the county’s SQL Server 2003 data tier comprising multiple data centers.

He is a highly effective engineer with a distinguished career leading all facets of software development, systems implementation, migration, analysis, network administration, systems architecture and design, deployment, and support. He has consulted for a large number of corporations of various sizes from small insurance agencies and motels to the likes of IBM, Disney, Gartner, ProSource, AmeriServe, Sun International, Microsoft, Old Mutual, Universal Property, KLM Airlines, Philips, State of Idaho, and more.

Besides various ongoing consulting projects, Jeffrey has his hands full authoring a number of highly specific deployment, operations and maintenance manuals, reports, and training material covering Microsoft infrastructure and software engineering technologies. He can be contacted at his company, Jacaranda Communications, Inc., at www.misiq.com.

Credits

Acquisitions Editor: Katie Mohr
Production Manager: Tim Tate
Senior Development Editor: Tom Dinse
Vice President and Executive Group Publisher: Richard Swadley
Technical Editors: Doug Holland, Andrew Edney
Production Editor: Angela Smith
Vice President and Executive Publisher: Joseph B. Wikert
Project Coordinator, Cover: Lynsey Stanford
Copy Editor: Kim Cofer
Proofreader: Publication Services, Inc.
Editorial Manager: Mary Beth Wakefield
Indexer: Jack Lewis

God knows how hard writing a book is and then to get it published. I am thankful for the team that has helped me bring this baby into the world. I would first like to thank my agent, Carole McClendon, for her effort over the past few years in bringing me together with the team at Wiley Publishing. Special honors also go to the Wiley Publishing editorial team. In particular, I would like to "flag" my development editor, Tom Dinse, who did an outstanding job of bringing together the pieces of the puzzle. The technical editor "Oscar" goes to Doug Holland and Andrew Edney, not only for reading my lines, but for reading in between them as well. In addition, I would no doubt have gotten no farther than this acknowledgments page without the expert cyber-pencil of copy editor Kim Cofer.

For every hour spent writing these words, at least ten were spent testing and toying with Windows Server 2008. How do you get this far? Simple — you gather around you a team of dedicated professionals who help you build a killer lab and then help you test everything from the logon screen to the shutdown command.

The "home" team always gets the last mention, but without their support, input, and love, the soul in this work would not have taken flight. Special thanks to Kim and Kevin Shapiro.

