Learning Windows Server 2003 By Jonathan Hassell
December 2004
Pages: 671

Table of Contents

Chapter 1: Introducing Windows Server 2003
It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With Version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product then on offer was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows.
After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment—one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities.
However, something still was lacking. Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. As well, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that the company save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Changes in This Release
Windows Server 2003 provides scores of new features that most administrators have been hoping for since the release of Windows 2000 Server, as well as critical bug fixes, tool improvements, management refinements, and enhancements to the general fit and finish of the product. In this section, I'll take a look at the major changes in the product from Windows 2000 Server.
Windows Server 2003 indeed is fairly secure after the installation process is complete, as Microsoft promised. The product also benefited from the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code.
But it's not only in the actual code that security takes front seat. Perhaps the most welcomed improvement in the eyes of network administrators with large Windows XP deployments is Windows Server 2003's native understanding and support for the expanded featureset of Group Policy (GP) found in XP. Windows 2000 Server was unaware of the new XP support for software execution restrictions and remote desktop support tools and thus required a bit of handholding to get it all working together. Windows Server 2003 knows about these XP tools out of the box.
Of course, there's still room for improvement, and Microsoft sees that: at the time of this writing, Microsoft made firm plans to ship the Security Configuration Wizard by mid-2005 with its release of Windows Server 2003 Service Pack 1. The wizard lists the services required for each server product (Exchange Server, SQL Server, IIS, and the like), compiling that information from an XML database containing the pertinent data for all of Microsoft's server products. The tool can be used in conjunction with the Manage Your Server Wizard and operates in two modes. In an automatic mode, you specify certain roles for the machine, and the wizard automatically will shut off any nonapplicable services and any ports not required by the assigned server roles. In an expert mode, the wizard will analyze the current roles a server is performing and the current base of services installed and running. Using that information, it will report to the administrator what services might not be necessary, leaving the actual decision to terminate those services up to the administrator. I'll explore Windows security features and configurations in greater detail in Chapter 7.
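The review the wizard's expert mode performs (which services are running, which ports they hold open, and which of those the assigned roles actually need) is the same question behind the "install nothing you don't need" rule Chapter 2 restates, and you can answer most of it today with two commands that ship with the operating system. The script below is an added example written for this page, not code from the book or from Microsoft: it parses constructed samples of netstat -ano and tasklist /svc output, joins them on PID, and reports every exposed socket that a file-server role does not require. The sample outputs, the PID-to-service pairings in them, and the FILE_SERVER_PORTS allowlist are assumptions made for the illustration; only the column layout of the two commands is real.

```python
"""Map listening sockets to the Windows services that own them and flag
anything the server's assigned roles do not need (added example; not from
the book). Capture real input with:  netstat -ano > n.txt  and
tasklist /svc > t.txt  and pass the file contents to audit_listeners()."""

import re
from collections import namedtuple

# Constructed sample of `netstat -ano` on a Windows Server 2003 file server.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:445           10.0.0.17:1044         ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:4500           *:*                                    600
"""

# Constructed sample of `tasklist /svc` from the same machine.
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      600 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    776 RpcSs
svchost.exe                   1012 TermService
"""

# Ports a plain file server must expose. This allowlist is an assumption for
# the example; derive yours from the roles you actually assign to the box.
FILE_SERVER_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 445)}

Listener = namedtuple("Listener", "proto addr port pid")
Finding = namedtuple("Finding", "proto port pid image services")


def parse_netstat(text):
    """Sockets that accept traffic: TCP in LISTENING state, every bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and "LISTENING" not in parts:
            continue  # established or closing sockets are not exposure
        addr, port = local.rsplit(":", 1)
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    owners, last_pid = {}, None
    row = re.compile(r"^(.*?)\s+(\d+)\s+(\S.*)$")  # image names may contain spaces
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = row.match(line)
        if m:
            image, pid, svcs = m.group(1).strip(), int(m.group(2)), m.group(3).strip()
            last_pid = pid
            owners[pid] = (image, [] if svcs == "N/A" else
                           [s.strip() for s in svcs.split(",") if s.strip()])
        elif last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            owners[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
    return owners


def audit_listeners(netstat_text, tasklist_text, allowed):
    """Every exposed socket the assigned roles do not require, with its owner."""
    owners = parse_tasklist(tasklist_text)
    findings = []
    for l in parse_netstat(netstat_text):
        if (l.proto, l.port) in allowed:
            continue
        image, services = owners.get(l.pid, ("<unknown>", []))
        findings.append(Finding(l.proto, l.port, l.pid, image, services))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, FILE_SERVER_PORTS):
        svc = ", ".join(f.services) or "(kernel-mode, no service)"
        print(f"{f.proto} {f.port:<5} pid {f.pid:<5} {f.image:<14} {svc}")
```

PID 4 is the System process, so ports it holds (139 and 445 for SMB) belong to kernel-mode drivers and tasklist reports no service for them; everything else on the report maps to a service you can judge against the role and stop with sc config if it is not needed.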
Additional content appearing in this section has been removed.
Windows Server 2003 Editions
Microsoft has increased the number of versions of Windows Server 2003 it offers. Microsoft offered Windows 2000 in three editions: Server, Advanced Server, and Datacenter Server, each requiring increasingly faster processors and more memory. Windows Server 2003 is available in the following editions:
Web Edition (WE)
This version of Windows Server 2003 is optimized to host web sites using IIS and is therefore limited in its support of hardware and in its feature set. It cuts the addressable memory in half from 4GB to 2GB, restricts Internet Connection Sharing, network bridging, and Terminal Services (although you can use the XP-like Remote Desktop), and does away with DHCP and fax services. In addition, WE can be a member server of a domain, but it cannot be an Active Directory domain controller. Windows Server 2003 WE is available only through OEMs; you can't purchase it through traditional retail channels.
Standard Edition (SE)
This is the plain-vanilla version of Windows that most corporations likely will deploy. Included with it is support for up to four processors and 4GB of memory (see Table 1-1). SE includes most of the features and support of the other editions, including the .NET Framework, IIS 6, Active Directory, the distributed and encrypting filesystems, and various management tools. You also receive Network Load Balancing (a feature previously reserved for the "premium editions" of the NT server product) and a simple Post Office Protocol 3 (POP3) server which, coupled with the existing Simple Mail Transfer Protocol (SMTP) server bundled with IIS, can turn your Windows Server 2003 machine into an Internet mail server.
Enterprise Edition (EE)
Aimed squarely at more demanding environments, EE adds Metadirectory Services support, high-level memory management features, and some session management features for Terminal Services. It also includes support for eight-node clustering and booting directly from a SAN. Plus, you can add memory to EE while the system is running, without needing to reboot.
Additional content appearing in this section has been removed.
Hardware Requirements
Table 1-1 lists Microsoft's minimum and recommended system requirements for running Windows Server 2003 Standard and Enterprise, the most commonly purchased editions.
Table 1-1: Minimum and recommended system requirements

Requirements                   Standard Edition   Enterprise Edition
-----------------------------  -----------------  ------------------------------------
Minimum CPU speed              133MHz             133MHz for x86-based computers;
                                                  733MHz for Itanium-based computers
Recommended minimum CPU speed  550MHz             733MHz
Minimum RAM                    128MB              128MB
Recommended minimum RAM        256MB              256MB
Maximum RAM                    4GB                32GB for x86-based computers;
                                                  64GB for Itanium-based computers
Multiprocessor support (MPS)   Up to 4            Up to 8
Disk space for setup           1.5GB              1.5GB for x86-based computers;
                                                  2GB for Itanium-based computers
However, anyone with prior experience with Windows operating systems likely is familiar with the simple fact that Microsoft's minimum system requirements (and often, the recommended requirements as well) are woefully inadequate for all but the most casual serving duties. Based on price and performance considerations as of this writing, I recommend the following specifications for any Windows Server 2003 version available through traditional channels. I'll refer to these as the "realistic minimums" from this point on in the book.
Additional content appearing in this section has been removed.
Assessing the Release
Two camps of people and their organizations will find compelling reasons to upgrade to Windows Server 2003:
Those still running a version of Windows NT.
The official Microsoft decree of end of life for NT Workstation 4.0 was on July 1, 2003, well before this book was published. NT Server 4.0 has an end of life for January 2005, but it's really not a good idea to continue to bet your company's IT assets and policy on a moribund operating system. Windows Server 2003 provides a good jump, and it's a stable jump, too. A new server version of Windows will not be released at current estimates for at least five years, and more likely six or seven. Upgrading now makes sense if you're running NT.
Those with current Microsoft Select or Open License agreements, which allow them to upgrade to the latest release at no additional cost.
If there's no fee or additional monetary outlay for your upgrade, you can get the benefit of Windows Server 2003 for little cost. Windows Server 2003 requires about the same hardware as Windows 2000 Server, so if you're currently on that level, you can keep the machines you already have and enjoy the fit, finish, and new features Windows Server 2003 offers you.
If you are not a member of either group, the value of upgrading to Windows Server 2003 is less clear. Traditionally, Microsoft operating system upgrades offered at least somewhat compelling reasons to move to the newest edition: improved user interfaces, performance improvements, the migration from 16- to 32-bit, and so on. That's not as much the case anymore, at least until the next paradigm shift at Microsoft, which won't be for a few years.
For most corporations, it's a question of timing. Consider that the next radically different revision of Windows, codenamed Longhorn, is three years away on the desktop and four to five years away on the server. So, whatever you choose, you have a while to live with it. For others, it's a question of finances: if you can't afford to upgrade to Windows Server 2003, you are not missing much. If you are satisfied with Windows 2000, nothing in Windows Server 2003 is absolutely mandatory. If you're on NT, however, it's time to move to Windows Server 2003. (Although I am familiar with several IT shops that have done so, it doesn't make practical sense to go to Windows 2000 from NT at this point.)
Additional content appearing in this section has been removed.
Chapter 2: Installation and Deployment
Now that you've been thoroughly introduced to what's new, what's hot, and what's not in Windows Server 2003, the time has come to install the operating system on your machines. Installing Windows Server 2003 is easy: the fun comes in configuring and customizing the operating system. I begin this chapter by covering the installation options and how you can install the operating system using a CD-ROM. Then I devote a large part of this chapter to unattended installations, automated deployment, and batch machine imaging because you can gain a significant time savings by letting your computer handle as many of the tedious installation tasks as possible. Let's jump in and get started.
Additional content appearing in this section has been removed.
Preparing to Install Windows Server 2003
As with any operating system, Windows Server 2003 comes with optional components that add or extend functionality in addition to the components that are required for everyday use. In this section, I'll outline these optional components, explain their function, and guide you as to whether you should install them.
Additional content appearing in this section has been removed.
Choosing Windows Components
An unwritten rule of system administration is to never install any components unless they are required. Although that might seem moronic at first, the point to take is that systems that operate only with the components required for their daily work are far easier to manage. There's less to go wrong, less to secure, and less to administer. Microsoft has embraced this maxim in a lukewarm sort of way by eliminating the ability to customize components (including adding them) at the time of a standard installation. You can add and remove Windows components only after installation is complete. (I'll cover ways around that limitation later in this chapter, but for now, note that you can't customize an installation while that installation is in progress.)
However, even before you install the operating system, you should spend some time looking over the components to figure out which ones you need, using as a guide Table 2-1, which lists the components available for installation onto machines with Windows Server 2003 loaded.
Table 2-1: Windows Server 2003 installation components

Option                  Purpose
----------------------  ----------------------------------------------------------------
Accessories/Utilities   Compilation of small application software such as WordPad and Paint.
Certificate Authority   Secure authentication support for email, web-site access, smart cards,
                        and LDAP directory services (among others) using X.509 certificates.
Cluster Services        Provides for real-time failover in the event that one or more servers
                        in a group stops working (EE and DE editions only).
Additional content appearing in this section has been removed.
Installing Windows Server 2003
It's a fairly effortless procedure to install Windows Server 2003 onto new systems. Here are the steps:
  1. Turn the system power on and insert the Windows Server 2003 CD into the drive. If you receive a prompt to select from what location to boot, choose the option to boot off the CD. The system will boot a minimal, text-only version of Windows Server 2003 into main memory and begin the initial installation procedure. Figure 2-1 shows the beginning of this phase.
    Figure 2-1: The character-based Setup process
  2. The Welcome to Windows Setup screen will appear. Press Enter to continue.
  3. Read the terms of the license agreement. If you accept (which, of course, you have to do to continue installation), press F8 to continue.
  4. A screen listing your current disk partitions will appear. You can simply move around the menu and select an existing partition on which to install by pressing the arrow keys and then Enter to confirm your selection. You also can delete partitions (be sure you have backed up first!) by selecting the partition and pressing the D key. Lastly, you can create a new partition by selecting the Unpartitioned space selection in the menu and then pressing the C key. Figure 2-2 shows the disk partitioning screen.
    Figure 2-2: The disk partitioning screen
  5. Choose the best option for you, and then press the appropriate key.
  6. You'll now be prompted to choose a filesystem. Select the filesystem with which you want the partition formatted and press Enter to start the format. The formatting process can take up to one hour to complete, depending on your drive's size and speed, and then large amounts of files will be copied to the newly formatted partition. Now's a good time to catch up on your email backlog or to take a coffee break.
  7. Once the format and file copy processes are complete, the system will reboot, and the next portion of the installation will commence in graphical mode. The process starts with the Regional Settings screen, which pops up soon after the reboot. On this screen, you can change the language, locale, and keyboard settings depending on your geographical location. Click Next to continue.
Additional content appearing in this section has been removed.
Upgrading Previous and Existing Installations
Most organizations and businesses have extensive investments in previous versions of server operating systems. In this section, I'll cover issues you'll run into when upgrading from Windows NT and Windows 2000 to Windows Server 2003.
A lot of companies are jumping the sinking NT ship—end of life for the NT Workstation product was mid-2003 and NT Server's death is fast approaching as well—and so it's highly possible you have some machines running NT that are worth upgrading. It's remarkably easy to upgrade any type of Windows NT installation—be it a primary domain controller (PDC), a backup domain controller (BDC), or a regular member server—to Windows Server 2003. Microsoft has taken great pains to ensure the upgrade to Windows Server 2003 is as painless as possible. The installation procedure follows a clean install reasonably closely, and in fact requires less hands-on work. The program doesn't prompt you at all after the inception of the installation, and at the beginning, you're asked only for the CD Key and to acknowledge any compatibility issues.
NT upgraders should, however, note the following points:
  • The Windows NT installation must be running Service Pack 5 or greater. You can download the most recent update, Service Pack 6a, from http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp. Other acceptable Windows NT versions include NT Terminal Server Edition with SP5 or later, and NT Server Enterprise Edition, also with SP5 or later.
  • Little to no reconfiguration is required with an upgrade installation because existing users, settings, groups, rights, and permissions are saved and automatically applied during the upgrade process. You also don't need to remove files or reinstall applications with an operating system version upgrade.
  • Before the upgrade, you should evaluate the hardware on which Windows Server 2003 will run. Does it require an upgrade based on the minimum or recommended hardware requirements covered in Chapter 1 (Table 1-1)?
Additional content appearing in this section has been removed.
Troubleshooting an Installation
Although the vast majority of the time Windows Server 2003 will install without a hitch, some issues (a piece of malfunctioning hardware, a power failure during installation, or a faulty download of a dynamic update) can cause the installation process to fail. Luckily, you can recover from a bugged-out installation in at least two ways: starting over or using the Recovery Console.
Sometimes it can be easier to cut your losses and restart an installation from the beginning, particularly if an error early in the process is preventing you from proceeding. The installation process changes three things on your drive, all of which you need to reverse to restart the installation (unless, of course, you want to format the hard drive and therefore aren't concerned with data loss):
  • Setup constructs the $win_nt$.~bt directory to store the boot files that start the phases of Setup after the initial reboot. Remove this directory.
  • Setup adds a line such as this to your boot.ini file and points the default= entry in the [boot loader] section at it:
    Multi(0)disk(0)rdisk(0)partition(2)\$win_nt$.~bt="Microsoft Windows Server 2003 Setup"
    Remove this line as well, and set default= back to the entry for your existing installation; otherwise the next boot will try to start the Setup files you just deleted.
  • Setup creates the $win_nt$.~ls directory and copies all files to the system in this directory to have data to work with if it cannot access the setup CD. Remove this as well, if it exists. (Some installation scenarios don't require its creation, such as ones initiated from a network share or a hard disk and not on a CD.)
At this point, no traces of the previous setup attempt remain on the machine, and you are free to restart the installation process.
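The boot.ini part of that cleanup is the step most easily botched by hand, so here is an added example (written for this page, not taken from the book) of doing it mechanically: remove_setup_entry() drops the Setup entry from [operating systems], repoints default= to the first surviving entry if it pointed at the Setup one, and refuses to produce a boot.ini with no bootable entry at all. The sample boot.ini, its partition numbers and its descriptions are constructed. undo_failed_setup() applies the same change on a live system and also removes the two Setup directories; it clears the read-only, system and hidden attributes boot.ini carries before writing and restores them afterwards, keeping a .bak copy.

```python
"""Undo a failed Windows Server 2003 Setup attempt: remove the Setup
directories and the boot.ini entry (added example; not from the book)."""

import os
import shutil
import subprocess

SETUP_DIR = "$win_nt$.~bt"    # boot files for the post-reboot Setup phases
STAGING_DIR = "$win_nt$.~ls"  # local copy of the CD's files, when Setup made one

# Constructed sample: boot.ini as Setup leaves it on a machine that already
# had Windows 2000 on partition 1 and was installing 2003 onto partition 2.
BOOT_INI_SAMPLE = """\
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(2)\\$win_nt$.~bt
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\$win_nt$.~bt="Microsoft Windows Server 2003 Setup"
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Microsoft Windows 2000 Server" /fastdetect
"""


def remove_setup_entry(text):
    """Return boot.ini text without the Setup entry, repointing default= if needed."""
    out, remaining, removed = [], [], set()
    section, default_at = None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
        elif section == "[operating systems]" and "=" in s:
            arc = s.split("=", 1)[0].strip()          # ARC path left of the '='
            if arc.lower().endswith("\\" + SETUP_DIR):
                removed.add(arc.lower())
                continue                              # drop the Setup entry
            remaining.append(arc)
        elif section == "[boot loader]" and s.lower().startswith("default="):
            default_at = len(out)
        out.append(line)
    if not remaining:
        raise ValueError("no bootable entry would remain; refusing to write boot.ini")
    if default_at is not None:
        current = out[default_at].split("=", 1)[1].strip().lower()
        if current in removed:
            out[default_at] = "default=" + remaining[0]
    return "\n".join(out) + "\n"


def undo_failed_setup(system_drive="C:\\"):
    """Remove the Setup directories and fix boot.ini on a live system."""
    for name in (SETUP_DIR, STAGING_DIR):
        path = os.path.join(system_drive, name)
        if os.path.isdir(path):
            shutil.rmtree(path)
    boot_ini = os.path.join(system_drive, "boot.ini")
    with open(boot_ini, "r") as fh:
        original = fh.read()
    cleaned = remove_setup_entry(original)
    # boot.ini is read-only, system and hidden; a write through those
    # attributes fails, so clear them first and put them back afterwards.
    subprocess.run(["attrib", "-r", "-s", "-h", boot_ini], check=True)
    with open(boot_ini + ".bak", "w", newline="") as fh:
        fh.write(original)
    with open(boot_ini, "w", newline="\r\n") as fh:   # NTLDR expects CRLF
        fh.write(cleaned)
    subprocess.run(["attrib", "+r", "+s", "+h", boot_ini], check=True)


if __name__ == "__main__":
    print(remove_setup_entry(BOOT_INI_SAMPLE), end="")
```

Python is not on a Windows Server 2003 box by default; the logic is what matters, and the file itself is short enough to edit in Notepad once you have run attrib -r -s -h c:\boot.ini. The refusal when no entry survives is the check worth keeping in any version of this: a boot.ini whose only entry was the Setup one belongs to a machine that had no previous installation, and there the right move is to reformat and start over.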
For dealing with serious installation problems that don't allow you into the standard graphical interface, or for a once-functional installation that seems to have failed, Microsoft provides a tool that might help you rescue a system from the jaws of certain death. Available since Windows 2000, the Recovery Console is a text-based operating system extension that allows you direct access to the disk on which Windows Server 2003 is installed, and similar access to key configuration files and data. It also provides a convenient way around DOS's inability to read NTFS-formatted drives, which is an issue any administrator with troubleshooting experience has come up against.
Additional content appearing in this section has been removed.
Running an Unattended Installation
Unless you have only two or three servers, it's likely that you tire fairly quickly of being a high-paid installation babysitter, shoving disks and CD-ROMs in and out of machines while telling them all what country you live in. For all but the smallest of Windows shops, it is a good idea to use the Windows unattended installation feature—that is, installations run by files constructed by an administrator ahead of time that answer all of Setup's questions. This will save you time and make deploying and rolling out the operating system less tedious.
You can automate Windows installations using one of three main methods. The first is through the use of unattended installation scripts, which are simple to configure and use but lack some flexibility in deploying to machines that are configured with different hardware. Scripts are best when you have a uniform hardware base.
The second method is through the use of Remote Installation Services (RIS), a very useful feature that enables you to boot from the network and install Windows without any sort of distribution media. With this method, you have a lot of upfront configuration, but on the other hand, you can deploy to nearly any base of hardware, and you can customize certain aspects of the user experience during the installation, too. RIS is most appropriate when you have a diverse hardware base, plenty of network bandwidth, and computers that can boot from the network.
The third and final method to use unattended installations is through the deployment of system images. It requires quite a bit of upfront installation, but it's a great timesaver when you need a computer redeployed and reformatted in less than 30 minutes.
Let's discuss each method.
Perhaps the simplest method of automating a Windows Server 2003 deployment is to use scripts, or more specifically, unattended setup answer files. These files use a syntax not unlike that found in Windows 3.1 INI files, providing answers for questions such as computer name, your CD key, your name, where you live, and the like.
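An answer file is the one place in a deployment where an Administrator password is written down in advance, and the file usually lives on a distribution share that every client can read. The following is an added example, written for this page and not taken from the book or from Microsoft, of a small audit to run before such a file is published: it parses a constructed winnt.sif in the INI-like syntax just described and reports the settings that hand out credentials or leave the new server exposed, with a weak version beside a hardened one. The sample files, the account names and the product key placeholder are invented; the key names ([GuiUnattended] AdminPassword, EncryptedAdminPassword, AutoLogon, AutoLogonCount, and [Identification] DomainAdmin and DomainAdminPassword) are the real answer-file keys.

```python
"""Audit a Windows Server 2003 unattended-setup answer file for settings
that leak credentials or leave the box exposed (added example; not from
the book). Sample files below are constructed."""

# Constructed sample: what a hastily generated winnt.sif tends to contain.
WEAK_SIF = """\
;SetupMgrTag
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
TargetPath=\\WINDOWS

[GuiUnattended]
AdminPassword="Summer2004!"
EncryptedAdminPassword=No
AutoLogon=Yes
AutoLogonCount=1
TimeZone=20

[UserData]
ProductKey="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
FullName="IT Department"
OrgName="Example Corp"
ComputerName=FS01

[Identification]
JoinDomain=CORP
DomainAdmin=Administrator
DomainAdminPassword="Summer2004!"
"""

# Constructed sample: the same deployment with the three problems addressed.
# svc-domainjoin is an assumed account delegated only the right to join
# computers to the domain; the AdminPassword value stands in for the hash
# Setup Manager writes when you choose to encrypt the password.
HARDENED_SIF = """\
;SetupMgrTag
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
TargetPath=\\WINDOWS

[GuiUnattended]
AdminPassword=HASH-WRITTEN-BY-SETUP-MANAGER
EncryptedAdminPassword=Yes
AutoLogon=No
TimeZone=20

[UserData]
ProductKey="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
FullName="IT Department"
OrgName="Example Corp"
ComputerName=FS01

[Identification]
JoinDomain=CORP
DomainAdmin=svc-domainjoin
DomainAdminPassword="j0in-0nly-acc0unt"
"""


def parse_answer_file(text):
    """Parse the INI-like file into {section: {key: value}}; keys lowercased, quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # ; introduces a comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def audit_answer_file(text):
    """Return (severity, message) pairs for risky settings, in file order."""
    cfg = parse_answer_file(text)
    gui = cfg.get("guiunattended", {})
    ident = cfg.get("identification", {})
    findings = []
    pw = gui.get("adminpassword")
    if pw == "*":
        findings.append(("high", "[GuiUnattended] AdminPassword=* gives the local "
                         "Administrator account a blank password"))
    elif pw and gui.get("encryptedadminpassword", "no").lower() != "yes":
        findings.append(("high", "[GuiUnattended] AdminPassword is in clear text; set "
                         "EncryptedAdminPassword=Yes and let Setup Manager write the hashed "
                         "value (still a password-equivalent, so restrict the share ACL)"))
    if gui.get("autologon", "no").lower() == "yes" and gui.get("autologoncount", "1") != "0":
        findings.append(("high", "[GuiUnattended] AutoLogon=Yes leaves the new server logged "
                         "on as Administrator after Setup; drop it unless a post-install "
                         "script needs it, and keep AutoLogonCount at 1"))
    if ident.get("domainadminpassword"):
        who = ident.get("domainadmin", "")
        sev = "high" if who.lower() in ("administrator", "") else "medium"
        findings.append((sev, f"[Identification] DomainAdminPassword for '{who or '?'}' is "
                         "readable by everyone who can read this file; use an account "
                         "delegated only the right to join computers, restrict the share, "
                         "and delete the file once deployment is done"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SIF), ("hardened", HARDENED_SIF)):
        print(label)
        for sev, msg in audit_answer_file(text):
            print(f"  {sev}: {msg}")
```

The hardened file still produces one finding, and that is deliberate: a domain-join account's password has to be in the file for the join to happen, so the residual control is who can read the share and how quickly the file is removed, not the file's contents.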
Additional content appearing in this section has been removed.
Chapter 3: File and Print Services
One of Windows Server 2003's primary functions within a typical organization is to serve files and connect multiple machines to a smaller number of printers. Windows Server 2003 enables you to create any number of shared folders that contain documents and programs your users can access via such methods as Windows Explorer, Network Neighborhood, or mapped drives. The operating system also enables you to create a hierarchy of shared folders stored across multiple machines that can appear to end users as though they're stored on a single server.
Print services are simple to configure and manage. Windows Server 2003 enables you to share a printer connected either physically to the server, or to a print server device that is attached directly to the network. It also can host drivers for multiple operating systems and automatically distribute the correct drivers to client systems.
You'll need to be familiar with the following terminology to get the most from this chapter. Feel free to skip to the next section if you've been working with Windows for a while.
Disk
A disk is the actual, physical hard disk within the machine.
Drive
A drive is a logical object formatted for use with Windows. This can be either an entire physical disk or a partition.
Partition
A partition is a portion of a physical disk that can be used with volumes.
Volume
A volume is either a drive or a partition within Windows—it's a common term for both.
In this chapter, I'll discuss in depth all the file and print services Windows Server 2003 provides.
Additional content appearing in this section has been removed.
New File and Print Server Features
Several new features have been added to Windows Server 2003 to enable faster, more seamless access to file and print services on your network. Although the infrastructure of the file and print systems has not been completely redesigned, it certainly has been modified to provide for ease-of-use enhancements, increased data integrity, automatic and assisted backup, and other key features, including the following.
Enhanced Distributed File System (Dfs)
Dfs is a feature, introduced in Windows NT but refined in Windows 2000, which permits an administrator to create one logical filesystem layout despite the fact that shares can be scattered across the network on different servers. This makes it easier for clients to find and store files consistently, and it allows for better equipment utilization. Windows Server 2003 adds the ability for a server to host multiple Dfs roots, which are "starting" points for a hierarchy of shared folders. As well, a Windows Server 2003 server can use Active Directory site topology to route Dfs requests from clients to the closest available server, increasing response time. The brother to Dfs, the File Replication Service (FRS), also is improved in that it's more resilient to transient network errors. Those of you using RoboCopy might find that FRS fulfills that need now.
Enhanced Encrypting File System (EFS)
Native encryption abilities are built into the NTFS filesystem used in this release of Windows. By simply checking a checkbox in the Properties sheet for a file, you can easily encrypt and decrypt files and folders to protect their confidentiality: EFS keeps data at rest unreadable to anyone without the user's key, though it does not detect tampering. This feature is particularly useful for mobile computers, which have a greater risk of data loss and capture than traditional corporate desktop machines.
Volume shadow copy
The volume shadow copy feature is perhaps one of the most beneficial additions to Windows Server. The server will take snapshots of files at specific periods during the day, thereby making available a library of previous versions of a file. If a user accidentally overwrites a file, saves an incorrect version, or somehow destroys the primary copy, he can simply click Previous Versions in the Explorer view of the folder and access a shadow copy version.
Additional content appearing in this section has been removed.
Setting Up File Sharing Services
To configure a machine as a file server, open the Manage Your Server Wizard from the Start menu. Adding a file server role to a machine involves the following tasks.
Configuring the machine as a file server
This process involves turning on file sharing and creating the first shared folder. Windows also creates a few of its own shares by default, which I'll discuss in more detail as the chapter progresses.
Establishing disk space limits by enabling disk quotas, if necessary
Disk quotas are a simple way to limit and control the amount of disk space your users take up with their data. Quotas monitor and limit a user's disk space on a per-partition or per-volume basis; quotas do not stretch across multiple disks. The wizard can configure Windows to apply default quota settings that you select to any new users of any NTFS filesystem. This is not required to set up file sharing services, but you might find the feature useful.
Turning on the Indexing Service, if necessary
The Indexing Service reads the contents of most files on the server and makes a catalog of their contents for easy search and retrieval at later points in time. Because the user interface for the Manage Your Server Wizard presents this option, I mention it here, but I cover it in detail in Chapter 13.
Installing the File Server Management MMC console
This console snap-in provides an easy way to create, modify, edit, and generally administer shared folders, and I'll talk about it in this chapter.
Creating shared folders and setting share permissions for each folder
Finally, you'll want to create the shared folders and apply permissions to them. After all, that's why you started the process, right?
Additional content appearing in this section has been removed.
NTFS File and Folder Permissions
Setting them is one of the most dreaded and tedious tasks of system administration, but file- and folder-level permissions are what stand between your data and unauthorized use on your network. If you have ever worked with Unix permissions, you know the drill: chmod commands with octal numbers that represent bits in a permission mask, and it's easy to get lost. Windows Server 2003, on the other hand, provides a remarkably rich set of permissions, far finer-grained than the traditional owner/group/other model of most Unix and Linux systems. Few would dispute that permissions are easier to set in Windows than in most other operating systems. That's not to say, however, that Windows permissions are a cinch to grasp; there's quite a bit to them.
Windows supports two different views of permissions: standard and special. Standard permissions (Full Control, Modify, Read & Execute, and so on) are often sufficient for files and folders on a disk, whereas special permissions break the standard ones down into finer combinations and give you more control over who may do what to files and folders (called objects) on a disk. Each entry can allow or deny, and Windows evaluates explicit Deny entries before explicit Allow entries, so a single Deny of one special permission can carve an exception out of a broad standard grant. Coupled with Active Directory groups, Windows Server 2003 permissions are particularly powerful for dynamic management of access to resources by people other than the system administrator; a change in group membership, for example, takes effect without touching a single ACL. (You'll meet this feature of Active Directory, called delegation, in Chapter 5.)
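As an added example (not code from the book), here is how the standard/special distinction looks from PowerShell: a standard Modify grant for one group, and for another group the same grant with a special-permission Deny of Delete layered on top, followed by a check of what the ACL now contains. The folder path and the group names are assumptions.

```powershell
# Added example, not from the book. Folder path and group names are assumptions.
$folder = "D:\Shares\Contracts"
$acl = Get-Acl -Path $folder

# Entries inherit to subfolders and files alike.
$inherit   = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace([string]$identity, [string]$rights, [string]$type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, $rights, $inherit, $propagate, $type
}

# Standard permission: Legal gets Modify (read, execute, write, delete).
$acl.AddAccessRule((New-Ace "HASSELLTECH\Legal" "Modify" "Allow"))

# Interns also get Modify, but a special-permission Deny takes Delete away.
# Deny entries are evaluated before Allow entries; denying "Delete
# Subfolders and Files" as well closes the other route to deleting a child.
$acl.AddAccessRule((New-Ace "HASSELLTECH\Interns" "Modify" "Allow"))
$acl.AddAccessRule((New-Ace "HASSELLTECH\Interns" "Delete, DeleteSubdirectoriesAndFiles" "Deny"))

# Stop inheriting from the parent (keeping copies of the inherited entries) so
# a broad grant higher up the tree cannot quietly widen access to this share.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# Verify, and flag anything still granted to Everyone or Users.
$entries = (Get-Acl -Path $folder).Access
$entries | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
$entries |
    Where-Object { $_.AccessControlType -eq "Allow" -and
                   $_.IdentityReference -match "^(Everyone|BUILTIN\\Users)$" } |
    ForEach-Object { Write-Warning "Broad grant: $($_.IdentityReference) $($_.FileSystemRights)" }
```

Run it as an administrator on the file server. The Deny entry is the part worth studying: it is the only way to express "Modify, but no deleting" without hand-picking a dozen special permissions, and it works precisely because of the Deny-before-Allow evaluation order.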
Table 3-1 describes the standard permissions available in Windows.
Table 3-1: Windows Server 2003 standard permissions
Type
Description
Limiting Use of Disk Space with Quotas
Windows 2000 first introduced the quota feature, allowing an administrator to define a limit or set of limits on the consumption of disk space by individual users. Windows quota support, up until Windows 2000, was available only through third-party software, which was typically very expensive.
Windows Server 2003's quota management features some interesting properties:
  • Windows Server 2003 can distinguish between volumes, so you can set different quotas on different volumes to, perhaps, segregate types of data, or offer a specific volume for one department's exclusive use.
  • Quotas apply to a user however he reaches the volume, including through mapped drives, as long as the physical volume is NTFS and was created with Windows 2000 Server or Windows Server 2003, or was upgraded to either of those from Windows NT 4.0.
  • Windows Server 2003 does not allow grace writes, as do some third-party software programs. That is, some software allows a user to continue an operation—say, a file copy process—even if during the middle of that operation the quota is reached. Server 2003 does not allow this; it will cut off the operation when the quota is reached.
As usual, though, neat features always contain weak points. First, quotas are supported only on disks formatted with the NTFS filesystem. This isn't too surprising because most progressive filesystem features aren't available under the various flavors of FAT. Second, and perhaps more disturbing, due to an architectural limitation, filesystem-based quotas can be assigned only to individual users: NTFS charges each file to the SID of its owner, so a user's usage is the total size of the files he owns on the volume, and taking ownership of a file moves its size to the new owner's total. This creates quite a headache, as most other network operating systems allow you to set a default quota based on group membership. In this manner, all normal users could have 500MB, power users and executives could have 1.5GB, and administrators could have unrestricted space. Alternatively, payroll users could have 250MB while the sales team, with their myriad PowerPoint presentations, might need 1GB apiece. Alas, Windows Server doesn't support this, but later in this section I'll show you a problematic but workable way around this limitation. And third, Windows Server 2003 doesn't provide any sort of messaging mechanism when users exceed their quota. The OS simply writes an event to the System event log (source Ntfs), and although you can filter through these events via either the GUI or the command line as described later, it still requires manual labor on your part. This certainly could be improved in future revisions.
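The following is an added example, not the book's own workaround: it enumerates the members of each group through ADSI and sets a per-user quota for every member with fsutil, then pulls the quota events NTFS wrote to the System log. The domain, the group distinguished names, the volume, and the sizes are assumptions, and it does not expand nested groups, which is one reason this approach is "problematic": it has to be re-run whenever membership changes.

```powershell
# Added example, not the book's workaround. Domain, group DNs, volume and
# sizes are assumptions; nested groups are not expanded. Run as administrator.
$volume = "D:"
$domain = "HASSELLTECH"
$policy = @{
    "CN=Payroll,OU=Groups,DC=hasselltech,DC=net" = @(200MB, 250MB)   # threshold, limit
    "CN=Sales,OU=Groups,DC=hasselltech,DC=net"   = @(900MB, 1GB)
}

# Switch the volume from merely tracking usage to enforcing limits
# (fsutil.exe ships with Windows Server 2003).
& fsutil quota enforce $volume

foreach ($groupDn in $policy.Keys) {
    $threshold, $limit = $policy[$groupDn]
    $group = [ADSI]"LDAP://$groupDn"
    foreach ($memberDn in $group.psbase.Properties["member"]) {
        $user = [ADSI]"LDAP://$memberDn"
        $account = "$domain\" + $user.psbase.Properties["sAMAccountName"].Value
        # fsutil quota modify <volume> <threshold bytes> <limit bytes> <domain\user>
        & fsutil quota modify $volume $threshold $limit $account
    }
}

# What NTFS now has on record for the volume, then the quota events it
# logged (the "messaging mechanism" you otherwise have to go looking for).
& fsutil quota query $volume
Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.Source -eq "Ntfs" -and $_.Message -match "quota" } |
    Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
```

Schedule it to run nightly if you rely on it; a user moved from Payroll to Sales keeps the Payroll limit until the script next runs, and a user in both groups ends up with whichever group the hashtable happened to enumerate last.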
Using Offline Files and Folders
Offline Files and Folders is a neat feature, first offered in Windows 2000 Professional, that synchronizes files and folders when you connect to and disconnect from the network. Similar to the Windows 95 Briefcase, except much more versatile and automated, Offline Files and Folders caches a copy of selected files and folders on the computer's hard drive. When that computer becomes disconnected from the network for any reason, Windows intercepts requests for files and folders inside the cache and serves them from it. The end user can still open, save, delete, and rename files on network shares because Windows lets him believe everything is still on the network rather than in the cache. Windows records all changes, and the next time an appropriate network connection is detected, the changes are uploaded and the cache and the actual network file store are synchronized. Bear in mind that the cache is a plaintext copy of those files on the local disk, with the same exposure as any other local data if the machine is lost; Windows XP can protect it with EFS through the "Encrypt offline files to secure data" option on the Offline Files tab of Folder Options.
What happens when a common network share—call it Contracts—is modified by two different users while they're offline? In this instance, it's really a case of who gets connected first. User A will synchronize with the network, and his modified version of the file will be the one now stored live on the network volume. When User B attempts to synchronize, Windows will prompt him to choose whether to keep the existing version (the one that User A modified) or to overwrite it with the one that User B has worked on.
This has obvious advantages for mobile users. In fact, as I write this, I am sitting at a rest stop on Interstate 20 outside Augusta, Georgia, taking an extended break from a road trip. To open this file, I navigated through Windows Explorer to my regular network storage location for this book and its assorted files. I noticed no difference between being in my office and being in this car right now, at least as far as Windows' interface to the network was concerned. However, tomorrow, when I am back in my office, I will plug the Ethernet cable into my laptop, and Windows will synchronize any files I modified in that folder with the files on my servers in the office. Using this feature, I always have the latest file with me wherever I am, be it in the office or on the road, and I don't really have to consciously think about it. But there's also a plus side that you might not have considered: if you enable Offline Files on regular desktop machines, not just mobile laptops, you create a poor man's fault-tolerant network. (The price is bandwidth.) That is, when the network connection disappears, Windows doesn't care if you are using a big mini-tower system or an ultra-thin notebook. So, your desktop users still can safely and happily use network resources, even if the network has disappeared, and you as the administrator can rest assured in knowing whatever the users do will be updated safely on the network when it reappears. Now, of course, this is no substitute for a well-planned network with quality components, but in a pinch, offline folders do well to reduce user panic and wasted help-desk calls.
Using Shadow Copies
Shadow copies are a new technology within Windows products that enables a server to take snapshots of documents on a disk to record their states at certain points in time. If a user accidentally deletes or otherwise overwrites a file, he can open a version the server saved earlier in time, thereby eliminating the need for him to either re-create his work or contact the help desk to get them to restore the file from the most recent backup. When shadow copies are enabled on a disk, clients connecting to a share on that disk will be able to view and access previous point-in-time copies of either individual files or entire directories.
Further benefits lurk beneath the surface of this feature, however. The service behind shadow copies, called the Volume Shadow Copy Service (VSS), actually is responsible for a newly developed application programming interface (API) that allows server-based applications such as Exchange, SQL, and backup programs to take advantage of the benefits of shadow copies. Perhaps the most famous example is a backup that skips open files, either because they are currently open by a user or because they are locked by another process. In the past, this resulted in incomplete backups, either because the backup process halted in midstream because of this unrecoverable error, or because the process skipped the open file. If the open file is, say, your Exchange email database, that's not necessarily a good thing. But now, with volume shadow copies, the backup application can simply use an API to take a snapshot of any open files and back up that snapshot. Now you have an instant backup of a database at any point in time, with no interruption in availability to the user. This is a very nice feature.
You definitely can take advantage of shadow copies in the user realm as well. Part of the volume shadow copy service is a piece of client software, the Shadow Copies of Shared Folders client, that can be pushed out to any computer in your domain through Group Policy. (The installer is located on the Windows Server 2003 CD and can also be downloaded from Microsoft's web site.) Once the user has this client, Windows adds a Previous Versions tab to the Properties sheet of any file or folder on a share whose volume has shadow copies enabled. This is shown in Figure 3-13. Note that a snapshot carries the permissions the files had when it was taken, so a user sees in Previous Versions only what he was allowed to read at that moment.
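As an added example (not the book's procedure), this is the command-line equivalent of the Shadow Copies tab: reserve diff-area storage on a second volume, take a client-accessible snapshot immediately, schedule two more per day, and list what exists. The drive letters are assumptions; vssadmin, schtasks, and the Win32_ShadowCopy WMI class all ship with Windows Server 2003.

```powershell
# Added example, not from the book. D: is the data volume and E: the volume
# holding the diff area; both are assumptions. Run as an administrator.
$dataVolume  = "D:"
$storeVolume = "E:"

# Put the diff area on another spindle and cap it; without a cap, heavy
# churn on D: can push the oldest snapshots out sooner than you expect.
& vssadmin add shadowstorage /for=$dataVolume /on=$storeVolume /maxsize=10GB

# Take a snapshot now. "ClientAccessible" is the context the Previous
# Versions client reads; other contexts are for backup applications.
function New-ClientShadowCopy([string]$volume) {
    $vss = [wmiclass]"Win32_ShadowCopy"
    $result = $vss.Create("$volume\", "ClientAccessible")
    if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed: $($result.ReturnValue)" }
    return $result.ShadowID
}
New-ClientShadowCopy $dataVolume

# The GUI schedules a comparable task; two snapshots a day is its default.
& schtasks /create /tn "ShadowCopy-D-0700" /sc daily /st 07:00 /ru SYSTEM /tr "vssadmin create shadow /for=$dataVolume"
& schtasks /create /tn "ShadowCopy-D-1200" /sc daily /st 12:00 /ru SYSTEM /tr "vssadmin create shadow /for=$dataVolume"

# Inventory of snapshots with the time each was taken.
Get-WmiObject Win32_ShadowCopy |
    Select-Object ID, VolumeName, @{n = "Created"; e = { $_.ConvertToDateTime($_.InstallDate) }} |
    Format-Table -AutoSize
```

Remember that a snapshot is not a backup: it lives on the same server, and deleting the shadow storage (or a failed disk) takes every previous version with it.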
Backing Up Your Machines
The oft-neglected process of backing up your machines and the critical data they contain is perhaps the most effective insurance policy you can take out for your business. It's like exercise: although nearly everyone knows that it's an excellent idea and vital to health, not everyone does it. Fortunately, Server 2003 includes a backup utility in the box, Backup, that performs this function at a basic level. This section will discuss how to use the GUI frontend and how to access the same features from the command line using the core NTBACKUP program for enhanced automation possibilities.
NTBACKUP can perform several different types of backups. The distinction between them comes down to which files are selected and whether the backup clears each file's archive attribute afterward ("marks the file as backed up"):
Copy
Copies all selected files but does not clear the archive attribute. Copy backups can therefore be taken at any time, completely independently of other backup procedures, without disturbing their sets.
Daily
A daily backup backs up all selected files that were modified on the day the backup runs. The archive attribute is not cleared.
Differential
A differential backup copies files created or modified since the last normal or incremental backup. It does not clear the archive attribute, so each differential grows until the next normal backup. To restore completely, you need the last normal backup (covered later) plus only the most recent differential.
Incremental
An incremental backup backs up files created or modified since the last normal or the last incremental backup, and it does clear the archive attribute. To restore completely, you need the last normal backup (covered next) plus every incremental taken since it, applied in order.
Normal
A normal backup (sometimes called a full backup) copies all selected files and clears the archive attribute on each. You create these to start a backup scheme, and they're used in conjunction with differential and/or incremental backups, depending on what you choose. Normal backups can be used independently; they don't require another accompanying set.
Using the Encrypting File System
Windows 2000 introduced the Encrypting File System (EFS), a way to scramble the contents of documents, other files, and even programs so that they become unreadable by anyone who does not hold a key for them: the user who encrypted them, anyone that user has authorized, and the designated recovery agent. Although EFS has merits in environments consisting of corporate desktop computers, the real boon is for laptops: because theft of laptops has been on the rise for almost a decade, there is a real risk in storing sensitive information on these mobile systems. If a laptop from a research and development representative were to fall into a competitor's hands, the cost of that loss would far exceed the retail price of a new laptop; indeed, the damage would be almost immeasurable. So, EFS is definitely an asset.
How does EFS appear to the end user? It's nearly transparent in operation, though not as much in presentation. When you encrypt a document, Windows doesn't attempt to hide the document's presence on the disk. In fact, in the default folder view encrypted names are shown in green (compressed ones in blue). The real transparency comes when you open the document. The process goes as follows: when a user chooses to encrypt a file, Windows generates a random symmetric file encryption key (FEK) for that file and encrypts the contents with it. The FEK is then itself encrypted with the public key from the user's EFS certificate and stored with the file. (The certificate and its key pair are generated the first time the user encrypts anything, if no EFS certificate has already been issued to him.) To decrypt the file, the FEK must first be decrypted, which requires the private key that corresponds to one of the public keys the FEK was wrapped with. These private keys are not stored in the SAM; they are held in a protected key store in the user's profile, ultimately guarded by the user's password. Other users can be authorized to open the file, which simply means the FEK is additionally wrapped with their public keys, and the same mechanism gives a designated recovery agent its own wrapped copy of the FEK, so check who the recovery agents are before relying on EFS. If the private key unwraps the FEK, the contents are decrypted transparently as the application reads them; if no usable key is present, the user is denied access and the object remains encrypted. The data on disk is never decrypted in place: plaintext exists only in memory while the file is open.
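As an added example (not the book's procedure), the following encrypts a folder with EFS, verifies the result by checking the file attribute rather than the colour in Explorer, and then lists the users and recovery agents whose public keys wrap the file's FEK. The folder path is an assumption and the sample file content is constructed.

```powershell
# Added example, not from the book. The path is an assumption and the file
# content is constructed; run as the user who should own the encrypted data.
$folder = "D:\Research"
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# Mark the folder and everything in it encrypted so new files inherit the
# flag. cipher.exe ships with Windows: /e encrypt, /a include files, /s: recurse.
& cipher /e /a "/s:$folder"

# The same operation from .NET for one file; the user's EFS certificate is
# generated on first use if none exists.
$file = Join-Path $folder "plan.txt"
Set-Content -Path $file -Value "constructed sample content"
[System.IO.File]::Encrypt($file)

# Check the Encrypted attribute instead of trusting the display colour.
function Test-EfsEncrypted([string]$path) {
    $attrs = (Get-Item -Path $path).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}
if (-not (Test-EfsEncrypted $file)) { throw "$file is not encrypted" }

# Who holds a wrapped copy of the file key: the users that may open it and,
# listed separately, the recovery agents. The second list is the one to audit.
& cipher /c $file

# To authorize a colleague, wrap the FEK with his EFS certificate by thumbprint.
# The hash below is a placeholder; take the real one from his certificate.
# & cipher /adduser /certhash:0000000000000000000000000000000000000000 $file
```

Two things to check after running it: that the user's EFS certificate (and the recovery agent's) is backed up with cipher /x or the Certificates MMC, since a reinstalled profile without it means the data is gone; and that the recovery agent list printed by cipher /c is what your policy intends.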
The Distributed File System
The Distributed File System (Dfs) is a technology that allows several distinct filesystems, potentially on multiple servers, to be mounted from one place and appear in one logical representation. The different shared folders, which likely reside on different drives in different server machines, can all be accessed from one folder, known as the root node. Link nodes serve to point from shared folder to shared folder to mimic a directory tree structure, which can be rearranged and altered according to a particular implementation's needs. Dfs also allows the clients to know only the name of the share point and not the name of the server on which it resides, a big boon when you field help-desk calls asking, "What server is my last budget proposal located on?"
Dfs root nodes come in two basic flavors: standalone root nodes, which store the folder topology information locally on the host server, and fault-tolerant (domain-based) root nodes, which store the topology in Active Directory and thereby replicate that information to every domain controller. With a domain-based root you can have several targets for the same link, so the same data is reachable under the same folder name no matter which server answers. You even can set up two share points to the same data on two different physical servers, because Dfs is intelligent enough to refer the requesting client to a target in its own Active Directory site when one exists, saving WAN traffic and packet travel time. Keep in mind that Dfs only publishes the namespace: keeping the two copies of the data identical is the File Replication Service's job, which you configure separately, and a replicated target is a convenience for availability, not a substitute for a backup. A domain-based root can itself be replicated by creating root targets on other servers in the domain, so the namespace stays available when the host server becomes unavailable; a standalone root has a single root target.
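As an added example (not the book's procedure), here is the namespace described above built from the command line with dfscmd, which ships with Windows Server 2003: a domain-based root with one link that has two targets on different servers and one link with a single target. The root is assumed to exist already; the domain, server, share, and link names are assumptions.

```powershell
# Added example, not from the book. The domain-based root \\hasselltech.net\Public
# is assumed to exist; server, share and link names are assumptions.
$root = "\\hasselltech.net\Public"

# One link, two targets: clients are referred to the target in their own
# Active Directory site first, and to the other if that one is down.
& dfscmd /map "$root\Budgets" "\\fs1\Budgets" "Budget proposals"
& dfscmd /add "$root\Budgets" "\\fs2\Budgets"

# A link with a single target: no redundancy, but users still never need to
# know that it lives on fs1.
& dfscmd /map "$root\Contracts" "\\fs1\Contracts" "Signed contracts"

# Show the namespace with every target. Keeping \\fs1\Budgets and
# \\fs2\Budgets identical is FRS's job and is configured separately.
& dfscmd /view $root /full
```

After this, the help-desk answer to "what server is my budget proposal on?" is simply \\hasselltech.net\Public\Budgets. Do remember that permissions are still enforced by the underlying shares and NTFS on fs1 and fs2, not by Dfs, so the two targets need matching ACLs or users will see different behaviour depending on which server they are referred to.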
First, let's look at some definitions used in Dfs. A Dfs root can exist either as a standalone entity or as a member of a domain. In either case, the root collects links to all shared paths in the network and publishes those links to users. The childlike
Understanding Print Sharing Services
Printers and printing services are areas of Windows Server 2003 that haven't changed very much in the migration from Windows 2000. Given that, let's take a brief look at the relevant terminology associated with printing services and how Windows treats printing in general.
To Windows, a printer is the machinery that actually puts ink or toner on a page; Microsoft's documentation calls this the print device. There also is such a thing as a logical printer, which is the interface between the physical printer and the software that is instructing it to print: the queue, the driver, and the settings attached to them, which is what Windows itself labels the printer. In everyday use the logical printer is often spoken of as the printer driver, although the driver is only one part of it.
Some important points to consider:
  • It is possible and practical in some instances to have multiple logical printers for every physical printer. I cover some of the scenarios in which such a configuration would be useful in this section.
  • Conversely, you can associate one logical printer with multiple physical printers, creating a "printer cluster" of sorts. The technical term for this is a printer pool, and it's most commonly used when print jobs need to be directed to the first available printer. I also discuss that a bit later in this part of the chapter.
  • Different types of drivers are available for use in Windows Server 2003. Version 2 (often called Level 2) drivers are older drivers written for Windows NT that run in kernel mode, so any instability in the driver can bring down the entire OS. Windows Server 2003 refuses to install kernel-mode printer drivers by default (the Group Policy setting "Disallow installation of printers using kernel-mode drivers" is enabled), so you are most likely to meet them on systems upgraded from NT. Version 3 (Level 3) drivers, which are newer and are meant for Windows 2000, XP, and Server 2003, run in user mode, which separates them from the kernel and isolates the damage if they crash.
There's also a feature introduced in Windows 2000 and retained in Windows Server 2003 known as Internet printing, which enables you to print directly to a printer over an intranet or the Internet using the Internet Printing Protocol (IPP) over HTTP. You do this either by using an Internet-enabled printer, which some of the more expensive printers are, or by using Windows Internet printing services, which run on top of IIS, so the authentication and hardening settings you apply to IIS govern the print site as well.
Chapter 4: Domain Name System
The Domain Name System (DNS) is a staple of the public Internet and is the name resolution system of choice for both large and small networks. DNS is a directory of IP addresses and their corresponding hostnames, much like a phonebook in functionality. However, DNS is more complex than a phonebook and it stores many types of mappings as well as information on services provided by servers on your network.
Whereas Windows NT relied on the Windows Internet Naming Service (WINS) for name resolution, Windows 2000 and Windows Server 2003 depend on DNS. In fact, DNS is required for anyone who wants to use Active Directory; DNS lies at the heart of Active Directory, and they're inseparable. WINS is obsolete if you have an Active Directory network with all machines running Windows 2000 or later and DNS-aware applications.
In this chapter, I'll discuss the fundamentals of DNS, its structure, and the various types of data it supports and requires, and then I'll proceed through installing and configuring a Windows DNS server and describe how you can integrate it with Active Directory.
Nuts and Bolts
Let's go through the basic building blocks of DNS first before we break into more advanced concepts. I'm going to provide you with a very fundamental, introductory look at DNS, and then in the following sections I'll break down each part with more detailed explanations and examples. Think of this as an abstract or executive summary, just so we're all on the same page before I move on to more technical topics.
The main premise of DNS is to provide name resolution services—that is, to resolve friendly textual hostnames to their associated IP addresses. DNS is the de facto standard for name resolution on the Internet and in modern networks that use TCP/IP as the transmission protocol. DNS is based on domains, which are simply textual names that refer to computers. There are top-level domains (TLDs), including some that are probably familiar to you: .COM, .NET, .ORG, and the like. There are also second-level domains, which are less inclusive and usually take the form of name.tld. For example, my domain is jonathanhassell.com. O'Reilly has a domain name of oreilly.com. CNN's domain is cnn.com.
Politically, there is an organization called ICANN, short for the Internet Corporation for Assigned Names and Numbers, which keeps track of all the top-level domains. This keeps utter confusion from breaking out, as it would if thousands upon thousands of top-level domains could be issued at will. Individuals and businesses are allowed to register second-level domain names beneath top-level domains (hasselltech.net, for example).
DNS resolves names based on zones. Zones contain information on computers, services, and IP addresses for a collection of computers. Zones typically correspond to DNS domains, but they certainly do not have to. The DNS server or servers in a zone that contain a readable and writeable copy of the zone file (which contains all that information on computers, services, and addresses) is considered to be
Zones Versus Domains
As you learned in the previous section, a DNS domain in its simplest form is a second-level name coupled with an ICANN-sponsored top-level domain—hasselltech.net, for example. In DNS parlance, a zone is the range of machines and addresses that a specific nameserver needs to be concerned about. Zones don't necessarily need to correspond to DNS domains, meaning that I can have multiple DNS zones for the single hasselltech.net domain. For example, I can have one zone for sales.hasselltech.net, another zone for billing.hasselltech.net, and yet another for hosting.hasselltech.net, all with separate nameservers but all within the control of the hasselltech.net domain.
Why would you want multiple DNS zones for a single DNS domain? To delegate administration is a common reason. If your organization is spread all over the country and you have an administrator for each office around the country, that administrator is likely best equipped and skilled to handle DNS configuration for his office; after all, he works with the individual computers more than a higher-level administrator at the home office does. So, the home office nameserver is configured to hold a few names and addresses for servers and machines there, and the branch office nameservers hold zones for their respective computers. In this configuration, when a computer asks the home-office nameservers for the address of a host in a branch office, those nameservers refer it to the branch-office nameserver that holds the names and addresses for that zone, a process known as delegating name resolution to other servers. The branch office server is authoritative for its zone, meaning that it holds the definitive name-to-address correspondence for computers in its zone.
Of course, domains aren't limited to just a second-level name plus an ICANN-approved extension. You also can have multiple levels of names: for example, customers.extranet.microsoft.com is a valid name, as is payjon.corp.hasselltech.net. You'll see, as you read further into the chapter, situations in which a longer, more extended domain name would be appropriate.
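The delegation just described, as an added example (not the book's procedure) using dnscmd, which ships with Windows Server 2003: the branch server gets its own primary zone, and the home-office server gets an NS record for the subdomain plus a glue A record so resolvers can find the branch server by name. Server names and addresses are assumptions.

```powershell
# Added example, not from the book. Server names and addresses are assumptions;
# run from an account that administers both DNS servers.
$parentServer = "ns1.hasselltech.net"
$branchServer = "ns1.sales.hasselltech.net"
$branchIp     = "192.168.10.5"
$parentZone   = "hasselltech.net"
$childZone    = "sales.hasselltech.net"

# Branch office: create the zone it will be authoritative for, and a host
# record for itself. (On a domain controller, /DsPrimary would store the
# zone in Active Directory instead of a file.)
& dnscmd $branchServer /ZoneAdd $childZone /Primary /file "$childZone.dns"
& dnscmd $branchServer /RecordAdd $childZone ns1 A $branchIp

# Home office: delegate the subdomain. The NS record names the branch
# server; the A record for ns1.sales is the glue that makes the name usable.
& dnscmd $parentServer /RecordAdd $parentZone sales NS $branchServer
& dnscmd $parentServer /RecordAdd $parentZone ns1.sales A $branchIp

# Check both halves: the parent answers with a referral to the delegated
# nameserver, the branch answers authoritatively for a host in its zone.
& nslookup -type=NS $childZone $parentServer
& nslookup "fileserver.$childZone" $branchServer
```

If the glue record is missing, the parent hands out a referral to a name that no one can resolve, and lookups into the branch zone fail in a way that is easy to blame on the branch server; the nslookup pair above makes that case obvious.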
Resource Records
A DNS zone contains various types of entries, called resource records. Resource records are the meat of a DNS zone, providing information about hostnames, IP addresses, and in some cases the services offered by a particular machine. There are several different classes of record types, the most common of which I'll define now.
Don't use a "-" as the first (or last) character of a DNS hostname, and don't use "_" in hostnames at all: the hostname rules in RFC 952 and RFC 1123 allow only letters, digits, and interior hyphens. Confusingly, Windows DNS will accept such names, and Active Directory's own service records depend on labels such as _ldap and _tcp, which the DNS protocol itself permits; but for the names of hosts, stay away from them.
Host records, or A records, simply map a hostname to an IP address. You generally create host records for each machine in your network.
A sample A record looks like this in a zone file:
colossus    A      192.168.0.10
Using host records, you can implement a crude load-balancing technique known as round-robin DNS. Round-robin DNS involves entering multiple A records, all with the same hostname but with different IP addresses that correspond to different machines. The nameserver returns all of them in each answer but rotates their order, and because most clients simply use the first address listed, the load is spread across the machines. For example, if I have a web site at www.hasselltech.net and I have three web servers at 192.168.0.50, 192.168.0.51, and 192.168.0.52, I can configure three A records, all named "www," with those three addresses. Now, when client computers ask the nameserver for the IP address of www.hasselltech.net, roughly a third of them are handed 192.168.0.50 first, a third 192.168.0.51, and a third 192.168.0.52. It's a poor man's load-balancing system, with two caveats. First, the nameserver has no idea whether a server is up, so a dead web server keeps receiving its share of clients until you remove its record. Second, both the Windows DNS server and the Windows XP/2003 client resolver apply subnet prioritization by default, moving any address on the querier's own subnet to the front of the list, which quietly defeats the rotation for clients that share a subnet with the web servers.
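As an added example (not the book's procedure), the following creates the three www records with dnscmd, sets the two server options that decide whether rotation actually happens, and then measures which address comes first across several queries. The server name is an assumption; nslookup bypasses the client's resolver cache, which is why it is used for the measurement rather than a .NET name lookup.

```powershell
# Added example, not from the book. The nameserver name is an assumption.
$server = "ns1.hasselltech.net"
$zone   = "hasselltech.net"
$web    = "192.168.0.50", "192.168.0.51", "192.168.0.52"

foreach ($ip in $web) { & dnscmd $server /RecordAdd $zone www A $ip }

# Round robin is on by default. So is subnet prioritization (LocalNetPriority),
# which puts addresses on the querier's subnet first and thereby undoes the
# rotation for clients on the web servers' subnet; turn it off if that matters.
& dnscmd $server /Config /RoundRobin 1
& dnscmd $server /Config /LocalNetPriority 0

# Query several times and count which address each answer listed first.
function Measure-RoundRobin([string]$name, [string]$ns, [int]$queries) {
    $first = @{}
    foreach ($i in 1..$queries) {
        $out = & nslookup $name $ns 2>&1 | Out-String
        # First address printed after the "Name:" line of the answer
        # (the "Address:" line above it belongs to the server itself).
        if ($out -match "(?s)Name:.*?Address(?:es)?:\s+(\d+\.\d+\.\d+\.\d+)") {
            $first[$matches[1]] = 1 + [int]$first[$matches[1]]
        }
    }
    return $first
}
Measure-RoundRobin "www.$zone" $server 9
```

With rotation working, the hashtable comes back with each of the three addresses counted roughly three times. Run it from a client on 192.168.0.0/24 with LocalNetPriority left at its default, and the count collapses onto whichever address the server considers "closest", which is the second caveat above made visible.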