Windows 2000 Administration in a Nutshell, by Mitch Tulloch. February 2001, ISBN 1-56592-713-3, Order Number: 7133, 798 pages, $39.95
Chapter 2
Quick Start
Although this book is intended not as a tutorial but as a quick desktop reference, I've included a brief chapter here to help existing Windows NT administrators quickly orient themselves to working with Windows 2000. We're all in a hurry these days--especially those of us who manage computer networks--and I want to provide you with some suggestions and tips to get you going quickly. More information on the concepts, tasks, tools, and utilities discussed here can be found in the chapters of Part II, Alphabetical Reference, of this book.
New Tools, Old Tasks
If you are familiar with the Windows NT administrative tools, you may be thrown off base initially by the Windows 2000 administrative tools, which are almost entirely new tools with very few holdovers. Tables 2-1 through 2-3 help you bridge the gap between the old platform and the new. The correspondence between tools and utilities on the two platforms is unfortunately not one-to-one, so notes are added where necessary to indicate differences. The base Windows NT platform used here includes Service Pack 4 with Internet Explorer 4 installed and Active Desktop enabled. The reference point here for the Windows 2000 tools list is Start → Programs, Start → Settings, or Start → Programs → Administrative Tools, depending on the program.
Table 2-1 lists the Windows NT administrative tools, which you may already be familiar with, and their new Windows 2000 counterparts.
Table 2-1: Administrative Tools in Windows NT and Windows 2000

| Windows NT Tool | Windows 2000 Tool(s) |
|---|---|
| Administrative Wizards | No real counterpart, but Administrative Tools → Configure Your Server lets you perform some high-level administration tasks |
| Backup | Accessories → System Tools → Backup |
| Disk Administrator | Computer Management → Storage → Disk Management |
| DHCP Manager | Computer Management → Services and Applications → DHCP; or: DHCP |
| DNS Manager | Computer Management → Services and Applications → DNS; or: DNS |
| Event Viewer | Computer Management → System Tools → Disk Management; or: Event Viewer |
| Internet Service Manager | Computer Management → Services and Applications → Internet Information Services; or: Internet Services Manager |
| License Manager | Licensing |
| Migration Tool for NetWare | Not included |
| Network Client Administrator | No real counterpart, though you can install Windows 2000 Server administration tools on a Windows 2000 Professional client using \I386\Adminpak.msi on the Windows 2000 Server compact disc |
| Network Monitor | Network Monitor |
| Performance Monitor | Performance → System Monitor (note that Computer Management → System Tools → Performance Logs and Alerts can be used to create logs but not to display them) |
| Remote Access Admin | Routing and Remote Access |
| Server Manager | Computer Management → System Tools → Shared Folders (to create and manage network shares, and to send a message to users connected to the server); or: Active Directory Users and Computers (to add a computer to a domain); or: Active Directory Sites and Services (to manually force directory replication between domain controllers) |
| System Policy Editor | Use the Group Policy snap-in (much more powerful) |
| User Manager | Computer Management → System Tools → Local Users and Groups (to manage local users and groups on standalone servers or workstations); or: Local Security Policy (to configure password, account lockout, and audit policies and user rights on standalone servers and workstations) |
| User Manager for Domains | Active Directory Users and Computers (to manage users and groups, and to configure password, account lockout, and audit policies and user rights by opening and editing Group Policy Objects); or: Active Directory Domains and Trusts (to manage explicit trusts) |
| Windows NT Diagnostics | Computer Management → System Tools → System Information; or: Accessories → System Tools → System Information |
| WINS Manager | Computer Management → Services and Applications → WINS; or: WINS |
Table 2-2 lists selected Windows NT folders and utilities and their Windows 2000 counterparts.
Table 2-2: Folders and Utilities in Windows NT and Windows 2000

| Windows NT Folder or Utility | Windows 2000 Counterpart |
|---|---|
| C:\Winnt\Profiles (location where local user profiles are stored) | C:\Documents and Settings (unless an upgrade from NT was performed, in which case it will remain in its original location) |
| The default location where applications save their files varies in Windows NT | My Documents folder for compliant applications designed for Windows 2000 and Windows 9x (unless an upgrade from NT was performed, in which case it will remain in its original location) |
| Network Neighborhood | My Network Places |
| Find | Search |
| Windows NT Explorer | Accessories → Windows Explorer |
| Command Prompt | Accessories → Command Prompt |
| Internet Explorer → Connection Wizard | Accessories → Communications → Internet Connection Wizard |
| Settings → Folder Options | Control Panel → Folder Options |
| Settings → Active Desktop | Right-click on Desktop → Active Desktop |
| Accessories → Dial-up Networking | Settings → Network and Dial-up Connections (much more powerful) |
| Accessories → Telnet | telnet command |
| Accessories → HyperTerminal | Accessories → Communications → HyperTerminal |
| Accessories → Multimedia | Accessories → Entertainment |
| Control Panel → Console | Accessories → Command Prompt → Control Menu → Defaults |
| Control Panel → Devices | Computer Management → System Tools → Device Manager |
| Control Panel → Internet | Control Panel → Internet Options |
| Control Panel → Modems | Control Panel → Phone and Modem Options |
| Control Panel → Multimedia | Control Panel → Sounds and Multimedia |
| Control Panel → Network | Control Panel → Network and Dial-up Connections |
| Control Panel → Network → Identification | Control Panel → Network and Dial-up Connections → Advanced → Network Identification; or: Control Panel → System → Network Identification tab |
| Control Panel → Network → {Services \| Protocols \| Adapters} | Control Panel → Network and Dial-up Connections → Local Area Connection → Properties |
| Control Panel → Network → Bindings | Control Panel → Network and Dial-up Connections → Advanced Settings |
| Control Panel → ODBC | Administrative Tools → Data Sources (ODBC) |
| Control Panel → Ports | Computer Management → System Tools → Device Manager |
| Control Panel → Regional Settings | Control Panel → Regional Options |
| Control Panel → SCSI Adapters | Computer Management → System Tools → Device Manager |
| Control Panel → Server | Computer Management → System Tools → Shared Folders |
| Control Panel → Services | Computer Management → Services and Applications → Services; or: Services |
| Control Panel → Sounds | Control Panel → Sounds and Multimedia |
| Control Panel → System → {General \| User Profiles} | Unchanged |
| Control Panel → System → Performance | Control Panel → System → Advanced → Performance Options |
| Control Panel → System → Environment | Control Panel → System → Advanced → Environment Variables |
| Control Panel → System → Startup/Shutdown | Control Panel → System → Advanced → Startup and Recovery |
| Control Panel → System → Hardware Profiles | Control Panel → System → Hardware → Hardware Profiles |
| Control Panel → Tape Devices | Computer Management → System Tools → Device Manager |
| Control Panel → Telephony | Control Panel → Phone and Modem Options → Dialing Rules |
| Control Panel → UPS | Control Panel → Power Options → UPS |
Table 2-3 is a quick list of things you commonly administer and the tools you use to administer them in both Windows NT and Windows 2000.
Table 2-3: Items to Administer in Windows NT and Windows 2000

| Item to Administer | Windows NT Tool | Windows 2000 Tool(s) |
|---|---|---|
| Account policy | User Manager for Domains | Group Policy snap-in (for domains); Local Security Policy (for workgroups); Default Domain Policy (for domain controllers) |
| Active Directory | Not applicable | Active Directory Domains and Trusts; Active Directory Sites and Services; Active Directory Users and Computers |
| Adding computers to a domain | User Manager for Domains | Active Directory Users and Computers |
| Advanced startup options | Not applicable | Press F8 during startup |
| Audit policy | User Manager for Domains | Group Policy snap-in (for domains); Local Security Policy (for workgroups) |
| Backup and restore | Backup | Accessories → System Tools → Backup |
| Bindings | Control Panel → Network | Control Panel → Network and Dial-up Connections → Advanced → Advanced Settings |
| Computer names | Control Panel → Network → Identification | Control Panel → System → Network Identification |
| Devices | Control Panel → Devices | Computer Management → System Tools → Device Manager |
| Dial-up connection | Dial-up Networking | Network and Dial-up Connections |
| Directory replication | User Manager for Domains; Registry Editor | Active Directory Sites and Services |
| Disk fragmentation | Third-party utility | Computer Management → Storage → Disk Defragmenter |
| Disk quotas | Third-party utility | Windows Explorer |
| Disks | Disk Administrator | Computer Management → Storage → Disk Management |
| Domain controllers | User Manager for Domains | Active Directory Sites and Services; Active Directory Users and Computers |
| Domains | User Manager for Domains | Active Directory Domains and Trusts; Active Directory Users and Computers |
| Emergency Repair Disk | rdisk command | Accessories → System Tools → Backup |
| Event logs | Event Viewer | Event Viewer |
| Forests | Not applicable | Active Directory Domains and Trusts |
| Global users | User Manager for Domains | Active Directory Users and Computers |
| Group Policy | Not applicable (though System Policy Editor is a weak equivalent) | Active Directory Sites and Services; Active Directory Users and Computers; Group Policy snap-in |
| Groups | User Manager for Domains | Active Directory Users and Computers |
| Kill a process | Right-click on taskbar → Task Manager | Same |
| Licenses | License Manager | Licensing |
| Local users | User Manager | Local Users and Groups |
| Pagefile | Control Panel → System → Performance → Change | Control Panel → System → Advanced → Performance Options → Change |
| Performance logs | Performance Monitor | Performance Logs and Alerts |
| Permissions | Windows Explorer | Same |
| Printers | Settings → Printers | Same (or `http://<servername>/printers/` if IIS is installed) |
| Protocols | Control Panel → Network → Protocols | Control Panel → Network and Dial-up Connections → Local Area Connection → Properties |
| RAID | Disk Administrator | Computer Management → Storage → Disk Management |
| Registry | regedt32.exe; regedit.exe | Same |
| Remote access | Remote Access Admin | Routing and Remote Access (most functions); Active Directory Users and Computers (to grant users remote-access permission) |
| Rights | User Manager for Domains | Group Policy snap-in (for domains); Local Security Policy (for workgroups) |
| Scheduling tasks | at command | Control Panel → Scheduled Tasks |
| Sending messages to connected users | Server Manager | Computer Management |
| Services | Control Panel → Services | Computer Management → Services and Applications → Services |
| Shared folders | Server Manager | Shared Folders (in Computer Management) |
| Sites | regedt32.exe; regedit.exe | Active Directory Sites and Services |
| Trees | Not applicable | Active Directory Domains and Trusts |
| Trusts | User Manager for Domains | Active Directory Domains and Trusts |
| UPS | Control Panel → UPS | Control Panel → Power Options |
Potpourri
Chapters 3 through 7 of this book form a quick desktop reference that lets you look up a concept, task, console or snap-in, utility, or command and quickly find what you're looking for. Nevertheless, for readers who are either brilliant, impatient, or have nothing better to do, the remainder of this chapter contains a potpourri of things about Windows 2000 that advanced administrators will want to know to get the most out of it and avoid the pitfalls. Wherever possible, I've drawn comparisons to similar aspects of Windows NT administration and included cross-references to Chapter 3, Concepts, and Chapter 4, Tasks, of this book. I've also arranged the sections below in alphabetical order according to topic to help you find useful information more quickly.
Account Policy
Setting account policy--such as password and account lockout restrictions--was easy in Windows NT using the User Manager for Domains administrative tool. In Windows 2000 you must use Group Policy (or the Domain Security Policy located in Administrative Tools on a domain controller) if you are in a domain environment, and you must configure the appropriate settings of a domain GPO for your domain. See Group Policy in Chapters 3 and 4 for more information.
Active Directory
For many companies Active Directory is the raison d'être for migrating their Windows NT networks to Windows 2000, but implementing it successfully takes careful planning and training of IT staff. For information on planning and implementation, see the following articles in Chapter 3: Active Directory, domain, domain controller, forest, global catalog, and tree. Don't forget that to use Active Directory means you must use TCP/IP and implement DNS servers on your network. See DNS and TCP/IP in Chapter 3 for more information.
Administrative Tools
If you're just starting out with Windows 2000, these are the two most important administrative tools to get familiar with:
- Computer Management
- This lets you connect to a local or remote computer and manage disks, shares, event logs, performance logs, services, and applications, as well as display information about devices and system resources. Computer Management actually integrates over a dozen other snap-ins into a single MMC console, so get familiar with this tool. You can administer most of these things on either a local or remote computer using Computer Management. The exception is the Device Manager node: you can't use it to change device drivers or uninstall devices on a remote computer. (For remote computers, Device Manager operates in Read-only mode, so you can't change resource settings like IRQ, I/O, and so on.)
- Active Directory Users and Computers
- This is used for creating and managing domain user accounts and domain local, global, and universal groups on domain controllers in your enterprise. You can also use this tool to create and configure Group Policy Objects (GPOs), which are mechanisms for configuring desktop settings on collections of computers across an enterprise.
For more information on these consoles, see Computer Management and Active Directory Users and Computers in Chapter 5, Consoles. For information on Group Policy Objects and how to configure them, see Group Policy in Chapters 3 and 4.
Instead of going to a domain controller to run Active Directory Users and Computers from the local console, install the complete set of Windows 2000 administration tools on a Windows 2000 Professional workstation, and use this as your main administrator workstation. You can install these tools by running Adminpak.msi, which is found in the \I386 folder on your Windows 2000 Server compact disc.
You can run most administrative tools from the command line while logged on to a workstation using an ordinary domain user (as opposed to an administrator) account. To do this, you use a Windows 2000 feature known as Secondary Logon. Just open a command prompt and type:
runas /user:domain\username cmd
where username is an administrator account in domain. You'll be prompted to enter your password, after which a second command-prompt window opens up that lets you execute commands using your administrator credentials. The current directory of this new window is set to %SystemRoot%\System32, which is where most administrative tools (MMC consoles saved as .msc files) are located. For example, to run Computer Management as administrator, you just type the following in your new command-prompt window:
compmgmt.msc
Of course, you need to know what the command-line equivalent of a GUI administrative tool is before you can run it this way. You can usually (but not always) find this out by opening the property sheet of the shortcut for the tool in the Start menu. As a help, I've listed these equivalents in Table 5-1 in Chapter 5.
A few things to note: the Runas service must be started in order to do this, and you can specify your administrator credentials in either of the two standard Windows 2000 forms. For example, if your administrator account is admin987 and the domain is mtit.com, then you can specify either MTIT\admin987 or admin987@mtit.com in the runas command. You can also run a tool with different credentials by right-clicking on it in Windows Explorer and selecting Runas from the shortcut menu.
Audit Policy
Setting an audit policy for a domain was easy in Windows NT using the User Manager for Domains administrative tool. In Windows 2000 you must use Group Policy if you are in a domain environment and configure the appropriate settings of a domain GPO for your domain. See Group Policy in Chapter 3 for more information.
Connection
Remember, by just creating a dial-up or VPN connection, you don't give users access to resources on your network when they connect to your remote-access or VPN server--you still need to assign suitable permissions for the users to access the resources. For information on the different types of connections you can create in Windows 2000, see connection in Chapter 3.
Computer Names
If you expect to have both Windows NT and Windows 2000 coexist for a while on your network, select NetBIOS computer names that will be compatible with both platforms (maximum 15 characters). Also, since Windows 2000 uses DNS by default as its name-resolution service, make sure your computer names are DNS compatible as well (this means no underscores, periods, or spaces--only letters, numbers, and dashes). For more on naming computers, see computer name in Chapters 3 and 4.
Speaking of computer names, there is also the issue of shared names to consider. When naming a shared folder or printer, it's a good idea to avoid using spaces or special characters if your network contains a mix of Windows 2000 and other computers (such as downlevel Windows NT machines, Unix machines, and so on). Otherwise, some clients might have difficulty connecting to your Windows 2000 shares.
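The two naming rules above (15-character NetBIOS limit, DNS-safe characters) and the share-name advice are easy to check before a machine or share is created. The following Python is an added example, not code from the book; it also rejects a leading or trailing dash, which DNS host-name rules forbid although the chapter does not spell that out, and the sample names it checks are constructed.

```python
import re

# Rules from this section: NetBIOS names are at most 15 characters, and a name that also
# has to resolve through DNS uses only letters, digits and dashes (no underscores, periods
# or spaces). Rejecting a leading or trailing dash goes slightly beyond the chapter; DNS
# host-name rules do not allow it. The share-name rule (no spaces or special characters)
# is the one given for mixed Windows 2000 / downlevel / Unix networks.
NETBIOS_MAX_LEN = 15
DNS_SAFE_CHARS = re.compile(r"^[A-Za-z0-9-]+$")
SHARE_SAFE_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")


def check_computer_name(name):
    """Return a list of problems with a proposed computer name; an empty list means OK."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > NETBIOS_MAX_LEN:
        problems.append("%d characters long; NetBIOS names are limited to %d"
                        % (len(name), NETBIOS_MAX_LEN))
    if not DNS_SAFE_CHARS.match(name):
        bad = sorted({c for c in name if not DNS_SAFE_CHARS.match(c)})
        problems.append("not DNS compatible, contains: %s" % ", ".join(repr(c) for c in bad))
    elif name.startswith("-") or name.endswith("-"):
        problems.append("begins or ends with a dash, which DNS host names do not allow")
    return problems


def check_share_name(name):
    """Return a list of problems with a share name for a mixed Windows/Unix network."""
    if not name:
        return ["name is empty"]
    if not SHARE_SAFE_CHARS.match(name):
        bad = sorted({c for c in name if not SHARE_SAFE_CHARS.match(c)})
        return ["contains spaces or special characters some clients may not handle: %s"
                % ", ".join(repr(c) for c in bad)]
    return []


def audit_names(computers, shares):
    """Map each proposed name to its problems, keeping only the names that need attention."""
    findings = {}
    for n in computers:
        problems = check_computer_name(n)
        if problems:
            findings["computer " + n] = problems
    for n in shares:
        problems = check_share_name(n)
        if problems:
            findings["share " + n] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample names for a network mixing Windows NT, Windows 2000 and Unix hosts.
    computers = ["FILESRV01", "sales_server", "web.corp", "accounting-department-srv", "-dc1"]
    shares = ["Public", "Public Docs", "Q4_Reports", "Sales&Marketing"]
    for item, problems in audit_names(computers, shares).items():
        print(item)
        for p in problems:
            print("  -", p)
```

Run it against a list of planned names before a migration; anything it reports would otherwise surface later as a name-resolution or share-connection failure on the downlevel side.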
By the way, if you need to change the name of a domain controller, you first must demote it to a member server, change the name, then promote it to a domain controller again. This sounds simple, but it can cause problems if you have downlevel Windows NT servers on your network and are using WINS for name resolution for these servers. This is because the WINS databases will maintain the former name of your domain controller for a period of time, which can cause name-resolution problems for clients unless the offending records are flushed from the database.
Delegation
Delegation is a powerful feature of Windows 2000 that helps administrators shuffle off some of their administrative responsibility to other trusted (trustworthy) users before overwork causes them to "shuffle off this mortal coil." For information on how to implement this feature, see delegation in Chapters 3 and 4.
DHCP
If you are going to deploy and manage IP addressing on Windows 2000 using DHCP, you might want to disable the Automatic Private IP Addressing (APIPA) feature on your machines. APIPA causes an IP address to be automatically assigned to a client machine from the reserved address range 169.254.0.1 through 169.254.255.254 when the system is configured for DHCP but is unable to contact a DHCP server when it first starts up. This can be nasty, since no warning message indicates that the system has used APIPA instead of DHCP to obtain its address, resulting in an inability to access other machines on the network because they are on a different subnet.
See the section "Automatic Private IP Addressing (APIPA)" in the article for information on how to disable APIPA. For further general information on DHCP, see DHCP and DHCP relay agent in Chapters 3 and 4.
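Because the system gives no warning when it falls back to APIPA, a small check that parses `ipconfig /all` output and flags any DHCP-enabled adapter sitting in 169.254.0.0/16 is a useful thing to schedule or run during troubleshooting. The Python below is an added example, not from the book; the `ipconfig` output it parses is a constructed sample (MAC addresses from the documentation range), and the exact field labels are assumed to follow the dotted `Key . . . : value` layout.

```python
import ipaddress
import re

# APIPA assigns addresses from 169.254.0.1 through 169.254.255.254 when a DHCP client
# cannot reach a server, so an address in 169.254.0.0/16 on a DHCP-enabled adapter is the
# signature of the silent fallback described above.
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")

_ADAPTER = re.compile(r"^(\S.*adapter .*):\s*$")     # "Ethernet adapter Local Area Connection:"
_FIELD = re.compile(r"^\s+(.*?)[ .]*:\s*(.*)$")       # "   IP Address. . . . : 192.168.10.25"


def parse_ipconfig(text):
    """Turn `ipconfig /all` style output into [{"name": ..., "fields": {...}}] per adapter."""
    adapters, current = [], None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = {"name": m.group(1), "fields": {}}
            adapters.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            current["fields"].setdefault(key, value)  # keep the first value of a repeated key
    return adapters


def find_apipa_adapters(text):
    """Return the adapters whose address was self-assigned by APIPA."""
    hits = []
    for adapter in parse_ipconfig(text):
        f = adapter["fields"]
        addr = f.get("Autoconfiguration IP Address") or f.get("IP Address", "")
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:       # blank or non-IP value (disconnected adapter)
            continue
        if ip in APIPA_RANGE:
            hits.append({"name": adapter["name"], "ip": str(ip),
                         "dhcp_enabled": f.get("DHCP Enabled", "").lower() == "yes"})
    return hits


# Constructed sample output: one adapter leased normally, one that fell back to APIPA.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws042
        Primary DNS Suffix  . . . . . . . : mtit.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mtit.com
        Description . . . . . . . . . . . : Example Ethernet Adapter (constructed)
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.2

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Ethernet Adapter #2 (constructed)
        Physical Address. . . . . . . . . : 00-00-5E-00-53-02
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.37.12
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

if __name__ == "__main__":
    for hit in find_apipa_adapters(SAMPLE_IPCONFIG):
        print("WARNING: %(name)s is on APIPA address %(ip)s (DHCP enabled: %(dhcp_enabled)s)" % hit)
```

The check keys on the address, not on the "Autoconfiguration" label, so it still fires if a tool prints the link-local address under the plain "IP Address" field.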
Disk Quotas
A good tip when implementing disk quotas is to configure global quotas only and not quotas for individual users. Not following this can make quota administration a real headache. For more information see disk quota in Chapters 3 and 4.
Disks
Microsoft has borrowed the concept of mounted volumes from Unix and implemented the ability to mount a FAT or NTFS volume in an empty folder on an NTFS volume in Windows 2000. This feature helps you get beyond the 24-letter limit for mapped drives. See disks in Chapters 3 and 4 for details. Note that you can cause problems for yourself with this feature: nothing prevents you from mounting a volume in a folder on a mounted volume, or even mounting a volume in a folder on itself!
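The last sentence describes a configuration error that nothing in the GUI stops, so it is worth checking a planned set of mount points before applying them. The Python below is an added example, not from the book: it models drive-letter assignments and folder mounts as data (a constructed sample), works out which volume hosts each mount folder, and reports self-mounts, loops between volumes, and mounts that sit on another mounted volume.

```python
import ntpath


def _norm(path):
    """Normalise a Windows path for prefix comparison: no trailing backslash, lower case."""
    return ntpath.normpath(path).rstrip("\\").lower()


def host_of(mount_path, drives, folder_mounts):
    """Return the volume that owns the folder mount_path sits in, or None if no drive letter
    or other mount point contains it. The deepest containing mount wins."""
    target = _norm(mount_path)
    candidates = [(_norm(d), v) for d, v in drives.items()]
    candidates += [(_norm(p), v) for p, v in folder_mounts if _norm(p) != target]
    best_path, best_vol = None, None
    for path, vol in candidates:
        if target == path or target.startswith(path + "\\"):
            if best_path is None or len(path) > len(best_path):
                best_path, best_vol = path, vol
    return best_vol


def check_mounts(drives, folder_mounts):
    """Classify folder mounts: self-mounts and loops ("cycles"), mounts placed on a volume
    that is itself folder-mounted ("nested"), and folders no volume contains ("unhosted")."""
    hosts = {}  # volume -> set of volumes hosting one of its mount folders
    for path, vol in folder_mounts:
        h = host_of(path, drives, folder_mounts)
        if h is not None:
            hosts.setdefault(vol, set()).add(h)

    result = {"cycles": [], "nested": [], "unhosted": []}
    for path, vol in folder_mounts:
        h = host_of(path, drives, folder_mounts)
        if h is None:
            result["unhosted"].append("%s: no drive letter or mount point contains this folder" % path)
            continue
        if h == vol:
            result["cycles"].append("%s: %s is mounted in a folder on itself" % (path, vol))
            continue
        # Walk upwards from the host through the volumes hosting it; reaching vol again is a loop.
        stack, seen, looped = [h], set(), False
        while stack:
            cur = stack.pop()
            if cur == vol:
                looped = True
                break
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(hosts.get(cur, ()))
        if looped:
            result["cycles"].append("%s: mounting %s on %s closes a loop back to %s" % (path, vol, h, vol))
        elif h in hosts:
            result["nested"].append("%s: %s is mounted on %s, which is itself a mounted volume" % (path, vol, h))
    return result


# Constructed sample: two drive letters and a handful of folder mounts, including the
# mistakes the chapter warns about.
SAMPLE_DRIVES = {"C:": "vol-sys", "D:": "vol-data"}
SAMPLE_FOLDER_MOUNTS = [
    ("C:\\Data", "vol-data"),             # fine on its own: vol-data under the system volume
    ("C:\\Data\\Archive", "vol-archive"),  # mounted on a mounted volume (nested)
    ("C:\\Data\\Self", "vol-data"),        # vol-data mounted in a folder on itself
    ("D:\\SysMirror", "vol-sys"),          # vol-sys under vol-data, which is under vol-sys: a loop
    ("E:\\Stuff", "vol-x"),                # no E: drive exists
]

if __name__ == "__main__":
    for kind, lines in check_mounts(SAMPLE_DRIVES, SAMPLE_FOLDER_MOUNTS).items():
        for line in lines:
            print("%-8s %s" % (kind, line))
```

Nested mounts are reported separately from cycles because they are legal and sometimes intended; cycles are the ones that will make path walks, backups and quota scans misbehave.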
DNS
DNS is used as the name-locator service in Windows 2000. This means you must have DNS servers implemented on your network if you want to connect to resources without specifying their IP address. DNS is also required if you want to use Active Directory on your network. For more information see Active Directory and DNS in Chapter 3.
NetBIOS is another option for name resolution. NetBIOS over TCP/IP is enabled by default (even in native mode domains) so that downlevel (Windows NT or Windows 98/95) computer names can be resolved if such systems are present. You can disable NetBIOS over TCP/IP by using the Advanced TCP/IP settings box (see TCP/IP in Chapter 4). Note that if you disable NetBIOS over TCP/IP, you won't be able to restrict a user's access to specific workstations using the Account tab of the user account's property sheet. This feature requires NetBIOS over TCP/IP in order to work.
TIP: If you manually modify any resource records on a Windows 2000 DNS server, select Update Server Data Files to make sure these changes are propagated to other DNS servers on your network. See DNS and DNS server in Chapter 4 for more information on how to manage DNS in Windows 2000.
Domain Controllers
In Windows NT, one domain controller was special within a domain--the primary domain controller (PDC). The PDC was the only domain controller with a writable copy of the domain directory database, and all changes made to user, group, or computer accounts in the domain had to be made on the PDC. (If the PDC was unavailable, then those changes could not be made.) All other domain controllers in the domain were backup domain controllers (BDCs), which contained Read-only versions of the domain directory database.
Windows 2000 promised to be different in that domain controllers are all peers and each domain controller contains a full writable copy of the Active Directory database. Replication between domain controllers follows a method called multimaster replication in which there is no single master domain controller. However, if you look under the surface, you find out that this is not quite the case. There are actually five special domain-controller roles (called operations master roles), which are restricted to certain domain controllers in an enterprise. For information on these special roles, see domain controller in Chapters 3 and 4.
Speaking of PDCs and BDCs, the usual way of upgrading a Windows NT domain to Windows 2000 is to upgrade the PDC first, then the BDCs. The hitch is this: make sure the former PDC is available on the network when you are upgrading the BDCs. If it isn't, the first BDC you upgrade will think it's the first domain controller in the domain and will assume some of the operations master roles discussed above. Then when the former PDC comes back online, you will have a serious conflict between them, and the only way to resolve it is to wipe your former BDC and reinstall it from scratch.
By the way, if you have only upgraded some of your downlevel Windows NT BDCs to Windows 2000 domain controllers, you need to make sure each domain has a global catalog server in order for cross-domain authentication to take place successfully in a forest of trees. Native mode domains do not have this restriction, and in a well-connected enterprise (no slow WAN links), you can probably get away with only one global catalog server if it can handle the load.
After promoting a Windows 2000 member server to the role of a domain controller using the Active Directory Installation Wizard (dcpromo.exe), be sure to check the Dcpromo.log and Dcpromoui.log log files that are created in the %SystemRoot%\debug folder. These logs will list any problems that occurred during the promotion.
Domains
Active Directory in Windows 2000 has changed the whole nature of domains and how they connect together using trusts. You no longer need to separate master (account) domains from slave (resource) domains as you did in Windows NT or create trusts manually between domains. Instead, when you promote a Windows 2000 member server to the role of a domain controller, you can either:
- Add it to an existing domain as a peer domain controller
- Make it the first domain controller of a new child domain under an existing parent domain, with a two-way transitive trust created automatically between the parent and child domains
- Make it the first domain controller of a new root domain, creating a new tree in an existing forest, with a two-way transitive trust created automatically between the new root domain and the root domains of existing trees in the forest
- Make it the first domain controller of the root domain of the first tree in a new forest (in other words, this is the very first Windows 2000 domain controller on your network)
The whole thing is done using Active Directory Installation Wizard (dcpromo.exe). The hierarchies of domains that result (trees in a forest) are all interconnected by trusts automatically so that any user in any domain can access any resource in any other domain immediately, provided they have suitable permissions. For more information on planning Windows 2000 domains and domain structures, see these articles in Chapter 3: Active Directory, domain, forest, OU, tree, and trust.
Dual-Boot
I don't recommend dual-boot configurations except for playing around at home, and you should know that volumes formatted with the version of NTFS on Windows 2000 (called NTFS5) only support dual-boots on Windows NT 4.0 with Service Pack 4 or higher. If you are using an earlier version of NT and want to maintain it on a dual-boot configuration, you will be unable to use advanced features of Windows 2000's NTFS, such as disk quotas and EFS.
By the way, just because you encrypt a file or folder using EFS doesn't mean you can't accidentally delete it!
Emergency Repair Disk
You no longer use the rdisk command to create ERDs; you use Backup, which is in the System Tools subgroup of the Accessories program group. I thought I'd let you know since you are no longer prompted during Setup to create an ERD, but have to do it manually afterwards.
Also, Windows 2000 ERDs do not contain everything Windows NT ERDs used to have. In fact, the only files on a Windows 2000 ERD are autoexec.nt, config.nt, and Setup.log (the last of which contains system state information and minimal versions of registry hives for the system). When you create an ERD, you can also choose to back up the full registry hives as well to the %SystemRoot%\repair directory. For more information see Emergency Repair Disk (ERD) in Chapters 3 and 4.
Event Logs
Event logs are pretty much the same as they were in Windows NT, although an MMC console is used to manage them now (Event Viewer, which is also part of Computer Management). One thing to note is that if you are running a high-security networking environment, you can configure a Windows 2000 system to halt when the event log becomes full. You need to configure a registry setting to do this--see event logs in Chapters 3 and 4 for more information.
Also, when you install or upgrade a machine to Windows 2000, configure your event log size and wraparound settings immediately so you won't lose valuable data that might be useful for troubleshooting purposes later on.
Global Users
What were called global user accounts in Windows NT (user accounts that could be used for logging on to the domain) are called domain user accounts in Windows 2000. These are created and managed using the Active Directory Users and Computers console. For more information see domain user account in Chapters 3 and 4 and Active Directory Users and Computers in Chapter 5.
Group Policy
If you are configuring Group Policy for your Windows 2000 network, you may want to test your new Group Policy settings without rebooting machines or waiting for Group Policy to auto-refresh (90 minutes or more). The trick is to use the secedit command to force Group Policy to refresh on the local machine. To do this, type the following at the command prompt:
secedit /refreshpolicy machine_policy
For more information see Group Policy in Chapters 3 and 4.
Groups
A new type of group (universal group) and enhanced functionality of domain local and global groups (nesting, more membership options) are available for Windows 2000 domains running in native mode. These are attractive reasons to switch your domains to native mode instead of leaving them in mixed mode. There are some pitfalls, however, particularly with universal groups. When you change the membership of a universal group, the entire list of group members is replicated to all global catalog servers on the network, and in an enterprise with global catalog servers located at different sites separated by slow WAN links, this can be a problem. The best solution is to restrict the membership of universal groups to other groups only (either global or universal) and exclude individual user accounts from membership in universal groups. Also, you should keep the number of members of a universal group fairly small (preferably in the tens). Finally, select the membership for a universal group such that it is not expected to change frequently. For more information see group in Chapters 3 and 4.
Hardware
Like Windows NT before it, Windows 2000 is forgiving of problems created when you update devices with incorrect or corrupt drivers. Such updates can sometimes prevent the system from booting to the point where you can log on. If this is the case, simply press the F8 function key when the boot-loader menu prompts you to select an operating system to boot. This causes the Advanced Startup Options menu to appear. One of the menu items is the familiar Last Known Good Configuration, which restores the system to the state in which it last booted successfully. If this fails, you can select the Safe Mode option to boot using a minimal set of device drivers. For more information see Table 3-10 in the article disaster recovery in Chapter 3.
Speaking of the boot menu, in a normal Windows NT installation this menu displayed two options: normal boot and VGA mode boot. In Windows 2000, however, there is only one boot option: normal boot (there is no VGA mode boot menu option because Safe mode takes care of this). The result is that in a normal Windows 2000 installation (only one operating system installed) the boot menu doesn't appear at all. In this case, to open the Advanced Startup Options menu, just press F8 while it says "Starting Windows" at the bottom of the screen.
If the Recovery Console is installed on a machine, however, the boot menu does appear since the Recovery Console is essentially a different operating system (a command-line version of Windows 2000). See Recovery Console in Chapters 3 and 4 for details.
Installing Windows 2000
With Windows NT, some administrators chose to make their boot partition FAT while using NTFS to secure their data partitions. This enabled them to repair missing or corrupt system or driver files by booting from a DOS disk when these missing or corrupt files were preventing them from successfully booting the system. This hack is no longer necessary with Windows 2000 because of two new features:
- Recovery Console
- Provides a way of booting to a minimal command-line version of Windows 2000 that lets you copy files to NTFS volumes
- Safe mode
- Lets you boot using a minimal set of device drivers to repair the system, which is useful when a corrupt or missing driver is preventing a successful boot
The bottom line is that you should use only NTFS for your Windows 2000 boot volume, as it is more secure than FAT or FAT32. For more information on the features described earlier, see Advanced Startup Options and Recovery Console in Chapter 3. Further useful information on troubleshooting boot failures or recovering from them can be found in disaster recovery and Emergency Repair Disk (ERD) in Chapter 3 and backup and restore and recovery options in Chapter 4.
A useful tool for performing unattended installations of Windows 2000 is Setup Manager, which is included in the Windows 2000 Server Resource Kit (and is also included in the \Support\Tools folder of the Windows 2000 Server CD). Setup Manager walks you through the process of creating an answer file for unattended installations. For more information on Setup Manager (and other methods for unattended installation of Windows 2000), see install in Chapters 3 and 4.
TIP: If you're using answer files for unattended installations, the answer file created by Setup Manager is plain text (unencrypted). This is fine, except that if you specified that the system you will install should join a domain, you probably entered your administrator account and password when running Setup Manager, and this information is therefore contained in the answer file in unencrypted form. So carefully protect the disk containing the answer file, or change your administrator account after performing the installation. An alternative is to install your new systems as members of a workgroup and then manually join them to the domain afterwards. See computer in Chapter 4 for information on how to do this.
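As an added example (not from the book), a short Python check that flags the credential keys Setup Manager writes in the clear; the two answer files it examines are constructed, and the second shows the workgroup alternative the tip describes:

```python
"""Flag plaintext credentials in a Setup Manager answer file (added example,
not from the book). Key names are the ones unattend.txt uses; the file
contents, account name and passwords below are constructed."""
import configparser  # answer files are INI-style: [Section] then Key=Value

# Constructed answer file in the layout Setup Manager writes when you choose
# to join a domain during Setup. Both passwords are stored in the clear.
DOMAIN_JOIN_ANSWER_FILE = """\
[Unattended]
UnattendMode=FullUnattended

[GuiUnattended]
AdminPassword=LocalPa55

[Identification]
JoinDomain=CORP
DomainAdmin=CORP\\setupadmin
DomainAdminPassword=Secret123
"""

# Constructed answer file for the alternative the tip suggests: install into a
# workgroup (join the domain afterwards) and let Setup prompt for the local
# Administrator password ("*" means "ask at install time", nothing stored).
WORKGROUP_ANSWER_FILE = """\
[Unattended]
UnattendMode=FullUnattended

[GuiUnattended]
AdminPassword=*

[Identification]
JoinWorkgroup=WORKGROUP
"""

# Keys whose values Setup Manager writes unencrypted.
SENSITIVE_KEYS = {
    "GuiUnattended": ("AdminPassword",),
    "Identification": ("DomainAdmin", "DomainAdminPassword"),
}

def find_plaintext_credentials(answer_text):
    """Return (section, key) pairs that carry a real value, i.e. credentials
    that will sit in the clear on whatever disk or share holds the file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key case exactly as written
    parser.read_string(answer_text)
    findings = []
    for section, keys in SENSITIVE_KEYS.items():
        for key in keys:
            value = parser.get(section, key, fallback="").strip()
            if value and value != "*":  # "*" = prompt, so nothing is stored
                findings.append((section, key))
    return findings
```

Run it against every answer file before it is copied to a distribution share; any non-empty result means the file needs the same protection as the account it names.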
IntelliMirror
Where's the IntelliMirror console in Windows 2000? There ain't no such beast! You see, IntelliMirror is just an umbrella term or buzzword for a series of Windows 2000 features that enable users to access their desktops and data conveniently from any computer on (or off) the network. Specifically, IntelliMirror has four aspects:
- User data management
- This is just another buzzword for two features of Group Policy:
- Folder redirection
- Lets you redirect users' personal folders such as My Documents to a network file server so they are available to the user from anywhere on the network. For more information see folder redirection in Chapters 3 and 4.
- Offline folders
- Lets users who are working offline (on laptops disconnected from the LAN) access shared network resources as if they were still connected to the LAN. Users can synchronize their files once they connect again to the LAN. For more information see offline files in Chapters 3 and 4.
- User settings management
- This is really just another name for roaming profiles, which let users log on to any workstation on the network and have their personal desktops appear. For more information see user profile in Chapter 3 and roaming user profile in Chapter 4.
- Software Installation and Maintenance
- This is another feature of Group Policy that lets administrators remotely install software packages and updates on users' workstations. For more information see Windows Installer in Chapter 4.
- Remote Installation Services
- This is an optional Windows 2000 service that can be used for mass deployments of Windows 2000 Professional on corporate networks.
MMC
The Microsoft Management Console can be used for building customized administrative tools, which can then be distributed by email or by storing them on a network share. See the first part of Chapter 5 for information on the MMC and how to customize it.
Permissions
Like the earlier Windows NT operating system, Windows 2000 provides you with two sets of permissions for security access to files and folders: NTFS permissions and shared-folder permissions. The basic approach for secure shared resources is the same as in NT, but NTFS permissions will require some relearning in Windows 2000. For more information see permissions in Chapter 3 and the articles offline files and shared-folder permissions in Chapter 4.
Printers
One terrific feature of Windows 2000 is that you can manage printers remotely across a network (or even over the Internet) using only a web browser. See in and for more information about this feature. By the way, to print to a Windows 2000 print server over the Internet, open the printer in your web browser and click Connect. This installs the appropriate drivers on your computer and creates a network printer to let you print to the remote print device.
TIP: Let Windows 2000 detect Plug and Play printers and install drivers for them automatically. If you install the driver manually and reboot your machine, you may end up with two printers for the same print device!
In addition, specify a location for your printer when you create it using the Add Printer Wizard. Users will then be able to search for printers by location when they search Active Directory using Start → Search → For Printers. This makes life easier for your users.
Remote Access
If you have migrated a Windows NT domain to Windows 2000 but still have Windows NT RAS (or RRAS) servers on your network, there may be a problem: Windows NT RAS servers that are configured as member servers will be unable to communicate with Active Directory to authenticate users trying to initiate RAS sessions. There are two solutions to choose from:
- Upgrade your Windows NT RAS server (member server) to a domain controller. This way, the RAS server doesn't need to contact a different domain controller for authenticating RAS users.
- Weaken RAS permissions for your Windows 2000 domain by adding the Everyone built-in special identity to the local group called Pre-Windows 2000 Compatible Access on a Windows 2000 domain controller. This lets the RAS server use NTLM for authenticating RAS users.
For more information on remote access in Windows 2000, see remote access in Chapter 3 and remote-access server in Chapter 4.
Rights
Modifying system rights for a user or group in Windows NT was a relatively straightforward task involving the use of User Manager for Domains. In Windows 2000, however, you must use Group Policy to do this if you are in a domain environment and must configure the appropriate settings of a domain GPO for your domain. See Group Policy in Chapters 3 and 4 for more information.
Scheduling Tasks
Although the Windows NT 4.0 Server Resource Kit included a GUI utility to complement the at command-line utility, Windows 2000 carries this further with Task Scheduler, a wizard for scheduling tasks to be run. For more information see Task Manager in Chapter 6, Utilities. The at command is still available for batch scripting purposes; however, there are some compatibility issues. For example, if you create a task using the at command and then reconfigure its settings using the GUI Task Scheduler tool, you will then be unable to use the at command to further configure it.
TIP: If a computer's date and time are not set correctly, your task may not run as expected (or at all). With Windows 2000 computers, date and time should be synchronized automatically within a domain, so this shouldn't be a problem.
Sending Messages to Connected Users
You can use Computer Management to send a console message to users connected to a Windows 2000 computer on the network. This is an advisable practice as it's not nice to disconnect users unexpectedly and have them lose their work. See Computer Management in Chapter 5 for more information.
Service Pack
Service Pack 1 for Windows 2000 addresses a number of operating-system issues regarding system reliability and application compatibility. SP1 also includes a new feature called integrated installation that makes an administrator's life simpler: you can apply the service pack to a network distribution point containing the Windows 2000 installation files. By doing this, the source files themselves become updated with the fixes in the service pack so that any future network installations that are performed from the distribution point will cause new systems to apply service pack fixes automatically during Setup. The one downside of integrated installation is that you cannot uninstall SP1 if you simultaneously install Windows 2000 and SP1 on a machine.
Another new feature of SP1 is that you no longer need to reapply the service pack after installing new system components or devices (hooray!).
Shared Folders
If you have a lot of shared folders scattered across different file servers, there are two ways you can make it simpler for your users to locate the shared resources they need:
- Use the Distributed File System (Dfs) to combine your shared folders into one or more Dfs trees. Users just connect to a Dfs tree and browse the tree for the share they need, and they do not need to know the name of the file server on which the share is located.
- Publish the shares in Active Directory so users can search for them by location and by using friendly names. In this way users do not need to know the names of the file servers hosting the shares. You can also configure permissions on the shared folder object you publish to Active Directory--not to control access to the share but to control who can find and view the information you have published to Active Directory about the share.
For more information see Dfs in Chapters 3 and 4 and Active Directory in Chapter 4. For general information about how to share folders on local and remote machines, see shared folder in Chapters 3 and 4.
Sites
Managing directory replication between Windows NT domain controllers and sites connected by slow WAN links was a hit-and-miss procedure of juggling various registry entries such as ChangeLogSize, ReplicationGovernor, and so on. Things are simpler in Windows 2000: use Active Directory Sites and Services to create logical sites that map the physical (geographical) topology of your network, map well-connected subnets to each site, and let it handle the replication between the sites (or configure the site links manually if desired, by specifying bridgehead servers, replication schedules, and such). See site in Chapters 3 and 4 for more information.
In Windows 2000 the term "directory replication" refers to updating Active Directory information among domain controllers; in Windows NT it referred to copying a tree of folders between NT servers using the Directory Replicator service. This service is not needed in Windows 2000 since the Distributed File System service included with it is much more powerful and versatile. See Dfs in Chapters 3 and 4 for more information.
System Policy
If you have a Windows NT 4.0 network with System Policy implemented for locking down client desktops and other features, you should be aware that when you upgrade your network to Windows 2000, these System Policies will not be upgraded to Group Policies. The reason is that Group Policy modifies special areas of the registry rather than the actual registry entries of the settings managed, whereas System Policy directly modifies the registry settings involved.
Likewise, if you migrate a portion of your network to Windows 2000, then be aware that any Group Policies you configure will have no effect on your remaining Windows NT computers. Therefore, you may want to continue using Windows NT's System Policy Editor (poledit.exe) to create and manage System Policy on your downlevel machines (place the Ntconfig.pol file in the SYSVOL folder on your Windows 2000 domain controller for it to be applied). For more information on Group Policy, see Group Policy in Chapters 3 and 4.
Terminal Services Advanced Client (TSAC)
The Service Pack 1 CD for Windows 2000 also includes Terminal Services Advanced Client (TSAC), a Win32 ActiveX control that enables you to run Terminal Services sessions within Internet Explorer (IE). This is a useful feature since it allows administrators to administer Windows 2000 servers remotely over the Internet from any computer on which IE is installed, without the need of installing the standard (full) Terminal Services Client software (mstsc.exe) on the computer. TSAC is included on the SP1 CD but is not part of SP1 and is not automatically installed when SP1 is applied. TSAC also includes a Windows Installer (MSI) Setup package for deploying an updated full Terminal Services Client on machines running Windows 2000 Professional (or on earlier versions of 32-bit Windows that have had Windows Installer installed).
Trusts
Windows 2000 promised to be simpler to manage than Windows NT at the enterprise level because of two-way transitive trusts. In Windows 2000, two-way trusts are automatically established between adjacent parent and child domains in a domain tree and between the root domains of trees in a forest, when you create a new child domain or new tree. However, the fine print is that these trusts are only transitive once you convert your domains to native mode, meaning that you no longer have any Windows NT BDCs in your domains. For more information on domain modes, see mixed mode and native mode in Chapter 3. For information on changing the mode of a domain, see domain in Chapter 4.
Speaking of native mode, it's quite OK to still have Windows NT 4.0 member servers as part of a Windows 2000 domain running in native mode. It's also OK to have Windows NT 4.0 Workstation or Windows 95/98 desktop machines as part of such a domain. Native mode simply means there are no more Windows NT domain controllers present in the domain.
Also, it's OK to have some domains in native mode and others in mixed mode in the same tree of domains. It's OK, but not terrific, as it complicates trusts and authentication (see my next point).
Kerberos authentication is used for authentication across domain boundaries; it can be a complex process that generates significant network traffic when it occurs between domains in different trees of a forest. Kerberos traffic can be limited, however, by establishing an explicit trust between a domain where resources are located and the domain where users who need to access those resources are located. For more information see trust in Chapters 3 and 4.
User Accounts
Besides using the Active Directory Users and Computers console to create and configure new user accounts, you can also use the csvde command-line utility to bulk-import account information from a comma-delimited text file (.csv file) that has been previously exported from a spreadsheet or database. This is a great way of creating large numbers of user accounts at one shot. See csvde in Chapter 7, Commands, for more information.
Windows 2000 Professional
Upgrading your Windows NT servers to Windows 2000 Server has clear advantages for enterprise network management--the most obvious of which is Active Directory. But what about upgrading your desktop machines to Windows 2000 Professional? This is bound to be a costly exercise since hardware on existing machines will have to be beefed up (or replaced entirely) in order to make them compatible with Windows 2000. Is it worth it?
It probably is, for several reasons:
- Remote management of Windows 2000 Professional computers is a breeze using the Computer Management console, and it's bound to reduce your help-desk costs significantly.
- Group Policy adds additional dimensions of enterprise-wide management of desktop settings, software installation, roving desktops, and other useful features.
- Costs for training users will be minimal if users are already familiar with the features of the Windows 95/98 and Windows NT 4.0 Workstation GUI.
I'll stop there lest I sound like an ad for Microsoft, but the fact is that there are compelling reasons why migrating desktop computers to Windows 2000 Professional makes sense.
© 2001, O'Reilly & Associates, Inc.