separate, 682–683 split, 681–682 uniqueness of, 684 namespaces, DFS creating/managing, 471–472 domain-based vs standalone, 467–468 standalone namespace, 466 NAP (Network Access Protection), 175–176, 558 NAS (Network Attached Storage), 414 NAT (Network Address Translation), 252–255 configuring, 253–255 IP addresses and, 100 overview of, 252–253 services and ports for, 255–257 setting up, 258 native mode vs mixed mode, 850–851 Windows 2000 Server, 662 navigation, task types, 45 NBNS (NetBIOS Name Service), 213 nbtstat utility, 132–133 NDS (Novell Directory Service), 607 neighbors, IPv6, 115 neighbors, RIP, 247 nesting groups, 843–844 NET FILE, file management, 316 .NET Framework, 361–368 application domains, 366–367 CLR, 364–365 CTS, 365–366 GAC, 368 garbage collection, 367 integrating with Windows Server 2008, 32 JVM compared with, 367 .NET initiative and, 364 overview of, 361–363 security, 366 summary, 368 versions, 361 Windows PowerShell and, 94 .NET initiative, 364 net print command, 377 NET SESSIONS, 316 NET SHARE command connecting to shares, 507 creating shares, 498 NetBEUI, legacy networking protocols, 133–134 NetBIOS (Network Basic Input Output System) DNS naming practices and, 685 name resolution on Active Directory networks, 786 TCP/IP and, 98 WINS and, 107, 114, 213 NetBIOS Name Service (NBNS), 213 Netlogon service, 209 NETLOGON share, 514–515 NetMeeting, Internet Options applet, 85 netsh configuring IPv6, 121 managing Windows Firewall, 145–146 netstat switches, 127–128 troubleshooting TCP/IP, 126–127 Network Access Protection (NAP), 175–176, 558 Network Address Translation
See NAT (Network Address Translation) network administrators, 658 See also administrators Network and Sharing Center applet, Control Panel, 86 Network Attached Storage (NAS), 414 network cards, detecting, 18 Network Connections folder, TCP/I, 109 network connections, naming, 166 network file systems See SNFS (Services for Network File System) network IDs, route properties, 238 network installation process, Windows Server 2008, 18–19 Network Interface Connections (NICs), 218 network interface devices, print services, 383–384 network latency, second-level domains and, 687–688 network layer, change control at, 865 Network Location Awareness, 859 Network objects, 813 Network Policy and Access Services, 23 Network Policy Server See NPS (Network Policy Server) network routes, 238 network services, 795–796 network settings, routers, 245 Network Solutions, 180 network topology, diagramming, 720–721 networked model, PKI trust models, 587 networking anycast addresses, 119 arp utility, 130–131 assigning IP addresses, 104 CIDR, 103–104 components, 18 configuring TCP/IP, 108–110 DHCP and, 106 DLC and, 134–135 DNS settings, 112–113 domain names, 106–108 gateways and routing, 104–105 hostname utility, 128–129 installing/configuring IPv6, 120–121 IP addresses, 99–100 IP settings, 110–112 ipconfig utility, 126–127 IPv6, 115–116 IPX/SPX, 134 legacy protocols and, 133 logical units, 671 multicast addresses, 118–119 nbtstat utility, 132–133 NetBEUI, 133–134 netstat utility, 126–128 overview of, 97 ping utility, 123–126 printers, 386 route utility, 131–132 SNMP and, 135–140 subnetting, 101–103 summary, 147–148 TCP/IP and, 97–99 tracert utility, 129–130 troubleshooting TCP/IP, 122–123 unicast addresses, 116–118 users and groups and, 813 Windows Firewall and, 140–147 WINS settings, 113–114 NeuStar, 180 New Scope Wizard, 155–156 Next Generation TCP/IP stack, 97 NFS (Network File System), 501 See also SNFS (Services for Network File System)
NICs (Network Interface Connections), 218 nodes, Group Policy, 878 nodes, Internet, 177 nodes, IPv6, 115 nodes, Services, 57–61 nonlocal GPOs, 881 non-resident attributes, NTFS, 454 nontransitive trusts, 577–578, 702 no-recovery policy, EFS, 533 normal backups, 290 normal restores, 654 notebook/docking station, 867 Novell Directory Service (NDS), 607 NPS (Network Policy Server) access policies in RRAS, 231 creating new policies, 275–278 overview of, 274–275 prioritizing policies, 279 NS (Name Server) record configuring zone properties, 199 created automatically, 194 root hints and, 203 NSLOOKUP, testing DNS installation in AD, 763 NT domains, 629 NT File System See NTFS (NT File System) NT LAN Manager (NTLM), 564, 573–574 NTBackup, 309 ntdsutil.exe ensuring AD database integrity, 783 moving database to another file system, 783–784 restoring system state data, 655 NTFS (NT File System), 452–460 cluster sizes, 453 copying/moving encrypted files, 536 creating simple volumes, 430 directory junctions, 458–459 disk quotas, 457 EFS and, 458, 533 encryption and, 529 FAT16/32 compared with, 461 HSM and, 458 Indexing Service and, 62–63 metadata, 456 mounted volumes, 459 optimizing cluster size, 462 overview of, 452 reparse points, 457–458 security access levels, 488 structure of NTFS volumes, 453–456 Transactional NTFS, 459–460 Windows OSs and, 505 NTFS permissions See also permissions accumulation of share permission, 506 attributes, 524–525 deny access, 506 file and folder access and, 489 file permissions, 523 folder permissions, 522 object permissions, 452 securing files and folders, 520–521 setting, 500 shared folders, 505–506, 510 strategies for managing, 527–528 NTLM (NT LAN Manager), 564, 573–574 NTP client, 84–85 NTP server, 85 O Oakley key management, 570 Object Identifiers (OIDs), 610, 822 object-based OU model, 643 object-level backup and recovery, 309 objects auditing access to, 354–356, 906 NTFS permissions, 
452 performance objects, 921 objects, AD attributes, 618 classes, 617–618 container and leaf objects, 616–617 database objects, 613 domain objects, 621–623 GUIDs, 621 implementing security, 648 OUs, 623–624 overview of, 616–618 planning security, 648–649 properties, 616 scopes and object visibility, 649 OCSP (Online Certificate Status Protocol), 594–595 octets, IP addresses, 186 ODBC (Open Database Connectivity) Component Checker, 80 Connection Pooling page, 81 data source definition, 76 database connectivity and, 30 Drivers page, 80 DSN definitions, 76 overview of, 75 SQL Server data source setup, 76–80 Tracing page, 80 offline access, files and folders, 517–519 offline locations, physical storage, 293–295 OFM (Open File Manager), 308 OIDs (Object Identifiers), 610, 822 On-Call schedules, in disaster recovery, 326 one-way trusts, 702 Online Certificate Status Protocol (OCSP), 594–595 online management, with LDM, 416 online security, 285 Open Database Connectivity See ODBC (Open Database Connectivity) Open File Manager (OFM), 308 open files, backup and restore and, 306–308 Open Shortest Path First (OSPF), 239 open standards, AD based on, 609 Open System Interconnect (OSI) AD and, 602 change control by stack layers, 864–865 operation master roles Group Policy and, 889 in root domain, 646 operational environments, planning LDS and, 665–667 Operations unit, logical units, 670 operator requests, Removable Storage service, 298 optical drives, removable storage, 419 organizational charts, LDS, 667–668 organizational model, LDAP, 605 organizational OU model, 643 organizations names, 17, 641–642 user account properties, 834–835 OSI (Open System Interconnect), 602, 864–865 OSPF (Open Shortest Path First), 239 OSs (operating systems) change control, 870 recovering, 331 SPOF (single point of failure), 913 Windows OSs See Windows OSs OUs (organizational units) in AD topology, 633 as administrative principal of domain, 691–693 creating, 642, 766–767 
