46993214-Windows-Server-2003

Published on May 2016

Disabling Application Error Reporting on Windows Server 2003 (and XP, also)

Preface:
There is rarely a good reason to disable this service. When a program or the system crashes, Windows assembles a report once it recovers describing how the crash happened and offers to send it to Microsoft, who look it over and try to fix the fault, which makes a better OS for everyone. The report is designed not to carry personally identifiable information, although the crash dump it includes is a copy of the faulting process's memory and can incidentally contain data that process was handling; that, rather than preference, is the one legitimate reason to turn reporting off (or redirect it to an internal Corporate Error Reporting server) on servers that handle sensitive data. Disabling it is not a recommended procedure.

Method:
Click the Start button and right-click My Computer and click Properties from the pop-up menu

In the System Properties dialog that has come up, click the advanced tab, and then the Error Reporting button

In the next dialog select the "Disable error reporting" radio button. Optionally, so you don't get any notices of system failures at all, also uncheck "But notify me when critical errors occur"

Now press OK, Apply, and OK, and Error Reporting has now been disabled.
Copyright ©2002-2006 Jonathan Maltz.

Disabling Automatic Updates on Windows Server 2003, step-by-step
Preface:
Windows Server 2003 includes Automatic Updates, which keeps the system patched from Windows Update without intervention. Personally, I want to know when my server is being updated rather than let a program do it for me, so in this case we disable it. Bear in mind that a server with Automatic Updates turned off receives no security patches unless somebody applies them, so have a manual patching routine in place before doing this.

Method:
Click the Start button, then right click My Computer and click Properties

Now go to the Automatic Updates tab, clear the "Keep my computer up to date..." checkbox, and click Apply then OK. On Service Pack 1 and later the tab offers radio buttons instead; "Notify me but don't automatically download or install them" gives you the same control over timing while still announcing new patches, and is the safer choice.


Creating the first Windows Server 2003 Domain Controller in a domain
Preface:
One of the greatest features of Windows Server 2003 is its ability to be a Domain Controller (DC). The features of a domain extend further than this tutorial ever could, but the best known is the ability to store user names and passwords on a central computer (the Domain Controller) or computers (several Domain Controllers). In this tutorial we will cover "promoting" (creating) the first DC in a domain. This will include DNS installation, because without DNS the client computers couldn't locate the DC (they find it through the SRV records the DC registers in DNS). You can host DNS on a different server, but we'll only deal with the basics.

Method:
Click Start -> Run...

Type "dcpromo" and click "OK"

You will see the first page of the wizard. As it suggests, read the help associated with Active Directory before going on. After this, click "Next"

Click "Next" on the compatibility window, and in the next window keep the default option of "Domain Controller for a new domain" selected, and click "Next"

In this tutorial we will create a domain in a new forest, because it is the first DC, so keep that option selected

Now we have to think of a name for our domain. If you own a web domain like "visualwin.com", you can use it, but it isn't suggested because computers inside of your domain may not be able to reach the company website. Active Directory domains don't need to be "real" domains like the one above - they can be anything you wish. So here I will create "visualwin.testdomain"

Now in order to keep things simple, we will use the first part of our domain ("visualwin"), which is the default selection, as the NetBIOS name of the domain

The next dialog suggests storing the AD database and its transaction logs on separate physical disks (for performance and so that a failed disk doesn't take both), and so do I, but for this tutorial I'll just keep the defaults

SYSVOL is the folder every DC replicates and shares to the domain (as the SYSVOL and NETLOGON shares). It holds Group Policy templates and logon scripts, and things like .MSI software packages can be kept there when you distribute software through Group Policy (as I said, AD has a lot of different features). It is readable by Authenticated Users and writable only by administrators; since logon scripts placed there run on every client, treat write access to it as domain-wide code execution. Once again, I will keep the default location, but it can be changed if you wish to use the space of another drive

Now we will get a message that basically says that you will need a DNS server in order for everything to work the way we want it (i.e., our "visualwin.testdomain" to be reachable). As I mentioned earlier, we will install the DNS server on this machine as well, but it can be installed elsewhere. So keep the default selection of "Install and configure", and click "Next"

Because, after all, this is a Windows Server 2003 tutorial website, we'll assume no pre-Windows 2000 servers (NT 4.0 RAS servers, for example) need to read this domain, so keep the default of "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems" and click "Next". The other option adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated clients read user and group attributes from the directory.

The Directory Services Restore Mode password is the one every administrator hopes never to use but must never forget: it is the local Administrator password for this DC when it is booted into Directory Services Restore Mode to repair or restore the directory, and it is the one password that might save a failed server. It is separate from the domain Administrator password and does not change when that one does. Make it strong, record it securely, and if it is ever lost it can be reset on a running DC with ntdsutil ("set dsrm password")

Now we will see a summary of what will happen. Make sure it's all correct because changing it afterwards can prove to be difficult

After that "Next" is clicked the actual promotion runs. This can take several minutes. You will probably be prompted for your Windows Server 2003 CD (for the DNS server files), so have it handy

If your computer has a dynamically assigned address (from DHCP) you will be prompted to give it a static IP address. Click ok, and then in the Local Area Connection properties, click "Internet Protocol (TCP/IP)" and then "Properties"

In the next window select "Use the following IP address" and enter the addressing you will use for your domain, with 127.0.0.1 as the preferred DNS server because this computer will host DNS. I still suggest setting an alternate as well once a second DNS server exists. Click "OK" and then "Close" on the next window

And after a while you will see

And we're finished. After the reboot, confirm the promotion with dcdiag (from the Support Tools on the Windows Server 2003 CD) and check that the DC registered its locator records in DNS, for example with nslookup -type=SRV _ldap._tcp.dc._msdcs.visualwin.testdomain. You may also want to see the other Active Directory tutorials on the main page.

Applying Extra Security Using the Group Policy Object Editor
Preface:
Windows Server 2003 ships fairly locked down by default. What I will show you is how to go further and tighten up logging in: account lockout, a minimum password length, auditing of failed logons, and a few Security Options. Everything below uses gpedit.msc, which edits the Local Security Policy of this one server. On a domain controller the account and password settings for domain accounts come from the Default Domain Policy instead (open it with Domain Security Policy in Administrative Tools), so if this server was promoted with dcpromo make the Account Policies changes there.

Method:
This section has four parts:
• Setting Account Lockout Durations
• Setting a Minimum Password Length
• Logging Failed Log-in Attempts
• Securing Security Options

Setting Account Lockout Durations
Preface:
This will show you how to set up Windows Server 2003 to watch for invalid logon attempts and lock the account against further attempts for a period of time. This is extraordinarily helpful when the server accepts remote logons via Remote Desktop and the like, because it turns an unlimited password-guessing run into a handful of tries per hour. Two caveats: anyone who can reach the logon prompt can also lock accounts out deliberately, so don't set the threshold too low, and the built-in Administrator account is exempt from lockout, which is one more reason to rename it and give it a long password.

Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration click the + next to Windows Settings, then Security Settings, then Account Policies, and click Account Lockout Policy

Double click Account lockout threshold and enter the number of failed logon attempts that triggers a lockout. I'll use 5 for the sake of this tutorial

When you click OK you will get a dialog saying that the other two settings (Account lockout duration and Reset account lockout counter after) will be enabled with suggested values of 30 minutes. Click OK; we'll be changing those anyway

Double click Account lockout duration. This is how long the account stays locked after 5 unsuccessful logons. I will lock the account for one hour (60 minutes). A value of 0 means the account stays locked until an administrator unlocks it. Enter the value you'd like and press OK

Double click Reset account lockout counter after:. This is how long Windows Server 2003 remembers failed logons when counting toward the threshold; the counter is cleared once this much time passes with no new failure, and on a successful logon. Windows requires it to be no longer than the lockout duration. We will set it to 60 minutes. That means after 5 unsuccessful logons to a single account within 60 minutes, the account will be locked for 60 minutes, per our previous settings

Done! Five unsuccessful logons (the threshold) to one account within 60 minutes (the reset window) now lock that account for 60 minutes (the duration). The same three values can be set and checked from a command prompt with net accounts /lockoutthreshold:5 /lockoutduration:60 /lockoutwindow:60, and plain net accounts shows what is in force.
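To see how the three values interact, here is an added example (not part of the original tutorial) that replays a constructed timeline of logon attempts against the documented lockout rules: the counter clears after the reset window or on a successful logon, the failure that reaches the threshold locks the account for the duration, and a locked account refuses even the right password. The timestamps and account names are invented for illustration, and the code models the policy rather than calling Windows.

```python
from datetime import datetime, timedelta

# The three Account Lockout Policy values set in the steps above.
THRESHOLD = 5                          # Account lockout threshold
RESET_AFTER = timedelta(minutes=60)    # Reset account lockout counter after
DURATION = timedelta(minutes=60)       # Account lockout duration (0 = until an admin unlocks)


def evaluate_attempts(attempts, threshold=THRESHOLD, reset_after=RESET_AFTER,
                      duration=DURATION):
    """Replay (timestamp, password_correct) pairs for one account, in time order.

    Returns one outcome per attempt: 'ok', 'bad-password' or 'locked-out'.
    This models the policy's documented behaviour; it does not call Windows:
      - the bad-password counter is cleared after `reset_after` passes with no
        new failure, and on a successful logon;
      - the failure that reaches `threshold` locks the account for `duration`
        (a zero duration means locked until an administrator unlocks it);
      - while locked, even the correct password is refused.
    """
    bad_count = 0
    last_bad = None
    locked_until = None
    outcomes = []
    for ts, correct in attempts:
        if locked_until is not None:
            if ts < locked_until:
                outcomes.append("locked-out")
                continue
            locked_until = None          # duration elapsed: automatic unlock
            bad_count = 0
        if last_bad is not None and ts - last_bad >= reset_after:
            bad_count = 0                # observation window expired
        if correct:
            bad_count = 0
            outcomes.append("ok")
            continue
        bad_count += 1
        last_bad = ts
        if bad_count >= threshold:
            locked_until = ts + duration if duration else datetime.max
            outcomes.append("locked-out")
        else:
            outcomes.append("bad-password")
    return outcomes


def at(hhmm):
    """Constructed timestamp on one fixed day (the date itself is irrelevant)."""
    return datetime(2006, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed scenario 1: a guessing run, the real user half an hour later, and
# the real user again once the lockout duration has passed.
BURST = [(at("09:00"), False), (at("09:01"), False), (at("09:02"), False),
         (at("09:03"), False), (at("09:04"), False),   # 5th failure -> locked
         (at("09:30"), True),                           # right password, still locked
         (at("10:05"), True)]                           # 60 min passed -> unlocked

# Constructed scenario 2: the same five wrong passwords, one every 61 minutes,
# so each one arrives after the 60 minute reset window has cleared the counter.
SLOW = [(at("09:00"), False), (at("10:01"), False), (at("11:02"), False),
        (at("12:03"), False), (at("13:04"), False)]

if __name__ == "__main__":
    for name, scenario in (("burst", BURST), ("slow", SLOW)):
        print(name, evaluate_attempts(scenario))
```

The slow scenario is the one to notice: five wrong passwords never lock the account when they are spaced wider than the reset window, which is why the window and the threshold have to be chosen together, and why a patient guesser stays under the radar unless you also audit failures (next tutorial).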

Uh oh, I locked myself out!
Don't worry, it happens to the best of us. You could wait the hour to log in, or log on with a member of the Administrators group, click Start -> Run...

Type "lusrmgr.msc" and press OK

Click the Users folder and then double click the locked out user. You will see the "Account is locked out" checkbox checked; un-checking it unlocks the account. For a domain account on a domain controller, where lusrmgr.msc cannot be used, the same checkbox is on the Account tab of the user in Active Directory Users and Computers

My reasoning
Q: Why do you set the invalid logon threshold to only 5? That could lock out more users than I want to be unlocking.
A: It was merely for the sake of an example. I believe 5 should be more than enough to correct a mistyped letter or so in a password. If you find that it isn't enough, you can change it by going back, just as easily as it was set.
Q: I think I was locked out but I'm really not sure. What will the dialog look like at logon?
A: It says plainly that the account has been locked out and to contact your administrator; here's a picture:


Setting a Minimum Password Length
Preface:
Users can change their own passwords at any time by pressing Ctrl-Alt-Del, clicking the Change Password button, and typing their old one and their new desired one. This isn't bad, and it's a good habit for users to get into (you don't want other people figuring out the users' passwords, do you? :-/). While users setting their own passwords is a good thing, you don't want them setting passwords like "h" or something far too easy to guess. Unfortunately, the way a standalone Windows Server 2003 ships, users can do this. In this tutorial we will set a minimum length; not difficult, but something that needs to be done and gets overlooked a bit too much.

Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration click the + next to Windows Settings, then Security Settings, then Account Policies, then Password Policy

Double click Minimum password length and set a sensible value. I will use 7 characters here; anything people type from memory should really be longer, and the neighbouring setting "Password must meet complexity requirements" adds a character-class rule on top of the length

That's it. Users trying to change their password to one shorter than the minimum will now be presented with a rather odd-looking error telling them the password does not meet the policy requirements


Logging Failed Log-in Attempts
Preface:
This will show you how to set up Windows Server 2003 to log failed attempts to log on to the system: which account was tried, from where, and why it failed. Windows does not record the password that was attempted, only the account name, the source and the failure reason.

Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, Local Policies, and click Audit Policy

Double click Audit account logon events, make sure Success is checked, then check Failure also. This category records credential validation, which happens on the machine that holds the account (the DC for domain accounts, this server for its local accounts)

Do the same for Audit logon events, which records the logon session being created on the machine that was logged on to (for example an RDP connection to this server)

Now any unsuccessful logon will appear in the Security log in Event Viewer as a Failure Audit, most commonly event ID 529 (unknown user name or bad password) or 539 (account locked out). The event description contains:
• Reason
• User Name
• Domain (or computer name if no domain is present)
• Logon Type
• Logon Process
• Authentication Package
• Workstation Name
• Caller User Name
• Caller Domain (or workgroup)
• Caller Logon ID
• Caller Process ID
• Transited Services
• Source Network Address
• Source Port
If you notice this repeatedly from the same computer (it shows the workstation name and IP address), you can take appropriate action. Source Network Address and Source Port are only filled in for network logons; a console logon shows "-". Also make sure the Security log is large enough and set to overwrite events as needed, because a guessing run fills it quickly.
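As an added example (not from the original page), the following Python parses Security-log descriptions laid out with the fields above and flags source addresses that produced five or more failed logons (events 529 and 539) within an hour, the pattern the lockout policy earlier on this page exists to blunt. The log text is constructed from a template for this example; the addresses, account names and times are invented. The parser relies only on the "Field: value" layout shown above, so the description text of real events from Event Viewer can be fed to parse_events() in the same way.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Template for a Windows Server 2003 Security-log Failure Audit with the fields
# listed above. The events built from it are constructed for this example.
EVENT_TEMPLATE = """\
Event ID:\t{event_id}
Date:\t{date}
Time:\t{time}
Description:
Logon Failure:
\tReason:\t\t{reason}
\tUser Name:\t{user}
\tDomain:\t\tVISUALWIN
\tLogon Type:\t10
\tLogon Process:\tUser32
\tAuthentication Package:\tNegotiate
\tWorkstation Name:\tSERVER1
\tCaller User Name:\tSERVER1$
\tCaller Domain:\tVISUALWIN
\tCaller Logon ID:\t(0x0,0x3E7)
\tCaller Process ID:\t1272
\tTransited Services:\t-
\tSource Network Address:\t{source}
\tSource Port:\t{port}
"""

BAD_PASSWORD = (529, "Unknown user name or bad password")
LOCKED_OUT = (539, "Account locked out")


def make_event(event_id, reason, time, user, source, port):
    return EVENT_TEMPLATE.format(event_id=event_id, reason=reason, date="3/4/2006",
                                 time=time, user=user, source=source, port=port)


# One guessing run from 203.0.113.45 (five wrong passwords, then the lockout
# refusing the sixth try) plus a single typo by a user on the LAN.
SAMPLE_LOG = "\n".join([
    make_event(*BAD_PASSWORD, "2:14:05 AM", "administrator", "203.0.113.45", 1085),
    make_event(*BAD_PASSWORD, "2:14:09 AM", "administrator", "203.0.113.45", 1086),
    make_event(*BAD_PASSWORD, "2:14:14 AM", "administrator", "203.0.113.45", 1087),
    make_event(*BAD_PASSWORD, "2:14:20 AM", "jmaltz", "203.0.113.45", 1088),
    make_event(*BAD_PASSWORD, "2:14:26 AM", "jmaltz", "203.0.113.45", 1089),
    make_event(*LOCKED_OUT, "2:14:31 AM", "jmaltz", "203.0.113.45", 1090),
    make_event(*BAD_PASSWORD, "8:02:11 AM", "alice", "10.0.0.23", 1301),
])

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\t*\s*(.*?)\s*$")


def parse_events(text):
    """Split the text into events (separated by blank lines) and return a list of
    {field: value} dicts with a parsed 'timestamp' built from Date and Time."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m and m.group(2):            # skip bare headings like "Logon Failure:"
                fields[m.group(1)] = m.group(2)
        fields["timestamp"] = datetime.strptime(
            fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events


def guessing_sources(events, threshold=5, window=timedelta(minutes=60)):
    """Return {source address: summary} for every source with at least `threshold`
    failed logons (529 or 539) inside any `window`. Console logons carry '-' as the
    address and are left out."""
    by_source = defaultdict(list)
    for ev in events:
        addr = ev.get("Source Network Address", "-")
        if ev.get("Event ID") in ("529", "539") and addr != "-":
            by_source[addr].append(ev)
    flagged = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["timestamp"])
        start = 0
        for end, ev in enumerate(evs):          # sliding window over sorted times
            while ev["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[source] = {
                    "failures": len(evs),
                    "accounts": sorted({e["User Name"] for e in evs}),
                    "locked_out": any(e["Event ID"] == "539" for e in evs),
                }
                break
    return flagged


if __name__ == "__main__":
    for source, summary in guessing_sources(parse_events(SAMPLE_LOG)).items():
        print(source, summary)
```

Grouping by Source Network Address rather than by account is what separates a guessing run from users mistyping: one address hammering several accounts shows up even when no single account reaches the lockout threshold, and a 539 from the same address confirms the policy from the previous tutorial did its job.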

Securing Security Options
Preface:
I thought about making a separate page for each of the settings in this part of the Group Policy Object Editor, but instead I've put them all on one page. Each setting below is independent, so skip any you do not want to change.

Method:
Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration click the + next to Windows Settings, then Security Settings, then Local Policies, then click Security Options

Disabling the Administrator account
Since we have already created a secondary administrator in the New User tutorial you may not want the built-in Administrator account enabled, so we have the option to disable it. This can cause problems (on a server that is not a domain member and has no other enabled local administrator, Windows re-enables the account for Safe Mode logons, and several recovery procedures expect it), so instead of disabling it you may prefer to give it a long password (that you still remember!), rename it with Accounts: Rename administrator account, and simply not use it. To disable it, double click Accounts: Administrator account status and set the radio button to Disabled

Not showing the last user at the logon screen
If you are worried about people seeing the user name of the last person who logged on (at the Ctrl-Alt-Del logon screen), you can turn the display off. Double click Interactive logon: Do not display last user name and set the radio button to Enabled

Setting a message to show up in a dialog box after users press Ctrl-Alt-Del at the logon screen
Double click Interactive logon: Message text for users attempting to log on. Type in the message you want displayed and press OK. The banner appears before any credentials are entered and must be acknowledged, which is why it is commonly used as a notice of authorized use

Setting a title for the logon message
We have the message text that shows after pressing Ctrl-Alt-Del at logon; now we set a title to go with it. Double click Interactive logon: Message title for users attempting to log on and type what you want displayed in the title bar

That's all! Feel free to look around the other settings in this tree if you are curious; most of them are reasonably secure already. Everything in this section, together with the account and audit policies above, can be dumped to a text file for review with secedit /export /cfg C:\policy.inf /areas SECURITYPOLICY.
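The four sections above all end up in the Local Security Policy database, and secedit /export /cfg <file> /areas SECURITYPOLICY dumps it as an INF file. The following Python is an added example (not from the original page or from Microsoft) that reads such an export and checks it against the values set in this tutorial: lockout 5/60/60, minimum length 7, success-and-failure auditing of both logon categories, the Administrator account disabled, the last user name hidden, and a logon banner with title and text. The INF shown is a constructed, abridged sample; the key names follow the secedit template format, and the password-complexity check fails on purpose because the tutorial never turned that setting on. A real export is UTF-16 on disk, so open it with encoding="utf-16" before passing the text to parse_inf().

```python
import configparser

# Constructed, abridged example of what
#   secedit /export /cfg C:\policy.inf /areas SECURITYPOLICY
# writes after the four sections above have been applied.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 5
ResetLockoutCount = 60
LockoutDuration = 60
EnableAdminAccount = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,This system is for authorized users only.,
[Version]
signature="$CHICAGO$"
Revision=1
"""

POLICY_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
AUDIT_BOTH = 3   # [Event Audit] values: 0 none, 1 success, 2 failure, 3 success and failure


def parse_inf(text):
    """Parse secedit's INF output. Interpolation is off because of "$CHICAGO$"."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep registry paths and key names as written
    cp.read_string(text)
    return cp


def registry_value(cp, name):
    """[Registry Values] entries are 'type,data' (1 = REG_SZ, 4 = REG_DWORD,
    7 = REG_MULTI_SZ). Returns (type, data) or None when the value is not set."""
    raw = cp.get("Registry Values", POLICY_KEY + "\\" + name, fallback=None)
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    return int(reg_type), data.strip().strip('"')


def check_logon_hardening(cp, min_length=7, threshold=5, duration=60, reset=60):
    """Compare the export with the tutorial's settings.
    Returns {check name: (passed, actual value)}."""
    sa, ea = cp["System Access"], cp["Event Audit"]
    results = {
        "lockout threshold": (int(sa["LockoutBadCount"]) == threshold, sa["LockoutBadCount"]),
        "lockout duration": (int(sa["LockoutDuration"]) >= duration, sa["LockoutDuration"]),
        "reset counter after": (int(sa["ResetLockoutCount"]) == reset, sa["ResetLockoutCount"]),
        "minimum password length": (int(sa["MinimumPasswordLength"]) >= min_length,
                                    sa["MinimumPasswordLength"]),
        "password complexity": (sa.get("PasswordComplexity") == "1", sa.get("PasswordComplexity")),
        "audit logon events": (int(ea["AuditLogonEvents"]) == AUDIT_BOTH, ea["AuditLogonEvents"]),
        "audit account logon events": (int(ea["AuditAccountLogon"]) == AUDIT_BOTH,
                                       ea["AuditAccountLogon"]),
        "administrator disabled": (sa["EnableAdminAccount"] == "0", sa["EnableAdminAccount"]),
    }
    last_user = registry_value(cp, "DontDisplayLastUserName")
    results["hide last user name"] = (last_user == (4, "1"), last_user)
    for name, label in (("LegalNoticeCaption", "logon message title"),
                        ("LegalNoticeText", "logon message text")):
        value = registry_value(cp, name)
        results[label] = (value is not None and bool(value[1].strip(", ")), value)
    return results


if __name__ == "__main__":
    for check, (ok, actual) in check_logon_hardening(parse_inf(SAMPLE_INF)).items():
        print("PASS" if ok else "FAIL", check, actual)
```

Running the same check across several servers is the quickest way to find the one where a step was skipped; on a domain controller remember that the export reflects local policy, so the account and password values that actually apply to domain accounts are the ones in the Default Domain Policy.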

Enabling Audio Mapping for Remote Desktop/Terminal Services
Preface:
When connecting to RD (Remote Desktop) or TS (Terminal Services) using the built-in Windows client (mstsc), even with "Remote computer sound" set to "Bring to this computer", you won't hear anything from the remote computer by default, because Terminal Services Configuration disables audio mapping on the connection. Thanks to John Losey and his post to microsoft.public.windows.server.networking, this problem is solved. Update January 19th, 2005: in addition to the instructions below, the server (as well as the client) must have a sound card, or this will not work. Also make sure the Windows Audio service, which is disabled by default on Windows Server 2003, is set to Automatic and started

Method:
Start -> Run...

Type "tscc.msc" without the quotes, and press OK

On the left side you should see that "Connections" is selected, on the right side you should see, under the "Connection" tab, RDP-Tcp. Right click that, and press properties

Go to the Client Settings tab, and under "Disable the following:" you will see "Audio mapping" checked. Uncheck it. Now press OK and you should be set!

Special thanks to John Losey on the Windows Server groups for posting the original message (I was kind of wondering how to do it myself ;-)

Enabling Remote Desktop
Preface:
Remote Desktop is a great way to work on your computer from basically anywhere (if you set up your internet connection sharing device properly). It listens on TCP port 3389. Forwarding that port on your router makes the server reachable from anywhere in the world, and that includes anyone who wants to guess passwords at it: Windows Server 2003 RDP has no network-level authentication, so the logon screen itself is exposed. If you do open it up, set the account lockout policy from the security tutorial, restrict the forwarding rule to the source addresses you connect from or reach the server over a VPN instead, and watch the Security log for event 529.

Method:
Click the Start button, and right-click My Computer and click Properties from the pop-up menu

Go to the "Remote" tab and check "Allow users to connect remotely to this machine"

At this point only Administrators can connect. To allow more users, click "Select Remote Users..." (which adds them to the Remote Desktop Users group) and click the "Add" button in the new dialog

In the next dialog, type in the name of a regular user and press OK

And that's all! To connect, run "mstsc" from a Windows XP/2003 machine and type the address. Windows Server 2003 allows two remote sessions in addition to the console session; for other systems you can download the Remote Desktop Connection 5.2 client from this address http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=a8255ffc4b4a-40e7-a706-cde7e9b57e79 . To connect to the console session you must either have logged in locally to the machine first, or be an Administrator; run "mstsc /console" or connect to <machine name> /console. At this point you may want to enable audio mapping for TS/RD; see the tutorial above for how to do so.

Adding users to Active Directory
Preface:
As you know, if you try to add users with lusrmgr.msc on a domain controller you receive an error explaining that the snap-in cannot be used on a domain controller and that domain accounts are managed with Active Directory Users and Computers:

And since I cover creating a local user (lusr) I thought it would only be right to cover creating an Active Directory user.

Method:
Click Start, highlight "Administrative Tools" and select "Active Directory Users and Computers"

Now expand your domain name on the left side and go to the container at the bottom named "Users". When you click on it you will see all of the automatically created users and groups, and also the local users you made before you ran dcpromo, because those were migrated into the domain during the promotion. To add a user, right click either the "Users" folder on the left side or the blank area on the right side, highlight "New" and click "User"

In the next dialog we can set the user's First name, Last name and various other pieces of information, including their log-on name, and domain to which we want to add them

After clicking "Next" you are presented with the password-settings screen. You can set the user's password and have them change it on their first logon by selecting "User must change password at next logon", which is the better practice because the administrator then never knows the user's working password. In this tutorial, though, I will set the password myself and tick "User cannot change password", so they cannot change it without asking me (the administrator) to change it for them

In the next dialog, we get a summary of the user to be created. Click "Finish" and the user has been created

And we're finished! Now you might want to check out the tutorial on how to add a computer to Active Directory, which will help you get the full benefits of AD.

Adding a computer to Active Directory
Preface:
Earlier, I showed you how to add users to your Active Directory domain. This tutorial will focus on how to add computers. This step is not strictly necessary for workstations; I was able to join a Windows XP machine to my domain without adding the computer name first. This section is really for seeing which computers have joined and for allowing other servers to join as DCs, etc. I will show you how to add the computer using "Active Directory Users and Computers", then in other tutorials I will demonstrate how to join a Windows 2000 computer and a Windows XP computer to this domain.

Update:
Brian Desmond (Windows Server MVP) emailed me with the following information on why someone might want to add a computer to AD manually: "By default a computer will get dumped in the Computers container, unless a Windows 2003 Native Mode Domain is in place, and redircomp has been run to change this. Precreating computer accounts in OUs will ensure that when the unit is joined, it is in the correct OU, which guarantees policy consistency, and other administrative things. One can also specify who can reset the machine's password. This will allow an admin to create an account for a computer, and let a normal user join the machine with their credentials."

Method:
Click Start, highlight "Administrative Tools" and select "Active Directory Users and Computers"

Expand your domain name, and right-click "Computers", highlight "New" then click "Computer"

In this dialog we have to type the name of the computer we want to add

In the next dialog just click "Next", then you will see a final report of what will be added, and you can click "Finish". And, we're done!

Adding a Windows 2000 computer to a Windows Server 2003 domain
Preface:
I have already shown you how to add AD users and computers to a Windows Server 2003 Active Directory domain, in this tutorial I will show you how to add a Windows 2000 computer to the domain. The method for adding Windows XP is basically the same, but I have created another tutorial for XP which is available here.

Method:
On the Windows 2000 computer, go to the desktop and right click "My Computer" and select "Properties"

In the dialog that comes up, go to the "Network Identification" tab and press the "Properties" button

Under "Member of" click the "Domain" radio button, then type the name of your domain without the trailing extension (for example, my domain name is "hello.test" but I only typed "hello")

Now you will be prompted for the user name and password of an account allowed to join computers to the domain. This tutorial uses a Domain Administrator; by default any domain user can join up to ten computers, and if the computer account was pre-created as in the previous tutorial, the user named there can join that machine without administrator rights. Enter the credentials and press "OK"

Now, wait for about a minute or two and you should receive this message welcoming you to the domain

That's it. Press "OK", then "OK", then "OK" in the configuration dialog, and finally "Yes" to reboot. You will then be able to log on to the domain using an AD user name and password (not the local Windows 2000 account).

Additive:
After the 2000 computer boots to Control-Alt-Delete you may need to change it from logging onto itself (which will use the local info) to logging onto the domain. To do this, press Ctrl-Alt-Del, then the "Options >>>" button on the log on screen. Then select the domain from the drop-down box

After that you can log on using domain credentials

Adding a Windows XP computer to a Windows Server 2003 domain
Preface:
This is basically the same procedure as the Windows 2000 tutorial. Some things to note about adding a Windows XP computer to a domain are the following:
• You need Windows XP Professional to join a computer to a domain. XP Home Edition cannot join a domain at all
• You will lose the "fancy" Welcome logon screen and get the "classic" logon screen instead. This is for security and cannot be changed, unless you revert to workgroup mode
• You will lose Fast User Switching. This cannot be restored except by reverting to workgroup mode

Method:
Click Start, right click "My Computer" and click "Properties"

Go to the "Computer Name" tab and click "Change..."

Select the "Domain" radio button and enter your domain name. Either the NetBIOS name without the extension or the full DNS name works (in my example the domain is "hello.test" and I type "hello")

Press "OK". You will be presented with a user name and password prompt; enter the credentials of a Domain Administrator or another account permitted to join computers to the domain

Press "OK" and after a minute or two you will receive a message welcoming you to the domain. Then you will receive a message telling you that a reboot is required, click "OK" to that, and the properties window. Then click "Yes" when you are prompted to reboot.

And we're finished. You have just learnt how to add a Windows XP computer to a Windows Server 2003 domain

Additive:
After the XP computer boots to Control-Alt-Delete you may need to change it from logging onto itself (which will use the local info) to logging onto the domain. To do this, press Ctrl-Alt-Del, then the "Options >>>" button on the log on screen. Then select the domain from the drop-down box

After that you can log on using domain credentials


Setting up and Using the Volume Shadow Copy Service
Preface:
VSS (the Volume Shadow Copy Service) is a new feature in Windows Server 2003 that lets you revert a file on a network share to a previous version (or just look at it in an older state, if you wish). I use it on my web server in case I upload a new version of my website and then say "uh oh" because a section isn't done or I wasn't ready for the update yet. Shadow copies live on the same server as the data, so they protect against mistakes and overwrites, not against disk failure or the loss of the server; they complement backups rather than replace them. It's a very simple service to use, and this will be a 3 part tutorial.

Parts:
• Setting up Shared Folders
• Setting up the Volume Shadow Copy Service
• Restoring Previous Versions


Setting up and Using the Volume Shadow Copy Service Setting up Shared Folders (Part 1 of 3)
Preface:
Here I will demonstrate how to share a folder, this is a very important part of VSS

Method:
Click Start then "My Computer"

Go to the directory above the one you wish to share. In this example I will share the folder "folder" on G:

Right click the folder and click "Sharing and Security"

Click "Share this folder" than if you would like, change the name of the desired share. After you do that, click the "Permissions" button

Now you can change who has what access to this shared resource. For the sake of this tutorial we will give "Everyone" "Full Control" at the share level, which is more than you should grant in practice: effective access is the more restrictive of the share and NTFS permissions, so a tighter share permission (for example Authenticated Users with Change) costs nothing and stops the share itself from being the weak link, while "Full Control" lets users change permissions and take ownership wherever the NTFS permissions allow it. After you select "Allow" for "Full Control", click "OK" and "OK" on the Share window

Go back to the folder above the shared one in Explorer and you will see a hand under the folder icon which shows that the folder is now shared

And that's it for the sharing section. Continue on to part 2 for setting up VSS.

Setting up and Using the Volume Shadow Copy Service Setting up the Volume Shadow Service (Part 2 of 3)
Preface:
Now we will configure VSS to take "snapshots" twice a day this way we can revert to files from those different times

Method:
Click Start then "My Computer"

In "My Computer" right click a drive (doesn't matter which) and click "Properties"

Go to the "Shadow Copies" tab, select the volume holding the share(s) you want shadow copied and click "Enable". The first shadow copy is taken immediately. Shadow copies are copy-on-write: after a snapshot, only the blocks that change are copied into the shadow storage, so the time and space each copy needs depend on how much changes between snapshots, not on the total size of the volume

Now we will move on to scheduling copies. You can also change the amount of space devoted to shadow copies if you like; when that limit is exceeded the oldest copies are deleted first, and Windows Server 2003 keeps at most 64 shadow copies per volume regardless, so a schedule that fires too often simply shortens your history. Click "Settings" on the Shadow Copies window

On the next window, click "Schedule"

As you can see, some defaults have already been put into place but what if you don't like those? Well, click "Delete" to delete one of the existing (or both) defaults, then click "New" and it will put in one another default, which we can change to our likings. Now you can set it to your liking. Let's say your server's lowest load is at 4:37 AM, then you want to make it 4:37 AM everyday like so:

But wait a second - nobody's in the office on the weekends and very few people VPN in to do their work then also, so how about we make a 10:00 AM volume copy every Saturday and Sunday. Click "New" again, then select "Weekly" and check off Saturday and Sunday

Click "OK" 3 times and you're back to your desktop. For restoring from backups, continue on to part 3

Setting up and Using the Volume Shadow Copy Service Restoring Previous Versions (Part 3 of 3)
Preface:
This is part 3 of this 3 part tutorial. I will now show you how to restore the previous version of a file. Be sure to have another backup of the file(s) just in case! I won't be held responsible for this.

Method:
Browse to one of your VSS-enabled shares over the network from another computer. The Previous Versions tab is built into Windows XP SP2 and Windows Server 2003 clients; Windows 2000 and earlier XP builds need the Shadow Copy Client (twcli32.msi, found under %systemroot%\system32\clients\twclient on the server) installed first

Open a file in it's appropriate program. In this case I will open right-click-share.png in MSPAINT

Now erase everything in it and save the file

"WHAT?!?!?! You erased the contents of that file?!?!!?! I needed that to complete this tutorial!". We've all said some version of that to ourselves after making an enormous mistake. Lucky us, we'll just restore it to this morning's backup. Back in Explorer, right click the file and click "Properties"

Go to the "Previous Versions" tab and behold, there is that file in all of it's glory, not the version that was completely whited out! From here you can view, copy and/or restore it. We'll just restore it, so click the "Restore" button

In the warning, it tells you that you will loose any changes made to the file since that snapshot was taken, but that's ok, because that means we will get the file as it was this morning (in it's original form) and replace the empty one

Ready for the magic? Click the file in Explorer again and look at the preview

And that's it! It works the same for text documents, Word documents, and most other file formats. Now that we have the original file restored, we can finish this tutorial! I hope you found this informational

Securing Printer Usage in Windows Server 2003

Figure A: Windows gives you a choice of connecting to a local printer or a network printer

You will now see a screen similar to the one that’s shown in Figure B. As you can see in the figure, Windows assumes that the printer is connected to the server through a parallel port (LPT1). You can’t use the LPT1 option since the printer is not connected directly to the server (most printers don’t even have a parallel port any more anyway). All of the other options on the Use the Following Port drop-down list also refer to local ports. You will therefore have to select the Create a New Port option.

Figure B: The Add Printer Wizard tries to connect to a locally attached printer by default

The Create a New Port drop-down list contains two options: Local Port and Standard TCP/IP Port. Choose the Standard TCP/IP Port option and click Next. When you do, Windows will launch the Add Standard TCP/IP Printer Port wizard. Click Next to bypass the wizard’s Welcome screen and you will see a screen similar to the one that’s shown in Figure C, asking you for a printer name or IP address and a port name.

Figure C: You must enter the printer’s IP address and a port name

The printer should already have an IP address assigned to it, so just enter that address into the space provided. You can enter anything that you want for the port name, but keep in mind that the port name must be unique. By default, Windows will create a port name of IP_ followed by the printer’s IP address. You can use this port name, or create your own. Click Next and you will see a summary screen displaying the options that you have entered, as shown in Figure D. Notice in the figure that the port that you are configuring is set to accept RAW print data over port 9100, and that Windows assumes that the printer uses an HP Jet Direct interface.

Figure D: Windows displays a summary of the options that you have chosen

Click Finish, and you will be returned to the Add Printer wizard. The next screen that you will see asks you what type of printer you are setting up. You can either select the correct printer type from the list, or use the Have Disk option to supply a print driver of your own. Click Next and you will be taken to a screen asking you for a printer name and whether or not you want Windows to use this as the default printer. The answers to these questions are totally up to you. After making your selections, click Next. You will now see a screen similar to the one shown in Figure E, asking you if you want to share the printer. Up to this point, Windows has assumed that you are only setting up the printer so that you can print to it from the server console. If your goal is to audit printer use, then you must share the printer.

Figure E: You must share the printer

Your goal is to direct all jobs that are destined for the printer through the server that you are currently configuring. By doing so, you will be able to restrict access to the printer (if necessary), and you will be able to audit the printer’s use. I should also mention that it is important that you only set up one server to share this printer. Otherwise, it will be possible for multiple servers to spool jobs to the printer simultaneously, and the printer can get confused. Click Next and you will be prompted to enter the printer’s location and an optional comment. This information is intended to help users to figure out which physical printer the print queue belongs to. Click Next and you will be given the opportunity to print a test page. After doing so, click Next one more time, followed by Finish. The server is now set up to manage print jobs for the printer. Remember that you must redirect your workstations so that they print to the server’s UNC share name (\\server name\share name) rather than printing to the printer directly.

Advanced TCP/IP Settings – The IP Settings Tab
The IP addresses box at the top allows you to assign additional IP Addresses to a single network card. This is useful if you are hosting multiple websites on the same web server and want to give each its own IP Address for example. Simply click the Add button to add an IP Address and Subnet Mask. Click Edit to modify the currently selected item and Remove to delete the currently selected item from the list.

Figure 1: The IP Settings Tab

The Default gateways box in the middle is used if you want the network connection to use multiple default gateways. Click the Add button to add a Default gateway and assign it a Metric value. A metric value is the cost of a specific route. Cost can reflect speed, reliability and number of hops. The route with the lowest metric value is used, so if you have two Default Gateways set up, one with a metric of 10 and the other with a metric of 20, the one with 10 will be chosen first. Leaving the metric at automatic means that the route metric for this default gateway will be calculated automatically, and the fastest route chosen. Note: If you fire up the Command Prompt and type “route print” with no quotes, the IP Routing table is displayed with the metric value listed as one of the properties of each IP Address and its associations. The Edit and Remove buttons in the Default gateways box do exactly the same as for the IP addresses box (explained above). At the bottom of the IP Settings tab you can set whether you want the Interface to have a specific metric or to be assigned one automatically. By default this option is checked. Uncheck it if you wish to input an Interface metric value of your choice.

Advanced TCP/IP Settings – The DNS Tab
The "DNS server addresses, in order of use box" at the top of the DNS tab is used to list the IP Addresses of the DNS Servers that will be used for name resolution. These servers are ordered and used in priority, meaning if one server does not work then it will move to the next one down the list. To set the order of IP Addresses, select an IP Address and press the up and down button on the right hand side. It is important to keep in mind that TCP/IP will not move on to the next server if it fails to resolve the request. It will only move to the next server if the first server it tries is unavailable (perhaps down for maintenance or in the middle of a reboot). Append primary and connection specific DNS suffixes, and Append parent suffixes of the primary DNS suffix are enabled by default. These options are used for resolution of unqualified names. The first option is used to resolve unqualified names using the parent domain. For example, if you had a computer name of “andrew” and a parent domain called ztabona.com it would resolve to andrew.ztabona.com. The query would fail if andrew.ztabona.com does not exist in the parent domain. The second option is used to resolve unqualified names using the parent-child domain hierarchy. A DNS query will move one step up the domain hierarchy if it fails at the current level. It will do this until it reaches the root of the hierarchy. If you have an environment which consists of a client machine forming part of multiple domains then you can add a bunch of domains to the Append these DNS suffixes (in order) list so these will be searched as part of the DNS query, instead of using the parent domain.

Figure 2

The text box to the right of DNS suffix for this connection is used to explicitly set a DNS suffix that will override any other setting already specified for this connection. Register this connection’s addresses in DNS will register all this connection’s IP Addresses in DNS under the computer’s FQDN. Use this connection’s DNS suffix in DNS registration will register all IP Addresses for this connection in DNS under the parent domain.
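The suffix-appending options above decide which FQDNs a client actually queries for a single-label name, and therefore which zones an attacker-controlled or collided name could be answered from. The following model of that ordering is an added example, not code from the article; host and suffix names are constructed, and devolution stops when two labels remain (Windows never uses a bare top-level label as a suffix) rather than at the literal root.

```python
"""How the DNS tab options turn an unqualified name into the ordered list of
FQDNs that will actually be queried.

Added example, not from the original article. Host and suffix names are
constructed sample values; a name that already contains a dot is treated as
fully qualified, which simplifies the real resolver's multi-label handling.
"""
from typing import List, Optional


def devolve(suffix: str, min_labels: int = 2) -> List[str]:
    """Walk a suffix up the hierarchy one label at a time.

    'sales.ztabona.com' -> ['sales.ztabona.com', 'ztabona.com'].
    Devolution stops when min_labels labels remain, so a bare top-level
    label such as 'com' is never used as a suffix.
    """
    labels = [label for label in suffix.strip(".").split(".") if label]
    out: List[str] = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def dns_candidates(name: str,
                   primary_suffix: str,
                   connection_suffix: Optional[str] = None,
                   append_primary_and_connection: bool = True,
                   append_parent_suffixes: bool = True,
                   explicit_suffixes: Optional[List[str]] = None) -> List[str]:
    """Return the FQDNs tried, in order, for a single-label name."""
    if "." in name:
        return [name.rstrip(".")]

    suffixes: List[str] = []
    if explicit_suffixes:
        # "Append these DNS suffixes (in order)" replaces the primary and
        # connection-specific suffix behaviour entirely.
        suffixes = list(explicit_suffixes)
    elif append_primary_and_connection:
        # Order: primary suffix, connection-specific suffix, then the
        # parents of the primary suffix when devolution is enabled.
        suffixes.append(primary_suffix)
        if connection_suffix:
            suffixes.append(connection_suffix)
        if append_parent_suffixes:
            suffixes.extend(devolve(primary_suffix)[1:])

    candidates: List[str] = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}".lower()
        if fqdn not in candidates:          # keep order, drop duplicates
            candidates.append(fqdn)
    return candidates
```

Comparing the list for a client with a deep primary suffix against the one produced by an explicit suffix list shows why the explicit list is the tighter configuration: it is exactly the set of zones you typed, nothing devolved.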

Advanced TCP/IP Settings – The WINS Tab
The WINS tab is used to specify WINS-related settings such as the list of WINS servers to be used for NETBIOS name to IP resolution, the LMHOSTS file to be used as an alternate means of lookups and the NETBIOS settings for the network connection. Pre-Windows 2000 machines and applications use NETBIOS to IP name resolution. If you have a Windows 2003 machine that acts as a file or print server and any client machines want to communicate with it, you will have to make use of NETBIOS. It is unlikely that you will have no pre-Windows 2000 machines on your network, but if you do, then go ahead and disable NETBIOS over IP; you’ll save on memory and CPU consumption and free up resources.

Use the "WINS addresses, in order of use" box at the top to add the WINS servers you want the system to use for IP to name resolution. Press the Add button for a small dialog box to appear waiting for you to enter the IP Address of the WINS server. Use the Edit and Remove buttons to modify or delete a selected item respectively. If you have more than one WINS server in the list, press the up and down arrow buttons to adjust the priority of which servers will be queried first. If one server is not available then the next one down will be used, and so on.

Figure 3

Check the Enable LMHOSTS lookup checkbox so that if WINS cannot resolve a name then the local LMHOSTS file will be used. The LMHOSTS file can be found in \WINDOWS\system32\drivers\etc. It goes by the name of lmhosts.sam and can be modified in a text editor. Entries are placed at the bottom of the file and when used, the listed IP Addresses are matched against a specified host name. If you already have an LMHOSTS file defined on another machine on the network, use the Import LMHOSTS button to select this file and import it to the local machine.
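Because LMHOSTS is a plain text file that the resolver trusts, it is worth being able to audit its contents programmatically. The parser below is an added example, not code from the article; the sample file is constructed, and it handles the plain "IP name" entries the article describes plus the #PRE (preload) and #DOM:domain keywords, while recording #INCLUDE targets without following them.

```python
"""Parser for the LMHOSTS file format described above.

Added example, not from the original article; the sample file is
constructed. Lines are 'IP name', optionally followed by #PRE (preload the
entry) and #DOM:domain (the host is a domain controller); anything else
after a '#' is a comment. #INCLUDE lines are recorded but not followed, and
the #BEGIN_/#END_ALTERNATE block keywords are treated as comments.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample; the addresses and names are not from the article.
SAMPLE_LMHOSTS = """\
# ip              name        keywords
192.168.10.5      FILESRV1    #PRE #DOM:ZTABONA    # primary file server
192.168.10.6      PRINTSRV                         # plain entry
10.0.0.9          appsrv      #PRE
#INCLUDE \\\\FILESRV1\\public\\lmhosts
300.1.1.1         BADHOST                          # invalid address
10.0.0.10         THISNAMEISTOOLONGFORNETBIOS      # more than 15 characters
"""


@dataclass
class LmhostsEntry:
    ip: str
    name: str              # NetBIOS name, at most 15 characters
    preload: bool = False
    domain: Optional[str] = None
    line_no: int = 0


@dataclass
class LmhostsFile:
    entries: List[LmhostsEntry] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def parse_lmhosts(text: str) -> LmhostsFile:
    result = LmhostsFile()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A comment, unless it is the one directive we keep track of.
            if line.upper().startswith("#INCLUDE"):
                target = line.split(None, 1)[1:]      # text after the keyword
                if target:
                    result.includes.append(target[0].split(" #")[0].strip())
            continue
        tokens = line.split()
        if len(tokens) < 2:
            result.errors.append(f"line {line_no}: missing host name")
            continue
        ip_text, name = tokens[0], tokens[1]
        try:
            ipaddress.IPv4Address(ip_text)
        except ValueError:
            result.errors.append(f"line {line_no}: bad address {ip_text!r}")
            continue
        if len(name) > 15:
            result.errors.append(f"line {line_no}: name {name!r} longer than 15 characters")
            continue
        entry = LmhostsEntry(ip=ip_text, name=name, line_no=line_no)
        for token in tokens[2:]:
            upper = token.upper()
            if upper == "#PRE":
                entry.preload = True
            elif upper.startswith("#DOM:"):
                entry.domain = token[5:]
            elif token.startswith("#"):
                break                                 # trailing comment
        result.entries.append(entry)
    return result


def lookup(parsed: LmhostsFile, name: str) -> Optional[str]:
    """Resolve a NetBIOS name case-insensitively; the first entry wins."""
    wanted = name.upper()
    for entry in parsed.entries:
        if entry.name.upper() == wanted:
            return entry.ip
    return None
```

Running it over an imported file and reviewing `entries` (especially #PRE and #DOM entries, which are loaded before WINS is consulted) and `includes` gives you a quick check that nothing unexpected has been added to a server's static name table.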

The NETBIOS settings at the bottom allow you to explicitly define how NETBIOS will be used on the system. Choose Default if you want the DHCP server to assign the NETBIOS setting, Enable NETBIOS over TCP/IP if you use a static IP Address or the DHCP Server does not give NETBIOS settings, and Disable NETBIOS over TCP/IP if you do not use NETBIOS or WINS on your network.

Advanced TCP/IP Settings – The Options Tab (TCP/IP Filtering)
The Options tab allows you to configure TCP/IP Filtering settings; you can define which ports or protocols are permitted. Select the Permit Only radio button and use the Add button to add TCP/UDP port numbers or a protocol version to the respective list. If you permit traffic only from a defined set of ports, all other traffic will be dropped.

About Disk Quotas
Unfortunately, in Windows NT Disk Quotas didn’t exist, which was much to the disappointment of Windows Administrators. Along came Windows 2000 and with the introduction of Disk Quotas it meant Administrators had the ability to track and control user disk usage. The only problem was that they didn’t really have a sufficient way of managing disk quotas. Scripting, reporting and remote usage methods were somewhat limited and ambiguous. Windows 2003 offers better all-round functionality and easier enterprise-wide disk quota manageability.

Disk quotas are used in conjunction with NTFS, Group Policy and Active Directory technology. NTFS is the file system on which disk quotas can be set, Group Policy is what is used to set disk quotas on a specific set of users and computers, and Active Directory is used to gather a list of users to which the disk quota group policy will be set. It is important to note that disk quotas can only be used with NTFS; setting them up on FAT or FAT32 drives is not possible.

Disk quotas are configured on a per volume basis and cannot be set on a file or folder level. Each volume would have its individual settings which do not affect any other volumes. You may have a single disk partitioned into two volumes (drives C and D for example) with each having their own quota settings. Disk quotas can also be configured on a per user basis and different groups of users can have different limits set. Administrators are the only ones to whom a disk quota does not apply; by default there are no limits for an Administrator.

There are numerous reasons you may wish to make use of disk quotas. Based on the requirements of your organization you might choose to configure disk quotas if you have a restricted amount of disk space on a specific server, a limited number of servers, or perhaps the need to monitor user disk space usage without actually enforcing a quota. You might be wondering why you’d want to just monitor user disk space usage.

Well, let’s say you have a fileserver set up with multiple users in your organization using it every day to store temporary files. As time goes by and perhaps people forget to delete the files from the server, the amount of available disk space will continue to decrease. If nothing is done about it then users will be denied the right to add more files on the server (until some old files are removed). By monitoring user disk space usage with Microsoft’s disk quotas, you can be notified of when space is running out and then increase the allocated space on the server accordingly or notify your users that they need to delete their files from the server. Additionally, setting a quota warning level will allow for a system event log to be written for your review.

Setting a Group Policy
The most practical means of configuring disk quotas on a large scale would be through a domain-level group policy. This will configure the settings automatically on any of the volumes you wish to have disk quotas enabled, saving you from having to configure each volume independently. Open the Group Policy Object Editor (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > System > Disk Quotas. On the right hand pane you will see a list of policies that can be applied. Double click the “Default Quota Limit and Warning Level Properties” setting.

Figure 1: The Default Quota Limit and Warning Level Properties Dialog

The default quota limit is the maximum amount of space assigned per default quota, whereas the warning level is the amount of space at which a warning is triggered. Normally 90-95% of the total value is a good limit to set as a warning. Now configure any other settings you wish to be applied by selecting them from the right hand pane. To have your changes applied immediately you can enable the “Disk Quota Policy Processing” policy and choose “Process Even If The Group Policy Objects Have Not Changed” from Administrative Templates > System > Group Policy.

Figure 2: The Disk Quota Policy Processing Dialog

You may also want to manually force a group policy update using the gpupdate utility. Simply go to Start > Run and type gpupdate followed by the return key. This will refresh both the computer and user policies. Whatever changes you make in the group policy will be reflected on the Quota properties tab of each volume you wish to configure in your domain. The options will appear grayed out and non-editable.

Configuring Disk Quotas and Disk Quota Entries
Using the Computer Management console, you can configure disk quotas for a local or remote volume from a central location. To open Computer Management, you have three choices: right click My Computer and select Manage, type compmgmt.msc in the Run bar, or select Computer Management from the Administrative Tools folder. Select which computer you wish to manage from the root node. To select a remote machine right click the “Computer Management” node, select “Connect to another computer…” and choose the computer you wish to manage. Now, navigate to Storage > Disk Management, select the volume you want to configure from the right hand pane and open the properties dialog. Click the Quota tab and enable the options you want to be enforced.

Figure 3: The Disk Quota Properties Dialog

The traffic lights icon at the top indicates the status of the disk quota; red means quotas are disabled, orange signifies a changeover is taking place (while it rebuilds the disk information), and green means disk quotas are enabled. A textual representation of the status is shown on the right of the image. Check “Deny disk space to users exceeding quota limit” to have Windows restrict users from adding more data to their allocated disk space when the quota limit has been reached. Users will be unable to add more data until some space is freed up. As you can see from Figure 3 above, the quota limit for new users is greyed out. This is because we have already set it from the group policy, which overrides any customizable settings on the quota tab of a volume. In this case we have limited the user’s disk space to 500MB and set a warning level of 450MB. You may choose not to limit disk usage and just enable quotas to track disk space usage on a per volume basis by leaving the “Deny disk space to users exceeding quota limit” checkbox unchecked and logging a warning when a user exceeds the warning level defined as part of the quota limit. Whenever a user exceeds this limit a Warning event will be written to the Application Event Log and shown in the Event Viewer.

Figure 4: A warning event log for disk quotas

As per http://support.microsoft.com/kb/915182 there is a known issue in the pre-service pack version of Windows 2003 in that the Warning event is incorrectly shown as an Information event in Event Viewer. In the Quota Entries application, however, it is correctly displayed as a Warning. When you press the Apply button on the Disk Quota Properties Dialog you are notified that the volume will be rescanned to update the statistics and that this operation may take several minutes. Simply press OK to continue and have disk quotas enabled on that volume.

Quota Entries
Click the Quota Entries button on the Disk Quota Properties Dialog to view a list of individual disk quota entries. From this section you can create, delete and manage quota entries for specific users or groups. If a user requires more space than others then you can set this from here.

Go to Quota > New Quota Entry and the Active Directory User Picker will appear. Choose a user from Active Directory and press OK. You will be given the option to limit disk space and set a warning level or not limit disk usage at all.

Figure 5: Adding a new quota entry

Once you have chosen your preferred settings, press OK and the user will be added to the list. You can monitor a user’s disk usage by looking at the properties of each of the columns. ‘Status’ indicates whether the user is within their limit, if a warning has been logged or if the limit has been exceeded; the icon will change accordingly.

Implementing Access-Based Enumeration in Windows Server 2003
That's the whole rationale behind Access-Based Enumeration (ABE), a new technology included in Windows Server 2003 R2. (ABE was actually first included in Service Pack 1 for Windows Server 2003, but this service pack forms the basis of the R2 version of the platform.) What ABE does is just what Windows admins have always been wishing Windows file servers would do—hide files and folders from users who don't have access to them. In other words, with ABE enabled and configured for the BUDGETS share, Bob can try browsing the BUDGETS folder using My Network Places, but when he looks inside BUDGETS he doesn't see anything there—his NTFS permissions on the files and folders present don't allow him to access these items, so they're not even visible to him. Note that this behavior is the same regardless of whether you explicitly assign a Deny ACE to Bob while granting Allow to the Users group, or whether you remove the ACE for Users and grant an Allow ACE only to groups of users that need it (groups that don't include Bob as a member) and have no ACE at all for Bob.

The result? If ABE had been available to me to use back in the old NT 4 days, only senior management and HR personnel would have known about the existence of the Layoffs folder within the HR share, and no one but these personnel would have known about the existence of a document named NextMonthsLayoffs.doc. In other words, with ABE there wouldn't have been rumors of impending layoffs flying about—unless they were started by HR personnel or by a manager of course!

Installing and Enabling ABE
When I say that ABE was included with Windows Server 2003 R2 (or SP1), I also need to explain that in order to use ABE you still need to download and install something on your file server. This something is a component that provides a user interface (both graphical and command-line) that allows you to enable and configure ABE on your server. You can download this component here from the Microsoft Download Center, but make sure you download the correct version depending upon your processor platform (x86, AMD64 or IA64). Once you've downloaded the appropriate Windows Installer package, install it on all R2/SP1 file servers you want to enable ABE functionality on. Installing the ABE user interface component is a straightforward process (Figure 1):

Figure 1: Installing the ABE user interface

The only significant decision you need to make during the install process is whether you want to automatically enable ABE retroactively on all existing shared folders on your server, or whether you prefer to configure this manually later on a per-folder basis (Figure 2):

Figure 2: Deciding whether to retroactively configure ABE on existing shares or not

Note that choosing the first option in Figure 2 doesn't mean that future shares you create will automatically have ABE enabled on them—you still have to manually configure ABE on future shares you choose to create on your server. Once the ABE user interface is installed on your server, opening the properties sheet for a shared folder will display a new tab for enabling ABE on that share (Figure 3). Note that this tab won't appear on the properties sheets of folders that haven't yet been shared.

Figure 3: The ABE tab on the properties sheet for a shared folder

Select the first checkbox in Figure 3 to enable ABE on the shared folder. (Select the second checkbox to do the same to all existing shares on your server.) It's basically as simple as that. To check that ABE is working, compare Figure 4 below, which shows what Bob would see when he browsed the BUDGETS share from his XP machine before ABE is enabled on this share, with Figure 5 showing the same view on Bob's computer after ABE is enabled on the share.

Figure 4: Before ABE is enabled on BUDGETS, Bob can see everything in it—even if he has Deny ACE on all items present
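The visibility rule the article spells out (an explicit Deny ACE and the plain absence of an Allow ACE both hide an item once ABE is on) can be modelled directly. The code below is an added example, not the ABE component's own logic or code from the article; the users, groups, file names and ACLs are constructed, and permission evaluation is reduced to a single read right.

```python
"""Model of the visibility rule behind Access-Based Enumeration: with ABE on,
a user sees only the items their NTFS permissions let them read, whether the
rest carry an explicit Deny ACE for them or simply no Allow ACE that covers
them.

Added example, not from the article. Users, groups, file names and ACLs are
constructed, and ACL evaluation is reduced to a single 'read' right.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Ace:
    principal: str   # user or group the entry applies to
    allow: bool      # True for an Allow ACE, False for a Deny ACE


def can_read(acl: List[Ace], user: str, groups: Set[str]) -> bool:
    """Windows orders explicit Deny entries ahead of Allow entries, so a Deny
    matching the user or any of their groups wins; without any matching
    Allow the answer is also no (implicit deny)."""
    identities = {user} | set(groups)
    if any(not ace.allow and ace.principal in identities for ace in acl):
        return False
    return any(ace.allow and ace.principal in identities for ace in acl)


def enumerate_share(share: Dict[str, List[Ace]], user: str,
                    groups: Set[str], abe_enabled: bool) -> List[str]:
    """Directory listing as the user sees it over the network."""
    if not abe_enabled:
        return sorted(share)        # pre-ABE behaviour: every name is listed
    return sorted(name for name, acl in share.items()
                  if can_read(acl, user, groups))


# Constructed BUDGETS share. Bob is a member of Users only.
BUDGETS: Dict[str, List[Ace]] = {
    # Users may read, but Bob carries an explicit Deny ACE.
    "Q3-forecast.xls": [Ace("Users", True), Ace("Bob", False)],
    # No ACE for Users or Bob at all: only the named groups are allowed.
    "Layoffs": [Ace("Senior Management", True), Ace("HR", True)],
    # Readable by everyone in Users.
    "ExpensePolicy.doc": [Ace("Users", True)],
}
```

Calling `enumerate_share(BUDGETS, "Bob", {"Users"}, abe_enabled=False)` lists all three names while the same call with `abe_enabled=True` returns only `ExpensePolicy.doc`, which is the before/after contrast Figures 4 and 5 illustrate.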

Configuring a Virtual Server
Before you can deploy a virtual server, the first thing that you will have to do is to download a copy of the Virtual Server software. Microsoft Virtual Server 2005 R2 Enterprise Edition is available for free. Please be aware that there is both a 32-bit version and a 64-bit version available. You must download the version that matches your server’s existing Windows operating system.

After downloading Virtual Server, you must verify that IIS is installed and running on the server. After doing so, double click on the file that you have downloaded to begin the installation process. When the Microsoft Virtual Server 2005 R2 Enterprise Edition splash screen appears, click the Install Microsoft Virtual Server 2005 R2 button. At this point, you will be prompted to accept the software’s end user license agreement. After doing so, click Next and enter your user name and organization name. Click Next one more time and you will be asked if you would like to perform a complete installation or a custom installation. Select the Complete option and click Next.

Since Virtual Server is a Web application, you will be asked what port you want to access it through. I recommend using the default port number (1024). In most cases, you should also use the option to configure the administration Web site to always run as the authenticated user. Click Next and you will be asked if you would like to enable Virtual Server exceptions in Windows Firewall. Assuming that the virtual servers will be accessed from across the network and not just locally from the physical server that you are working with, you will need to enable these exceptions.

Clicking Next, followed by Install and Setup, will copy the necessary files to the server. When the installation process completes, Setup will provide you with a link to Virtual Server’s Web Interface. I recommend clicking on this link and then adding the URL to your Web browser’s Favorites list. If you plan on accessing the Virtual Server management console directly from the server then I recommend disabling Internet Explorer’s Enhanced Security Configuration.

Creating a Virtual Machine
Now that Virtual Server is up and running, it’s time to create a virtual machine. I recommend starting out by defining a virtual hard disk. To do so, select the Create command found in the Virtual Disks section of the management console. You can create a fixed size virtual hard disk or a dynamically expanding virtual hard disk. Just pick the option that is the most appropriate for the virtual server that you are deploying. To create a virtual hard disk, select a location from the Location drop-down list, shown in Figure A, and then enter a disk file name in the place provided. I recommend using a name that is descriptive of the disk’s purpose. The default disk size is 16 GB, but you can set the size to anything that you want. Click the Create button to create the virtual hard disk.

Figure A: Begin by creating a virtual hard disk

After creating a virtual hard disk, click the Create option found in the virtual server management console’s Virtual Machines section. When you do, you will see a screen that’s similar to the one that’s shown in Figure B.

Figure B: This is the interface that you will use to create a virtual server

Begin the process by entering a name for the virtual machine that you are creating. The name should be as descriptive as possible. For example, I have a Windows Server that’s hosting a handful of virtual machines. On my server, I use descriptive names that reflect the server’s operating system and purpose. After entering a name for the virtual server, you must enter the amount of memory that will be available to the virtual server. Keep in mind that your server has a finite amount of memory available. You must enter an amount of memory that is sufficient for the virtual server’s use, but that will still leave adequate memory for the underlying operating system and for any virtual machines that may eventually be running simultaneously with the virtual machine that you are creating. The next thing that the interface asks you about is the virtual hard disk. You have already created a virtual hard disk, so just select the option to use an existing virtual hard disk and then select the virtual hard disk that you created earlier. The last thing that you must select is which network adapter you want the virtual machine to use to connect to your network. You do however have the option of isolating the virtual machine from the network if you so desire, by selecting the Not Connected option. Click the Create button and the virtual machine will be created.

Using your Virtual Machine
Now that you have created a virtual machine, you must install an operating system onto it. When the machine creation process completes, you will be taken to the screen shown in Figure C. Insert the operating system installation media into your CD / DVD drive and then click the thumbnail that’s shown in the figure. When you do, Windows will turn the virtual server on. It’s worth noting that when you power up the virtual machine, the screen that’s shown in Figure C comes alive with various performance statistics, as shown in Figure D.

Figure C: This is the screen that you will see after creating a virtual server

Figure D: This is what it looks like when you power up a virtual server

As you can see in Figure D, you are supposed to be able to click on the virtual machine’s thumbnail to be able to access the virtual machine’s console. However, you still have a little bit of setup work to do before you can actually view your virtual machine. Specifically, you must install the Virtual Machine Remote Control ActiveX component. To do so, just click on the thumbnail as if you were attempting to access your virtual machine. When you do, you will see the screen shown in Figure E. There are lots of options that you can set, but if you are looking to just access your virtual server with a minimum of effort, then just select the Enable button and click OK. When you do, you will see the yellow bar appear at the top of the browser window, telling you that you need to click on the bar to install the ActiveX Control. Click on the bar and follow the prompts, and you are in business. The virtual session will look something like what you see in Figure F.

Figure E: Select the Enable check box and click OK

Figure F: Notice that Windows is running inside of a Web browser

Troubleshooting File System Problems
A corrupt or damaged file system can result in various effects ranging from data loss to rendering your system unbootable. Smart IT pros will therefore take steps to maintain their servers' file systems and will know how to systematically troubleshoot disks when things go wrong. This article discusses both preventive disk maintenance and provides some tips for using various tools to maintain and troubleshoot file systems on Windows servers.

Seven Golden Rules for Disk Maintenance
Let's begin with a proactive approach to file system maintenance. What steps should an administrator take to help prevent file system problems from happening in the first place? Here are my seven golden rules on the subject, in no particular order:

1. Upgrade your servers to Windows Server 2003. There's real value in doing this as far as disk maintenance is concerned, for example:

- The chkdsk command in Windows Server 2003 runs a lot faster than the Windows 2000 version of this utility, plus it can fix things like a corrupt Master File Table (MFT) that the previous version of the utility would choke on.
- Powerful new command-line tools like DiskPart.exe, Fsutil.exe and Defrag.exe give you more flexibility for managing disks from the command line instead of the GUI. These tools can be scripted to automate common disk management tasks you need to perform on a regular basis.
- The new Automated System Recovery (ASR) feature greatly simplifies the task of restoring your system/boot volume in the event of catastrophic disk failure.

2. Use hardware redundancy. RAID 1 disk mirroring lets you recover from catastrophic system volume failure with zero downtime, while RAID 5 is a great way of protecting your data volumes. Windows servers include support for built-in software RAID but you'll get better performance and true hot-swap redundancy by investing more money and buying a hardware RAID controller for your system instead. Don't forget though, keep a few spare drives handy so you can swap them during an emergency—redundancy is useless if you don't have the redundant hardware around to use it. Note that if you do choose to go with the software RAID provided by Windows, mirroring your boot and system volumes requires that these volumes be one and the same, i.e. one volume is both your boot volume (contains operating system files) and your system volume (contains hardware-specific boot files).

3. Use a good antivirus program. Viruses can be nasty, and one of the things they can do when they infect a machine is to corrupt the Master Boot Record (MBR) and other critical portions of your hard drives. Not only should you have AV installed on your servers, you should also avoid risky behaviors such as running scripts from untrusted sources, browsing the web, and so on. These are just the kinds of behavior that can lead to infecting your system, so avoid doing things like this on your production servers.

4. Defragment your file systems on a regular basis. This is especially important on servers on which a high number of transactional operations occur, as the file systems can quickly become fragmented, dragging down the performance of applications running on your server. To perform a successful defrag you should really have at least 15% free space left on your disk, so make sure you don't let critical system or data disks fill up too much or they'll be harder to maintain. The new command-line Defrag.exe tool of Windows Server 2003 is useful here since you can schedule regular running of this tool during off-hours using the Schtasks.exe command instead of having to defrag manually or buy a third-party defrag tool.

5. Run chkdsk /r on a regular basis. This command finds bad sectors on your disk and tries to fix them by recovering data from them and moving it elsewhere. You can run this command either from a command-prompt window or from the Recovery Console if you can't boot your system normally. Remember that when you try and run chkdsk.exe on your system or boot volume, Windows configures autochk.exe (the boot version of chkdsk.exe) to run at your next reboot. This means you'll need to schedule downtime for your server when you perform this kind of maintenance so that autochk.exe can run.

6. Check your event logs regularly for any disk-related events. Windows sometimes determines on its own when a disk is "dirty", i.e. there are file system errors present on it. In that case, Windows automatically schedules autochk.exe to run at the next reboot, but it also writes an event to the Application log using either the source name "Chkdsk" or "Winlogon". So filter your Application log to view these kinds of events on a regular basis, or collect them using Microsoft Operations Manager (MOM) or whatever other systems management tool you use on your network.

7. Back up all your volumes regularly. As a last recourse in the event of a disaster, having working backups of both your system/boot volume and data volumes is critical. ASR in Windows Server 2003 makes backing up the boot/system volume easier, while backing up your data volumes can be done using the Windows Backup (ntbackup.exe) tool or any other backup tool such as one from a third-party vendor. Whatever way you choose to back up your system, do it regularly and verify your backups to ensure you can recover your system using them.

I should also add an eighth and final rule as well:

8. (the Platinum rule) If your disk starts to make funny sounds, don't ignore them—do something. Disk failure is often preceded by funny sounds emanating from your computer. These clicking, scraping, screeching, or other types of sounds mean trouble, so when you hear them it's time to make sure you've got a recent backup and a spare disk handy just in case. And it's also time to check your event logs, run chkdsk /r, and use other maintenance and troubleshooting tools to check the health of your disks. Don't ignore these funny sounds!

Tips for Troubleshooting
While a proactive approach to maintaining disks and their file systems is important, it's also inevitable that disasters will occur and you'll need to react to them appropriately. Here are some tips for using one of the key maintenance tools for disks and file systems that is included with Windows Server 2003, namely Chkdsk.exe:
• Make sure you know you have a good recent backup before you run chkdsk.exe.
• Never interrupt Chkdsk.exe while it's doing its job.
• Make sure you have enough time during your maintenance downtime window to run Chkdsk.exe—on very large volumes this command can take a long time to finish its work.
• To speed up the operation of Chkdsk.exe on very large volumes, you can run it in a "light" form by specifying chkdsk drive_letter /f /c /i before you try running the slower chkdsk /r.
• Chkdsk.exe can't run on the boot/system volume when Windows is running, and it also can't run on data volumes when file handles are open on the volume. This is because in both of these situations Chkdsk.exe is unable to lock the volume for its exclusive use. In these cases, Chkdsk.exe will be scheduled to run at the next system restart.
• If you think your volume may be dirty but you don't want Autochk.exe to run when it reboots—for instance, if your server is heavily used and you can't afford the downtime while Autochk.exe runs—you can use the Chkntfs.exe command to first determine whether the volume is dirty or not, and second to find out whether Autochk.exe is currently scheduled to run at the next restart. If you determine that the volume is dirty and Autochk.exe is scheduled to run at next restart, you can delay running Autochk.exe using the chkntfs /d command. Note however that doing this is risky—if your volume is dirty you should deal with it as soon as possible and not procrastinate.
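The scheduled off-hours defrag from rule 4 and the Chkntfs.exe dirty-bit check from the tips above, wrapped in one maintenance script. This is an added example, not code from the original article; it assumes the Windows Server 2003 versions of Schtasks.exe, Defrag.exe and Chkntfs.exe and English-language command output, since the findstr keyword matching depends on it.

```batch
@echo off
REM disk-maint.cmd - added example, not code from the original article.
REM Schedules the off-hours defrag from rule 4 with Schtasks.exe and reports the
REM dirty bit / pending Autochk.exe as described in the Chkntfs.exe tip above.
REM Assumes Windows Server 2003 tools and English command output (the findstr
REM keyword matching depends on it). Usage: disk-maint.cmd D:
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<drive:^>
    exit /b 1
)
set VOL=%~1
set DL=%VOL:~0,1%

REM 1. Weekly defrag at 02:00 on Sunday, running as SYSTEM (no password prompt).
REM    Task names cannot contain ":", so the task is named by bare drive letter.
REM    XP/2003 Schtasks.exe expects HH:MM:SS for /st.
schtasks /query | findstr /i /c:"Defrag %DL%" >nul
if errorlevel 1 (
    schtasks /create /tn "Defrag %DL%" /tr "%SystemRoot%\system32\defrag.exe %VOL%" ^
        /sc weekly /d SUN /st 02:00:00 /ru SYSTEM
) else (
    echo Scheduled task "Defrag %DL%" already exists.
)

REM 2. Dirty bit. The clean output "is not dirty" does not match the literal "is dirty".
chkntfs %VOL% | findstr /i /c:"is dirty" >nul
if not errorlevel 1 (
    echo WARNING: %VOL% is dirty. Plan a maintenance window for chkdsk %VOL% /f /c /i
    echo          and, once that passes, the slower chkdsk %VOL% /r.
) else (
    echo %VOL% is not dirty.
)

REM 3. Is Autochk.exe already queued to run at the next restart?
chkntfs %VOL% | findstr /i "scheduled" >nul
if not errorlevel 1 echo NOTE: Autochk.exe is scheduled for %VOL% at the next restart.
endlocal
```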

Troubleshooting Group Policy Processing

Start With The Basics
Before you start running various Group Policy troubleshooting tools and techniques, however, take a moment to step back and ask some simple questions. This phase of the troubleshooting process is based on the motto that a minute of thinking is worth an hour of brute-force effort. Below are some simple questions you should ask yourself before you dive into the troubleshooting process.

1. Should the policy be applied to the affected users and computers? That’s a great question to begin with, isn’t it? Say a user comes to you and says he can’t install a certain application by invoking a shortcut on the Start menu. His neighboring workers can do this, but his machine must be broken because he doesn’t have the shortcut for that program. So he complains and you scratch your head wondering why the software installation policy that installs this program isn’t being applied to that user. But should it apply in the first place? What does the user mean by his “neighboring workers”? Maybe other employees on the same floor but belonging to a different department, and while users in that department need that particular program, the complaining user doesn’t and perhaps shouldn’t have access to the program. So actually Group Policy is working just fine in this situation—it’s the user that’s broken! Users are particularly envious of other users’ privileges, and this sort of thing happens a lot in some companies. The key troubleshooting question here is “Who should this policy apply to?”

2. What is common to the users or computers to whom the policy is not being applied? This question is applicable if several people or machines aren’t getting the policy they’re supposed to receive. Five people in the Marketing Department come to you and complain that they can’t access Control Panel anymore from the Start menu. What does this tell you? Check the GPO linked to the OU for Marketing users and see whether the policy “Prohibit access to the Control Panel” is Enabled (this policy is found under User Configuration\Administrative Templates\Control Panel). If this policy is Disabled or Not Configured, check GPOs linked to parent OUs of Marketing or linked to the domain and see whether security filtering is mistakenly configured so that users in the Marketing security group have this policy applied.

3. When did users start complaining about the issue? Was it immediately after you made some change to your Group Policy settings, for example by creating and linking a new GPO to an OU? That should tell you something right away. Or did it happen when you made some administrative change to Active Directory, for example moving some computer accounts out of the default Computers container into an OU created specially for such accounts? In this case, the computer accounts were previously receiving their policy from domain-linked GPOs, but now any GPOs linked to the new OU will affect them as well. Or did the complaints start coming out of the blue with no warning, and you’ve made no changes to any GPOs for several months? In that case something else is interfering with Group Policy processing for the affected users or computers, and you’ll need to use some of the tools described below to try and find the cause. Or maybe users haven’t been complaining to you at all.

4. When did you actually configure the policy in question? In this situation what happened is that you configured a policy and then checked with the targeted users to see if the policy has been applied, and it hasn’t. Well, don’t forget that Group Policy refreshes in the background only periodically, so maybe everything is fine and you just have to wait a while for Group Policy to refresh itself automatically. Or maybe the policy you configured is one that can’t be applied during background refresh and requires the user to log off and on again or to restart their machine. Examples of such policies include those for software installation, folder redirection, and scripts. In that case, to ensure the new policy is processed you’ll have to wait until users log off at the end of the day, send them an email asking them to log off and then on again, or forcibly reboot their machines remotely and face their wrath if they lose any of their work. Or maybe you configured a folder redirection policy and users rebooted their machines and the policy is still not applied. In that case asking the earlier question “What do they have in common?” might reveal that the affected users all work at a remote site and receive their policy over a WAN connection from domain controllers at company headquarters. In that case, slow link processing for Group Policy may have come into effect, which can again prevent certain kinds of policy from being processed due to the bandwidth constraints of WAN links.

Bring On The Tools
Once you’ve asked these preliminary questions, which are essential as they can often pinpoint the problem exactly, and usually at least help to narrow the scope of what you need to investigate, it’s time to start testing things using tools ranging from ping to userenv logging. It’s difficult to cover such a broad topic in a short article, so I’ll just give you some tips to point you in the right direction:

1. Check the network connection for the affected machine. Maybe it’s not just Group Policy processing that’s not working; maybe the affected user can’t even connect to the network because the network cable for her computer is unplugged! It’s amazing how something as simple as this can be the source of what seems at first to be a complex problem. Group Policy is quite complicated in how it operates, and an understanding of how it works can help you pinpoint problems more easily. For a good explanation of how Group Policy works, see the new Group Policy Guide from Microsoft Press, which is part of the recently released Microsoft Windows Server 2003 Resource Kit. I worked as tech editor on this title, and it’s an excellent resource on all things Group Policy that Windows administrators should be sure to have on their bookshelf.

2. Check if the affected machines can correctly perform DNS resolution. Probably half of all Group Policy processing issues are related to DNS problems such as corrupt resource records on DNS servers, misconfigured DHCP options on DHCP servers, users changing DNS settings on their machines, and so on. Remember that to process Group Policy a computer must first obtain a list of GPOs that apply to it. To do this, it needs to query a domain controller. And to locate a domain controller, it needs correct client DNS settings so it can obtain SRV records by querying the DNS server. So if DNS is broken, then Group Policy is also. Tools for verifying and testing DNS include ipconfig, nslookup, netdiag, and Network Diagnostics in Help and Support.

3. If you’re using the Group Policy Management Console (GPMC) to work with Group Policy, run the Group Policy Results wizard, specifying an affected user and computer on the wizard pages. This will query WMI on the affected machine and create an HTML report that displays which GPOs have been processed and which policy settings have been applied. You can save these reports and view them on any machine using Internet Explorer, and it’s a great way to troubleshoot Group Policy issues. An alternative to using the wizard is to run the command-line tool Gpresult.exe on the affected machine; see the article by Brien Posey on this topic right here on WindowsNetworking.com.

In addition to generating RSoP reports, the GPMC can also help you troubleshoot Group Policy problems in other ways. For example, if you right-click on a GPO you can select Save Report to generate an HTML report showing all the configured settings in the GPO. This makes it simple to find out what effect a particular GPO actually has on the accounts in the container it’s linked to—a heck of a lot easier than opening the GPO in the Group Policy Object Editor and expanding all the nodes to see what policies are configured. Another benefit of the GPMC over the out-of-the-box Group Policy tools included with Windows Server 2003 is that you can easily see which GPOs are linked where and which GPOs are disabled, which containers have inheritance blocking configured on them, which GPO links are enforced, and so on. Get the GPMC today from Microsoft’s website and use it for managing Group Policy on your network.
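Steps 1 to 3 above as a single script run in the affected user's session, as an added example rather than anything from the article. It relies on the LOGONSERVER and USERDNSDOMAIN variables that a domain logon sets, on the standard _ldap._tcp.dc._msdcs SRV name clients use to locate a domain controller, and runs Netdiag.exe only if the Support Tools are installed in their default folder.

```batch
@echo off
REM gp-triage.cmd - added example, not code from the original article.
REM Walks the first three tool-based checks above on the affected machine:
REM   1. can we reach the DC that authenticated this logon (network)?
REM   2. can we resolve the SRV records that locate a DC (DNS)?
REM   3. what does Gpresult.exe say was applied, filtered or denied (RSoP)?
REM Run in the affected user's logon session so LOGONSERVER/USERDNSDOMAIN exist.
setlocal
if not defined LOGONSERVER (
    echo LOGONSERVER is not set - run this in the affected user's logon session.
    exit /b 1
)
set OUT=%TEMP%\gp-triage_%COMPUTERNAME%_%USERNAME%.txt
echo Group Policy triage for %USERNAME% on %COMPUTERNAME% > "%OUT%"

REM 1. Basic connectivity. %LOGONSERVER% looks like \\DC1; drop the backslashes.
set DC=%LOGONSERVER:~2%
echo --- ping %DC% >> "%OUT%"
ping -n 2 %DC% >> "%OUT%"
if errorlevel 1 echo WARNING: cannot reach logon server %DC% - check cable/IP first.

REM 2. DNS. Clients find DCs through SRV records; no SRV answer means no GPO list.
echo --- ipconfig /all >> "%OUT%"
ipconfig /all >> "%OUT%"
echo --- SRV lookup for a domain controller >> "%OUT%"
nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN% >> "%OUT%" 2>&1
if exist "%ProgramFiles%\Support Tools\netdiag.exe" (
    echo --- netdiag /test:dns >> "%OUT%"
    "%ProgramFiles%\Support Tools\netdiag.exe" /test:dns >> "%OUT%"
)

REM 3. Resultant Set of Policy: applied GPOs plus those filtered out and why.
echo --- gpresult /v >> "%OUT%"
gpresult /v >> "%OUT%"

echo Report written to "%OUT%" - compare the applied GPO list with what the
echo GPMC says should reach this user and computer.
endlocal
```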

How to: Disable the Shutdown Event Tracker in Windows 2003

Introduction
"The Shutdown Event Tracker is a Microsoft Windows Server 2003 and Microsoft Windows XP feature that you can use to consistently track the reason for system shutdowns. You can then use this information to analyze shutdowns and to develop a more comprehensive understanding of your system environment." (microsoft.com)

The idea behind the Shutdown Event Tracker is that a server isn’t meant to be restarted or shut down regularly. Therefore, when it is, administrators should keep a log of exactly why the machine was powered down. Essentially, this can be a good thing since it allows you to store a database of shutdown events for future reference. For some people, especially those that use Windows 2003 as a client operating system or in a test environment - where restarting or shutting down a machine can be a common procedure - it might get to be quite annoying.

Note: This feature does come with Windows XP Professional as well, but is disabled by default.

When you click on Shut Down… from the Start menu, the Shutdown Event Tracker pops up asking whether you want to Log Off, Restart or Shut down the computer.

Note: When logging off, the Shutdown Event Tracker is grayed out.

If you decide to Shut down or Restart the machine, you will be given seven Shutdown Event Tracker options to choose from. These allow you to best describe why the computer is to be shut down or restarted. You can also add a comment in the Comment box, which is very useful for helping you to determine the reason for the shutdown later. The following are the seven event tracker options available, and an example of what might normally be written in the Comment box.

• Other (Planned) – A shutdown or restart for an unknown reason. This is usually chosen when the other options do not describe why a shutdown or restart of the machine is taking place. Comment: Shut down virtual test machine. Time to go home!
• Hardware: Maintenance (Planned) – A restart or shutdown to service hardware on the system. Choose this option when you want to carry out planned maintenance on the machine’s hardware. Comment: Change Serial ATA cable.
• Hardware: Installation (Planned) – A restart or shutdown to begin or complete hardware installation. Choose this option when you plan to upgrade or install additional hardware on the machine. Comment: Install a new 200GB hard drive.
• Operating System: Reconfiguration (Planned) – A restart or shutdown to change the operating system configuration. This option is for when you have made operating system changes that require a restart or shutdown of the machine, for example when you rename a computer or install an additional component. Comment: Installation of DNS Server Service.
• Application: Maintenance (Planned) – A restart or shutdown to perform planned maintenance on an application. This option would be chosen when a planned upgrade or reconfiguration of an application took place. Comment: Upgraded to ISA 2004 Service Pack 1. Restart required.
• Application: Installation (Planned) – A restart or shutdown to perform application installation. Choose this option when a planned installation of a new application has taken place. Comment: Installed SQL Server 2000. Restart required.
• Security issue – The computer needs to be shut down due to a security issue. This option would be chosen when the machine needs to be restarted or shut down for security reasons. Comment: DOS Attack.

Viewing Shutdown Event Tracker events
To view previous Shutdown Event Tracker event logs, go to the Event Viewer (Start > Programs > Administrative Tools > Event Viewer, or Control Panel > Administrative Tools > Event Viewer) and under the System Log, search for Information events with ID 1074 or 1076. Double-click the event to bring up the Event Properties page. Note: 1074 events are logged when you manually shut down the machine using the Event Tracker. 1076 events are logged when the machine shuts down unexpectedly and the Event Tracker pops up when the Administrator (or the first user with shutdown rights) logs on to the machine.

As you can see in the image above, the Description indicates the reason for the shutdown, the time, the user that initiated the shutdown, as well as the comment that was typed in the Comment box.
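Pulling the events this section and rule 6 of the disk-maintenance list both say to watch for (System log IDs 1074 and 1076 from the Shutdown Event Tracker, Application log entries from source Chkdsk or Winlogon) with Eventquery.vbs, which ships with Windows Server 2003 and Windows XP Professional. This is an added example, not code from the original articles; the optional remote computer argument is my own addition.

```batch
@echo off
REM event-check.cmd - added example, not code from the original articles.
REM Collects, with Eventquery.vbs, the two kinds of events the text says to watch:
REM   * Application log, source Chkdsk or Winlogon: Windows flagged a dirty volume
REM     and queued Autochk.exe (Winlogon also records the Autochk results).
REM   * System log, ID 1074 (Shutdown Event Tracker reason for a manual shutdown)
REM     and ID 1076 (reason entered after an unexpected shutdown).
REM Optional argument: a remote computer name; the default is this machine.
setlocal
set EQ=cscript //nologo %SystemRoot%\system32\eventquery.vbs
set TARGET=
if not "%~1"=="" set TARGET=/S %~1
set OUT=%TEMP%\event-check_%COMPUTERNAME%.txt

REM /R 20 = the 20 most recent matches. /FO LIST /V includes the Description,
REM which for 1074/1076 carries the reason, shutdown type, user and comment.
echo --- Application log: source Chkdsk > "%OUT%"
%EQ% %TARGET% /L Application /FI "Source eq Chkdsk" /R 20 /FO LIST /V >> "%OUT%"
echo --- Application log: source Winlogon >> "%OUT%"
%EQ% %TARGET% /L Application /FI "Source eq Winlogon" /R 20 /FO LIST /V >> "%OUT%"
echo --- System log: Shutdown Event Tracker 1074 (manual shutdown) >> "%OUT%"
%EQ% %TARGET% /L System /FI "ID eq 1074" /R 20 /FO LIST /V >> "%OUT%"
echo --- System log: Shutdown Event Tracker 1076 (unexpected shutdown) >> "%OUT%"
%EQ% %TARGET% /L System /FI "ID eq 1076" /R 20 /FO LIST /V >> "%OUT%"

echo Report written to "%OUT%". Any Chkdsk entry means a volume was found dirty;
echo any 1076 entry means the box went down without anyone choosing a reason.
endlocal
```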

Disable the Shutdown Event Tracker
If the event tracker is of no use to you then you can disable it. To do this, open the Group Policy Object Editor Console. Go to Start > Run…, type gpedit.msc and press OK. Navigate to Computer Configuration > Administrative Templates > System and in the right hand pane, select the “Display Shutdown Event Tracker” setting.

Double Click this setting to open the Properties page. You are now given the option to leave it in a default state of Not Configured, set it to Always Enabled, Enabled for Servers/Workstations (Windows XP Pro) or Disabled completely (as the image below demonstrates).

Note: When you enable the Group Policy for Server only, the Shutdown Event Tracker appears when you shut down a computer running Windows 2003, whereas for Workstation only, the Shutdown Event Tracker appears when a computer running Windows XP Professional is shut down. After you make the change to the Group Policy, open the Command Prompt and run the gpupdate /force command to refresh the policy and apply your settings straight away. Alternatively you can just restart the machine. When you next attempt to shut down or restart the machine, the Shutdown Event Tracker will no longer be visible and the normal shutdown prompt will appear (as seen in the image below).

How to Implement Group Policy Security Filtering

Understanding Security Filtering
Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them. These ACLs contain a series of ACEs for different security principals (user accounts, computer accounts, security groups and built-in special identities), and you can view the default ACL on a typical GPO as follows:
1. Open the Group Policy Management Console (GPMC).
2. Expand the console tree until you see the Group Policy Objects node.
3. Select a particular GPO under the Group Policy Objects node.
4. Select the Delegation tab in the right-hand pane (see Figure 1).

Figure 1: Viewing the ACL for the Vancouver GPO using the Delegation tab

For a more detailed view of the ACEs in this GPO ACL, click the Advanced button to display the familiar ACL Editor (Figure 2):

Figure 2: Viewing the ACL for the Vancouver GPO using the ACL Editor

An obvious difference between these two views is that the ACL Editor displays the Apply Group Policy permission while the Delegation tab doesn’t. This is because the Delegation tab only displays ACEs for security principals that actually process the GPO, and that implicitly means those security principals have the Apply Group Policy permission set to Allow. More specifically, if you want a GPO to be processed by a security principal in a container linked to the GPO, the security principal requires at a minimum the following permissions:
• Allow Read
• Allow Apply Group Policy

The actual details of the default ACEs for a newly created GPO are somewhat complex if you include advanced permissions, but here are the essentials as far as security filtering is concerned:

Security Principal               Read               Apply Group Policy
Authenticated Users              Allow              Allow
CREATOR OWNER                    Allow (implicit)
Domain Admins                    Allow
Enterprise Admins                Allow
ENTERPRISE DOMAIN CONTROLLERS    Allow
SYSTEM                           Allow

Note that Domain Admins, Enterprise Admins and the SYSTEM built-in identity have additional permissions (Write, Create, Delete) that let these users create and manage the GPO. But since these additional permissions are not relevant as far as security filtering is concerned, we’ll ignore them for now. The fact that Authenticated Users have both Read and Apply Group Policy permission means that the settings in the GPO are applied to them when the GPO is processed, that is, if they reside in a container to which the GPO is linked. But who exactly are Authenticated Users? The membership of this special identity is all security principals that have been authenticated by Active Directory. In other words, Authenticated Users includes all domain user accounts and computer accounts that have been authenticated by a domain controller on the network. So what this means is that by default the settings in a GPO apply to all user and computer accounts residing in the container linked to the GPO.

Using Security Filtering
Let’s now look at a simple scenario where you might use security filtering to resolve an issue in Group Policy design. Figure 3 below shows an OU structure I developed in a previous article. Note that the Vancouver top-level OU has three departments under it defined as second-level OUs, with user and computer accounts stored below these departments in third-level OUs:

Figure 3: Sample OU structure for Vancouver office

Let’s say that of the fifteen users who work in the Sales and Marketing Department in Vancouver, three of them are senior people who have special requirements, for example access to certain software that other people in the department shouldn’t have access to. Such software could be provided to them by publishing it in Add or Remove Programs using a user policy-based software installation GPO. The trouble is, if you link this GPO to the Sales and Marketing Users OU then all fifteen users in the department will have access to it through Add or Remove Programs. But you only want this special group of three users to be able to access the software, so what do you do? You could create another OU beneath the Sales and Marketing Users OU and call this new OU the Senior Sales and Marketing Users OU. Then you could move the user accounts for the three senior employees to this new OU and create your software installation GPO and link it to the new OU. While this approach will work, it has several disadvantages:
• It makes your OU structure deeper and more complicated, making it harder to understand.
• It disperses user accounts into more containers, making them more difficult to manage.

A better solution is to leave your existing OU structure intact and all fifteen Sales and Marketing users in the Sales and Marketing Users OU, create your software installation GPO and link it to the Sales and Marketing Users OU (see Figure 4), and then use security filtering to configure the ACL on the software installation GPO to ensure that only the three senior users receive the policy.

Figure 4: Senior Sales and Marketing Users Software Installation GPO

To filter the software installation GPO so that only users Bob Smith, Mary Jones, and Tom Lee receive it during policy processing, let’s first use Active Directory Users and Computers to create a global group called Senior Sales and Marketing Users that has only these three users as members (see Figure 5):

Figure 5: Membership of the Senior Sales and Marketing Users global group

Note that you can store this security group in any container in the domain, but for simplicity you’ll probably want to store it in the Sales and Marketing Users OU since that’s where its members reside. Now go back to the GPMC with the software installation GPO selected in the left-hand pane, and on the Scope tab of the right-hand pane, remove the Authenticated Users special identity from the Security Filtering section and then add the Senior Sales and Marketing Users global group (Figure 6):

Figure 6: Filtering the GPO so it only targets the Senior Sales and Marketing Users group

That’s it, we’re done! Now when policy is processed for a user account residing in the Sales and Marketing Users OU, the Group Policy engine on the client will first determine which GPOs need to be applied to the user. If the user is a member of the Senior Sales and Marketing Users security group, the following GPOs will be applied in the following order (assuming we haven’t used blocking or enforcement anywhere):
1. Default Domain Policy
2. Vancouver GPO
3. Sales and Marketing GPO
4. Sales and Marketing Users GPO
5. Senior Sales and Marketing Users GPO

If however the user is one of the other twelve (junior) members of the Sales and Marketing Department, then the last policy above (Senior Sales and Marketing Users GPO) will not be applied to them. In other words, the published software will only be made available to Bob, Mary and Tom as desired.
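The same filtering change made from the command line with the sample scripts that install alongside the GPMC (under %ProgramFiles%\GPMC\Scripts), as an added example that is not part of the original article. The GPO and group names are the ones used above; the argument syntax for SetGPOPermissions.wsf and DumpGPOInfo.wsf is from memory and should be confirmed with cscript SetGPOPermissions.wsf /? before you rely on it.

```batch
@echo off
REM gpo-filter.cmd - added example, not code from the original article.
REM Reproduces the Scope-tab change above with the GPMC sample scripts:
REM remove Authenticated Users (the default Read + Apply Group Policy grant) and
REM give the seniors' global group Read + Apply Group Policy instead.
REM Assumes the GPMC sample scripts are present and that the GPO and the group
REM already exist. Script switches are as recalled; check them with /? first.
setlocal
set SCRIPTS=%ProgramFiles%\GPMC\Scripts
set GPO=Senior Sales and Marketing Users GPO
set GROUP=Senior Sales and Marketing Users

if not exist "%SCRIPTS%\SetGPOPermissions.wsf" (
    echo GPMC sample scripts not found in "%SCRIPTS%".
    exit /b 1
)
pushd "%SCRIPTS%"

REM 1. Authenticated Users -> no permission, so the GPO stops applying to every
REM    user in the linked OU. /Replace overwrites the existing entry rather than
REM    adding to it.
cscript //nologo SetGPOPermissions.wsf "%GPO%" "Authenticated Users" /Permission:None /Replace

REM 2. Only the three seniors (via their global group) get Read + Apply Group Policy.
cscript //nologo SetGPOPermissions.wsf "%GPO%" "%GROUP%" /Permission:Apply

REM 3. Verify: the dump lists the trustees and their permission level on the GPO.
REM    Only %GROUP% should now show Apply; the twelve junior users will skip this
REM    GPO during processing exactly as the text describes.
cscript //nologo DumpGPOInfo.wsf "%GPO%"

popd
endlocal
```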

The Power of Security Filtering
The power of security filtering is that it allows us to simplify our OU structure while still ensuring that Group Policy is processed as designed. For example, in my original OU structure for Vancouver (see Figure 3 above) I created separate OUs for three departments in that location, namely the IT Department, Management, and Sales and Marketing. In Toronto however I could have taken a different approach and lumped all my users and computers together like this (Figure 7):

Figure 7: Toronto has a simpler OU structure than Vancouver

Then I could group user and computer accounts in Toronto into global groups like this:
• IT Department Users
• IT Department Computers
• Management Users
• Management Computers
• Sales and Marketing Users
• Sales and Marketing Computers

I could then create GPOs for each group of users and computers in Toronto, link these GPOs to the appropriate container, and use security filtering to ensure they are applied only to the desired security principals (Figure 8):

Figure 8: Using Group Policy to manage users in Toronto

The main downside of this approach is that as you flatten your OU structure you can end up with lots of GPOs linked to each OU, which can make it harder at first glance to figure out which policies are processed by each user or computer unless you examine the security filtering setup in detail.

Optimizing Group Policy Performance
In my previous article Best Practices for Designing Group Policy, I described how to get Group Policy right from the start by planning your Active Directory structure carefully. The reason is, if you don’t take Group Policy into consideration before you start creating your domains, OUs and sites, you may end up having to employ so-called “advanced” Group Policy features like Block Inheritance, Enforced, or Loopback to make your Group Policy implementation do what you want it to do, and using these features makes troubleshooting more difficult later on. A well-designed Group Policy implementation however can usually get along fine without having to use any of these “advanced” features (apart from the use of security filtering and occasionally WMI filters) and the result is a simple GPO structure that is easy to understand and troubleshoot. Part of Group Policy design however is consideration of end-user experience. In a poorly designed Group Policy implementation, users may experience long delays before the Welcome To Windows box appears inviting them to press CTRL+ALT+DEL to log on, or they may experience additional long delays after they have entered their logon credentials and before their desktop appears so they can begin their work. In fact, long logon delays are usually the most frustrating aspect of a user’s experience as far as Group Policy is concerned, although a close second is when users complain that administrators have locked down their desktops too tightly using Group Policy to the point that users feel they can’t do their jobs properly. Let’s look then at some tips for how Group Policy can be optimized to speed logon performance while still maintaining the level of security an implementation of Group Policy is intended to provide.

A Common Myth
A common myth regarding Group Policy is that the more Group Policy Objects (GPOs) you have, the longer it takes for them to be processed during startup and logon. In fact, a Microsoft Knowledge Base article actually says that “startup and logon times are directly proportional to the number of GPOs that must be processed.” This is somewhat misleading for the following reasons. First, the article is indeed right when it says that startup and logon times can depend on “the number of GPOs that must be processed.” The key word here is “processed.” In other words, it’s not how many GPOs you’ve created on your network that matters, it’s how many GPOs are actually processed during startup or logon that matter. So for example, say you have twenty top-level OUs in your domain and each top-level OU has two lower-level OUs beneath it (one for user accounts and one for computer accounts) and that every OU has a unique GPO linked to it. And let’s say also that you only have one domain-linked GPO (the Default Domain Policy) and no site-linked GPOs. So altogether you will have 20 + 40 + 1 = 61 GPOs, which seems like a lot. But for each particular user/computer combination, the startup/logon process will only see four GPOs processed: the Default Domain Policy, a GPO linked to a top-level OU, and GPOs linked to the two lower-level OUs beneath the top-level OU. More precisely, during startup three GPOs are processed (Default Domain Policy, top-level GPO policy, and computer account GPO policy) while during logon three GPOs are likewise processed (Default Domain Policy, top-level GPO policy, and user account GPO policy). So while you have 61 GPOs, few are actually processed for any particular user or computer. So remember, it’s not how many GPOs you have, but how many are processed that actually matters. Secondly, the statement that startup/logon times are “directly proportional” to the number of GPOs processed is also somewhat misleading.
What actually happens is that if x is the default logon time with no GPOs processed and y is the time to process any one GPO, then total logon time is approximately x+Ny where N is the number of GPOs processed during logon (the same applies to startup but we’ll focus here on logon for simplicity). This formula is only approximate however since the value of y can differ for each GPO. In fact, the more policy settings you’ve enabled or disabled within a GPO, the bigger y is for that GPO. Furthermore, when only a few settings are configured in a GPO, the value of y for that GPO is usually much less than x, and in that case total logon time is just x plus a wee bit longer rather than x+Ny.

The Reality

What really affects logon time then is not how many GPOs are processed but rather how many settings are configured within each GPO. If you have only a few GPOs processed during logon but those GPOs have hundreds of settings configured, with conflicting settings in one GPO overwriting those of another GPO during processing, then users are likely to experience frustrating logon delays—at least when users log on the first time after you’ve configured a large number of settings in a GPO they process during logon. But even with hundreds of settings enabled or disabled in a GPO this might only cause the “Applying your personal settings” box to be displayed for a few additional seconds and thus add only a few seconds to a logon process that usually takes a few seconds anyway, so even having lots of GPOs with lots of settings configured won’t always draw the ire of your users and cause them to complain that “the network sure seems slow today” and so on. What’s even more important than the number of GPOs processed during startup/logon and the number of settings configured in those GPOs is what the settings in those GPOs are designed to do. For example, if you configure a new Folder Redirection setting then users targeted by that setting may experience an initial delay as their folders are redirected to a network file server. Or if you assign software using a GPO then users will experience a startup delay as the new program is installed. But simple security settings or desktop lockdown settings generally don’t cause excessive startup or logon delays for users.

Other Performance Tips
Another thing that can significantly affect startup or logon time is the size of the GPOs being processed. By size of a GPO, I mean the number and size of the administrative templates (.adm files) you’ve imported into your GPOs. For example, if you manage Microsoft Office using Group Policy then you’ve imported some of the Office .adm files into your GPOs, and this can significantly increase the size of the GPOs and hence the time it takes Windows to process them on client machines. So the moral here is, only import such additional .adm files into GPOs that target users and computers which actually need those settings. This is especially true for managing user and computer settings remotely over a slow WAN link, as any way you can minimize the amount of Group Policy processing over WANs can definitely help remote users avoid frustrating delays. Another performance tip that can speed up Group Policy processing is to disable either the User or Computer portion of a GPO if this portion is not needed during processing. For example, if a GPO is linked to an OU that contains only computer accounts and no user accounts, then there’s no reason for the User portion of that GPO to be enabled since no settings configured in that portion will be processed by computer accounts anyway. Similarly, if a GPO is linked to an OU that contains only user accounts and no computer accounts, there’s no reason for the Computer portion of that GPO to be enabled since no settings configured in that portion will be processed by user accounts. To disable the User or Computer portion of a GPO, do the following:

1. Open the Group Policy Management Console (see this article on WindowsSecurity.com for more info) and expand the domain node until you find the GPO link for your GPO.
2. Select the Details tab in the right-hand pane.
3. Click the GPO Status drop-down box and choose whether to disable user or computer settings accordingly (see Figure 1).

Figure 1: Disabling the User portion of a GPO that targets only computer accounts

Another tip for optimizing Group Policy processing is this: use WMI filters judiciously. What I mean is this: WMI filters are a powerful tool that let you target Group Policy to highly specific things. For example, you could create a WMI filter that would apply a certain GPO only to those computers that are running a Pentium III processor, that have 256 MB RAM or less, and so on. While WMI filters make it possible to be incredibly specific in how you target policy, you should realize that executing a WMI filter against a collection of remote machines can take a significant amount of time, so it’s best to avoid using this advanced feature of Group Policy unless you have some absolutely compelling reason to do so.

Finally, if your client machines are running Windows XP Professional then by default they have Fast Logon Optimization enabled (unless you’re using roaming user profiles, in which case this feature is disabled). Fast Logon Optimization makes startup/logon processing of Group Policy behave the same way background refresh of Group Policy does, in other words, asynchronously. The result of having Fast Logon Optimization enabled on Windows XP computers is that users will be able to log on to their computers before Group Policy has finished processing. The reason this feature was introduced in XP was to resolve the issue of long delays users often experienced when they logged on to their Windows 2000 Professional computers. These delays were caused by the fact that Windows 2000 processed Group Policy in a synchronous fashion during startup/logon, which meant that processing of machine policy had to finish before the logon screen was displayed and processing of user policy had to be finished before the user’s desktop appeared. Unfortunately, while Fast Logon Optimization speeds the time it takes for a user to reach their desktop from booting their machine, it can have some negative side effects. Most obviously, if a user reaches their desktop before policy has finished processing, they may be able to briefly do certain things that policy was designed to prevent. For example, you may have enabled a policy to prevent users from accessing Control Panel, but if that policy is applied a few seconds after their desktop appears, they may have a brief window in which they are able to access their Control Panel, which kind of defeats the whole purpose of policy, right? So while Fast Logon Optimization can have a big effect on speeding Group Policy processing, it can also introduce a security risk into your desktop environment by giving users an opportunity to perform actions you don’t want them to perform. For more information on this feature and how to disable it if desired, see this article in the Microsoft Knowledge Base.

Best Practices for Designing Group Policy
This article summarizes best practices for planning the implementation of Group Policy in an Active Directory environment. Topics covered include designing an OU structure to facilitate management by Group Policy, minimizing use of blocking and enforcement, and more. The bottom line with Group Policy is that it’s only as good as your Active Directory design. If you’ve implemented your sites, domains and OUs in the wrong way, Group Policy will be difficult to use and troubleshoot. So the first step in planning how you’re going to implement Group Policy on your network is to plan how you’re going to implement Active Directory itself. Such planning includes decisions like: How many forests you will deploy (one or several)? How many domain trees? Will there be child domains? What kind of OU structure will each domain have? And so on. Each of these decisions should always be made by asking the question: What impact will my decision have on how Group Policy is implemented in my enterprise? Let’s look at some guidelines that can help you design Active Directory effectively as far as Group Policy is concerned.

K.I.S.S.

The first and obvious principle is to “Keep It Simple, Stupid!” or “K.I.S.S.” In the context of Group Policy planning, this means two things:

• If a single domain will meet all your company’s needs, then use only one domain. The reason simply is that the number of Group Policy Objects (GPOs) you will need to create is roughly proportional to the number of domains you have in your forest. While linking a GPO residing in one domain to a container (domain, site or OU) in a different domain does reduce the total number of GPOs you need to deploy, it can have a significant performance impact and shouldn’t generally be done.
• Keep your OU structure relatively simple, for example two or three levels of OUs at most. The reason is similar here to why you should keep your number of domains as low as possible: administrative overhead.

So let’s say you begin your Active Directory design by deciding you’re going to use a single domain (see Figure 1) with two or maybe three levels of OUs within it. That’s a good place to start. What’s next?

Figure 1: Have only one domain if possible

Server OUs

Group Policy isn’t just for managing desktops; it’s also terrific for locking down servers to ensure they’re secure and working properly. And by servers I mean both member servers (which include file servers, print servers, web servers, DHCP servers, and so on) and domain controllers. The best way to lock down domain controllers is to leave them in the default Domain Controllers OU and configure a GPO linked to that OU. There are two ways you can do this:
• Configure the settings in the Default Domain Controllers Policy.
• Create a new GPO, link it to the Domain Controllers OU, and configure it.

Which approach is better? Some experts recommend leaving the default GPO untouched and creating a new GPO and moving it to the top of the link order for GPOs linked to the OU. That way if something goes wrong later you at least have your default GPO in place and untouched. On the other hand, if you run the new Security Configuration Wizard (SCW) of Windows Server 2003 Service Pack 1 on a domain controller, then in addition to other changes it will modify certain settings in the Default Domain Controllers Policy to make your domain controller more secure. So either approach works fine, but personally I prefer the second approach. What about your member servers? The trick here is to realize that the different member server roles are basically incrementally different from a baseline (having no role) member server. So a good approach is to create a top-level Member Servers OU and then beneath it add additional OUs for each role (Figure 2):

Figure 2: OU structure for member servers.

The advantage of this approach is that you can now create a baseline Member Servers GPO that generally secures any member server and link it to the Member Servers OU. That way all of the member servers in child OUs will automatically inherit this policy. Then you can create a Print Servers GPO and link it to the Print Servers OU, a File Servers GPO and link it to the File Servers OU, and so on. These different GPOs linked to child OUs of the Member Servers OU can be used to incrementally harden security for each server role over the basic hardening provided by the Member Servers GPO. Here’s a tip: if you want to find out more about using the above approach to harden servers using Group Policy, read the Windows Server 2003 Security Guide which is available from the Microsoft Download Center. This Guide has terrific suggestions on how to secure different server roles and it’s well worth plowing through its almost 300 pages of content. If you don’t have time to read the whole Guide, check out my blog ITreader.net and click Group Policy under Topics and you’ll find lots of useful information that I’ve culled from my own reading of the Guide as well as other Microsoft resources.

Desktop and User OUs
The OU structure you plan for your domain can depend on various things including your company org chart, branch offices, number of departments, and so on. There’s no hard and fast single best way of designing OUs for a domain, but the following tips can help you avoid problems later on when you start creating GPOs to lock down users and their desktop computers. First off, you should only create an OU if there is some compelling reason for it to exist. For example, if users in the Sales, Marketing, and Reference departments all have similar needs as far as security goes, group their accounts into a single OU instead of three. Then if Sales users have some minor difference in security requirements from the other two departments, you can create and link another GPO to the OU and use security filtering to ensure only members of the Sales group have that GPO setting applied to them. Next, you should try to create your OUs along departmental lines rather than geographical location. That way you can make more effective use of delegation when you need to use it. If you must have geographical OUs, make them the top-level OUs and then create child OUs beneath them for each division or department (Figure 3):

Figure 3: A typical OU structure.

Next, create separate OUs for computer accounts and user accounts (Figure 4). That way you can use separate OUs to lock down machine settings and user settings. Of course, you could achieve the same thing by lumping together computer and user accounts into a single OU, linking two GPOs to that OU, and disabling the machine settings in one GPO and the user settings in the other GPO. But keeping your computer and user accounts in separate OUs will make it easier for you to troubleshoot when Group Policy doesn’t do what you expected, and it makes mistakes in configuring policy less likely also.

Figure 4: Use separate OUs for computer and user accounts.

Also, try to avoid using Blocking, Enforced, Loopback, and other ways of modifying the default Group Policy inheritance order. That’s because using these features can make it really hard to troubleshoot why Group Policy isn’t doing what you intend it to do. If you find you absolutely must use these features in your Group Policy design, you probably haven’t designed your Active Directory structure very well. The one exception to this rule is security filtering, which is a powerful tool that can help make GPO targeting more accurate without complicating the design. I’ll cover security filtering in a future article on WindowsNetworking.com. Finally, avoid making changes to the Default Domain Policy. Instead, create a new GPO, link it to the domain, and configure its settings as needed. But be very careful what you configure in any GPO linked to a domain because any settings you configure will be inherited by all computer and user accounts in all OUs in the domain. So the moral is, wherever possible configure policy at the OU level and not at the domain level, and use domain GPOs only for configuring account policy for the domain.
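The baseline-plus-role server OU layout, the separate computer and user OUs, the advice to disable the unused half of a GPO, and the warning about Blocking and Enforced all rest on the same inheritance rules, which are easiest to reason about with a small model. The following is an added example, not code from the article or from Microsoft: it computes the resultant policy for a target OU from a constructed tree, applying GPOs from the domain down to the OU (closer wins), link order within a container, Block Inheritance, Enforced links, and the per-GPO "user/computer settings disabled" status. Every OU, GPO and setting name in it is made up for the illustration and is not a real policy identifier.

```python
"""Toy resultant-policy calculator over a constructed OU tree.

Models the precedence rules the article relies on: GPOs apply from the
domain down to the target OU (the closer link wins), link order inside a
container (link order 1 wins), Block Inheritance, Enforced links and the
per-GPO "user/computer settings disabled" status. All names and settings
below are constructed sample data, not real policy identifiers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    computer: Dict[str, str] = field(default_factory=dict)  # setting -> value
    user: Dict[str, str] = field(default_factory=dict)
    computer_enabled: bool = True  # False = "Computer configuration settings disabled"
    user_enabled: bool = True      # False = "User configuration settings disabled"


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False


@dataclass
class Container:
    """A domain or OU; links[0] is link order 1, the highest-precedence link."""
    name: str
    parent: Optional["Container"] = None
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def application_order(target: Container) -> List[Tuple[str, GPO, bool]]:
    """(container, GPO, enforced) in the order settings are applied; later entries win."""
    chain: List[Container] = []  # chain[0] is the target OU, chain[-1] the domain
    node: Optional[Container] = target
    while node is not None:
        chain.append(node)
        node = node.parent
    # Block Inheritance stops non-enforced GPOs linked to every ancestor above that container.
    blocked_above = next((i for i, c in enumerate(chain) if c.block_inheritance), None)

    order: List[Tuple[str, GPO, bool]] = []
    # Normal links: domain first, target last; inside a container the lowest link order first.
    for idx in range(len(chain) - 1, -1, -1):
        if blocked_above is not None and idx > blocked_above:
            continue
        for link in reversed(chain[idx].links):
            if not link.enforced:
                order.append((chain[idx].name, link.gpo, False))
    # Enforced links: target first, domain last, so the highest container's enforced GPO wins.
    for idx in range(len(chain)):
        for link in reversed(chain[idx].links):
            if link.enforced:
                order.append((chain[idx].name, link.gpo, True))
    return order


def resultant_policy(target: Container, scope: str = "computer") -> Dict[str, Tuple[str, str]]:
    """Resultant settings for one scope ("computer" or "user"): setting -> (value, winning GPO)."""
    result: Dict[str, Tuple[str, str]] = {}
    for _container, gpo, _enforced in application_order(target):
        enabled = gpo.computer_enabled if scope == "computer" else gpo.user_enabled
        if not enabled:
            continue  # that half of the GPO is disabled, so none of its settings are processed
        for setting, value in (gpo.computer if scope == "computer" else gpo.user).items():
            result[setting] = (value, gpo.name)  # a later (closer or enforced) GPO overwrites
    return result


def build_sample_tree() -> Tuple[Container, Container, Container]:
    """Constructed tree in the article's layout: domain -> Member Servers OU -> Print Servers OU."""
    default_domain = GPO("Default Domain Policy",
                         computer={"MinimumPasswordLength": "8", "AuditLogonEvents": "Success"})
    baseline = GPO("Member Servers Baseline",
                   computer={"AuditLogonEvents": "Success, Failure", "RemoteDesktop": "Disabled",
                             "StoreLMHash": "Disabled"},
                   user={"HideControlPanel": "Enabled"},
                   user_enabled=False)  # the OU holds only computer accounts
    print_role = GPO("Print Servers",
                     computer={"SpoolerService": "Automatic", "RemoteDesktop": "Enabled"})
    domain = Container("corp.example (domain)", links=[Link(default_domain)])
    member_servers = Container("Member Servers", parent=domain, links=[Link(baseline)])
    print_servers = Container("Print Servers", parent=member_servers, links=[Link(print_role)])
    return domain, member_servers, print_servers


def enforced_scenario() -> Dict[str, Tuple[str, str]]:
    """Same tree, but the domain link is Enforced and the Print Servers OU blocks inheritance."""
    domain, _member_servers, print_servers = build_sample_tree()
    domain.links[0].gpo.computer["RemoteDesktop"] = "Disabled"
    domain.links[0].enforced = True
    print_servers.block_inheritance = True
    return resultant_policy(print_servers, "computer")


if __name__ == "__main__":
    for name, (value, gpo) in sorted(resultant_policy(build_sample_tree()[2]).items()):
        print(f"{name:24} {value:18} from {gpo}")
```

Run as is, the script lists the winning GPO for every computer setting at the Print Servers OU: the baseline hardening arrives from the Member Servers GPO, the role GPO overrides only the settings it configures, and the user scope is empty because the baseline's user portion is disabled. The enforced scenario shows why the article warns against Enforced and Block Inheritance: the domain link now overrides a value configured in the much closer Print Servers GPO, and the baseline hardening never reaches the OU at all, which is exactly the kind of outcome that is hard to explain when troubleshooting.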

Installing and Configuring Virtual PC (Part 1)
In this two part article I will guide you through the installation of Microsoft’s Virtual PC. The article will also focus on how Virtual PC should be installed so that your system functions correctly. With faster processors, the increased size of volatile memory (RAM) and the vast sizes of hard disk storage, the trends point to more powerful systems than ever before. However, server computers still cost a premium and are not easily approved for testing and DR purposes. This has given rise to the virtual PC era. When the terminal computing phase of IT phased out, stand-alone machines and micro computing server technologies boomed, and with this explosion many personal computers landed on people’s desks and server computers in server rooms. These computers have been installed with many services and applications and often form part of an organization’s critical information technology operation. With this in mind, consolidation becomes a thought. One server running Virtual PC with the correct configuration can be installed to consolidate and replace many computers, and could in effect simulate your entire Active Directory. This type of installation not only requires extensive planning but many hours of testing and configuration. Once an optimal system has been created and is running in a stable form, it is recommended that a mirror image be made and copied onto an alternate bootable device for recovery purposes.

Possible uses for virtual PC
Test environments
Test environments require hardware and software per computer that is installed. By using Virtual PC you are able to install more than one version of the operating system on one machine, running simultaneously as a window within the host operating system. You are also able to switch from one operating system to another seamlessly. This solution helps the professional to minimize hardware requirements and consolidates the test solution onto one manageable unit. The configuration of such a server is also effective and the viability of such an operation increases. The virtual machine solution can also be configured to run on a workstation, and with the speed of the processors, RAM and hard drives today the system performs comfortably with three servers on one modern workstation.

Many IT professionals need to test patches and new software upgrades on systems before applying a critical change. The evidence of this is clear when investigating problems caused by patches that have been written incorrectly, or have not been applied in the intended sequence, or that react to the custom configuration within a unique environment. If the change is applied without testing the result can be crippling to the organization, and this is why it is a good idea to apply the change to the virtual machine first, test for a predetermined duration, and have a check list of functionality that the patches will need to pass before the patch is applied to the production environment. Antivirus software and other more protective security software, if installed on the fly, can sometimes cause other software on the system to stop functioning. For this reason it is important that any software that is installed is first tested on a test virtual system. Most risks to your production system are reduced, and the system made more robust, through thorough testing on virtual systems. New solutions like arbitrary software can be installed on the test system while evaluating. Evaluation software can sometimes cause problems as it may conflict with software that is already installed, or it can leave residual DLLs and other files on the machines that cause problems, and these are difficult to trace as the software is often removed or deleted and then not taken into account when troubleshooting. Installing evaluation software on live systems also breaks all best practice rules. Ever wanted to install software on a machine but been too afraid to because of unknown repercussions? With Virtual PC replicating a system over and over is not a problem, and this gives the IT professional flexibility and offers peace of mind, as the organization’s testing is performed “offline”.

The testing side of software installation is often overlooked and only highlighted once the changes have been made. Virtual PC makes the testing process a reality and assists the IT professional in making the testing of all software on the virtual system a viable option.

Honey pots
Honey pots are systems that are installed and positioned in vulnerable locations to deliberately allow intruders to gain access and to lure them away to a system that they perceive to be legitimate, operational and live. By using this technique you are able to counter attacks, as the intruders are attacking fake systems while the security professional is monitoring the intruder activity. The monitoring must be done in a discreet, unconventional manner to avoid detection. You can use Virtual PC to create a full network, or what looks like a full network, on one machine. By creating multiple interfaces on the Windows XP client machine that you create, you are able to assign multiple IP addresses virtually, and this will give the attacker the impression that there are many machines connected together. Software has been released that creates virtual services and computers on one machine, specifically aimed at honeypots, so that one machine emulates a few networked machines; if you use this software in conjunction with Virtual PC you are able to create an interconnected WAN.

An article on creating honey pots using Windows and Virtual PC is being written and will be released soon.

Business continuity environments
Establishing a business continuity strategy is necessary for most security policies and IT and operational business units. These types of systems are most effective when they run concurrently with the live system so that all data is mirrored in real time to the disaster recovery site machines. These configurations may require extensive hardware, and for this reason you want to design a solution for disaster recovery that is cost effective, easy to install and easy to bring up on one piece of hardware. This solution is cost effective as it does not require the demanding hardware specifications required by multiple system installations. It is far more cost effective to purchase a server and bump up its processor, RAM and disk space than to buy a multitude of servers.

Development environments
Some developers develop locally on their systems, sometimes they develop on development environments, and some even want to develop live; to avoid this risk, development environments have been installed. These environments are not cost effective, and to reduce TCO Virtual PC can be installed on a system that has been highly specified. This opens new doors, as new systems can be reinstalled in minutes and mounted as different machines.

Installing virtual PC
Before installing Virtual PC it is recommended that you back up your files to a remote location other than the machine that you will be installing on. It is also recommended that you cease any jobs, applications or other installation processes. If you have previous versions of Virtual PC it is recommended that you remove them from the computer. Note that virtual disks may not run on different versions of VPC. It is recommended that you be at the console when installing Virtual PC, to avoid the reconnection issues caused when the TCP stack is rebuilt if you are using remote access.

Resources
When designing a Virtual PC system that will be integrated into a live environment it is vital that the network professional ensures that the host machine resources are appropriately specified. The table below is Microsoft’s recommendation as of the 1st April 2004. Please note that recommendations are tested with specifications and with general environments in mind. What I recommend is that the basic specification be observed and improved upon, as some specifications do not specifically cater for unique environments like those found in most organizations. These recommendations are guidelines that should be tested in the lab before going into a live environment.

Remember to also allocate appropriate resources to your guest operating system, as not doing so will cause your installed operating systems to suffer from low resources. Virtual PC supports up to 3.6 GB of RAM per virtual machine, up to a total of 4 GB of RAM on the physical machine.

Host operating system                                              RAM       Disk space
Windows XP Professional                                            128 MB    2 GB
Windows XP Tablet PC Edition                                       128 MB    2 GB
Windows 2000 Professional                                          96 MB     2 GB

Guest operating system                                             RAM       Disk space
Windows XP Professional                                            128 MB    2 GB
Windows XP Home Edition                                            128 MB    2 GB
Windows 2000 Professional                                          96 MB     2 GB
Windows NT Workstation 4.0, Service Pack 6 or higher               64 MB     1 GB
Windows Millennium Edition                                         96 MB     2 GB
Windows 98                                                         64 MB     500 MB
Windows 95                                                         32 MB     500 MB
MS-DOS 6.22                                                        32 MB     50 MB
OS/2 Warp 4 Fixpack 15, OS/2 Warp Convenience Pack 1,
OS/2 Warp Convenience Pack 2                                       64 MB     500 MB

To install virtual PC double click the setup icon within the disc or insert the disc and the auto play function will start the installation automatically. Please note that a restart is required after the installation of Virtual PC.

Once you click install the screen above will be presented then click next.

Read the license agreement and then click I accept then click next.

Type in a user and organization and a serial number, then ensure that "anyone that uses this computer" is selected, then click Next. If you choose to install Virtual PC for only the user that is logged in, be aware that the software will run in the context of the installing user. It may be more secure, but if it is installed as a user that has restrictive rights then access to certain resources may be denied and settings will not be inherited from profile to profile.

Select the location where to install your Virtual PC, then click Next; remember that you will need to ensure that there is enough space on the drive selected. It is recommended that the drive selected be fast and have redundancy supplied and enabled. This will minimize risk in the event of failure.

Virtual PC then takes some time to initialize and install, and during this time you will be presented with a status screen that displays the progress of the installation. If the bar freezes for a while it is recommended that you wait several minutes, as initialization sometimes takes a little while depending on the hardware you are installing Virtual PC on; if this condition persists, cancel the installation, restart the machine and restart the installation. Click Next to continue.

This screen is then presented next and it will require a restart. Click the Yes button if you would like the machine to restart; this is recommended.

Installing and configuring virtual PC (Part 2)
In the first part of this article I took you through the installation of Virtual PC; in this article I will guide you through the configuration of Microsoft’s Virtual PC. The article will focus on how Virtual PC should be configured so that your system functions effectively and makes use of the hardware efficiently. It is fundamental to the Virtual PC arena that all hardware purchased and installed is of a reliable standard, and it is imperative that the hardware be compatible and designed to function efficiently with all aspects of the system. It is essential that the hardware be installed and working before attempting configuration. Non-standard hardware that requires unsupported drivers should be avoided, and all hardware should be tested before using it in a live environment. These guidelines are recommended to thwart loss of data and to ensure continuation of service after installing and configuring a virtual PC in a production environment. Please ensure that you always back up the entire system and ensure that you are able to restore the backup if you are dealing with critical data and configurations.

Multiple virtual machines
Using Virtual PC enables the network professional by providing the flexibility of running several virtual machines and different combinations and configurations of operating systems and applications on one physical computer. This methodology eliminates the necessity of setting up different physical machines, and allows organizations the elasticity needed when consolidation is a consideration; however, it introduces new problems and scenarios to consider when planning for VPC deployments. Using Virtual PC allows the organization to share hardware that it would otherwise have to purchase individually for each respective machine or task, and this may be beneficial from a financial perspective, but it introduces another level of risk to be considered regarding a single point of failure. Do not overlook this point, as a restart of the host operating system will result in all of the virtual machines installed becoming unavailable, and the IT professional will then have to reinitialize the host operating system and guest operating systems to get them to function correctly as intended. Also note that shared resources, if not tested properly, may function differently than expected. Inexpensive items like NICs and CD drives may function erratically if shared, and will not perform at the normal speed. CD drives have locking mechanisms that are linked to software that locks the drive on the corresponding guest operating system; some systems that reference a CD in a drive and that have files in use while another operating system is attempting access can cause the main operating system to require a restart. Being aware of these ramifications will assist the IT professional in designing a robust and well thought out VPC solution that can be used safely in production. Some guidelines that will clarify installation and configuration settings follow:
• Before installing and configuring VPC ensure that you have administrative control of the host OS.
• Ensure that each virtual machine has a unique name, and make it descriptive in order to identify it at a later stage.
• Ensure that there are enough resources for both the host operating system and the guest operating system to run. If more than one VPC session is open, assign appropriate resources to each virtual machine.
• Remember that resources are shared on the VPC and that when moving from machine to machine captured drives and resources alternate.
• Remember to share your data between virtual machines.
• When using virtual machines it is a good idea to make a small banner in MS Paint to facilitate identification of each VPC. Set all resolutions to a standard resolution to make transition between VPCs easier. It is also possible to use Remote Desktop to connect to the machines to administer them.
• It is a good idea to use NTFS on the host OS.
• Each virtual machine needs patches and security updates, and each VPC needs antivirus software. Note that if this point is overlooked it may result in the compromising of the entire system.
• Licensing can be tricky, and it is the IT professional’s prerogative to check the agreement with the respective vendor.
• Accessing shared folders on other machines or on the host can be achieved by mapping a folder to a drive from the virtual machine to the shared folder on the host machine. This is an efficient way to transfer files from guest system to host system or from guest to guest.

After installing Virtual PC you will need to run the new virtual PC wizard. This will allow you to create a virtual drive. This drive consists of one file that contains all of the system and boot files found in ordinary installations of operating systems. The file’s extension is .vhd. If you enable undo disks, these disks allow you to make changes to the virtual PCs for test purposes and let you back track to a point in time before the changes; these disks have the .vud extension. A .vmc is temporary: a disk that stores information in a non-volatile state, like the hibernation file in Windows. This screen also allows you to use the default configuration, which will create an automatic version of the virtual hard disk, or you can select previous virtual drives to boot from. Please note: previous versions of Virtual PC sometimes create virtual drive files that are not readable or accessible by newer versions of Virtual PC. When you have made your selection, please click Next.

It is a good idea to assign each virtual machine a unique name that is descriptive and easy to understand. When you have chosen a name click next.

Virtual PC is able to host and run software that is compatible with x86 standards. This makes virtual PC flexible and empowers the professional to install a range of software on one machine for testing purposes. Once you have selected the respective operating system click next.

When this screen is presented you will be able to specify how much RAM your guest operating system will use. I recommend you double the RAM from the recommendation displayed if your budget allows.

This screen is simple yet important. When assigning your virtual disk a name and location, it is important to turn on undo disks if you require the machine for testing or if you will be making changes that you are unsure of. Although this option uses up some free space it is well worth it, and saves you from reinstalling if you make an uncalculated mistake. When you have completed your selections, click Next.

This screen is the follow up screen that defines where the virtual drive is installed. When you have completed your selection click next.

This screen will summarize your settings if you are content with your selections then click finish to create your virtual machine. Once you click finish, your virtual machine will have been created and configured. You will now need to install a guest operating system on the virtual machine once it is started. Treat the machine as you would a normal computer. You will be able to boot from CD to install the operating system within the virtual machine. Open the Virtual PC Console to begin.

This is the Virtual PC console; you will need to get familiar with this console if you are going to be using Virtual PC. It is very simple and has four options that will be expanded on. The New button facilitates the creation of new virtual PCs. Once you have created new virtual PCs they are displayed in the left panel. From the File option you are able to initiate the disk wizard. The Settings option, when clicked, reflects the settings of the selected virtual machine; if the VPC is open, they are fully applied to the machine once the virtual machine is restarted. Some of the key settings are described below. The Remove button removes virtual PCs that have been created. The Start button initiates the virtual machine, and this in turn emulates a computer booting with its own virtual BIOS and booting process. Also note that by using the Action menu you are able to pause and resume a virtual machine. This option is useful if you want to quickly suspend an operating system so that you can shut down the host operating system; when you restart the host you can resume the virtual PC back to the point you were at before you stopped. Some settings screenshots follow that will help in the configuration of VPC.

This screen is presented once Settings is clicked in the VPC console. You are able to configure the name of the VPC and the RAM memory allocation; some of these settings are only available within wizards and are restricted by the physical resources available within your host machine.

Each virtual machine can be set up to use no network adapter or up to four network adapters. These can be configured to access internal network machines, other Virtual PC machines and internet machines. This technology functions as a great tool when testing a networked environment.

This screen displays the amount of RAM that has been assigned to the virtual machine.

You can quickly get to the Virtual PC console by right-clicking on the tray icon near the clock and selecting Show Virtual PC Console.

By clicking Options you are able to control global settings that apply to all of the virtual PCs that have been created. You are then able to make single changes that apply throughout the subsidiary virtual machines. Note (Ref: MS CHM file): if you replicate or image a VHD file you will need to change the MAC address. Edit the .vmc file to remove the MAC address. Find the following line: <ethernet_card_address type="bytes">0003FFxxxxxx</ethernet_card_address> Remove the number so the line appears as follows: <ethernet_card_address type="bytes"></ethernet_card_address> After you remove the number, Virtual PC will create a new MAC address the next time you start the virtual machine.
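The edit described in the note can be scripted so that every adapter in a cloned .vmc is handled and the change is verifiable. This is an added example, not Microsoft's tool or the article's code: only the ethernet_card_address line comes from the CHM note, while the surrounding element nesting, the sample MACs and the encoding sniffing are assumptions.

```python
# Added example (not Microsoft's tool): blank the stored MAC in a copied .vmc so that
# Virtual PC generates a fresh one at next start. Only the <ethernet_card_address>
# line comes from the CHM note; the surrounding element nesting is constructed.
import re
from pathlib import Path

# One element per adapter; a VM may have up to four, so substitute every match.
MAC_ELEMENT = re.compile(
    r'(<ethernet_card_address type="bytes">)([0-9A-Fa-f]{12})(</ethernet_card_address>)'
)

# Constructed sample of a cloned VM with two adapters (not a real .vmc file).
SAMPLE_VMC = """<?xml version="1.0" encoding="UTF-8"?>
<preferences>
  <hardware>
    <ethernet_controller id="0">
      <ethernet_card_address type="bytes">0003FF123456</ethernet_card_address>
    </ethernet_controller>
    <ethernet_controller id="1">
      <ethernet_card_address type="bytes">0003FF654321</ethernet_card_address>
    </ethernet_controller>
  </hardware>
</preferences>
"""


def clear_mac_addresses(vmc_xml):
    """Return (new_text, removed_macs); elements that are already empty are left alone."""
    removed = []

    def blank(match):
        removed.append(match.group(2))
        return match.group(1) + match.group(3)   # keep the tags, drop the value

    return MAC_ELEMENT.sub(blank, vmc_xml), removed


def clear_vmc_file(path):
    """Rewrite a .vmc on disk in place; returns the MACs that were removed."""
    raw = Path(path).read_bytes()
    # Sniff a UTF-16 byte-order mark; otherwise treat the file as UTF-8 (assumption).
    enc = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8"
    new_text, removed = clear_mac_addresses(raw.decode(enc))
    if removed:                                   # only touch the file when needed
        Path(path).write_bytes(new_text.encode(enc))
    return removed


if __name__ == "__main__":
    text, macs = clear_mac_addresses(SAMPLE_VMC)
    print("removed:", macs)
    print(text)
```

Running the same clone twice must not break it, so the function reports an empty list on an already-cleared file.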

Setting up a client based VPN connection via PPTP

Introduction
Although VPNs are considered an extension of a private network, in reality they are nothing close to the equivalent of a private network. This is because you can't compare physically connected devices in a closed environment to a remote connection. Some advantages of a VPN connection are as follows:

• Expensive long distance leased lines are not required, thus lowering costs
• Compared with alternatives, it is relatively easy to set up on both the client and server side
• Flexibility, for the simple reason that you can connect to a VPN server from anywhere in the world that has internet access

However, it does have a couple of disadvantages, namely:

• If a fast and reliable internet connection is not available then the performance of the VPN connection can be negatively affected. Unfortunately, this is something out of the organization's control
• Due to all the encryption that takes place, although compressed, one may notice a slight decrease in speed

A VPN is composed of two parts:

VPN Server
The VPN Server is the machine that accepts VPN connections from VPN clients. A VPN server provides remote access connections or router-to-router VPN connections. In Windows 2003, this can be set up from the RRAS (Routing and Remote Access Server) Administrative Tool.

VPN Client
The VPN Client can be the remote user who wishes to connect to the VPN Server to establish a session on the network. The interface required by the VPN Client can be that of a dial-in modem or a dedicated connection to the internet (ADSL for example). The diagram below illustrates the basic anatomy of a typical VPN connection.

The cloud in the middle signifies the public internet, which, in the case of a dedicated internet connection, the VPN client uses to connect to the server.

A step-by-step guide
The following is a step-by-step guide on how to set up a client based VPN connection using the Point-to-Point Tunneling Protocol. The first thing you must do is right-click the My Network Places icon and select Properties.

This will bring you to the Network Connections window which displays a list of your current network connections. Double click the New Connection Wizard icon.

You are faced with three options - choose the second one, "Connect to the network at my workplace" and click Next.

Now choose the second option, "Virtual Private Network connection" and click Next. This will bring you to the window in which you should enter the name of the company or server you will be connecting to. After you have typed the name in, press Next.

This will bring you to the following window in which you must enter the host name or IP address of the VPN server. Tip: Entering the IP address is recommended (the IP address can be obtained from the server administrator).

And finally, the "Connection Availability" window will allow you to select who is authorized to use the VPN connection. "Anyone's use" will permit anyone who logs onto the system to use the connection, whereas "My use only" will limit its use to you only.

Once you click Next and Finish, your new connection will be visible in the Network Connections window (as seen below).

Right-click the new connection and select Properties to open the properties window. Here you can configure, amongst other things, the network settings and general options. Select the Networking tab and, in the "Type of VPN" drop-down list, choose PPTP VPN. It is not necessary to configure any other options on this page unless otherwise specified by the VPN server administrator. File and Printer Sharing for Microsoft Networks is the service required for you to be able to share files and printers once a connection has been established to the organizational network.

Now move onto the Options tab. You are able to configure dialing and redialing options on this page.

If you are using the same logon at your company network as you are for the VPN server, then select the "Include Windows logon domain" check box. Go to the security tab and verify that the screen looks like the one below. Only select the first check box if the local computer you are logged on to has the same log on account and password as the account you have on the VPN server.

If you select the General tab you can change the IP or Host Name of the VPN server and select whether or not you want another connection to be established first before initiating the VPN connection. You would do this if, for example, you had an ADSL connection you wanted to connect to first before dialing into the VPN server.

Press OK to close the window and return to the network connections window. If you double click your VPN connection the logon window will appear.

Enter your username and password and click Connect. After the authentication process is complete, you will be logged on to the VPN Server and the two-computers connection icon will appear in the bottom right-hand corner of your screen (by default).

Congratulations! You have now successfully been connected to the VPN server.

Windows 2003 Active Directory: An overview

Times gone by
Some years ago, you could have been excused for thinking that selecting the right server software for your Windows network was a tough job. Microsoft hasn’t always been the toughest dog in the pound. On one hand Microsoft’s NT4 platform provided good integration and, more importantly, a platform that IT managers were immediately familiar with. On the other hand, Novell had a rock solid, lean, and world proven product in Novell Netware (4.1 or 5). The secret at the heart of the world dominance of Novell, and the foot blocking the door of Microsoft in the critical international corporate server market, was the inclusion of a directory service called NDS (Novell Directory Services). Such a directory allowed for scalable and more easily managed networks, and lent itself well to multi-office, global networks, at least it was the better alternative to the provisions in Windows NT4.

Fig 1: Novell's NDS was world class... at the time.

For those of you new to the idea of a Directory in network terms, you can think of it as a telephone directory, with each entry being a network object, such as a user, a printer or a network share, rather than a piece of contact information. This information can be structured into logical containers, called Organisational Units (OUs), allowing for a more manageable environment when dealing with large numbers of users and other objects. This directory can be duplicated and replicated across multiple servers, allowing for redundancy and a distributed structure to be built into the network design. This directory, like its paper-based namesake, can be searched quickly and easily, though far faster than turning the pages of a book. Allowing for a logical structure and design lets IT departments apply policies to groups of users or computers based upon the needs of the business. Clearly, in order for Microsoft to gain global dominance in the server field, they had to rework the server platform and make it scalable, reliable and resilient from the ground up, without completely reinventing the wheel. Thus Active Directory was born.

Learning the basics

Before we begin, let’s quickly cover the basics of Active Directory. Any Active Directory installation goes hand in hand with a correctly set up DNS server running on your network. The reliance on DNS is apparent in Windows 2000, and it’s almost impossible to run a Windows 2000 network without it being underpinned by DNS. This is very different from the old NT networks, which could do without it, or would most likely use WINS, which was a Microsoft ‘alternative’ to DNS offered up at the time. Such is the reliance on DNS that it should be the first port of call when fault finding any issues with AD working or replication. Active Directory itself is made up of three ‘logical’ partitions, these being ‘Domain’, ‘Configuration’ and ‘Schema’. Within the file system these are stored in NTDS.DIT on any domain controller. The Domain partition stores information relating to the domain, while the Configuration partition holds information relating to the forest structure. Finally, the Schema holds the definitions of objects within the network. These can roughly be associated, in order, with the following tools: Active Directory Users and Computers, Active Directory Sites and Services, and ADSIEdit.

Is there a spin doctor in the house?
You’re not going to be bowled over by swathes of new features in Active Directory 2003; the most visible new features are to be found in the management tools which, as part of the Admin Pak, can be installed on a Windows XP machine and will work quite happily with Windows 2000. One of the most useful features of the new AD tools, for the general IT person, is the ability to create and store queries in Active Directory Users and Computers. You can now create queries to display users, computers, or any other object you can think of, based on pretty much any attribute you can think of. Microsoft have wisely included some predefined criteria for performing the most common searches, which include: Disabled Accounts, Accounts not logged on for xx days, Username (which can be the usual starts with, ends with, contains, etc.), Description, and Expired Passwords. These queries alone should be able to help most IT folk, but the list of objects and attributes is endless.

Fig 2: Queries let you quickly find common groups of objects

We will be covering queries in further detail in a future article. There are also significant changes to the Group Policy management facilities of AD Users and Computers. Again, these features will be covered in further detail in future articles. There are also, however, several overhauls under the bonnet that should be given due attention. Clearly the priority with which you regard these new features will depend squarely upon the kind of network you have, its structure, and your job role.
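Saved queries are LDAP searches underneath, and knowing the filter behind a criterion helps when the console's result looks wrong. As an added example that is not from the article, the following Python builds the filters equivalent to the "Disabled Accounts" and "not logged on for N days" criteria (a bitwise test on userAccountControl and a FILETIME cutoff on lastLogonTimestamp) and applies the same tests to constructed sample records; the "Expired Passwords" criterion is left out because it depends on the domain's password age policy.

```python
# Added example (not the article's code): LDAP filters equivalent to two of the
# predefined ADUC saved queries, plus the same tests applied offline to sample data.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002                       # userAccountControl flag bit
BIT_AND_RULE = "1.2.840.113556.1.4.803"          # LDAP_MATCHING_RULE_BIT_AND
PERSON = "(objectCategory=person)(objectClass=user)"


def to_filetime(dt):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (exact integer math)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def disabled_accounts_filter():
    """The 'Disabled Accounts' query: bitwise AND of userAccountControl with 0x2."""
    return f"(&{PERSON}(userAccountControl:{BIT_AND_RULE}:={UAC_ACCOUNTDISABLE}))"


def stale_accounts_filter(days, now):
    """The 'days since last logon' query. lastLogonTimestamp is the replicated
    attribute, but by default it is only refreshed when more than 14 days old,
    so the result can be off by up to that interval."""
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&{PERSON}(lastLogonTimestamp<={cutoff}))"


def is_disabled(user_account_control):
    return bool(user_account_control & UAC_ACCOUNTDISABLE)


def is_stale(last_logon_timestamp, days, now):
    # An account that never logged on has no attribute; 0 stands in for it here.
    return last_logon_timestamp <= to_filetime(now - timedelta(days=days))


def run_on_sample():
    """Apply both predicates to constructed sample records (not real accounts)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed 'today'

    def ft(y, m, d):
        return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))

    users = [  # (sAMAccountName, userAccountControl, lastLogonTimestamp)
        ("alice",   0x0200, ft(2023, 12, 20)),   # NORMAL_ACCOUNT, recent logon
        ("svc_old", 0x0202, ft(2023, 1, 15)),    # NORMAL_ACCOUNT | ACCOUNTDISABLE
        ("bob",     0x0200, ft(2023, 6, 1)),     # enabled but idle for months
        ("temp",    0x0200, 0),                  # never logged on
    ]
    return {
        "now_filetime": to_filetime(now),
        "disabled": [n for n, uac, _ in users if is_disabled(uac)],
        "stale_90": [n for n, _, ts in users if is_stale(ts, 90, now)],
        "stale_filter": stale_accounts_filter(90, now),
    }
```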

AD/AM
One of the most interesting features of this release is in actual fact a separate release balancing on the coat tails of Active Directory 2003. Active Directory / Application Mode (or ADAM to its closest friends) is a separate application that should prove to be a boon to application developers and IT managers alike. As Active Directory is a customisable database that allows for replication across various internet links and connections, many applications (bespoke and otherwise) can use it to store data relating to a package and its users, as well as for authorisation of users. This means that the programmers of such applications needn’t reinvent the wheel when it comes to creating distributed data stores, and development cycles can be reduced. It does, however, introduce several massive problems in turn, mainly a big increase in bandwidth and big lag. Network links between branch offices are often slow, and the additional data added by such applications can easily result in these lines crawling to a halt. Even in the biggest of offices, with the fastest of lines, replication data management can be a black art, and additional replication data is never needed. In addition to this issue is that of replication speed. In a busy office with multiple branches (the kind of network that could well make use of such bespoke applications running on distributed data stores such as AD) the replication of all this new data means that none of the offices are ever going to be seeing the latest information. Due to these issues most application developers have turned away from using AD as an application data store. Microsoft seeks to change that by introducing a stand-alone version of Active Directory tailored towards application data storage. ADAM is available as a download from Microsoft and is installable on either a Windows 2003 server or a Windows XP workstation. When installed it runs in the context of a nominated account, and as it’s separate to Active Directory, replication schedules can be configured separately. On top of that, multiple instances of ADAM can run on the same machine, which should allow developers and others alike to test different schema setups far more easily than before.

Fig 3: Active Directory running under XP, who would have thought it!

It should be said that Microsoft has included a new Application Directory Partition feature in AD2003, which allows for a new fourth ‘logical’ partition, called ‘Application’. This new partition is tailor made to store data from 3rd party AD-aware programs, and means that data for AD-aware programs can be stored outside of the main three partitions and can have separate replication schedules. This obviously has several of the advantages that benefit the ADAM approach, but with ADAM you are able to run multiple instances, something which cannot be done with a normal AD installation.

Setting up a DHCP server in Windows 2003
"Dynamic Host Configuration Protocol (DHCP) is an IP standard designed to reduce the complexity of administering IP address configurations." - Microsoft's definition. A DHCP server would be set up with the appropriate settings for a given network. Such settings would include a set of fundamental parameters such as the gateway, DNS, subnet masks, and a range of IP addresses. Using DHCP on a network means administrators don't need to configure these settings individually for each client on the network; the DHCP server automatically distributes them to the clients itself. The DHCP server assigns a client an IP address taken from a predefined scope for a given amount of time. If an IP address is required for longer than the lease has been set for, the client must request an extension before the lease expires. If the client has not requested an extension on the lease time, the IP address will be considered free and can be assigned to another client. If the user wishes to change IP address then they can do so by typing "ipconfig /release", followed by "ipconfig /renew" in the command prompt. This will remove the current IP address and request a new one. Reservations can be defined on the DHCP server to allow certain clients to have their own IP address (this will be discussed a little later on). Addresses can be reserved for a MAC address or a host name so these clients will have a fixed IP address that is configured automatically. Most Internet Service Providers use DHCP to assign new IP addresses to client computers when a customer connects to the internet; this simplifies things at user level.

The above diagram displays a simple structure consisting of a DHCP server and a number of client computers on a network. The DHCP Server itself contains an IP Address Database which holds all the IP addresses available for distribution. If the client (a member of the network with a Windows 2000 Professional/XP operating system, for example) has "obtain an IP address automatically" enabled in TCP/IP settings, then it is able to receive an IP address from the DHCP server.

Setting up a DHCP Server
This will serve as a step-by-step guide on how to set up a DHCP server. Installing the DHCP server is made quite easy in Windows 2003. By using the "Manage your server" wizard, you are able to enter the details you require and have the wizard set the basics for you. Open the "Manage your server" wizard, select the DHCP server option from the list of server roles and press Next. You will be asked to enter the name and description of your scope.

Scope: A scope is a collection of IP addresses for computers on a subnet that use DHCP.

The next window will ask you to define the range of addresses that the scope will distribute across the network and the subnet mask for the IP addresses. Enter the appropriate details and click Next.

You are shown a window in which you must add any exclusions to the range of IP addresses you specified in the previous window. If, for example, the IP address 10.0.0.150 is that of the company router, then you won't want the DHCP server to be able to distribute that address as well. In this example I have excluded a range of IP addresses, 10.0.0.100 to 10.0.0.110, and a single address, 10.0.0.150. In this case, eleven IPs will be reserved and not distributed amongst the network clients.

It is now time to set the lease duration, which is how long a client can use an IP address assigned to it from this scope. It is recommended to use longer leases for a fixed network (in the office, for example) and shorter leases for remote connections or laptop computers. In this example I have set a lease duration of twelve hours, since the network clients would be fixed desktop computers in a local office and the usual working time is eight hours.

You are given a choice of whether or not you wish to configure the DHCP options for the scope now or later. If you choose Yes then the upcoming screenshots will be of use to you. Choosing No will allow you to configure these options at a later stage.

The router, or gateway, IP address may be entered next. The client computers will then know which router to use.

In the following window, the DNS and domain name settings can be entered. The DNS server IP address will be distributed by the DHCP server and given to the client.

If you have WINS set up then here is where to enter the IP address of the WINS server. You can just input the server name into the appropriate box and press "Resolve" to allow it to find the IP address itself.

The last step is to activate the scope: just press Next when you see the window below. The DHCP server will not work unless you do this.

The DHCP server has now been installed with the basic settings in place. The next stage is to configure it to the needs of your network structure.

Configuring a DHCP server
Below is a simple explanation of how to configure a DHCP server. The address pool displays a list of IP ranges assigned for distribution and IP address exclusions. You are able to add an exclusion by right-clicking the Address Pool item on the left-hand side of the MMC window and selecting "New Exclusion Range". This will bring up a window (as seen below) which will allow you to enter an address range to be added. Entering only the start IP will add a single IP address.

DHCP servers permit you to reserve an IP address for a client. This means that the specific network client will have the same IP for as long as you want it to. To do this you will have to know the physical address (MAC) of each network card. Enter the reservation name, desired IP address, MAC address and description, choose whether you want to support DHCP or BOOTP, and press Add. The new reservation will be added to the list. As an example, I have reserved an IP address (10.0.0.115) for a client computer called Andrew.

If you right-click Scope Options and press "Configure Options" you will be taken to a window in which you can configure more servers and their parameters. These settings will be distributed by the DHCP server along with the IP address. Server options act as a default for all the scopes in the DHCP server; however, scope options take precedence over server options. In my opinion, the DHCP server in Windows 2003 is excellent! It has been improved from the Windows 2000 version and is classified as essential for large networks. Imagine having to configure each and every client manually: it would take up a lot of time and require far more troubleshooting if a problem was to arise. Before touching any settings related to DHCP, it is best to make a plan of your network and think about the range of IPs to use for the computers.
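To see how the pieces configured in the walkthrough interact (the excluded addresses, the reservation for Andrew and the twelve-hour lease), here is a toy model of that scope as an added example, not the article's code and not how the Windows DHCP service is implemented. The MAC addresses and times are constructed; it replays a client obtaining an address, renewing it before expiry, and the address being reclaimed for another client once the lease lapses.

```python
# Added example (not the article's code): a toy model of the scope set up above,
# showing exclusions, a MAC reservation and twelve-hour leases being handed out,
# renewed and reclaimed. MAC addresses and times are constructed.
from datetime import datetime, timedelta
from ipaddress import IPv4Address


class DhcpScope:
    def __init__(self, start, end, lease=timedelta(hours=12)):
        self.start, self.end = IPv4Address(start), IPv4Address(end)
        self.lease = lease
        self.excluded = set()        # never distributed (router, printers ...)
        self.reservations = {}       # MAC -> fixed IPv4Address
        self.leases = {}             # IPv4Address -> (MAC, expiry)

    def exclude(self, first, last=None):
        """Exclude a range, or a single address when only 'first' is given."""
        a, b = int(IPv4Address(first)), int(IPv4Address(last or first))
        self.excluded.update(IPv4Address(i) for i in range(a, b + 1))

    def reserve(self, mac, ip):
        self.reservations[mac.upper()] = IPv4Address(ip)

    def _free_for(self, ip, mac, now):
        """Can 'ip' be given to 'mac' now? Expired leases are reusable."""
        if ip in self.excluded:
            return False
        if ip in self.reservations.values() and self.reservations.get(mac) != ip:
            return False                          # reserved for another client
        held = self.leases.get(ip)
        return held is None or held[0] == mac or held[1] <= now

    def offer(self, mac, now):
        """Address leased to 'mac' (renewing a live lease) or None if exhausted."""
        mac = mac.upper()
        if mac in self.reservations:              # reservation: always the same IP
            ip = self.reservations[mac]
        else:
            ip = next((a for a, (m, exp) in self.leases.items()
                       if m == mac and exp > now), None)   # renewal before expiry
            if ip is None:
                pool = (IPv4Address(i) for i in range(int(self.start), int(self.end) + 1))
                ip = next((a for a in pool if self._free_for(a, mac, now)), None)
                if ip is None:
                    return None
        self.leases[ip] = (mac, now + self.lease)
        return ip


def build_example_scope():
    """The walkthrough's scope: 10.0.0.100-110 and 10.0.0.150 excluded, Andrew reserved."""
    scope = DhcpScope("10.0.0.1", "10.0.0.200")
    scope.exclude("10.0.0.100", "10.0.0.110")
    scope.exclude("10.0.0.150")
    scope.reserve("00-03-FF-AA-BB-CC", "10.0.0.115")   # constructed MAC for 'Andrew'
    return scope


def run_walkthrough():
    """Replay a short sequence of requests; returns the addresses offered, in order."""
    scope = build_example_scope()
    t0 = datetime(2024, 1, 1, 8, 0)                  # constructed start of the working day
    events = [("00-11-22-33-44-55", t0),                          # first client
              ("00-03-ff-aa-bb-cc", t0),                          # Andrew gets his reservation
              ("66-77-88-99-AA-BB", t0 + timedelta(hours=1)),     # second client
              ("00-11-22-33-44-55", t0 + timedelta(hours=6)),     # renews within the 12 h lease
              ("CC-DD-EE-FF-00-11", t0 + timedelta(hours=19))]    # after both leases lapsed
    return [str(scope.offer(mac, when)) for mac, when in events]
```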

http://www.windowsnetworking.com/articles_tutorials/Windows_2003/
