Windows 2000 Administration in a Nutshell

By Mitch Tulloch
February 2001
1-56592-713-3, Order Number: 7133
798 pages, $39.95

Chapter 2
Quick Start

Although this book is intended not as a tutorial but as a quick desktop reference, I've included a brief chapter here to help existing Windows NT administrators quickly orient themselves to working with Windows 2000. We're all in a hurry these days--especially those of us who manage computer networks--and I want to provide you with some suggestions and tips to get you going quickly. More information on the concepts, tasks, tools, and utilities discussed here can be found in the chapters of Part II, Alphabetical Reference, of this book.

New Tools, Old Tasks

If you are familiar with the Windows NT administrative tools, you may be thrown off base initially by the Windows 2000 administrative tools, which are almost entirely new tools with very few holdovers. Tables 2-1 through 2-3 help you bridge the gap between the old platform and the new. The correspondence between tools and utilities on the two platforms is unfortunately not one-to-one, so notes are added where necessary to indicate differences. The base Windows NT platform used here includes Service Pack 4 with Internet Explorer 4 installed and Active Desktop enabled. The reference point here for the Windows 2000 tools list is Start → Programs, Start → Settings, or Start → Programs → Administrative Tools, depending on the program.

Table 2-1 lists the Windows NT administrative tools, which you may already be familiar with, and their new Windows 2000 counterparts.

Table 2-1: Administrative Tools in Windows NT and Windows 2000

Windows NT Tool | Windows 2000 Tool(s)
Administrative Wizards | No real counterpart, but Administrative Tools → Configure Your Server lets you perform some high-level administration tasks
Backup | Accessories → System Tools → Backup
Disk Administrator | Computer Management → Storage → Disk Management
DHCP Manager | Computer Management → Services and Applications → DHCP; or: DHCP
DNS Manager | Computer Management → Services and Applications → DNS; or: DNS
Event Viewer | Computer Management → System Tools → Event Viewer; or: Event Viewer
Internet Service Manager | Computer Management → Services and Applications → Internet Information Services; or: Internet Services Manager
License Manager | Licensing
Migration Tool for NetWare | Not included
Network Client Administrator | No real counterpart, though you can install Windows 2000 Server administration tools on a Windows 2000 Professional client using \I386\Adminpak.msi on the Windows 2000 Server compact disc
Network Monitor | Network Monitor
Performance Monitor | Performance → System Monitor (note that Computer Management → System Tools → Performance Logs and Alerts can be used to create logs but not to display them)
Remote Access Admin | Routing and Remote Access
Server Manager | Computer Management → System Tools → Shared Folders (to create and manage network shares, and to send a message to users connected to the server); or: Active Directory Users and Computers (to add a computer to a domain); or: Active Directory Sites and Services (to manually force directory replication between domain controllers)
System Policy Editor | Use the Group Policy snap-in (much more powerful)
User Manager | Computer Management → System Tools → Local Users and Groups (to manage local users and groups on standalone servers or workstations); or: Local Security Policy (to configure password, account lockout, and audit policies and user rights on standalone servers and workstations)
User Manager for Domains | Active Directory Users and Computers (to manage users and groups, and to configure password, account lockout, and audit policies and user rights by opening and editing Group Policy Objects); or: Active Directory Domains and Trusts (to manage explicit trusts)
Windows NT Diagnostics | Computer Management → System Tools → System Information; or: Accessories → System Tools → System Information
WINS Manager | Computer Management → Services and Applications → WINS; or: WINS

Table 2-2 lists selected Windows NT folders and utilities and their Windows 2000 counterparts.

Table 2-2: Folders and Utilities in Windows NT and Windows 2000

Windows NT Folder or Utility | Windows 2000 Counterpart
C:\Winnt\Profiles (location where local user profiles are stored) | C:\Documents and Settings (unless an upgrade from NT was performed, in which case it will remain in its original location)
The default location where applications save their files varies in Windows NT | My Documents folder for compliant applications designed for Windows 2000 and Windows 9x (unless an upgrade from NT was performed, in which case it will remain in its original location)
Network Neighborhood | My Network Places
Find | Search
Windows NT Explorer | Accessories → Windows Explorer
Command Prompt | Accessories → Command Prompt
Internet Explorer Connection Wizard | Accessories → Communications → Internet Connection Wizard
Settings → Folder Options | Control Panel → Folder Options
Settings → Active Desktop | Right-click on Desktop → Active Desktop
Accessories → Dial-up Networking | Settings → Network and Dial-up Connections (much more powerful)
Accessories → Telnet | telnet command
Accessories → HyperTerminal | Accessories → Communications → HyperTerminal
Accessories → Multimedia | Accessories → Entertainment
Control Panel → Console | Accessories → Command Prompt → Control Menu → Defaults
Control Panel → Devices | Computer Management → System Tools → Device Manager
Control Panel → Internet | Control Panel → Internet Options
Control Panel → Modems | Control Panel → Phone and Modem Options
Control Panel → Multimedia | Control Panel → Sounds and Multimedia
Control Panel → Network | Control Panel → Network and Dial-up Connections
Control Panel → Network → Identification | Control Panel → Network and Dial-up Connections → Advanced → Network Identification; or: Control Panel → System → Network Identification tab
Control Panel → Network → {Services / Protocols / Adapters} | Control Panel → Network and Dial-up Connections → Local Area Connection → Properties
Control Panel → Network → Bindings | Control Panel → Network and Dial-up Connections → Advanced Settings
Control Panel → ODBC | Administrative Tools → Data Sources (ODBC)
Control Panel → Ports | Computer Management → System Tools → Device Manager
Control Panel → Regional Settings | Control Panel → Regional Options
Control Panel → SCSI Adapters | Computer Management → System Tools → Device Manager
Control Panel → Server | Computer Management → System Tools → Shared Folders
Control Panel → Services | Computer Management → Services and Applications → Services; or: Services
Control Panel → Sounds | Control Panel → Sounds and Multimedia
Control Panel → System → {General / User Profiles} | Unchanged
Control Panel → System → Performance | Control Panel → System → Advanced → Performance Options
Control Panel → System → Environment | Control Panel → System → Advanced → Environment Variables
Control Panel → System → Startup/Shutdown | Control Panel → System → Advanced → Startup and Recovery
Control Panel → System → Hardware Profiles | Control Panel → System → Hardware → Hardware Profiles
Control Panel → Tape Devices | Computer Management → System Tools → Device Manager
Control Panel → Telephony | Control Panel → Phone and Modem Options → Dialing Rules
Control Panel → UPS | Control Panel → Power Options → UPS

Table 2-3 is a quick list of things you commonly administer and the tools you use to administer them in both Windows NT and Windows 2000.

Table 2-3: Items to Administer in Windows NT and Windows 2000

Item to Administer | Windows NT Tool | Windows 2000 Tool(s)
Account policy | User Manager for Domains | Group Policy snap-in (for domains); Local Security Policy (for workgroups); Default Domain Policy (for domain controllers)
Active Directory | Not applicable | Active Directory Domains and Trusts; Active Directory Sites and Services; Active Directory Users and Computers
Adding computers to a domain | User Manager for Domains | Active Directory Users and Computers
Advanced startup options | Not applicable | Press F8 during startup
Audit policy | User Manager for Domains | Group Policy snap-in (for domains); Local Security Policy (for workgroups)
Backup and restore | Backup | Accessories → System Tools → Backup
Bindings | Control Panel → Network | Control Panel → Network and Dial-up Connections → Advanced → Advanced Settings
Computer names | Control Panel → Network → Identification | Control Panel → System → Network Identification
Devices | Control Panel → Devices | Computer Management → System Tools → Device Manager
Dial-up connection | Dial-up Networking | Network and Dial-up Connections
Directory replication | User Manager for Domains; Registry Editor | Active Directory Sites and Services
Disk fragmentation | Third-party utility | Computer Management → Storage → Disk Defragmenter
Disk quotas | Third-party utility | Windows Explorer
Disks | Disk Administrator | Computer Management → Storage → Disk Management
Domain controllers | User Manager for Domains | Active Directory Sites and Services; Active Directory Users and Computers
Domains | User Manager for Domains | Active Directory Domains and Trusts; Active Directory Users and Computers
Emergency Repair Disk | rdisk command | Accessories → System Tools → Backup
Event logs | Event Viewer | Event Viewer
Forests | Not applicable | Active Directory Domains and Trusts
Global users | User Manager for Domains | Active Directory Users and Computers
Group Policy | Not applicable (though System Policy Editor is a weak equivalent) | Active Directory Sites and Services; Active Directory Users and Computers; Group Policy snap-in
Groups | User Manager for Domains | Active Directory Users and Computers
Kill a process | Right-click on taskbar → Task Manager | Same
Licenses | License Manager | Licensing
Local users | User Manager | Local Users and Groups
Pagefile | Control Panel → System → Performance → Change | Control Panel → System → Advanced → Performance Options → Change
Performance logs | Performance Monitor | Performance Logs and Alerts
Permissions | Windows Explorer | Same
Printers | Settings → Printers | Same (or http://<servername>/printers/ if IIS is installed)
Protocols | Control Panel → Network → Protocols | Control Panel → Network and Dial-up Connections → Local Area Connection → Properties
RAID | Disk Administrator | Computer Management → Storage → Disk Management
Registry | regedt32.exe; regedit.exe | Same
Remote access | Remote Access Admin | Routing and Remote Access (most functions); Active Directory Users and Computers (to grant users remote-access permission)
Rights | User Manager for Domains | Group Policy snap-in (for domains); Local Security Policy (for workgroups)
Scheduling tasks | at command | Control Panel → Scheduled Tasks
Sending messages to connected users | Server Manager | Computer Management
Services | Control Panel → Services | Computer Management → Services and Applications → Services
Shared folders | Server Manager | Shared Folders (in Computer Management)
Sites | regedt32.exe; regedit.exe | Active Directory Sites and Services
Trees | Not applicable | Active Directory Domains and Trusts
Trusts | User Manager for Domains | Active Directory Domains and Trusts
UPS | Control Panel → UPS | Control Panel → Power Options

Potpourri

Chapters 3 through 7 of this book form a quick desktop reference that lets you look up a concept, task, console or snap-in, utility, or command and quickly find what you're looking for. Nevertheless, for readers who are either brilliant, impatient, or have nothing better to do, the remainder of this chapter contains a potpourri of things about Windows 2000 that advanced administrators will want to know to get the most out of it and avoid the pitfalls. Wherever possible, I've drawn comparisons to similar aspects of Windows NT administration and included cross-references to Chapter 3, Concepts, and Chapter 4, Tasks, of this book. I've also arranged the sections below in alphabetical order according to topic to help you find useful information more quickly.

Account Policy

Setting account policy--such as password and account lockout restrictions--was easy in Windows NT using the User Manager for Domains administrative tool. In Windows 2000 you must use Group Policy (or the Domain Security Policy located in Administrative Tools on a domain controller) if you are in a domain environment, and you must configure the appropriate settings of a domain GPO for your domain. See Group Policy in Chapters 3 and 4 for more information.

Active Directory

For many companies Active Directory is the raison d'être for migrating their Windows NT networks to Windows 2000, but implementing it successfully takes careful planning and training of IT staff. For information on planning and implementation, see the following articles in Chapter 3: Active Directory, domain, domain controller, forest, global catalog, and tree. Don't forget that to use Active Directory means you must use TCP/IP and implement DNS servers on your network. See DNS and TCP/IP in Chapter 3 for more information.

Administrative Tools

If you're just starting out with Windows 2000, these are the two most important administrative tools to get familiar with:

Computer Management
This lets you connect to a local or remote computer and manage disks, shares, event logs, performance logs, services, and applications, as well as display information about devices and system resources. Computer Management actually integrates over a dozen other snap-ins into a single MMC console, so get familiar with this tool. You can administer most of these things on either a local or remote computer using Computer Management. The exception is the Device Manager node: against a remote computer it operates in Read-only mode, so you can't change device drivers, uninstall devices, or alter resource settings such as IRQ and I/O ranges there.

Active Directory Users and Computers
This is used for creating and managing domain user accounts and domain local, global, and universal groups on domain controllers in your enterprise. You can also use this tool to create and configure Group Policy Objects (GPOs), which are mechanisms for configuring desktop settings on collections of computers across an enterprise.

For more information on these consoles, see Computer Management and Active Directory Users and Computers in Chapter 5, Consoles. For information on Group Policy Objects and how to configure them, see Group Policy in Chapters 3 and 4.

Instead of going to a domain controller to run Active Directory Users and Computers from the local console, install the complete set of Windows 2000 administration tools on a Windows 2000 Professional workstation, and use this as your main administrator workstation. You can install these tools by running Adminpak.msi, which is found in the \I386 folder on your Windows 2000 Server compact disc.

You can run most administrative tools from the command line while logged on to a workstation using an ordinary domain user (as opposed to an administrator) account. To do this, you use a Windows 2000 feature known as Secondary Logon. Just open a command prompt and type:

runas /user:domain\username cmd

where username is an administrator account in domain. You'll be prompted to enter your password, after which a second command-prompt window opens up that lets you execute commands using your administrator credentials. The current directory of this new window is set to %SystemRoot%\System32, which is where most administrative tools (MMC consoles saved as .msc files) are located. For example, to run Computer Management as administrator, you just type the following in your new command-prompt window:

compmgmt.msc

Of course, you need to know what the command-line equivalent of a GUI administrative tool is before you can run it this way. You can usually (but not always) find this out by opening the property sheet of the shortcut for the tool in the Start menu. As a help, I've listed these equivalents in Table 5-1 in Chapter 5.

A few things to note: the Runas service must be started in order to do this, and you can specify your administrator credentials in either of the two standard Windows 2000 forms. For example, if your administrator account is admin987 and the domain is mtit.com, then you can specify either MTIT\admin987 or admin987@mtit.com in the runas command. You can also run a tool under different credentials by right-clicking on it in Windows Explorer and selecting Runas from the shortcut menu.

Audit Policy

Setting an audit policy for a domain was easy in Windows NT using the User Manager for Domains administrative tool. In Windows 2000 you must use Group Policy if you are in a domain environment and configure the appropriate settings of a domain GPO for your domain. See Group Policy in Chapter 3 for more information.

Connection

Remember, by just creating a dial-up or VPN connection, you don't give users access to resources on your network when they connect to your remote-access or VPN server--you still need to assign suitable permissions for the users to access the resources. For information on the different types of connections you can create in Windows 2000, see connection in Chapter 3.

Computer Names

If you expect to have both Windows NT and Windows 2000 coexist for a while on your network, select NetBIOS computer names that will be compatible with both platforms (maximum 15 characters). Also, since Windows 2000 uses DNS by default as its name-resolution service, make sure your computer names are DNS compatible as well (this means no underscores, periods, or spaces--only letters, numbers, and dashes). For more on naming computers, see computer name in Chapters 3 and 4.

Speaking of computer names, there is also the issue of shared names to consider. When naming a shared folder or printer, it's a good idea to avoid using spaces or special characters if your network contains a mix of Windows 2000 and other computers (such as downlevel Windows NT machines, Unix machines, and so on). Otherwise, some clients might have difficulty connecting to your Windows 2000 shares.
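The naming rules in the two paragraphs above (15-character NetBIOS limit, DNS-safe characters, no spaces or special characters in share names) are easy to check in bulk before a mixed NT/Windows 2000 rollout. The following Python script is an added example written for this page, not code from the book; the set of characters it treats as "special" in share names is an assumption, since the text does not define the term, and the rule against leading or trailing hyphens comes from DNS host-name conventions (RFC 952/1123) rather than from the page.

```python
import re

# Rules taken from the Quick Start text: a NetBIOS computer name is at most
# 15 characters, and a DNS-compatible name contains only letters, digits and
# hyphens (no underscores, periods or spaces). Share names should avoid spaces
# and special characters when downlevel or non-Windows clients are present.
NETBIOS_MAX_LEN = 15
DNS_CHAR_RE = re.compile(r"[A-Za-z0-9-]")
# The page does not define "special characters" for share names; this allowed
# set is an assumption made for the example.
SHARE_CHAR_RE = re.compile(r"[A-Za-z0-9_$.-]")


def check_computer_name(name: str) -> list:
    """Return the problems with a computer name; an empty list means it suits
    both Windows NT (NetBIOS) and Windows 2000 (DNS) naming."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f"longer than {NETBIOS_MAX_LEN} characters (NetBIOS limit)")
    bad = sorted({c for c in name if not DNS_CHAR_RE.fullmatch(c)})
    if bad:
        problems.append("not DNS compatible, contains: " + " ".join(repr(c) for c in bad))
    # Leading/trailing hyphens are rejected by DNS host-name rules (RFC 952/1123),
    # which the page does not spell out.
    if name.startswith("-") or name.endswith("-"):
        problems.append("starts or ends with a hyphen")
    return problems


def check_share_name(name: str) -> list:
    """Return the problems with a shared folder or printer name."""
    if not name:
        return ["name is empty"]
    problems = []
    if " " in name:
        problems.append("contains a space")
    bad = sorted({c for c in name if c != " " and not SHARE_CHAR_RE.fullmatch(c)})
    if bad:
        problems.append("contains special characters: " + " ".join(repr(c) for c in bad))
    return problems


def audit_names(computers, shares) -> dict:
    """Map each offending name to its list of problems (clean names are omitted)."""
    report = {}
    for name in computers:
        problems = check_computer_name(name)
        if problems:
            report[name] = problems
    for name in shares:
        problems = check_share_name(name)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed sample names for the example.
    report = audit_names(["FILESRV01", "file_server.corp", "sales-ws-7"],
                         ["PUBLIC$", "Public Docs", "Sales&Marketing"])
    for name, problems in report.items():
        print(f"{name!r}: " + "; ".join(problems))
```

Feed `audit_names` the computer and share names from your inventory (for example, exported from Server Manager or a script) and fix everything it reports before the Windows 2000 machines start resolving names through DNS.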

By the way, if you need to change the name of a domain controller, you first must demote it to a member server, change the name, then promote it to a domain controller again. This sounds simple, but it can cause problems if you have downlevel Windows NT servers on your network and are using WINS for name resolution for these servers. This is because the WINS databases will maintain the former name of your domain controller for a period of time, which can cause name-resolution problems for clients unless the offending records are flushed from the database.

Delegation

Delegation is a powerful feature of Windows 2000 that helps administrators shuffle off some of their administrative responsibility to other trusted (trustworthy) users before overwork causes them to "shuffle off this mortal coil." For information on how to implement this feature, see delegation in Chapters 3 and 4.

DHCP

If you are going to deploy and manage IP addressing on Windows 2000 using DHCP, you might want to disable the Automatic Private IP Addressing (APIPA) feature on your machines. APIPA causes an IP address to be automatically assigned to a client machine from the reserved address range 169.254.0.1 through 169.254.255.254 when the system is configured for DHCP but is unable to contact a DHCP server when it first starts up. This can be nasty, since no warning message indicates that the system has used APIPA instead of DHCP to obtain its address, resulting in an inability to access other machines on the network because they are on a different subnet.

See the section "Automatic Private IP Addressing (APIPA)" in the article for information on how to disable APIPA. For further general information on DHCP, see DHCP and DHCP relay agent in Chapters 3 and 4.
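Because APIPA gives no warning, the symptom is usually discovered only when a client cannot reach anything. The check below is an added example (not from the book) that spots the condition from `ipconfig /all` output: an adapter configured for DHCP that nonetheless holds an address in 169.254.0.0/16. The sample output is constructed to resemble Windows 2000 `ipconfig /all` formatting and was not captured from a real host; the parser assumes that field layout.

```python
import ipaddress
import re

# The address range the text gives for APIPA, 169.254.0.1 through
# 169.254.255.254, is the usable part of this network.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample modelled on "ipconfig /all" output from a Windows 2000
# host (not captured from a real machine): the first adapter fell back to
# APIPA, the second obtained a DHCP lease.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws042
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example 10/100 Adapter
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 169.254.23.7
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.1
        DHCP Server . . . . . . . . . . . : 192.0.2.10
"""

# "Ethernet adapter <name>:" lines start at column 0; field lines are indented
# and padded with dots before the colon.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: {field: value}} from ipconfig-style output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def find_apipa_interfaces(text: str) -> list:
    """Return (adapter, address) pairs for adapters configured for DHCP that
    are running on a self-assigned 169.254.x.x address, i.e. APIPA kicked in."""
    hits = []
    for name, fields in parse_ipconfig(text).items():
        try:
            ip = ipaddress.ip_address(fields.get("IP Address", ""))
        except ValueError:
            continue  # no address or not parsable
        if ip in APIPA_NET and fields.get("DHCP Enabled", "").lower() == "yes":
            hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for adapter, ip in find_apipa_interfaces(SAMPLE_IPCONFIG):
        print(f"WARNING: {adapter} is using APIPA address {ip}; no DHCP server was reached")
```

Run it against saved `ipconfig /all` output from clients that report "can't see the network" and you immediately know whether the DHCP server, not the client, is the thing to investigate.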

Disk Quotas

A good tip when implementing disk quotas is to configure global quotas only and not quotas for individual users. Not following this can make quota administration a real headache. For more information see disk quota in Chapters 3 and 4.

Disks

Microsoft has borrowed the concept of mounted volumes from Unix and implemented the ability to mount a FAT or NTFS volume in an empty folder on an NTFS volume in Windows 2000. This feature helps you get beyond the 24-letter limit for mapped drives. See disks in Chapters 3 and 4 for details. Note that you can cause problems for yourself with this feature: nothing prevents you from mounting a volume in a folder on a mounted volume, or even mounting a volume in a folder on itself!
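The last sentence above describes a layout nothing stops you from creating: volume E mounted in a folder on volume D, which is itself mounted on C, or a volume mounted in a folder that lives on that same volume. The script below is an added example (not from the book) that takes a planned list of mount points, works out which volume each mount folder sits on, and reports any loops. The volume labels and paths are constructed for the example; the "is mounted on" relationship is derived purely from path prefixes, which is an assumption that holds for drive-letter roots and empty-folder mount points as the text describes them.

```python
# Constructed example of planned mount points: (volume, path where it is
# mounted). A volume may have several mount points; a path is a drive-letter
# root or an empty NTFS folder, as the text describes.
SAMPLE_MOUNTS = [
    ("Vol_C", "C:\\"),
    ("Vol_D", "C:\\data"),                 # mounted on Vol_C
    ("Vol_E", "C:\\data\\archive"),        # mounted on a mounted volume (Vol_D)
    ("Vol_E", "C:\\data\\archive\\loop"),  # mounted in a folder on itself
    ("Vol_G", "G:\\"),
    ("Vol_G", "H:\\g"),                    # Vol_G mounted on Vol_H ...
    ("Vol_H", "H:\\"),
    ("Vol_H", "G:\\h"),                    # ... and Vol_H mounted on Vol_G
]


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


def path_under(path: str, folder: str) -> bool:
    """True if path is folder itself or lies below it (case-insensitive)."""
    p, f = _norm(path), _norm(folder)
    return p == f or p.startswith(f + "\\")


def host_volume(index: int, mounts: list):
    """Volume that owns the folder in which mount point `index` sits: the
    volume whose other mount path is the longest prefix of it. None means the
    mount point is a plain drive-letter root."""
    _, path = mounts[index]
    best, best_len = None, -1
    for i, (vol, mount_path) in enumerate(mounts):
        if i != index and path_under(path, mount_path) and len(_norm(mount_path)) > best_len:
            best, best_len = vol, len(_norm(mount_path))
    return best


def mount_hosts(mounts: list) -> list:
    """(volume, path, host volume) for every mount point."""
    return [(vol, path, host_volume(i, mounts)) for i, (vol, path) in enumerate(mounts)]


def find_mount_cycles(mounts: list) -> list:
    """Depth-first search over the 'is mounted on' graph; returns each cycle as
    a list of volumes starting and ending with the same volume. A volume
    mounted in a folder on itself shows up as [X, X]."""
    graph = {}
    for vol, _, host in mount_hosts(mounts):
        graph.setdefault(vol, set())
        if host is not None:
            graph[vol].add(host)
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {v: WHITE for v in graph}
    stack, cycles = [], []

    def visit(v):
        color[v] = GRAY
        stack.append(v)
        for h in sorted(graph[v]):
            if color[h] == GRAY:          # back edge: the loop is on the stack
                cycles.append(stack[stack.index(h):] + [h])
            elif color[h] == WHITE:
                visit(h)
        stack.pop()
        color[v] = BLACK

    for v in sorted(graph):
        if color[v] == WHITE:
            visit(v)
    return cycles


if __name__ == "__main__":
    for vol, path, host in mount_hosts(SAMPLE_MOUNTS):
        print(f"{vol} at {path} is on {host or 'a drive-letter root'}")
    for cycle in find_mount_cycles(SAMPLE_MOUNTS):
        print("mount loop:", " -> ".join(cycle))
```

Nested mounts (Vol_E on Vol_D on Vol_C) are legal and are simply listed by `mount_hosts`; only genuine loops come back from `find_mount_cycles`, and those are the layouts to fix before anyone depends on the paths.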

DNS

DNS is used as the name-locator service in Windows 2000. This means you must have DNS servers implemented on your network if you want to connect to resources without specifying their IP address. DNS is also required if you want to use Active Directory on your network. For more information see Active Directory and DNS in Chapter 3.

NetBIOS is another option for name resolution. NetBIOS over TCP/IP is enabled by default (even in native mode domains) so that downlevel (Windows NT or Windows 98/95) computer names can be resolved if such systems are present. You can disable NetBIOS over TCP/IP by using the Advanced TCP/IP settings box (see TCP/IP in Chapter 4). Note that if you disable NetBIOS over TCP/IP, you won't be able to restrict a user's access to specific workstations using the Account tab of the user account's property sheet. This feature requires NetBIOS over TCP/IP in order to work.

TIP:  If you manually modify any resource records on a Windows 2000 DNS server, select Update Server Data Files to make sure these changes are propagated to other DNS servers on your network. See DNS and DNS server in Chapter 4 for more information on how to manage DNS in Windows 2000.

Domain Controllers

In Windows NT, one domain controller was special within a domain--the primary domain controller (PDC). The PDC was the only domain controller with a writable copy of the domain directory database, and all changes made to user, group, or computer accounts in the domain had to be made on the PDC. (If the PDC was unavailable, then those changes could not be made.) All other domain controllers in the domain were backup domain controllers (BDCs), which contained Read-only versions of the domain directory database.

Windows 2000 promised to be different in that domain controllers are all peers and each domain controller contains a full writable copy of the Active Directory database. Replication between domain controllers follows a method called multimaster replication in which there is no single master domain controller. However, if you look under the surface, you find out that this is not quite the case. There are actually five special domain-controller roles (called operations master roles), which are restricted to certain domain controllers in an enterprise. For information on these special roles, see domain controller in Chapters 3 and 4.

Speaking of PDCs and BDCs, the usual way of upgrading a Windows NT domain to Windows 2000 is to upgrade the PDC first, then the BDCs. The hitch is this: make sure the former PDC is available on the network when you are upgrading the BDCs. If it isn't, the first BDC you upgrade will think it's the first domain controller in the domain and will assume some of the operations master roles discussed above. Then when the former PDC comes back online, you will have a serious conflict between them, and the only way to resolve it is to wipe your former BDC and reinstall it from scratch.

By the way, if you have only upgraded some of your downlevel Windows NT BDCs to Windows 2000 domain controllers, you need to make sure each domain has a global catalog server in order for cross-domain authentication to take place successfully in a forest of trees. Native mode domains do not have this restriction, and in a well-connected enterprise (no slow WAN links), you can probably get away with only one global catalog server if it can handle the load.

After promoting a Windows 2000 member server to the role of a domain controller using the Active Directory Installation Wizard (dcpromo.exe), be sure to check the Dcpromo.log and Dcpromoui.log log files that are created in the %SystemRoot%\debug folder. These logs will list any problems that occurred during the promotion.

Domains

Active Directory in Windows 2000 has changed the whole nature of domains and how they connect together using trusts. You no longer need to separate master (account) domains from slave (resource) domains as you did in Windows NT or create trusts manually between domains. Instead, when you promote a Windows 2000 member server to the role of a domain controller, you can either:

The whole thing is done using Active Directory Installation Wizard (dcpromo.exe). The hierarchies of domains that result (trees in a forest) are all interconnected by trusts automatically so that any user in any domain can access any resource in any other domain immediately, provided they have suitable permissions. For more information on planning Windows 2000 domains and domain structures, see these articles in Chapter 3: Active Directory, domain, forest, OU, tree, and trust.

Dual-Boot

I don't recommend dual-boot configurations except for playing around at home, and you should know that volumes formatted with the version of NTFS on Windows 2000 (called NTFS5) only support dual-boots on Windows NT 4.0 with Service Pack 4 or higher. If you are using an earlier version of NT and want to maintain it on a dual-boot configuration, you will be unable to use advanced features of Windows 2000's NTFS, such as disk quotas and EFS.

By the way, just because you encrypt a file or folder using EFS doesn't mean you can't accidentally delete it!

Emergency Repair Disk

You no longer use the rdisk command to create ERDs; you use Backup, which is in the System Tools subgroup of the Accessories program group. I thought I'd let you know since you are no longer prompted during Setup to create an ERD, but have to do it manually afterwards.

Also, Windows 2000 ERDs do not contain everything Windows NT ERDs used to have. In fact, the only files on a Windows 2000 ERD are autoexec.nt, config.nt, and Setup.log (the last of which contains system state information and minimal versions of registry hives for the system). When you create an ERD, you can also choose to back up the full registry hives as well to the %SystemRoot%\repair directory. For more information see Emergency Repair Disk (ERD) in Chapters 3 and 4.

Event Logs

Event logs are pretty much the same as they were in Windows NT, although an MMC console is used to manage them now (Event Viewer, which is also part of Computer Management). One thing to note is that if you are running a high-security networking environment, you can configure a Windows 2000 system to halt when the event log becomes full. You need to configure a registry setting to do this--see event logs in Chapters 3 and 4 for more information.

Also, when you install or upgrade a machine to Windows 2000, configure your event log size and wraparound settings immediately so you won't lose valuable data that might be useful for troubleshooting purposes later on.

Global Users

What were called global user accounts in Windows NT (user accounts that could be used for logging on to the domain) are called domain user accounts in Windows 2000. These are created and managed using the Active Directory Users and Computers console. For more information see domain user account in Chapters 3 and 4 and Active Directory Users and Computers in Chapter 5.

Group Policy

If you are configuring Group Policy for your Windows 2000 network, you may want to test your new Group Policy settings without rebooting machines or waiting for Group Policy to auto-refresh (90 minutes or more). The trick is to use the secedit command to force Group Policy to refresh on the local machine. To do this, type the following at the command prompt:

secedit /refreshpolicy machine_policy

For more information see Group Policy in Chapters 3 and 4.

Groups

A new type of group (universal group) and enhanced functionality of domain local and global groups (nesting, more membership options) are available for Windows 2000 domains running in native mode. These are attractive reasons to switch your domains to native mode instead of leaving them in mixed mode. There are some pitfalls, however, particularly with universal groups. When you change the membership of a universal group, the entire list of group members is replicated to all global catalog servers on the network, and in an enterprise with global catalog servers located at different sites separated by slow WAN links, this can be a problem. The best solution is to restrict the membership of universal groups to other groups only (either global or universal) and exclude individual user accounts from membership in universal groups. Also, you should keep the number of members of a universal group fairly small (preferably in the tens). Finally, select the membership for a universal group such that it is not expected to change frequently. For more information see group in Chapters 3 and 4.

Hardware

Like Windows NT before it, Windows 2000 is forgiving of problems created when you update devices with incorrect or corrupt drivers. Such updates can sometimes prevent the system from booting to the point where you can log on. If this is the case, simply press the F8 function key when the boot-loader menu prompts you to select an operating system to boot. This causes the Advanced Startup Options menu to appear. One of the menu items is the familiar Last Known Good Configuration, which restores the system to the state in which it last booted successfully. If this fails, you can select the Safe Mode option to boot using a minimal set of device drivers. For more information see Table 3-10 in the article disaster recovery in Chapter 3.

Speaking of the boot menu, in a normal Windows NT installation this menu displayed two options: normal boot and VGA mode boot. In Windows 2000, however, there is only one boot option: normal boot (there is no VGA mode boot menu option because Safe mode takes care of this). The result is that in a normal Windows 2000 installation (only one operating system installed) the boot menu doesn't appear at all. In this case, to open the Advanced Startup Options menu, just press F8 while it says "Starting Windows" at the bottom of the screen.

If the Recovery Console is installed on a machine, however, the boot menu does appear since the Recovery Console is essentially a different operating system (a command-line version of Windows 2000). See Recovery Console in Chapters 3 and 4 for details.

Installing Windows 2000

With Windows NT, some administrators chose to make their boot partition FAT while using NTFS to secure their data partitions. This enabled them to repair missing or corrupt system or driver files by booting from a DOS disk when these missing or corrupt files were preventing them from successfully booting the system. This hack is no longer necessary with Windows 2000 because of two new features:

Recovery Console
Provides a way of booting to a minimal command-line version of Windows 2000 that lets you copy files to NTFS volumes

Safe mode
Lets you boot using a minimal set of device drivers to repair the system, which is useful when a corrupt or missing driver is preventing a successful boot

The bottom line is that you should use only NTFS for your Windows 2000 boot volume, as it is more secure than FAT or FAT32. For more information on the features described earlier, see Advanced Startup Options and Recovery Console in Chapter 3. Further useful information on troubleshooting boot failures or recovering from them can be found in disaster recovery and Emergency Repair Disk (ERD) in Chapter 3 and backup and restore and recovery options in Chapter 4.

A useful tool for performing unattended installations of Windows 2000 is Setup Manager, which is included in the Windows 2000 Server Resource Kit (and is also included in the \Support\Tools folder of the Windows 2000 Server CD). Setup Manager walks you through the process of creating an answer file for unattended installations. For more information on Setup Manager (and other methods for unattended installation of Windows 2000), see install in Chapters 3 and 4.

TIP:  If you're using answer files for unattended installations, the answer file created by Setup Manager is plain text (unencrypted). This is fine, except that if you specified that the system you will install should join a domain, you probably entered an administrator account and password when running Setup Manager, and that account name and password are therefore stored in the answer file in cleartext (the local Administrator password you chose is stored the same way). So carefully protect the disk or share holding the answer file, and change the password of that account once the installations are done. Better still, don't use a Domain Admin account for the join at all: by default any authenticated domain user may join up to ten computers to the domain, so a low-privilege account will do. An alternative is to install your new systems as members of a workgroup and then manually join them to the domain afterwards. See computer in Chapter 4 for information on how to do this.
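As an added example (not from the book), here is a small scanner for the problem the tip describes: it parses a Windows 2000 answer file, reports which credential keys carry a literal value, and produces a redacted copy suitable for archiving once the installation is done. The section and key names ([GuiUnattended] AdminPassword, [Identification] DomainAdmin and DomainAdminPassword) are the documented unattend.txt keys Setup Manager fills in; the sample answer file is constructed for this example.

```python
"""Scan Windows 2000 unattended-Setup answer files for cleartext credentials.

Added example, not from the book. [GuiUnattended] AdminPassword and
[Identification] DomainAdmin / DomainAdminPassword are the documented
unattend.txt keys that Setup Manager fills in; SAMPLE_ANSWER_FILE is a
constructed sample, not a real deployment file.
"""
import re
from typing import Dict, List, Tuple

# (section, key) -> what the value holds.  Names are compared case-insensitively.
CREDENTIAL_KEYS = {
    ("guiunattended", "adminpassword"): "local Administrator password",
    ("identification", "domainadmin"): "domain-join account name",
    ("identification", "domainadminpassword"): "domain-join account password",
}

SAMPLE_ANSWER_FILE = """\
; constructed sample unattend.txt for this example
[Unattended]
UnattendMode = FullUnattended
OemPreinstall = No

[GuiUnattended]
AdminPassword = "Sup3rS3cret!"
TimeZone = 4

[UserData]
FullName = "Workstation User"
OrgName = "Example Corp"
ComputerName = WKS-0042

[Identification]
JoinDomain = EXAMPLE
DomainAdmin = EXAMPLE\\svc-join
DomainAdminPassword = "J0inM3-2001"
"""

_SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")


def parse_answer_file(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style answer file into {section: {key: value}}.

    Section and key names are lower-cased (Setup treats them as
    case-insensitive), surrounding double quotes are stripped from values,
    and lines beginning with ';' are comments.  An inline ';' is NOT treated
    as a comment, because a quoted password may legitimately contain one.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                      # key outside any section: ignore
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current][key.strip().lower()] = value
    return sections


def find_cleartext_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Report every credential key that carries a value.

    Returns (section.key, description, finding).  A value of '*' is Setup's
    placeholder rather than a stored secret, so it is reported separately.
    """
    findings: List[Tuple[str, str, str]] = []
    parsed = parse_answer_file(text)
    for (section, key), what in CREDENTIAL_KEYS.items():
        value = parsed.get(section, {}).get(key, "")
        if value == "":
            continue
        if value == "*":
            findings.append((f"{section}.{key}", what, "placeholder '*' (no literal value)"))
        else:
            findings.append((f"{section}.{key}", what,
                             f"cleartext value present ({len(value)} chars)"))
    return findings


def redact_passwords(text: str) -> str:
    """Return a copy with password values removed, for archiving the file
    after Setup has used it.  Each password line is replaced by a comment so
    the file still documents what the installation was given."""
    out: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
        elif current and "=" in line and not line.startswith(";"):
            key_text = line.partition("=")[0].strip()
            key = key_text.lower()
            if (current, key) in CREDENTIAL_KEYS and key.endswith("password"):
                out.append(f"; {key_text} removed after installation")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for where, what, finding in find_cleartext_credentials(SAMPLE_ANSWER_FILE):
        print(f"{where:38} {what:30} {finding}")
    print(redact_passwords(SAMPLE_ANSWER_FILE))
```

Run it over every unattend.txt on your distribution shares; Remote Installation Services templates (the .sif files under the RIS server's image folders) use the same section and key layout and can be scanned the same way.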

IntelliMirror

Where's the IntelliMirror console in Windows 2000? There ain't no such beast! You see, IntelliMirror is just an umbrella term or buzzword for a series of Windows 2000 features that enable users to access their desktops and data conveniently from any computer on (or off) the network. Specifically, IntelliMirror has four aspects:

User data management
This is just another buzzword for two features of Group Policy:

Folder redirection
Lets you redirect users' personal folders such as My Documents to a network file server so they are available to the user from anywhere on the network. For more information see folder redirection in Chapters 3 and 4.

Offline files
Lets users who are working offline (on laptops disconnected from the LAN) keep working with locally cached copies of shared network files as if they were still connected to the LAN. Their changes are synchronized back to the server once they reconnect to the LAN. For more information see offline files in Chapters 3 and 4.

User settings management
This is really just another name for roaming profiles, which let users log on to any workstation on the network and have their personal desktops appear. For more information see user profile in Chapter 3 and roaming user profile in Chapter 4.

Software Installation and Maintenance
This is another feature of Group Policy that lets administrators remotely install software packages and updates on users' workstations. For more information see Windows Installer in Chapter 4.

Remote Installation Services
This is an optional Windows 2000 service that can be used for mass deployments of Windows 2000 Professional on corporate networks.

MMC

The Microsoft Management Console can be used for building customized administrative tools, which can then be distributed by email or by storing them on a network share. See the first part of Chapter 5 for information on the MMC and how to customize it.

Permissions

Like the earlier Windows NT operating system, Windows 2000 provides you with two sets of permissions for controlling access to files and folders: NTFS permissions and shared-folder permissions (a user coming in over the network gets the more restrictive of the two). The basic approach for securing shared resources is the same as in NT, but NTFS permissions will require some relearning in Windows 2000, which adds permission inheritance and a much larger set of special permissions. For more information see permissions in Chapter 3 and the articles offline files and shared-folder permissions in Chapter 4.

Printers

One terrific feature of Windows 2000 is that you can manage printers remotely across a network (or even over the Internet) using only a web browser: the print server publishes its printers through IIS at http://servername/printers. See in and for more information about this feature. By the way, to print to a Windows 2000 print server over the Internet, open the printer in your web browser and click Connect. This installs the appropriate drivers on your computer and creates a network printer to let you print to the remote print device. Remember that offering this over the Internet means exposing IIS on the print server, so require authentication for the printers virtual directory and don't expose it more widely than you need.

TIP:   Let Windows 2000 detect Plug and Play printers and install drivers for them automatically. If you install the driver manually and reboot your machine, you may end up with two printers for the same print device!

In addition, specify a location for your printer when you create it using the Add Printer Wizard. Users will then be able to search for printers by location when they search Active Directory using Start Search For Printers. This makes life easier for your users.

Remote Access

If you have migrated a Windows NT domain to Windows 2000 but still have Windows NT RAS (or RRAS) servers on your network, there may be a problem: Windows NT RAS servers that are configured as member servers will be unable to communicate with Active Directory to authenticate users trying to initiate RAS sessions. There are two solutions to choose from:

For more information on remote access in Windows 2000, see remote access in Chapter 3 and remote-access server in Chapter 4.

Rights

Modifying user rights for a user or group in Windows NT was a relatively straightforward task in User Manager for Domains. In Windows 2000 you use Group Policy instead: the settings live under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment in a GPO. In a domain environment, rights on the domain controllers (the ones User Manager for Domains used to control) are set in the Default Domain Controllers Policy linked to the Domain Controllers OU, while rights on member servers and workstations come from a GPO linked to the domain or to the appropriate OU; on a stand-alone machine use Local Security Policy. See Group Policy in Chapters 3 and 4 for more information.

Scheduling Tasks

Although the Windows NT 4.0 Server Resource Kit included a GUI utility to complement the at command-line utility, Windows 2000 carries this further with Task Scheduler, a wizard for scheduling tasks to be run. For more information see Task Scheduler in Chapter 6, Utilities. The at command is still available for batch scripting purposes, but there are some compatibility issues. For example, if you create a task using the at command and then reconfigure its settings using the GUI Task Scheduler tool, the task is converted into an ordinary scheduled task and you will no longer be able to see or configure it with the at command.

TIP:   If a computer's date and time are not set correctly, your task may not run as expected (or at all). Windows 2000 computers in a domain synchronize their clocks automatically through the Windows Time service (they have to, since Kerberos authentication fails by default when a computer's clock is more than five minutes off from its domain controller's), so this shouldn't be a problem for domain members; check stand-alone and workgroup machines by hand.

Sending Messages to Connected Users

You can use Computer Management to send a console message to users connected to a Windows 2000 computer on the network. This is an advisable practice as it's not nice to disconnect users unexpectedly and have them lose their work. See Computer Management in Chapter 5 for more information.

Service Pack

Service Pack 1 for Windows 2000 addresses a number of operating-system issues regarding system reliability and application compatibility. SP1 also includes a new feature called integrated installation that makes an administrator's life simpler: you can apply the service pack to a network distribution point containing the Windows 2000 installation files by running the service pack's update.exe with the -s:<distribution folder> switch. By doing this, the source files themselves become updated with the fixes in the service pack, so that any future network installations performed from the distribution point will install the service pack fixes automatically during Setup. The one downside of integrated installation is that you cannot uninstall SP1 from a machine that was installed from the integrated source, since Windows 2000 and SP1 went on together.

Another new feature of SP1 is that you no longer need to reapply the service pack after installing new system components or devices (hooray!)

Shared Folders

If you have a lot of shared folders scattered across different file servers, there are two ways you can make it simpler for your users to locate the shared resources they need:

For more information see Dfs in Chapters 3 and 4 and Active Directory in Chapter 4. For general information about how to share folders on local and remote machines, see shared folder in Chapters 3 and 4.

Sites

Managing directory replication between Windows NT domain controllers and sites connected by slow WAN links was a hit-and-miss procedure of juggling various registry entries such as ChangeLogSize, ReplicationGovernor, and so on. Things are simpler in Windows 2000: use Active Directory Sites and Services to create logical sites that map the physical (geographical) topology of your network, assign well-connected subnets to each site, and let Active Directory handle the replication between the sites (or configure the site links manually if desired, by specifying bridgehead servers, replication schedules, and such). See site in Chapters 3 and 4 for more information.

In Windows 2000 the term "directory replication" refers to updating Active Directory information among domain controllers; in Windows NT it referred to copying a tree of folders between NT servers using the Directory Replicator service. That service is not included in Windows 2000; its job is taken over by the File Replication Service (FRS), which replicates SYSVOL among domain controllers and keeps the replicas of a fault-tolerant Distributed File System (Dfs) root in sync, a much more powerful and versatile arrangement. See Dfs in Chapters 3 and 4 for more information.

System Policy

If you have a Windows NT 4.0 network with System Policy implemented for locking down client desktops and other features, you should be aware that when you upgrade your network to Windows 2000, these System Policies will not be upgraded to Group Policies. The reason is that Group Policy writes to special policy areas of the registry rather than to the actual registry entries of the settings managed, whereas System Policy directly modifies the registry settings involved. This difference also explains the different behavior when a policy is removed: System Policy settings stay in the registry ("tattooing" it) until something else overwrites them, whereas Group Policy settings are cleaned out when the GPO no longer applies.

Likewise, if you migrate a portion of your network to Windows 2000, then be aware that any Group Policies you configure will have no effect on your remaining Windows NT computers. Therefore, you may want to continue using Windows NT's System Policy Editor (poledit.exe) to create and manage System Policy on your downlevel machines (place the Ntconfig.pol file in the Netlogon share of your Windows 2000 domain controllers, which is the scripts folder under SYSVOL, for it to be applied). For more information on Group Policy, see Group Policy in Chapters 3 and 4.

Terminal Services Advanced Client ( TSAC)

The Service Pack 1 CD for Windows 2000 also includes Terminal Services Advanced Client (TSAC), a Win32 ActiveX control that enables you to run Terminal Services sessions within Internet Explorer (IE). This is a useful feature since it allows administrators to administer Windows 2000 servers remotely over the Internet from any computer on which IE is installed, without the need of installing the standard (full) Terminal Services Client software (mstsc.exe) on the computer. Note that the web page only hosts the control; the session itself is still RDP over TCP port 3389 to the terminal server, so that port must be reachable from the client, and opening it directly to the Internet exposes the server's logon screen to anyone who finds it. TSAC is included on the SP1 CD but is not part of SP1 and is not automatically installed when SP1 is applied. TSAC also includes a Windows Installer (MSI) Setup package for deploying an updated full Terminal Services Client on machines running Windows 2000 Professional (or on earlier versions of 32-bit Windows that have had Windows Installer installed).

Trusts

Windows 2000 promised to be simpler to manage than Windows NT at the enterprise level because of two-way transitive trusts. In Windows 2000, two-way trusts are automatically established between adjacent parent and child domains in a domain tree and between the root domains of trees in a forest, when you create a new child domain or new tree. However, the fine print is that these trusts are only transitive once you convert your domains to native mode, meaning that you no longer have any Windows NT BDCs in your domains. For more information on domain modes, see mixed mode and native mode in Chapter 3. For information on changing the mode of a domain, see domain in Chapter 4.

Speaking of native mode, it's quite OK to still have Windows NT 4.0 member servers as part of a Windows 2000 domain running in native mode. It's also OK to have Windows NT 4.0 Workstation or Windows 95/98 desktop machines as part of such a domain. Native mode simply means there are no more Windows NT domain controllers present in the domain, and the switch is one-way: once a domain is in native mode you cannot add an NT BDC to it again.

Also, it's OK to have some domains in native mode and others in mixed mode in the same tree of domains. It's OK, but not terrific, as it complicates trusts and authentication (see my next point).

Kerberos authentication is used for authentication across domain boundaries; it can be a complex process that generates significant network traffic when it occurs between domains in different trees of a forest, because the referrals have to walk the trust path up to the forest root and down the other tree. Kerberos traffic can be limited, however, by establishing an explicit shortcut trust between the domain where resources are located and the domain where the users who need to access those resources are located. For more information see trust in Chapters 3 and 4.

User Accounts

Besides using the Active Directory Users and Computers console to create and configure new user accounts, you can also use the csvde command-line utility to bulk-import account information from a comma-delimited text file (.csv file) that has been previously exported from a spreadsheet or database. This is a great way of creating large numbers of user accounts at one shot. Be aware that csvde cannot set passwords, so the accounts it creates are disabled until you assign each one a password and enable it. See csvde in Chapter 7, Commands, for more information.
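An added example (not from the book) of preparing a csvde import file from a spreadsheet export. The target OU, the UPN suffix, and the three rows are constructed for this example; the attribute names in the header row (objectClass, sAMAccountName, userPrincipalName, givenName, sn, displayName, department) are standard Active Directory user attributes. The part most often got wrong by hand is shown here: a display name containing a comma has to be escaped inside the distinguished name and then the whole DN field quoted for CSV.

```python
"""Build a csvde import file for bulk user creation in Active Directory.

Added example, not from the book.  The target OU, the UPN suffix and the
spreadsheet rows are constructed for this example; the header attributes
are standard Active Directory user attributes.
"""
import csv
import io
from typing import Dict, List, Set

BASE_OU = "OU=Staff,DC=example,DC=com"   # assumed target container
UPN_SUFFIX = "example.com"               # assumed UPN suffix
SAM_MAX_LEN = 20                         # pre-Windows 2000 logon name limit

# First row of a csvde file names the attributes; DN must be present.
CSVDE_HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                "givenName", "sn", "displayName", "department"]

# Constructed sample of a spreadsheet export (not real people).
SAMPLE_SPREADSHEET = """\
First,Last,Username,Department
Ann,Smith,asmith,Finance
"Robert, Jr.",O'Brien,robrien,Engineering
Li,Wang,lwang,Finance
"""


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special in an LDAP distinguished name
    (RFC 2253) so a display name containing a comma still yields a valid
    CN= relative distinguished name."""
    specials = set(',+"\\<>;')
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in specials or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_to_csvde_row(rec: Dict[str, str]) -> List[str]:
    """Turn one spreadsheet record into a csvde row (same order as CSVDE_HEADER)."""
    first, last = rec["First"].strip(), rec["Last"].strip()
    sam, dept = rec["Username"].strip(), rec["Department"].strip()
    if not sam or len(sam) > SAM_MAX_LEN:
        raise ValueError(f"bad sAMAccountName {sam!r}")
    display = f"{first} {last}"
    dn = f"CN={escape_rdn_value(display)},{BASE_OU}"
    return [dn, "user", sam, f"{sam}@{UPN_SUFFIX}", first, last, display, dept]


def build_csvde_file(spreadsheet_csv: str) -> str:
    """Convert the spreadsheet export into csvde import format.

    The csv module quotes any field containing a comma (every DN does) and
    doubles embedded quotes, the standard CSV quoting csvde reads.  Duplicate
    logon names are rejected up front rather than left for csvde to fail on
    part-way through the import.
    """
    reader = csv.DictReader(io.StringIO(spreadsheet_csv))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(CSVDE_HEADER)
    seen: Set[str] = set()
    for rec in reader:
        row = user_to_csvde_row(rec)
        sam = row[2].lower()
        if sam in seen:
            raise ValueError(f"duplicate sAMAccountName {row[2]!r}")
        seen.add(sam)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Save the output as users.csv, then on a domain member run:
    #     csvde -i -f users.csv
    print(build_csvde_file(SAMPLE_SPREADSHEET), end="")
```

Import with csvde -i -f users.csv (add -k if you want csvde to continue past accounts that already exist). Because no password can be supplied this way, follow the import with a pass that sets each account's password and enables it, and treat the users.csv file itself as sensitive while it lists your naming scheme.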

Windows 2000 Professional

Upgrading your Windows NT servers to Windows 2000 Server has clear advantages for enterprise network management--the most obvious of which is Active Directory. But what about upgrading your desktop machines to Windows 2000 Professional? This is bound to be a costly exercise since hardware on existing machines will have to be beefed up (or replaced entirely) in order to make them compatible with Windows 2000. Is it worth it?

It probably is, for several reasons:

I'll stop there lest I sound like an ad for Microsoft, but the fact is that there are compelling reasons why migrating desktop computers to Windows 2000 Professional makes sense.




© 2001, O'Reilly & Associates, Inc.