delegation of administration, 648, 767–768, 790–792 as domain objects, 623–624 groups compared with, 811, 813 groups vs individual accounts and, 693–694 location of, 873 models for, 643 organizing computer accounts with, 893–894 planning, 640 recovery policy and, 546 X.500 spec and, 604 Outlook, 811 Outlook Express, 85, 811 overhead requirements, performance monitoring, 935 ownership backing up and, 310–311 disk quota and, 436–437 files and folders, 489–490, 526–527 printers, 405 shares and, 507 P PAP (Password Authentication Protocol), 268 paper sizes, printer administration and, 399 paperless office, 371 parallel interface, local print monitor, 380 partitions basic disks, 448 creating FAT, 19 extended, 421 hard drives, 12–14 primary, 421 styles, 418 Password Authentication Protocol (PAP), 268 passwords for administrator accounts, 17, 800 Group Policy options, 902–904 login and, 575–576 policies for, 557 for restores, 759–760 SQL Server data source and, 77 user accounts, 825–826 patches/fixes, RTM (release to manufacturing) and, path names, AD, 618–620 PC Support, logical units, 671 PDC (Primary Domain Controller) Emulators Group Policy and, 889 overview of, 717 securing, 724–725 PDCs (Primary Domain Controllers) operation master roles, 646 upgrading Windows NT and, 778 Windows NT and, 698 performance disk compression in NTFS and, 464 SLM and, 916–918 storage management and, 412–413 tools for, 918 tuning Indexing Service, 64 performance counters Add Counters dialog box, 928 how they work, 921 overhead requirements, 935 selecting, 926 system thresholds, 932–934 Performance Logs and Alerts, 928–931 Performance Monitor, 924–928 Computer Management console, 52 configuring, 925–927 features of, 924–925 overhead requirements, 935 overview of, 924 remote monitoring, 935 saving data, 927–928 Performance options, System applet, 90–91 permissions ACLs and, 632 applied to registry keys, 347–348 backups and, 310–311 built-in security groups, 789
files and folders See NTFS permissions group accounts, 848–850 inheritance and, 649 local GPOs, 885 printer access, 403–405 persistent connections, WINS, 217 physical architecture, AD creating DC sites, 722 DCs, 704–707 DDNS architecture, 727 deploying DCs, 722–723 deploying DHCP servers, 729–732 deploying DNS servers, 726–727 deploying GC servers, 725 deploying WINS servers, 728–729 design decisions, 711 designing/configuring sites, 720 diagramming network topology, 720–721 directory synchronization, 719 Domain Naming Master, 724 forests, 699–704 GCs, 707–709 hub sites, 727–728 Infrastructure Master, 725 locator services for DCs and GCs, 709–710 past, present, and future of, 697–699 PDC Emulators, 724–725 placing DCs, 711 replication, 716–719 replication within sites, 713–714 RID Master, 724 Schema Master, 723 securing DCs, 723 site link bridges, 715–716 site link costs, 736–740 site links, 714–715 sites, 712, 732–736 summary, 743 time synchronization, 740–742 trusts, 699–703 physical environment, print services, 382 physical layer, change control at, 864 physical storage, 293–295 physical units, identifying, 671 ping utility connectivity testing, 124 IPv6 and, 126 switches, 125 testing WINS installation, 763 troubleshooting TCP/IP, 123–124 PKI (Public Key Infrastructure) AD CS and, 573, 583–584 AD integration with CAs, 591–592 CA keys and certificate safety, 590–591 certificate policies, 593 CP, 589–590 CPS, 590 deploying, 585–586 enrolling with CAs, 592–593 IPSec integration with, 570 OCSP and, 594–595 overview of, 582–583 public key services supported by, 572 public keys and, 562 revoking certificates, 593–594 sharing encrypted data, 537 trust model, 586–589 user certificates, 595 validating certificates, 591 planning Active Directory administrative roles, 649–650 backup and recovery, 654–655 benefits of, 658 branch offices, 643–647 delegating administration, 647–648 
delegating forests, trees, and OUs, 648 deployment, 655, 746 design principles, 634 domains, 634–636, 642–643 forests, 638–639 migration tools, 652 naming strategy, 640–642 object security, 648–649 OUs, 640, 642–643 overview of AD and, 633–634 restructuring plan, 652 site topology, 636–637 summary, 655 test-lab, 652–653 trusts, 639 upgrades, 650–651 planning disaster recovery, 323 planning Group Policy, 893, 898–900 planning security, 580 Pointer (PTR), DNS resource record, 185 Point-to-Point Multilink Protocol (PPMP) See Multilink protocol Point-to-Point Protocol (PPP), 232–233, 264 Point-to-Point Tunneling Protocol (PPTP), 234, 270 policies See also Group Policy account policies, 821 AD security, 580–581 audit policies, 353–354 certificates, 589–590, 593 disaster recovery, 323–324 network access See NPS (Network Policy Server) password, 557 Terminal Services, 797–798 policy-based administration, Exchange Server services, 28 pooling printers, 393–394 ports configuring for inbound connections, 259–260 configuring NAT, 255–257 configuring VPN, 271–272 loading print ports, 394–396 print services, 378 troubleshooting print ports, 406–407 post-upgrading tasks, 650 Power Options applet, Control Panel, 86 power supplies, fault tolerance and, 328 PPMP (Point-to-Point Multilink Protocol) See Multilink protocol PPP (Point-to-Point Protocol), 232–233, 264 PPTP (Point-to-Point Tunneling Protocol), 234, 270 predefined accounts, 840–843 list of, 841 overview of, 840 types of user accounts, 817–818 predefined groups logon rights, 851 privileges, 849–850 Primary Domain Controllers See PDCs (Primary Domain Controllers) primary master, name servers, 182 primary partitions, 421, 448 primary restore, 654 print devices, 382–383 Print Management console, 372 Print Management dialog, 399 Print Management role, types of server roles, 23 print managers, 397 print monitors local, 380 LPR, 380–381 overview of, 378–379 TCP/IP, 381 third-party, 381 print processors, 377–378 print queues, 
377 print routers, 374–375 print services access control, 403–405 administering/managing printers, 396–397 auditing printers, 409 bi-directional printing, 408 client-side problems, 408 driver updates, 386 drivers, 375 grouping printers, 385–386 hiding printers, 393 installing local printers, 387–391 job management, 400 loading printer ports, 394–396 local print monitor, 380 locating printers in AD, 391–392 locating printers over Web, 392–393 logical environment, 373–374 LPR print monitor, 380–381 network interface devices, 383–384 networking, 386 overview of, 371–372 physical environment and, 382 pooling printers, 393–394 ports, 378 print devices, 382–383 print monitors, 378–379 print processors, 377–378 print queues, 377 print routers, 374–375 print servers, 382 printer taxonomy, 384–385 publishing printers, 391 separator page setup, 397–399 server-side print problems, 406–408 spool options, 401–403 spooler output files, 376–377 spooler service stack, 375–376 strategy for, 384 summary, 409 TCP/IP print monitor, 381 third-party print monitors, 381 tray/form management, 399 troubleshooting, 405–406 Printers Control Panel applet, Control Panel, 86 privacy, Internet Options applet, 85 private key encryption See symmetric key encryption privileges auditing use of, 907 list of, 849–850 overview of, 848 remote access, 827 users and groups and, 856 processes auditing, 907 managing, 51 processing, Group Policy, 885–889 DCs specified for, 888–889 low bandwidth and, 887–888 merge mode, 885 optional settings, 887 refresh rate, 886–887 replace mode, 886 streams, 886 processors, print processor, 377–378 profiles See user profiles promotion to DC member servers, 24 process of, 753–762 registry settings, 336 role servers, 26 root domain controller, 770–775 propagation dampening, replication and, 718 properties, groups General tab, 845–846 Managed By tab, 847 Member Of tab, 846 Members tab, 846 properties, user accounts, 829–835 Account tab, 831–833 
Dial-in tab, 835 General tab, 831 Logon Hours controls, 833–834 Member Of tab, 835 Organization tab, 834–835 Profile tab, 834 protocol, for disaster recovery, 323–324 protocols configuring dial-up connections, 283 configuring for remote access, 260–263 proxy agents, WINS, 220 proxy servers, 582 PTR (Pointer), DNS resource record, 185 Public Key Infrastructure See PKI (public key infrastructure) public-key encryption EFS employing, 530 PKI support for, 572 publishing printers overview of, 391 pooling printers, 393–394 Q QA (Quality Assurance), 775 quality of capture, Backup-Restore utility, 303–304 Quality of Service (QoS), 115 quality of support backups and, 299–303 change control and, 863 queries GCs facilitating, 749 Indexing Service and, 64 recursive and iterative by name servers, 190–192 reverse lookup, DNS, 186–187, 194 searching AD, 626–627 queues, system monitoring, 920 Quota Management group, File Server Resource Management console, 492 quotas, disk See disk quotas quotas, files and folders, 492 QWORD value, 342 R RADIUS (Remote Authentication Dial-In User Server) accounting, 269–270, 280 configuring, 280 EAP-RADIUS and, 265–267 network access policies, 278 overview of, 279–280 RRAS and, 231, 258 RAID (Redundant Array of Independent Disks) backup bandwidth and, 317 creating/managing RAID volumes, 432–434 fault tolerance and, 329–330 hardware RAID, 427 for high availability, 415 levels, 414, 425–427 mirroring services, data, and hardware, 332 troubleshooting RAID failures, 443–444 RAID-1 (mirrors) creating/managing RAID volumes, 433 for high availability, 415 overview of, 425 volumes, 424 RAID-5 (fault-tolerant stripes) creating/managing RAID volumes, 434 for high availability, 415 overview of, 425 volumes, 424 RAID-0 (striping), 432 RAM fault tolerance and, 330 performance monitoring and, 919 print service requirements, 382 RAS (Remote Access Service) See also RRAS (Routing and Remote Access Service) configuring for 
inbound connections, 257 connection types and protocol, 233 integration with RRAS, 227 user account privileges, 827 WINS install and, 218 RDC (Remote Desktop Connection), RDC (Remote Differential Compression), 465 RDNs (relative distinguished names), 619–620 Read permissions, shares, 505 read-only domain controllers See RODCs (read-only domain controllers) realms, KDCs, 564 record keeping, backing up data and, 288 recovery See also disaster recovery AD, 332–333 from backups, 331 configuration, 332 DHCP database, 172–173 DNS, 333 encrypted data, 543 features for, 415–416 OSs, 331 registry, 333 services, 60–61 storage management and, 415–416 recovery agents, EFS, 531 recovery key, securing, 544 Recovery Mode Console, boot options, 12 recovery plan, AD, 654–655 recovery policies, EFS configuring, 543–546 encryption recovery policy, 532–533 types of, 533 recovery-agent policy, EFS, 533 recursion, DNS, 190–192 redundant (standby) system, server recipes, Redundant Array of Independent Disks See RAID (Redundant Array of Independent Disks) redundant systems backup quality of support and, 300 DRS replication features and, 468–469 fault tolerance and, 328–329 referrals, DNS, 190–192 refresh rate, Group Policy, 886–887 regedit.exe See Registry Editor regional sites, conventions for referring to, 733–734 registration, WINS, 215 registry AD and, 608–610 auditing access to, 347–349 components making use of, 336–337 editing remote registry, 346 flushing, 339 hive files, 340–341 importing/exporting keys, 344–346 keys and values, 342 loading/unloading hives, 346 modifying, 343–344 overview of, 335 permissions applied to keys, 347 preventing access to, 347 purpose of, 335–336 recovering, 333 securing, 346–347 securing remote access, 350 structure, 337–340 summary, 350 Registry Editor editing remote registry, 346 importing/exporting keys, 344–346 modifying registry, 343–344 overview of, 342–343 preventing access to registry, 
347 registry settings and, 337 registry file, in hives, 338 relational databases, AD and, 613–614 relative distinguished names (RDNs), 619–620 relative ID (RID) Master See RID (relative ID) Master Relative IDs (RIDs), as part of SIDs, 822 release to manufacturing (RTM), Reliability and Performance Computer Management console, 52 Data Collector Sets and, 929–931 as monitoring tool, 922 overview of, 924 Performance Logs and Alerts, 928–929 Performance Monitor, 924–928 remote access See also RAS (Remote Access Service); RRAS (Routing and Remote Access Service) to encrypted data, 537 user account privileges, 827 VPN or dial-up for, 258 Remote Access Service See RAS (Remote Access Service); RRAS (Routing and Remote Access Service) Remote Assistance, 92–94 Remote Authentication Dial-In User Server See RADIUS (Remote Authentication Dial-In User Server) Remote Desktop, 92–94 Remote Differential Compression (RDC), 465 remote registry editing, 346 securing access to, 350 remote storage, HSM and, 419–420 Remote tab, System, 92–94 remote workstations, 797, 867 Removable Storage See RS (Removable Storage) Removable Storage Service See RSS (Removable Storage Service) repadmin.exe, 778 reparse points, NTFS features based on, 458–459 mounted volumes and, 475 overview of, 457–458 replace mode, Group Policy, 886 replication benefits of DFS, 465 connection objects, 739–740 directory synchronization compared with, 719 features in DFS for, 468–469 how it works, 717–719 managing, 778 managing in DFS, 471, 474–475 overhead issues of second-level domains, 687–688 partners, 687 planning for AD, 644–645 schedule and notification, 738 site topology and, 637 within sites, 713–714, 737 between sites, 737 reports, auditing, 356–358 reports, DHCP, 153 reservations, IP addresses creating, 159–160 DHCP scope configuration and, 156 for root domain, 770 reserve area, FAT control areas, 449 resident attributes, NTFS structure, 453 resolvers, DNS, 181–183, 189 resource files, length of backups and, 
305 resource records, 183–186 creating, 194–197 list and description of, 184–185 TTL property and, 186 verifying before installing AD, 779 zones containing, 183 resources Device Manager for assigning, 54–55 hiding/publishing, 690 identifying in disaster recovery, 326 trusting, 702 response plans, disaster recovery developing, 326–327 testing, 327–328 response time, system monitoring, 920–921 restores administrative password for, 759–760 determining cost of backed up data, 300 overview of, 290–291 procedures, 315–316 quality of support and, 302–303 restricted enrollment agent, digital certificates, 592–593 restricting shares, 516 restructuring plan, AD, 652 Resultant Set of Policy (RSoP), 898–900 reusable code, 32 reverse lookup, DNS, 186–187, 194 revoking certificates, 593–594 RFC822 naming convention, 610 RID (relative ID) Master operation master roles, 646 overview of, 717 securing, 724 RIDs (Relative IDs), as part of SIDs, 822 rights See also permissions; privileges backups, 310–311 group accounts, 848–850 logon, 850 RIP (Routing Information Protocol) configuring, 245–248 IP routing with, 239 RippleTech, LogCaster, 357–358 roaming profiles, 90, 537 RODCs (read-only domain controllers) DNS support for, 558 securing domain controllers and, 723 security enhancements in Active Directory Domain Controller role, 557 role servers installing Windows Server 2008 and, 21–23 promoting, 26 root directory table, FAT control areas, 450 root domains forests, 635–636 function of/issues with, 678–683 installing during AD deployment, 747–749 IP address reservations, 770 managing, 180 naming, 675–678, 683–685 operation master roles, 646 promoting root domain controller, 770–775 root hints, DNS servers, 203 root servers, managing root domains, 180 rooted trust model, PKI trust models, 587–588 rotation schemes, Backup-Restore utility, 313–315 route utility, 131–132 routers configuring demand-dial settings, 242–244 configuring dial-out and dialing 
settings, 244 configuring router address, 240 configuring security settings, 244–245 configuring static routes, 240–242 enabling/disabling routing, 245 gateways as dedicated router, 104–105 modifying network settings, 245 network traffic and, 236–237 print routers, 374–375 routing tables and, 238 static routes and, 239 routes/routing dynamic routing, 245 enabling/disabling, 245, 268 IP routing, 236–239 RIP configuration, 246 routing tables and, 238 RRAS providing routing service, 229, 239–240 static routing, 239 TCP/IP and, 104–105 Routing and Remote Access console, 232–233 Routing and Remote Access Service See RRAS (Routing and Remote Access Service) Routing Information Protocol (RIP), 239, 245–248 RRAS (Routing and Remote Access Service) configuring authentication, 263–268 configuring basic router, 240–242 configuring demand-dial interface, 242–244 configuring inbound connections, 257–259 configuring modems and ports, 259–260 configuring protocols, 260–263 configuring RIP, 245–248 configuring VPN ports, 271–272 configuring VPN server, 270 DHCP relay agents, 248–250 dialing properties, 244 dial-out settings, 244 dial-up networking, 280–285 disabling routing, 268 dynamic routing, 245 enabling and configuring, 235–236 enabling L2TP for VPN, 272–273 enabling/disabling routing, 245 IGMP multicast forwarding, 250–252 IP routing, 236–239 L2TP and, 235 logging and accounting and, 268–270 multilink and BAP and, 273–274 NAT and, 252–255 network settings, 245 new features, 230–232 OSPF and, 239 overview of, 227–230, 279–280 Policy Server See NPS (Network Policy Server) PPMP and, 233–234 PPP and, 232–233 PPTP and, 234 prioritizing policies, 279 RADIUS and, 279–280 RIP and, 239 Routing and Remote Access console, 232–233 routing with, 239–240 security settings, 244–245 summary, 285 TCP/IP and, 235 RS (Removable Storage) Computer 
Management console, 56 database, 293 labeling media, 298 media for, 419 overview of, 291 physical location for, 293–295 RSA encryption algorithm, 570 RSoP (Resultant Set of Policy), 898–900 RSOP.MSC tool, 899 RSS (Removable Storage Service) Operator Request node, 298 overview of, 291–293 recoverability features, 415 Work Queue node, 297 RTM (release to manufacturing), Run dialog box, 508 RunAs application, 824 runs, NTFS structure, 454 S SACLs (System Access Control Lists), 906–907 Safe Mode with Networking, boot options, 12 SAM (Security Account Manager) ACLs and, 632 AD database structure and, 615 built-in security groups stored in, 787 LSA authentication, 823 registry and, 608 security and, 703 validating local accounts, 817 SANs (Storage Area Networks) EFS and, 529 overview of, 414–415 Storage Explorer and, 444–445 save sets, advanced backups, 298–299 scalability, of AD, 611–612 scavenging, configuring DNS for, 211–213 schannel (Secure Channel), 583 scheduling backups, 304, 313 schema, AD directory schema, 723 forest plan and, 638 overview of, 618 schema table in AD database structure, 615 Schema Master See SM (Schema Master) scope global and domain local, 649 group accounts, 837–840 scopes, DHCP activation/deactivation, 161 creating, 154–156 global properties, 160–161 IPv6 addresses, 119 multicast scopes, 168–169 options, 156–159 splits, 731 superscopes, 166–168 scratch sets, advanced backups, 298–299 scripts, policies, 875 SCSI backup bandwidth and, 317 RAID solutions, 330 SCW (Security Configuration Wizard) configuring server roles, 557 enabling audit policies, 353–354 key areas, 71–74 overview of, 70 policy actions, 71 policy names, 74 security templates, 74 Viewer page showing policy settings, 75 searches, GC (global catalog), 626–627 secondary master, name servers, 183 second-level domains autonomous divisions, 688 decentralized administration model, 688 domain policy, 688–689 information hiding and resource publication, 690 international partitions, 
689 partitioning directory and, 690 reasons for creating, 685–686 replication overhead and network latency, 687–688 security requirements, 689–690 separate departments, 686–687 secret keys See symmetric key encryption sector slack, optimizing cluster size, 462 sectors, disk structure and, 447–448 Secure Channel (schannel), 583 Secure HTTP (HTTPS), 583 Secure Sockets Layer (SSL), 581 Secure Sockets Layer/Transport Layer Security (SSL/TLS), 571 security access control See access control Active Directory Domain Controller role, 557–558 Active Directory security policy, 580–581 AD CS, 571–573, 583–584 AD trusts See trusts, AD advanced options, in Windows Firewall, 146–147 auditing See auditing authentication See authentication Certificate Authorities See CAs (Certificate Authorities) change control See change management cryptography See cryptography data input and data transport and, 553 DHCP Server role, 558 dial-up connections, 281–282 digital signatures, 563 DNS servers, 206–207, 558 domain controllers, 723, 768–769 domains, 574–575, 694–696 encryption See encryption Exchange Server services, 28 external environment and, 554–555 firewalls, 580 internal environment and, 555–556 Internet Options applet, 85 IPSec See IPSec (IP Security) Kerberos See Kerberos logical units and, 671 logon and, 575–576 mechanisms, 556 need for, 552 .NET Framework, 366 NTFS, 461 NTLM, 573–574 online security, 285 overview of, 551–552 PKI See PKI (public key infrastructure) planning, 580 proxies and bastions and, 582 RIP configuration, 247 router settings, 244–245 second-level domains for managing, 689–690 server roles and, 556–557 smart cards See smart cards SNMP configuration, 137 SSL, 581 SSL/TLS, 571 staffing domain security position, 662 summary, 595 templates, 74 threats list, 553–554 security, registry auditing access, 347–349 overview of, 346–347 permissions applied to keys, 347 preventing access, 347 securing remote access, 350 Security Account Manager 
See SAM (Security Account Manager) security administration, AD, 798–805 administrative workstations, 803–804 administrator account abuse, 798–801 administrator account use, 801–802 console access, 804 member servers/workstations, 804–805 overview of, 798 security associations, IPSec, 570 Security Configuration Wizard See SCW (Security Configuration Wizard) security groups, AD built-in, 787–789 group membership and, 792–795 implementation-specific, 792 types of groups, 837 security identifiers See SIDs (security identifiers) security levels, AD users and groups, 856 security model, LDAP, 606 security policies See also Group Policy actions, 71 names, 74 overview of, 875 Viewer page showing policy settings, 75 security principals computer accounts, 836 in domain plan, 634 KDCs and, 581 Kerberos and, 565 locations of, 873 logon authentication and, 821 users viewed as, 810 seek time, hard disk parameters affecting capacity, 413 separator pages, printer management, 397–399 serial interface, local print monitor, 380 Server Core install benefits of, 4–5 performing, 14 server recipes, unattended install, 14–15 Server Manager installing server roles with, 21 installing Windows Server 2008 features, 23 Server Principal Names (SPNs), 694–695 server recipes, Windows Server 2008, 6–10 hardware guide, 10 types of, 6–9 server roles domain controllers, 23–27 member servers, 20–21 overview of, 19 role servers, 21–23 security enhancements in, 556–557 standalone servers, 19–20 servers application See application servers backing up, 305–306 configuring server support during AD deployment, 769–770 creating server objects during AD deployment, 765 installing, 770 IP address reservations, 770 monitoring for bottlenecks, 932–934 naming DC machine, 752 overview of, 931–932 print servers, 382 root servers, 180 server extensions, 70 static addressing, 752 workload monitoring, 934–935 servers, Windows DDNS support, 210–211 domain functional levels and, 
662 server-side print problems, 406–408 service level See SL (service level) service level agreements See SLAs (service level agreements) service level management See SLM (service level management) Service Location records See SRV (Service Location) records services AD integration with, 784–785 application services, 31–33 bare bones installation of, 753 database, 30–31 delegating administration, 648 dependencies, 61 DHCP service, 150 Exchange and communication services, 27–29 general properties, 58–59 IIS and ASP.NET integration, 31 logon options, 59–60 mirroring, 332 name resolution, 33–35 NAT configuration, 255–257 overview of, 57 print See print services recovery options, 60–61, 332–333 RS (Removable Storage), 291–293 starting/stopping, 57–58 system monitoring, 29–30 Services for Network File System See SNFS (Services for Network File System) Services for Unix See SFU (Services for Unix) session keys, Kerberos, 562, 568 session tickets, Kerberos, 567–568 Setup, registry settings and, 336 Setup Wizard, 16–17 SFU (Services for Unix) configuring authentication, 481–482 configuring file locking, 482 configuring filename translation, 483 configuring logging, 482 SNFS compared with, 478–479 translating NTFS permission to Unix file modes, 481 SHA encryption algorithm, 570 shadow copies, 308, 318–321 shadow file (.shd), 376 Share and Storage Management console, 498–504, 512 Share and Storage Manager, 491 shared folders See shares sharepoints application sharepoints, 516–517 data sharepoints, 517 DFS, 468 installing from network sharepoints, 18–19 overview of, 488 shares administrative, 514–515 attributes, 504–505 connecting to, 508–509 creating, 498–504 data, 488–489 denying access, 506 encrypted data, 537–540 hidden, 507 intradomain, 507 local folders, 495–498 moving/copying, 506 offline access and caching, 517–519 overview of, 488 ownership and, 489–490 publishing, 391, 495 redirecting shared folders, 414 
restricting, 516 setting up application sharepoints, 516–517 setting up data sharepoints, 517 shared folders, 52–53, 505–506 SNFS and, 484–485 strategies for, 515 who can share folders, 507 shd (shadow file), 376 shell command, 45 Shiva Password Authentication Protocol (SPAP), 267–268 shortcut trusts, between trees, 636 shut down, Domain Admins lockdown and, 911 SIDs (security identifiers) renaming user accounts and, 835 securing administrator accounts, 800 for user accounts, 822 Simple Management Protocol See SNMP (Simple Management Protocol) simple volumes creating, 430 extending, 431–432 overview of, 423 single master DCs, 716 single point of access/administration AD, 630–631 Exchange Server services, 28 single point of failure (SPOF), OSs (operating systems), 913 Single Sign-On See SSO (Single Sign-On) site link bridges, 715–716, 766 site links costs, 736–740 creating site link objects during AD deployment, 766 overview of, 714–715 planning site topology, 637 sites as AD component, 633 architecture of, 732–736 in CITYHALL domain example, 750 creating DC sites, 722 creating during AD deployment, 763–766 defined, 711 deploying DCs and, 722–723 design and configuration, 720 functions controlled by, 712 in GENESIS example, 749 hub sites, 727–728 layout and topology of, 740 network topology and, 720–721 planning site topology, 636–637 replication within, 713–714 security principal locations, 873 SL (service level) defined, 914 examples, 914–915 Microsoft System Center Operation Manager and, 936 overview of, 913–914 summary, 936–937 system monitoring See system monitoring Task Manager, 922–924 SLAs (service level agreements) administrators dealing with, 914 backups and, 300 overview of, 915 slaves, name servers, 189–190 SLM (service level management), 915–918 availability, 916 designing for, 916–918 overview of, 915 performance management, 916 problem detection, 915–916 Windows Server 2008 and, 918 SM (Schema Master) operation master roles, 646 overview of, 716 
securing, 723 small file and print server, server recipes, 6–7 smart cards data input security and, 553 overview of, 574 securing administrator accounts, 801 SMB protocol, share options, 501–502 SMTP message routing, 28 snap-ins See also MMC (Microsoft Management Console) adding, 42 overview of, 37 types of, 41–42 using, 41–43 SNFS (Services for Network File System), 478–485 authentication renewal and case sensitivity settings, 483 configuring authentication, 481–482 configuring file locking, 482 configuring filename translation, 483 configuring logging, 482 overview of, 478–481 sharing folders, 484–485 SNMP (Simple Management Protocol), 135–140 agent properties, 136 exporting trap list, 139–140 general properties, 138–139 installing/configuring, 136 overview of, 135–136 security configuration, 137 translating events to traps, 138 trap configuration, 137 SOA (Start of Authority) record configuring zone properties, 198–199 created automatically, 194 overview of, 185 soft-box administrative model, 672 software compatibility, 10–11 for inventorying systems, 327 software policies change control, 889–890 overview of, 875 spanned volumes extending, 431–432 options for increasing storage capacity, 413 overview of, 423–424 SPAP (Shiva Password Authentication Protocol), 267–268 spl (spool file), 376 split namespaces, 681 SPNs (Server Principal Names), 694–695 SPOF (single point of failure), OSs (operating systems), 913 spool file (.spl), 376 spooler, print administering/managing printers, 401–403 output files, 376–377 print queues, 377 service stack, 375–376 troubleshooting print services, 407 SQL Server creating account for, 30 data source setup, 76–80 integrating AD with, 785 SRI (Stanford Research Institute), 178 SRV (Service Location) records creating, 195–197 overview of, 185 verifying resource records before installing AD, 779 SSL (Secure Sockets Layer), 581 SSL/TLS (Secure Sockets Layer/Transport Layer Security), 571 SSO (Single Sign-On) 
benefits of AD, 599–601 Kerberos and, 565 password protection and, 826 staging site, in AD planning process, 646 standalone DFS namespaces, 466–468 standalone servers, 19–20, 823 standalone snap-ins, 41 standard primary zone forward lookup zones, 193 types of zones, 209 standard secondary zone forward lookup zones, 194 types of zones, 209 Stanford Research Institute (SRI), 178 Start menu, Group Policy for managing, 895 Start New Task Wizard, 44 Start of Authority record See SOA (Start of Authority) record startup modes, services, 57 Startup/Shutdown options, System applet, 91–92 state files, length of backups and, 305 stateful autoconfiguration, DHCP, 121 stateless autoconfiguration, DHCP, 120–121 static addressing vs dynamic, 106 IPv6, 121 overview of, 149 RAS clients using static address pool, 261–262 WINS configuration, 218–220 static routes configuring, 240–242 overview of, 239 Storage Area Networks See SANs (Storage Area Networks) Storage Explorer, 415, 444–445 storage levels, HSM, 419 storage management analyzing disk quotas and disk space, 437–438 basic disks, 421–422 caveats for use of disk quotas, 437 converting basic disks to/from dynamic, 428–430 creating simple volumes, 430 creating/managing RAID volumes, 432–434 defragmenting volumes, 463 disk compression, 463–464 Disk Management, 416–417, 420–421 disk quotas, 435–436 disk space requirements and, 413–414 dynamic disks, 422–425 extending simple and spanned volumes, 431–432 hard disk capacity and, 413 high availability and, 415 importing dynamic disks, 435 legacy systems and, 416 managing disk quotas, 440–441 managing dynamic disks, 427 optimizing cluster size, 461–462 overview of, 411–412 ownership as basis of disk quota calculation, 436–437 partitions and, 418 performance and capacity, 412–413 RAID options, 425–427 recoverability, 415–416 remote storage and HSM, 419–420 removable storage and, 419 SANs, 414–415 setting disk quotas, 438–439 Storage Explorer, 
444–445 summary, 445 troubleshooting disk and volume status, 441–443 troubleshooting RAID failures, 443–444 storage media, labeling, 298 Storage Reports Management, File Server Resource Management console, 495 strata levels, Time Services, 742 strategic drivers, identifying, 669–670 strategies for auditing, 358–359 for print services, 384 for sharing folders, 515 for user and group management, 854 for Windows Server 2008 installation, 5–6 string value, 342 striped volumes, 424 stripes, RAID-0 See RAID-0 (striping) stripes, RAID-5 See RAID-5 (fault-tolerant stripes) structural planning process, AD, 644 subdomains delegating, 188, 208–209 domain names and, 178 installing during AD deployment, 749–751 overview of, 207 setting up, 208 subkeys, registry, 337, 340–341 subnet masks in CITYHALL domain example, 750 creating during AD deployment, 765–766 DHCP scope configuration and, 155 gateways and, 104–105 in GENESIS example, 749 IP addresses and, 101–103 multiple subnet support, 166–167 print networks and, 386 site topology and, 636–637 subtrees, in registry structure, 337 suffixes, DNS, 222–223, 676–677 superscopes, DHCP, 166–168 activating/deactivating/deleting, 168 creating, 167 overview of, 166–167 removing scope from, 168 surveying enterprise, in LDS planning process, 663 swap file size, 90–91 switches arp utility, 131 ipconfig utility, 127 nbtstat utility, 133 netstat utility, 127–128 ping utility, 125 route utility, 132 tracert utility, 130 symmetric key encryption Kerberos and, 566 overview of, 561 System Advanced page, 88 Computer Name tab, 87 Environment Variables, 91 Hardware page, 87–88 overview of, 87 Performance options, 90–91 registry settings and, 336 Remote tab, 92–94 Startup/Shutdown options, 91–92 user profiles, 88–90 System Access Control Lists (SACLs), 906–907 System applet, Control Panel, 87–94 system files, 288, 305 system hardware, Device Manager for managing, 53 system logs, viewing, 
357–358 system monitoring, 918–922 See also Performance Monitor auditing system events, 907 overview of, 918–920 performance counters, 921 queues, 920 response time, 920–921 services for, 29–30 throughput, 920 tools for, 922 system partitions, naming conventions and, 412 system pools, media pools, 295–296 system state data, backups and, 654–655 system thresholds, performance counters and, 932–934 SYSVOL location of, 758, 760 replication, 644 T tape storage, 301–302, 317 target priorities, DFS, 473 Task Manager, 922–924 Application tab, 924 as monitoring tool, 922 options, 922–923 overview of, 922–924 Performance tab, 924 Processes tab, 923–924 starting, 922 Task Scheduler, 317 task-oriented workers, 866 taskpads creating, 43–44 modifying, 45 overview of, 43 task creation, 45 TCO (total cost of ownership), 661, 855 TCP/IP (Transmission Control Protocol/Internet Protocol) anycast addresses, 119 arp utility, 130–131 assigning IP addresses, 104 CIDR, 103–104 configuring, 108–110 configuring for remote access, 261 configuring root domain and, 771–772 DHCP and, 106 domain names, 106–108, 112–113 gateways and routing, 104–105 hostname utility, 128–129 installing/configuring, 120–121 IP addresses, 99–100 IP settings, 110–112 ipconfig utility, 126–127 IPv6 and, 115–116 LDAP and, 605 multicast addresses, 118–119 nbtstat utility, 132–133 netstat utility, 126–128 overview of, 97–99 ping utility, 123–126 preparing for installation, 108 print monitors, 380–381 print networks and, 386 route utility, 131–132 RRAS and, 235 subnetting, 101–103 tracert utility, 129–130 troubleshooting common problems, 122–123 unicast addresses, 116–118 WINS settings, 113–114 TCP/IP Sockets, 31 team, for planning logical domain structure, 660 Telephony node, Computer Management console, 57 templates Group Policy, 879–880 security, 74 Terminal Services AD policy for, 797–798 logon via, 911 managing separate departments, 687 operating modes, 17, 753 server recipes, 7–9 types of server roles, 23 testing 
response plans, 327–328 test-lab plan, planning AD and, 652–653 TGS (Ticket-Granting Service), 581 TGT (Ticket Granting Ticket), 564 third-party audit reports, 357–358 print monitors, 381 threats, 553–554 throughput, system performance and, 920 Ticket Granting Ticket (TGT), 564 Ticket-Granting Service (TGS), 581 Time Services, 740–742 time/date settings, basic install and, 17 time-to-live property (TTL) DNS, 185–186 WINS, 215–216 tombstoning WINS records, 216–218 top-level domains, 675–685 DNS and, 179, 683–685 function of root, 678–683 naming root, 675–678 overview of, 675 topological model, LDAP, 606 total cost of ownership (TCO), 661, 855 trace logs, Performance Logs and Alerts, 928–929 tracert utility, 129–130 Tracing page, ODBC, 80 tracks, disk structure and, 447–448 training, for disaster recovery, 325–326 transactional database system, 783 Transactional NTFS, 459–460 Transactional Registry, 459–460 transfer rate, hard disk capacity and, 413 transitive trusts in AD domains, 577–578 forests and, 701 trust relationships, 625–626 Transmission Control Protocol/Internet Protocol See TCP/IP (Transmission Control Protocol/Internet Protocol) transport protocols, 235 See also TCP/IP (Transmission Control Protocol/Internet Protocol) transports, for intersite replication, 738 traps, SNMP configuring, 137 exporting trap list, 139–140 translating events to traps, 138 trays/forms, managing printers, 399 Tree tab, MMC windows, 38 trees, AD delegating administration of, 648 DNS names and, 636 forests and, 624 overview of, 624 scalability of AD and, 612 troubleshooting Group Policy, 898–900 troubleshooting printers bi-directional printing, 408 client-side print problems, 408 overview of, 405–406 server-side print problems, 406–408 troubleshooting storage management, 441–444 troubleshooting TCP/IP arp utility, 130–131 hostname utility, 128–129 ipconfig utility, 126–127 list of common problems and solutions, 122–123 nbtstat utility, 132–133 netstat 
utility, 126–128 ping utility, 123–126 route utility, 131–132 tracert utility, 129–130 trust models, PKI, 586–589 trustees See security principals trusts, AD intra-domain, 631–632 nontransitive, 577–578, 702 overview of, 576 planning, 639 setting up, 578–579 shortcut trusts, 636 testing, 763 transitive, 577–578, 701 trust relationships, 625–626 types of, 700 uni-directional, bi-directional, 577–578 trusts, Kerberos, 568 TS See Terminal Services TTL (time-to-live property) DNS, 185–186 WINS, 215–216 tunneling protocols, 270 tunnels, 270 two-way transitive trusts, 701 two-way trusts, 625 U UDDI (Universal Description, Discovery, and Integration), 23 UDMA/ATA133 RAID controller, 330 unattended install, Server Core, 14–15 unicast addresses multicast compared with, 152, 250 TCP/IP (IPv6), 116–118 uni-directional trusts, in AD domains, 577–578 uniform resources locators (URLs), 599 uninterrupted power supply (UPS), 86, 328 Universal Description, Discovery, and Integration (UDDI), 23 universal scope groups, 837, 839 object visibility and, 649 Unix case sensitivity, 481 file systems for See SNFS (Services for Network File System) filename conventions, 480–481 services for See SFU (Services for Unix) Windows/Unix interoperability, 478 Update Driver button, Device Manager, 54 update sequence number (USN), 469, 718 upgrade plan, planning AD, 650–651 UPNs (user principal names), 676–678, 828–829 UPS (uninterrupted power supply), 86, 328 urgent restore level, 302 URLs (uniform resources locators), 599 USB interface, local print monitor, 380 User Access dialog box, 541 user accounts account policies, 821 administrator accounts, 818–819 copying/moving, 835 creating, 827–828 deleting/disabling, 835 domain accounts, 816 general properties, 831 guest accounts, 819–820 Internet user account, 821 local accounts, 817 logon authentication, 822 logon process, 827 LSA authentication, 823 naming, 
824–825 overview of, 816 passwords, 825–826 predefined accounts, 817–818 properties, 829–835 remote access privileges, 827 renaming, 835 RunAs application and, 824 security principals, 821 SIDs (security identifiers), 822 UPNs (user principal names), 828–829 User and Group objects, AD access and privileges and, 856 Active Directory Users and Computers snap-in, 814–816 ADSI and, 816 change and, 857 contacts defined, 810–811 delegating responsibility, 853–854, 857 group accounts See group accounts, AD groups defined, 811–813 local groups, 856–857 local users, 811 overview of, 809–810, 851–853 security levels and, 856 strategies for, 854 TCO (total cost of ownership) and, 855 tools for, 813 user accounts See user accounts users defined, 810 user certificates, PKI, 595 user classes, DHCP configuring, 165 creating, 165 overview of, 152, 164 User Configuration node, GPOs, 878 user interface, printers, 373 user mode, MMC, 39–40 user principal names (UPNs), 676–678, 828–829 user profiles, 88–90 copying, 89–90 creating, 89 mandatory, 90 overview of, 88–89 roaming, 90 user account properties and, 834 users adding to groups, 847 connecting to shares, 509 defined, 810 as focus of change control, 891–892 managing groups vs users, 855 mapping DFS namespace for, 510–514 types of users/workers, 866 Users and Passwords, 813 USN (update sequence number), 469, 718 V values, registry creating/modifying, 343 as data, 342 registry structure and, 337 VCNs (virtual cluster numbers), NTFS, 454–455 vendor classes, DHCP configuring, 162–164 creating, 162–163 overview of, 152, 162 video cards, fault tolerance and, 330 Viewer page, showing policy settings, 75 Vines OS, from Banyan Systems, 607 virtual cluster numbers (VCNs), NTFS, 454–455 virtual memory, performance options, 90–91 Virtual Private Networks See VPNs (Virtual Private Networks) viruses, 554 Visual Studio 2008, 32 void recovery time, 291 Volume Shadow Copy Service, 415–416 volumes basic, 422 creating simple, 430 
creating/managing RAID, 432–434 defined, 448 defragmenting, 463 dynamic, 448–449 extending simple and spanned, 431–432 FAT sizes, 450–451 mounting, 477 NTFS, 453–456 options for increasing capacity of, 413 RAID, 424 simple, 423 spanned, 423–424 striped, 424 troubleshooting, 441–443 unmounting, 478 VPNs (Virtual Private Networks) configuring RRAS as VPN server, 258 configuring VPN ports, 271–272 configuring VPN servers, 270 enabling L2TP for, 272–273 W WAB (Windows Address Book), 811 WCF (Windows Communications Foundation), 361 WDM (Windows Driver Model), 29 Web See Internet Web controls, server-side, 32 Web Distributed Authoring and Versioning (WebDAV), 487 Web Server role, 23 Web services, security of, 555 WebDAV (Web Distributed Authoring and Versioning), 487 Web/Internet Information services, 935 well connected sites, 712 Windows accounting, RRAS, 269 Windows Address Book (WAB), 811 Windows Communications Foundation (WCF), 361 Windows Deployment Services, 23 Windows Driver Model (WDM), 29 Windows Explorer, 534–535 Windows Firewall, 140–147 advanced security options, 146–147 configuring, 141–145 managing with Group Policy, 145 managing with MMC console, 145–146 MMC consoles and, 48–49 overview of, 140–141 Windows logo, hardware and software compatibility and, 10–11 Windows name services DNS See DNS (Domain Name System) Hosts and LMHOSTS, 223–226 overview of, 177 WINS See WINS (Windows Internet Name Service) Windows network domain, 631 Windows Open Services Architecture (WOSA), 627 Windows OSs change control in Windows NT/9x, 860 clients See clients, Windows DDNS support in Windows 2000/2003, 210 domain functional levels, 662 Group Policy and, 861, 874, 896–897 initialization files (.ini), 335–336 issues with legacy systems, 416 legacy network requirements, 698 servers See servers, Windows support for DFS namespaces, 468 Unix interoperability, 478 upgrading Windows NT, 778 WINS and, 214 Windows PowerShell, 94, 361 Windows Server 2008 
domains, 629 Windows Server Backup See WSB (Windows Server Backup) Windows Server Catalog, 10 Windows Software Update Services (WSUS), 769–770 Windows Update applet, Control Panel, 83–84 Windows Workflow Foundation (WWF), 361 WINIPCFTG utility, 159 WinLogon, 859 WinPrint, 377–378 WINS (Windows Internet Name Service) adding domain to during AD deployment, 762–763 configuring, 218–220 configuring TCP/IP, 113–114 configuring Windows clients, 220–223 configuring zone properties, 199 deploying WINS servers, 728–729 how it works, 214–215 installing, 218 managing Active Directory and, 786 mapping renewal, 216 as name resolution service, 34–35 overview of, 107, 213–214 persistent connections, 217 pros/cons, 216 registering, 215 TCP/IP and, 98 testing installation in AD, 763 tombstoning, 216–218 Winsock Direct, 415 wireless interface, local print monitor, 380 WMI (Windows Management Instrumentation) data collection with, 919 filters, 899 managing disk quotas, 440 system monitoring, 29–30 WMI Control node in Computer Management console, 57 work queues, Removable Storage service, 297 workers, types of users/workers, 866 workgroups networking and, 18 server installation and, 753 workload, monitoring server, 934–935 workstations backing up, 305–306 lockdown, 870 securing, 804–805 securing administrative, 803–804 types of users/workers, 867 World Wide Web See Internet WOSA (Windows Open Services Architecture), 627 WSB (Windows Server Backup) See also Backup-Restore utility overview of, 5, 309–310 performing back up with, 310–313 restoring data with, 315–316 WSUS (Windows Software Update Services), 769–770 WWF (Windows Workflow Foundation), 361 WWW (World Wide Web) See Internet X X.500 directory specification, 602–604, 607 naming conventions and, 611 X.509 certificates, 583 XCOPY command, 537 XPS (XML Paper Specification), 361, 371 Z ZAW (Zero Administration Windows), 894 ZIP disks, 419 zone files, DNS, 183–186 zone transfers, DNS caching 
and, 189 configuring zone properties, 199 overview of, 183 zones, DNS adding resource records to, 194–197 background zone loading, 558 configuring properties, 197–199 configuring scavenging on zone-by-zone basis, 212–213 creating forward-lookup zones, 193–194 creating reverse lookup zones, 194 locating authoritative DNS zone, 779 overview of, 182 records in zone files, 183–186 wizard for creating, 194

Date posted: 20/03/2019, 11:36


Table of contents

  • Windows Server 2008 Bible

    • About the Author

    • Credits

    • Acknowledgments

    • Contents at a Glance

    • Contents

    • Introduction

      • Who Should Read This Book

      • How This Book Is Organized

      • Part I: Windows Server 2008, Core, Configuration, Networking, and Communication Services

        • Chapter 1: Installing Windows Server 2008

          • It’s All About the Core

          • Installation and Configuration Strategy

          • Overview of Hardware

          • Installing Windows Server 2008

          • Roles, Features, and Applications

          • Windows Server 2008 as a Communications Server and Microsoft Exchange

          • System Monitoring Using Windows Management Instrumentation

          • Windows Server 2008 for Database Services with SQL Server

          • Windows Server 2008 for IIS and ASP.NET

          • Windows Server 2008 for Application Services

          • Windows Server 2008 for Resolutions Services

          • Summary

          • Chapter 2: Configuring Windows Server 2008

            • Using the Microsoft Management Console
