MCSE Classes

  • 8/7/2019 MCSE Classes

    1/58

    WINDOWS 2003 SERVER (MCSE)

    Networking is for sharing resources, security, communication etc.

    Basic Requirements of Networking are

    1) Two Systems
    2) Operating System
    3) Network Interface Card (NIC)
    4) Media (Guided Media or Un-Guided Media)
    5) Connectors
    6) IP Address

    1) The two systems can be of any configuration, e.g. the two systems can be Intel and AMD.
    2) The Operating Systems can be of any vendor, e.g. the Operating Systems can be Microsoft and Linux.
    3) The NICs can be of different vendors.
    4) Guided Media: a physical connectivity between systems is called guided media.
    Un-Guided Media: a logical connectivity between systems is called un-guided media.
    A 16 bit ISA NIC (old version) and a 32 bit PCI NIC can communicate with each other.
    5) The Connectors are cable dependent.
    6) 2 types of IP versions are available: IP V.6 (only in Japan) and IP V.4 (other).

    IP ADDRESSING

    IP Address

    TCP/IP is unique in that the network portion of the address has not been allocated a fixed address space. The number of bits that the network portion may use depends on the number of networks that need to be identified. Although a governing body allocates an original address, the network portion of the address can be extended. To identify how many of the address bits have been extended into the network portion of the address, a subnet mask is used.

    IP Addresses are classified into 5 classes:

    Class A
    Class B
    Class C
    Class D
    Class E

    * To identify the class to which an IP address belongs, the first octet is considered.

    Class A: 0-127 (128)
    Total Networks = 126
    Total Hosts = 16.77 million
    0 and 127 addresses are reserved.
    * 0.0.0.0 is reserved for the Global IP Address.
    * 127.0.0.0 is called the Loopback Address. It is used for self-testing purposes. All the networking services in the Operating System run on the loopback address.
    * Class A is used by large organisations.

    Class B: 128-191 (64)
    Rule: The rule of Class B is that the first 2 bits of the octet are reserved as 1 & 0.
    Total Networks =
    Total Hosts =
    The valid IP addresses in a single network are 128.0.0.1 to 128.0.255.254 (255 is reserved for broadcasting).
    * None of the values are reserved in Class B.
    * Used by large and medium size organisations.

    Class C: 192-223 (32)
    Rule: The rule of Class C is that the first 3 bits of the octet are reserved as 1, 1 & 0.
    Total Networks =
    Total Hosts =
    The valid IP addresses in a single network are 192.0.0.1 to 192.0.0.254 (255 is reserved for broadcasting).
    * None of the values are reserved in Class C.
    * Used by smaller organisations.

    Class D: 224-239 (16)
    Rule: The rule of Class D is that the first 4 bits of the octet are reserved as 1, 1, 1 & 0.
    * Class D is reserved for News Groups & News agencies. Multicasting (one to group).

    Class E: 240-255 (16)
    Rule: The rule of Class E is that the first 4 bits of the octet are reserved as 1, 1, 1 & 1.
    * Class E is reserved for Research & Development.

    # To identify the class to which an IP address belongs, we need to consider the 1st octet only.
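    The first-octet rule and the subnet mask paragraph above can be checked with a short script. The block below is an added example and is not part of these notes: it classifies an address by its first octet, derives the network and host counts the notes give for class A (126 networks, about 16.77 million hosts) from the class bit patterns, flags the reserved 0 and 127 ranges, and reports how many bits a subnet mask extends the network portion beyond the class default. It uses only Python's standard ipaddress module; the sample addresses in the usage are constructed.

```python
"""Classify IPv4 addresses by first octet and apply a subnet mask (added example)."""
import ipaddress

# First-octet ranges of the five classes as listed in the notes, the number of
# leading network bits each class fixes (None for D and E, which have no
# network/host split) and the count of fixed pattern bits (0, 10, 110, ...).
CLASS_RANGES = (
    # name, low, high, network prefix bits, fixed pattern bits
    ("A", 0, 127, 8, 1),
    ("B", 128, 191, 16, 2),
    ("C", 192, 223, 24, 3),
    ("D", 224, 239, None, 4),
    ("E", 240, 255, None, 4),
)


def first_octet(address: str) -> int:
    """Top 8 bits of the address; this alone decides the class."""
    return int(ipaddress.IPv4Address(address)) >> 24


def ip_class(address: str) -> str:
    octet = first_octet(address)
    for name, low, high, _prefix, _fixed in CLASS_RANGES:
        if low <= octet <= high:
            return name
    raise ValueError(f"no class for {address}")


def class_prefix(name: str):
    """Default network prefix length of a class, or None for D and E."""
    for cls, _low, _high, prefix, _fixed in CLASS_RANGES:
        if cls == name:
            return prefix
    raise ValueError(f"unknown class {name}")


def classful_counts(name: str):
    """(networks, hosts per network) for classes A, B and C.

    Networks: 2 ** (prefix bits minus the fixed pattern bits); class A also
    loses 0 and 127, which the notes list as reserved. Hosts: 2 ** host bits
    minus the all-zeros network address and the all-ones broadcast address.
    """
    for cls, _low, _high, prefix, fixed in CLASS_RANGES:
        if cls == name:
            break
    else:
        raise ValueError(f"unknown class {name}")
    if prefix is None:
        raise ValueError(f"class {name} has no network/host split")
    networks = 2 ** (prefix - fixed) - (2 if name == "A" else 0)
    hosts = 2 ** (32 - prefix) - 2
    return networks, hosts


def reserved_reason(address: str):
    """Why an address cannot be assigned to a host, or None if it can."""
    octet = first_octet(address)
    if octet == 0:
        return "0.x.x.x is reserved (the notes call 0.0.0.0 the global address)"
    if octet == 127:
        return "127.x.x.x is the loopback range used for self testing"
    return None


def split_with_mask(address: str, mask: str) -> dict:
    """Apply a dotted subnet mask and describe the network/host split.

    'extended_bits' is how far the mask pushes the network portion past the
    classful default, which is what the notes say a subnet mask is for.
    """
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    prefix = iface.network.prefixlen
    default = class_prefix(ip_class(address)) or 0
    return {
        "class": ip_class(address),
        "network": str(iface.network.network_address),
        "broadcast": str(iface.network.broadcast_address),
        "network_bits": prefix,
        "extended_bits": max(prefix - default, 0),
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),
    }


if __name__ == "__main__":
    # Constructed sample: a class C address subnetted two bits further.
    print(ip_class("192.168.1.77"), classful_counts("A"))
    print(split_with_mask("192.168.1.77", "255.255.255.192"))
```

    Run it as a script to see a class C address split with a 26-bit mask: the mask has borrowed 2 bits from the host portion, so the block holds 62 usable hosts instead of 254.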


    WORKGROUP:

    In the workgroup model all the PCs in the network are independent; there is no centralised database and no centralised control.
    There is no concept of a server & client relationship. There is a lack of security.
    The administrative job is very heavy.

    DOMAIN:

    In the domain model each PC in the network is dependent; there is centralised control & a centralised database.
    There is a concept of a server & client relationship.
    There is a huge amount of security.
    The administrative job is very easy.

    Installation Steps for Windows 2003 Server

    1. Insert the Windows 2003 Server CD into the CD-ROM drive and restart the system.
    2. Press the Del key on the keyboard to enter the BIOS.
    3. Change the boot sequence to CD-ROM, save & restart.
    4. While booting it prompts to Press Any Key on the keyboard. Press it within 6 seconds.
    5. The initialization of hardware starts.
    6. Gives 3 options: press Enter to install, press R to repair & press F3 to quit.
    7. The License Agreement appears. Accept the License Agreement by pressing F8.
    8. Displays the partition table. Press C to create a new partition.
    9. Enter the partition size by deleting the default size.
    10. The partition table appears again; select the partition and press Enter.
    11. Displays the file systems.
    12. Select NTFS and press Enter.
    13. The format starts and the files are copied into the partition.
    14. Restarts for the first time.
    15. Enters the second phase of installation.
    16. Displays a window to choose the keyboard and language; click the Next button.
    17. Specify the Name and the Organisation Name in the text boxes and click the Next button.
    18. Specify the 25 digit Product Key and click the Next button.
    19. Specify the Computer Name and the Administrator Password and click the Next button.
    20. Select the Licensing Mode and click the Next button.
    21. Select the Date, Time, Location, and click the Next button.
    22. The installation continues.
    23. Select Typical settings in the Network Settings window and click the Next button.
    24. Select Workgroup in the next window and click the Next button.
    25. The installation continues and finishes.

    ACTIVE DIRECTORY

    Active Directory is a directory service that contains information regarding User Accounts, Computers and resources; resources are optional. Active Directory is a centralized database and maintains a hierarchical structure of Domains. Before 1974 each vendor was using their own protocols to design the software; in such a case communication between the vendors was not possible. NT 4.0 has a database size of 40 MB, i.e. the SAM database (Security Account Manager). Each user created occupies 1 KB of information in the SAM. A maximum of 40,000 users can be created in a single PDC. More than 40,000 users can be created on a single PDC, but the server performance goes down, because the SAM database size is fixed.

    Windows 2000 as well as 2003 database size of Active Directory (NTDS.DIT) has 16 and 12

    Trust relationships between the domains within the forest are accepted, but a cross forest trust relationship between two forests is not possible in Windows 2000.
    Windows 2003 supports cross forest trust relationships.

    Requirements for Active Directory installation:
    1. Stand alone server
    2. Static IP address
    3. Requires 200 MB free space on an NTFS 5.0 partition
    4. Requires the Windows 2003 Server CD

    To install Active Directory
    Start -> Run -> dcpromo
    A wizard appears, click Next.
    A compatibility option appears, click Next.
    2 options appear: create a new domain controller / create an additional domain controller.

    Click the Next button.
    Displays the summary.
    Click Next. The installation starts.
    RESTART

    Typical setup of Domain Controllers

    Domain Controller (DC)
    - Preferred DNS same as IP Address
    IP 192.168.1.1
    Subnet mask 255.255.255.0
    Preferred DNS 192.168.1.1

    Additional Domain Controller (ADC)
    IP 192.168.1.2
    Subnet mask 255.255.255.0
    Preferred DNS 192.168.1.1

    Child Domain (CD)
    IP 192.168.1.3
    Subnet mask 255.255.255.0
    Preferred DNS 192.168.1.1

    New Domain in the Existing Forest (NDEF)
    IP 192.168.1.4
    Subnet mask 255.255.255.0
    Preferred DNS 192.168.1.1
    Additional DNS 192.168.1.4

    Roles of Active Directory

    There are 6 Roles for Active Directory.

    1. Domain Naming Operation Master
    2. Global Catalogue Server
    3. Schema Master
    4. RID (Relative Identifier) Master
    5. PDC Emulator
    6. Infrastructure Master

    (Roles 1 to 3 are forest wide roles; roles 4 to 6 are domain wide roles.)

    1. Domain Naming Operation Master (DNOM): It maintains the uniqueness of domain names in the entire forest. By default the DNOM is present on the root.
    At any point of time there can be only one DNOM in the entire forest.

    To view the DNOM
    Start -> Programs -> Admin Tools -> Active Directory Domains & Trusts

    To change the role of DNOM
    Start -> Programs -> Admin Tools -> Active Directory Domains & Trusts
    Right click ADDT and select Connect to another Domain.
    Click the Browse button to select another domain to transfer the roles. Then click

    2. Global Catalogue Server (GCS): It maintains the total information of its domain and partial information of the other domains in the entire forest. By default the GCS is available on the root (DC).
    There can be more than one GCS in the entire forest.

    To view GCS
    Start -> Programs -> Admin Tools -> Active Directory Sites & Services
    Open Sites (folder) -> Default First Site Name -> open Servers -> open the computer name -> right click on NTDS Settings -> go to Properties.
    Displays the G.C. check box.

    3. Schema Master (SM): It maintains the total information of classes and attributes in the entire forest. By default the schema master is available on the root (DC).
    At any point of time there can be only one schema master in the entire forest.

    To view SM
    Start -> Run and type regsvr32 schmmgmt.dll, then press Enter.
    Go to Start -> Run and type mmc (Microsoft Management Console).
    The console window opens.
    Click the File option.
    Select Add/Remove Snap-in.
    A window appears. Click the Add button. In the list select Active Directory Schema.
    Click the Add button, click the Close button, OK and OK again.

    4. Relative Identifier Master (RID): The Relative Identifier consists of a pool of addresses. For every newly created object an address will be specified by the RID master.
    SID (Security Identifier) = RID (Relative Identifier) + DID (Domain Identifier)
    By default the RID masters are available on the domains.
    At any point of time there can be only one RID master in the entire domain (Parent / Child).

    5. Primary Domain Controller Emulator (PDCE): It emulates the PDC for the BDCs through the domain controller when the domain is in Mixed Mode (pre-Windows 2000 mode). The PDC Emulator also takes care of password changes made by the users.
    At any point of time there can be only one PDC Emulator in the entire domain (Parent / Child).

    6. Infrastructure Master (IM): It maintains the updates that are done to groups. When any user is added, deleted or moved, the update is maintained by the IM.
    At any point of time there can be only one IM in the entire domain (Parent / Child).

    To see the three roles (RID Master, PDC Emulator & IM) go to
    Start -> Programs -> Admin Tools -> Active Directory Users and Computers
    Right click on the Domain Name and select Operations Masters.
    Displays the roles.

    * Start -> Run -> net accounts
    To run Services: services.msc
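    The relation SID = RID + DID given under the RID Master role can be seen on a real account SID. The Python below is an added example, not from these notes: it splits a domain account SID into the domain identifier and the relative identifier, checks whether two SIDs come from the same domain, and simulates the pool from which the RID master hands out one unused RID per new object. The well-known RIDs in the table are standard Windows values, the SIDs used in the tests are constructed, and the RidPool class is a simplified stand-in for the role, not the real service.

```python
"""Split a Windows account SID into domain identifier and RID (added example)."""
import re

# Standard well-known relative identifiers (assumed from Windows documentation,
# not taken from the notes).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# A domain identifier has the form S-1-5-21-<three 32-bit sub-authorities>;
# an account SID appends one more component, the RID handed out by the RID master.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}-(\d{1,10})$")


def split_sid(sid: str) -> dict:
    """Return the domain identifier (DID), the RID and any well-known name."""
    match = ACCOUNT_SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a domain account SID: {sid}")
    rid = int(match.group(1))
    domain_id = sid[: sid.rfind("-")]
    return {"domain_id": domain_id, "rid": rid, "well_known": WELL_KNOWN_RIDS.get(rid)}


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two SIDs belong to the same domain exactly when their DID parts match."""
    return split_sid(sid_a)["domain_id"] == split_sid(sid_b)["domain_id"]


class RidPool:
    """Simplified model of the RID master's pool: each new object receives the
    next unused RID, so SIDs inside one domain never collide. Hypothetical."""

    def __init__(self, domain_id: str, first: int, last: int):
        if not domain_id.startswith("S-1-5-21-"):
            raise ValueError("domain identifier expected")
        self.domain_id = domain_id
        self._next = first
        self._last = last

    def allocate(self) -> str:
        """Build the SID for a newly created object from DID + next RID."""
        if self._next > self._last:
            raise RuntimeError("RID pool exhausted; the RID master must issue a new block")
        sid = f"{self.domain_id}-{self._next}"
        self._next += 1
        return sid


if __name__ == "__main__":
    # Constructed sample domain identifier.
    pool = RidPool("S-1-5-21-1111-2222-3333", 1100, 1199)
    print(split_sid("S-1-5-21-1111-2222-3333-500"))
    print(pool.allocate(), pool.allocate())
```

    The regular expression rejects SIDs that are not domain account SIDs (for example the built-in S-1-5-32 aliases), which is the check a script should make before treating the last component as a RID.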

    Day 5

    FUNCTIONAL LEVELS

    Forest and Domain Functional Levels

    The functional level determines
    - the supported domain controller operating systems.
    - the Active Directory features available.

    Domain functional levels can be raised independently of one another.
    Raising the forest functional level is performed by an Enterprise Administrator.
    - Requires all domains to be at the Windows 2000 native or Windows Server 2003 functional level.

    Functional levels are classified into two levels:
    Domain Functional Level
    Forest Functional Level

    Domain Functional Levels:
    a) Windows 2000 Mixed Mode
    b) Windows 2000 Native Mode
    c) Windows 2003 Interim Mode
    d) Windows 2003 Mode

    Windows 2000 Mixed Mode: (diagram) domain controllers running Windows 2003, Windows 2000 and Windows NT.

    Forest Functional Level              Domain Controllers Supported
    Windows 2000 (Default)               Windows NT 4.0, 2000, 2003 Server
    Windows Server 2003 Interim          Windows NT 4.0, 2003 Server
    Windows Server 2003                  Windows Server 2003 family

    Functional levels are important when you are planning to upgrade the operating system or for establishing trust relationships.

    To check functional levels
    1. Active Directory Domains & Trusts
    2. Right click on the domain name (Ex: zoom.com)
    3. Click on Domain Functional Level or Forest Functional Level

    TRUST RELATIONSHIP

    CISCO.COM (Trusting)
    CHILD.CISCO.COM (Trusted)

    Trusts are secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains.
    Some trusts are automatically created.
    - Parent and child domains trust each other.
    - Tree root domains trust the forest root domain.
    Other trusts are manually created.
    A forest to forest transitive trust relationship can be created in a Windows 2003 forest only.

    Transitive Trust: In a transitive trust relationship Domain A trusts Domain B, in the same way Domain B trusts Domain C, and in the same way Domain C trusts Domain A. This is called a Transitive Trust.
    (Diagram: domains A, B and C, each trusting the others.)

    Non-Transitive Trust: Domain A trusts Domain B, in the same way Domain B trusts Domain C, but Domain C will not trust Domain A. It is known as a Non-Transitive Trust Relationship.
    (Diagram: domains A, B and C, with no trust between C and A.)

    One Way Incoming: Example
    (Diagram: users A1, A2, A3 and A4 in Zoom.com, an incoming one way trust, and a Database Server in Yahoo.com.)

    Types of Trust:
    Default: two way transitive Kerberos trusts (intra-forest).
    Shortcut: one or two way transitive Kerberos trusts (intra-forest).
    - Reduce authentication requests.
    Forest: one or two way transitive Kerberos trusts. Windows Server 2003 forests only; Windows 2000 does not support forest trusts.
    - Only between forest roots.
    - Creates transitive domain relationships.
    External: one way non-transitive NTLM trusts.
    - Used to connect to/from Windows NT or external Windows 2000 domains.
    - Manually created.
    Realm: one or two way non-transitive Kerberos trusts; connect to/from UNIX MIT Kerberos realms.
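    The transitive and non-transitive definitions above reduce to a reachability question over the trust graph. The Python below is an added example, not from these notes: it stores each trust as a directed edge from the trusting domain to the trusted domain and asks whether a resource domain accepts a user from some other domain, following a chain only when every hop is transitive. The forest it builds (zoom.com with children child.zoom.com and sales.zoom.com, plus a one way external trust to a Windows NT domain called ntdom) is constructed, and the model is a simplification that covers the rules stated in these notes rather than every detail of real forest trusts.

```python
"""Reachability over a trust graph (added example, not from the notes)."""
from collections import deque


class TrustMap:
    """Trusts as directed edges: trusting domain -> trusted domain.

    A trusting domain accepts authentication for principals of the trusted
    domain. A direct trust is usable whether or not it is transitive; a
    multi-hop chain is usable only when every hop on it is transitive.
    """

    def __init__(self):
        self._trusted_by = {}   # trusting domain -> list of (trusted, transitive)

    def add_trust(self, trusting, trusted, transitive=True, two_way=True):
        self._trusted_by.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self._trusted_by.setdefault(trusted, []).append((trusting, transitive))

    def can_authenticate(self, user_domain, resource_domain):
        """Does resource_domain accept a user whose account lives in user_domain?"""
        if user_domain == resource_domain:
            return True
        # A direct trust of any kind is enough.
        for trusted, _transitive in self._trusted_by.get(resource_domain, []):
            if trusted == user_domain:
                return True
        # Otherwise walk outward over transitive trusts only.
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            domain = queue.popleft()
            for trusted, transitive in self._trusted_by.get(domain, []):
                if not transitive or trusted in seen:
                    continue
                if trusted == user_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
        return False


def example_forest():
    """Constructed sample: a zoom.com forest with the default two way transitive
    parent/child trusts, plus a one way non-transitive external trust in which
    zoom.com trusts the NT domain 'ntdom'."""
    trusts = TrustMap()
    trusts.add_trust("zoom.com", "child.zoom.com")
    trusts.add_trust("zoom.com", "sales.zoom.com")
    trusts.add_trust("zoom.com", "ntdom", transitive=False, two_way=False)
    return trusts


if __name__ == "__main__":
    forest = example_forest()
    for user, resource in [("child.zoom.com", "sales.zoom.com"),
                           ("ntdom", "zoom.com"),
                           ("ntdom", "child.zoom.com")]:
        print(f"{user} -> {resource}: {forest.can_authenticate(user, resource)}")
```

    The third case is the one the notes' non-transitive definition is about: zoom.com trusts ntdom directly, but child.zoom.com does not inherit that trust, so an ntdom user is refused there even though child.zoom.com trusts zoom.com.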

    Configuring Cross Forest Trust Relationship

    IP settings in 2 different domains:

    Satyam.com (Root Domain Controller): IP 10.0.0.1, PDNS 10.0.0.1, SDNS 10.0.0.2
    SBI.com (Root Domain Controller): IP 10.0.0.2, PDNS 10.0.0.2, SDNS 10.0.0.1

    1. In the two different domains assign the alternate DNS as in the example given above.
    2. To raise the functional levels of the domains as well as the forest, open the console
    3. Active Directory Domains & Trusts.
    4. Right click on the domain (for example: select the domain SBI.com and raise the domain functional level from the list to Windows Server 2003).
    5. To raise the forest functional level, right click on Active Directory Domains & Trusts -> Raise Forest Functional Level.
    6. Select Windows Server 2003 and raise it.
    7. Follow the same steps in the other domain to raise its functional levels.
    8. To establish a trust between the two different forests, for example in SBI.com, open the console Active Directory Domains & Trusts.
    9. Right click on the domain SBI.com.
    10. Select the Trusts tab.
    11. Click on New Trust.
    12. Enter the DNS name of the other domain, for example satyam.com.
    13. Check Forest trust.
    14. Select Two-way.
    15. Check Both this domain and the specified domain > Next.
    16. Enter the credentials (admin & password) > Next.
    17. Check Forest-wide authentication.
    18. Check Forest-wide authentication.
    19. Next
    20. Next
    21. Next
    22. Yes > Next
    23. Yes > Next
    24. Finish.

    We have to give permissions from the server side also, to allow logon.

    1. To give permissions for users / admins / groups:
    2. Admin Tools
    3. Domain Controller Security Policy
    4. Double click Local Policies
    5. User Rights Assignment
    6. Allow log on locally
    7. Add User or Group
    8. Browse
    9. Locations
    10. Select the other domain
    11. OK
    12. Enter Administrator and click on Check Names
    13. OK
    14. OK
    15. OK
    16. (To update the default policies) Start > Run > GPUPDATE

    External Trust

    It is non-transitive. It is used to communicate from Windows Server 2003 to lower versions like Windows NT and Windows 2000 Server. It is also used to communicate between only two roots in the forest.

    REALM

    It is used to communicate between Windows 2003 Server and non-Windows operating systems.

    DIFFERENCE BETWEEN NT & 2003

    Authorization protocol:  Windows NT uses NTLM; Windows 2000 & 2003 use Kerberos version 5.
    Naming:                  Windows NT uses NetBIOS; Windows 2000 & 2003 use DNS & NetBIOS.
    Domain controllers:      Windows NT uses a Primary Domain Controller & Backup Domain Controller; Windows 2000 & 2003 use a Domain Controller & Additional Domain Controller.
    Scale:                   Windows NT supports 40,000 workstations; Windows 2000 & 2003 support 1 billion workstations.
    Directory:               Windows NT uses a directory named SAM (Security Account Manager); Windows 2000 & 2003 use a directory named NTDC (New Technology Domain Controller).
    Symbol:                  In Windows NT a domain is represented as a circle; in Windows 2000 & 2003 a domain is represented as a triangle.

    FLEXIBILITY

    In Windows NT the Primary Domain Controller is configured while installing the operating system, and if we want to remove the Primary Domain Controller we have to format the whole operating system.

    In Windows 2000 & 2003 we have the flexibility of installing or uninstalling Active Directory on the server operating system.

    DAY 6

    PHYSICAL COMPONENTS

    The logical components of Windows 2003 Server are Forests & Trees.

    Physical Components:
    Domain Controllers
    Sites

    A Domain Controller is a system which is loaded with Active Directory Services on the Windows 2000 or Windows 2003 server operating system.
    - Stores replicas of the Active Directory database.
    - Associated with a given site.

    Sites are areas of good connectivity. A site is one of the physical components of the Active Directory Services.
    Sites are associated with subnets. A subnet is a subdivision of an IP network.
    A site can span multiple domains. A domain can span multiple sites.

    Example for Sites:
    (Diagram: a site INDIA with servers, a DC and clients, connected over a WAN LINK to a site USA with servers, a DC and clients.)

    REPLICATION TOPOLOGY

    Replication is classified into 2 types:
    1. Intra Site Replication
    2. Inter Site Replication

    Intra Site Replication: The replication which takes place within a single site, between the DC and the ADC, is called Intra Site Replication.
    The KCC (Knowledge Consistency Checker) service is responsible for replication.

    Inter Site Replication: The replication which takes place between 2 different sites is called Inter Site Replication.

    BRIDGE HEAD SERVER: The server responsible for gathering the information from one Domain Controller so that it can replicate it to another Domain Controller (ADC).

    By default the DC & ADC servers will get updated in Default-First-Site-Name. By default one site link is also configured in the site.

    Configuring Sites:
    1. To create sites open the console
    2. Active Directory Sites & Services.
    3. Expand Sites.
    4. Right click on the Sites folder.
    5. New Site.
    6. Enter the name of the site.
    7. Select the default site link.
    8. OK.
    9. To add the servers, expand the newly created site and Default-First-Site-Name, then expand Servers.
    10. Right click on the server.
    11. Select Move, and from the list select the new site.
    12. OK.
    13. Create one more site by following the same steps.

    TO CONFIGURE SITE LINKS
    1. Expand Inter-Site Transports.
    2. Right click on IP.
    3. Select New Site Link.
    4. Enter the name of the site link.
    5. Add the sites to the list.
    6. OK.

    TO SET THE REPLICATION SCHEDULE
    1. Select the IP folder.
    2. Double click the newly created site link.
    3. Click on Change Schedule.
    4. Set the schedule.

    ACTIVE DIRECTORY PARTITIONS

    (Diagram: NTDS -> NTDS.DIT -> Schema, Configuration, Domain and Application partitions.)

    The Active Directory Service database is stored in NTDS.DIT. This database is further logically divided into four partitions.
    1. Schema Partition
    2. Configuration Partition
    3. Domain Partition
    4. Application Partition

    1. Schema Partition: The schema is the design or architecture on which Active Directory is built. It provides the set of rules to create or manipulate different objects. Only schema administrators can modify the schema. You modify the schema partition only when you are planning to upgrade or install the operating system or applications, and the change is replicated to the Additional Domain Controllers.
    The schema is also known as forest wide replication.

    2. Configuration Partition: It is one of the logical partitions, which maintains the information about the structure of the forest. It contains information like Domain Controllers, Sites, Site Links and Trust relationships.
    The configuration partition is the road map of Active Directory, because of which users are easily able to locate network objects. It is also called forest wide replication.

    3. Domain Partition: Maintains the information about domain specific objects. It is a domain wide replication.

    4. Application Partition: It is a configurable partition; it can be either forest wide replication or domain wide replication. It maintains the information about DNS.

    Joining a Client to the Domain

    To convert a workgroup machine to a client (Windows XP):
    Login as Administrator in Windows XP.
    Right click on My Computer -> Properties.
    In the options select Computer Name.
    Click the Change button.
    Select the Domain option and specify the Domain Name. Click Apply, OK.
    Prompts for the Domain Administrator user name & password.
    Gives the confirmation that it has successfully connected.
    Restart the machine.

    To convert a workgroup machine to a Member Server:
    Login as Administrator in the Windows 2003 server operating system.
    Right click on My Computer -> Properties.
    In the options select Computer Name.
    Click the Change button.
    Select the Domain option and specify the Domain Name. Click Apply, OK.
    Prompts for the Domain Administrator user name & password.
    Gives the confirmation that it has successfully connected.
    Restart the machine.

    A Member Server can act as a server as well as a client. If a user logs in, it behaves as a client. If the Administrator logs in, it behaves as a server.

    Active Directory Users & Groups

    There are 2 types of users:
    1) Local User and 2) Domain User

    1. Local User: Local users are created on the client machines as well as on the Member Server. A local user cannot access all the resources in the network. A local user cannot login to multiple systems; he can login only where the account exists. A local user account is also called a temporary account.

    2. Domain User: The domain users are created on the domain controller. A domain user account can access any resources on the entire network. A domain user account can be created even on a Member Server, by logging in as Domain Administrator. To create: Start -> Run -> dsa.msc. The Active Directory Users and Computers window appears. Now you can create user accounts.

    To create a Local User Account
    Login as Administrator on the client machine or on the member server.
    Right click on My Computer.
    Select Manage.
    A System Management window appears.
    Open the Local Users & Groups folder.
    Right click on the Users folder and select New User (the same for groups).

    To create a Domain User Account
    Login as Administrator on the Domain Controller.
    Start -> Programs -> Admin Tools -> Active Directory Users and Computers
    Right click on the Users folder.
    Select New and select User.

    To create Domain User Accounts on Windows 2003 Server, the minimum requirement is that a password is mandatory and should be a minimum of 7 characters, including alphabets, special characters and numbers.

    3 types of Group Scopes are:
    1) Domain Local Group 2) Global Group (Default) 3) Universal Group

    1) Domain Local Group: Users and groups of the domain can be added, as well as users and groups of other domains, but only resources of the domain can be accessed.

    2) Global Group: This is the default group scope. Only users and groups of the domain can be added to a Global Group, but it can access any resources in the entire forest.

    3) Universal Group: Users and groups of the domain as well as users and groups of other domains can be added to a Universal Group, and it can access any resources in the entire forest. The Universal Group is available in Windows 2000 and Windows 2003 Servers only.

    2 Types of Groups
    1) Security Group & 2) Distribution Group

    1) Security Group: Permissions can be applied to a security group; in such a case certain mailing services will not function properly.

    2) Distribution Group: Permissions can be applied to a Distribution Group; in such a case all mailing services will function properly.

    Permissions

    Permissions are of 2 types:
    1) Security Permissions & 2) Shared Permissions

    Shared permissions are the permissions that are applied over the network.
    Security permissions are the permissions that are applied within a local machine.
    Out of both these permissions, Security plays the major role. The permissions are of 2 kinds, Allow and Deny. Deny has a higher priority than Allow.

    The default permission in Windows 2003 Server is Everyone with Read only permission, in both Security and Sharing permissions.

    The combination of the permissions that are applied in both Sharing and Security will take effect over the network. For example, if Read and Write permissions are given in Security and Read permission is given in Sharing, then only Read permission will apply over the network.
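    The two rules above (the effective network permission is the overlap of the Sharing and Security permissions, and Deny outranks Allow) can be checked with a small model. The Python below is an added example, not from these notes: the permission names are those of the Sharing and Security permission lists in these notes, the capability set each name expands to is an illustrative assumption rather than Windows' exact access masks, and the users and groups (alice, bob, Staff, Interns) are constructed. The notes_example function reproduces the case stated in the text, Read and Write in Security with Read in Sharing.

```python
"""Effective share + NTFS permissions (added example, not from the notes)."""

# Each permission name from the notes' lists, expanded to a capability set.
# The expansions are an illustrative assumption, not Windows' exact ACE masks.
SHARE_CAPS = {
    "Read": {"read", "list", "execute"},
    "Change": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete", "change_permissions"},
}
NTFS_CAPS = {
    "Read": {"read"},
    "List of Contents": {"list"},
    "Read & Execute": {"read", "list", "execute"},
    "Write": {"write"},
    "Modify": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete", "change_permissions"},
}


def resolve(aces, principals, table):
    """Collapse (trustee, 'Allow'|'Deny', permission) entries that apply to any
    of the principals (the user plus every group it belongs to) into one
    capability set. A Deny entry removes the capability even if another entry
    allows it, which is the notes' 'Deny has highest priority' rule."""
    allowed, denied = set(), set()
    for trustee, kind, permission in aces:
        if trustee not in principals:
            continue
        caps = table[permission]
        if kind == "Allow":
            allowed |= caps
        elif kind == "Deny":
            denied |= caps
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed - denied


def effective_local(ntfs_aces, principals):
    """Access on the local machine: only the Security (NTFS) permissions count."""
    return resolve(ntfs_aces, principals, NTFS_CAPS)


def effective_network(share_aces, ntfs_aces, principals):
    """Access over the network: the overlap of the Sharing and Security permissions."""
    return resolve(share_aces, principals, SHARE_CAPS) & effective_local(ntfs_aces, principals)


# Constructed sample matching the case in the notes: Read and Write granted in
# Security, only the default Everyone/Read granted in Sharing.
SHARE_ACL = [("Everyone", "Allow", "Read")]
NTFS_ACL = [("alice", "Allow", "Read"), ("alice", "Allow", "Write")]


def notes_example():
    """Return (local capabilities, network capabilities) for the constructed user alice."""
    principals = {"alice", "Everyone"}
    return effective_local(NTFS_ACL, principals), effective_network(SHARE_ACL, NTFS_ACL, principals)


if __name__ == "__main__":
    local, network = notes_example()
    print("local:", sorted(local))      # read and write
    print("network:", sorted(network))  # read only, because the share grants Read
```

    The second test case shows why the Deny rule matters when a user sits in several groups: Staff gives bob Modify, but membership in Interns carries a Deny on Write, and that single deny strips write from an otherwise generous grant.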

    The permissions that are present in Sharing are:
    Access Deny
    Full Control
    Change
    Read

    The permissions that are present in Security are:
    Access Deny
    Full Control
    Modify
    List of Contents
    Read & Execute
    Read
    Write

    Assigning shares on FAT & NTFS partitions
    1. Select a folder.
    2. Right click the folder -> Select Sharing.
    3. Select the Share this folder option.
    4. Enter a unique share name in the Share Name box.

    Assigning SHARE permissions on FAT & NTFS partitions
    1. After assigning a share, click the Permissions button.
    2. Click Add.
    3. From the list select the users/groups you want to assign permissions to. Click Add, click OK.
    4. In the Permissions window select each user/group and assign permissions.

    Assigning NTFS permissions to a folder on an NTFS partition
    1. Right click a folder (on NTFS) -> Select Properties.
    2. Select the Security tab.
    3. Deselect the check box at the bottom of the window, Allow inheritable permissions from parent to propagate to this object, and select Remove.
    4. Click Add.
    5. Select the users/groups you want to assign permissions to. Click Add, click OK.
    6. Highlight the user/group and assign permissions individually.

    PROFILES

    A profile is nothing but the user's personal information, which consists of the Desktop, Start menu, Application Data, My Documents etc.
    By default even an administrator cannot view a certain profile (Roaming Profile).

    There are 3 types of profiles in Windows 2003:
    1. Local Profile 2. Roaming Profile 3. Mandatory Profile

    1. Local Profile: By default each and every user has a local profile automatically created. A local profile is saved on the local hard disk of the PC. A local profile user cannot carry his profile wherever he logs in on the entire network; the profile is available only on that particular system.
    * A Local Profile can be upgraded to a Roaming Profile. A Local Profile cannot be upgraded to a Mandatory Profile directly.

    2. Roaming Profile: A roaming profile user can carry his profile wherever he logs in on the entire network, because the profile is saved on the server. Whenever the user logs in on a particular machine in the network, the profile is downloaded from the server.
    * A Roaming Profile user can be degraded back to a Local Profile user.
    * A Roaming Profile user can be upgraded to a Mandatory Profile user.

    3. Mandatory Profile: A mandatory profile user cannot save any information in his profile, because this profile has read-only permission.
    * A Mandatory Profile user can be converted to a Local Profile user.
    * A Mandatory Profile user can be converted back to a Roaming Profile user.

    To convert a user from a Local Profile to a Roaming Profile:
    Create a shared folder on the Domain Controller (server).
    Set the permissions for the user with Full Control (i.e. Shared and Security).
    Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
    Select the user and right click -> Properties. Go to the Profile tab and specify the profile path:
    \\computer name\share folder name\user name. Apply, OK.
    Log in as the user on the client side to view the profile. Right click on My Computer -> Properties. In the options select Advanced and click the Settings button under User Profiles. Displays the type of profile.
    The profile will be updated only when the user logs off.

    To convert a Roaming Profile to a Mandatory Profile:
    Open the shared folder on the Domain Controller (server).
    Right click on the user folder -> Properties. In the options select Security, then click on the Advanced button. Select the Owner tab.
    Select the Administrators group. Check the option Replace owner on subcontainers and objects. Apply, OK.
    Open the user folder. There is a hidden file called NTUSER.DAT. Rename it to NTUSER.MAN.
    Go back to the shared folder. Right click -> Properties. Select the Security tab. Click on the Advanced button and check the box Allow inheritable permissions from the parent to propagate to this object and all child objects.
    Click Apply, OK.

Distributed File System (DFS)

DFS brings all the shared folders in the network that are required into a centralized location called the root. Because shared folders are widely distributed across the network, administrators face growing problems as they try to keep users connected to the data they need. The Distributed File System (Dfs) provides a mechanism for administrators to create logical views of directories and files, regardless of where those files physically reside in the network. Fault tolerance of network storage resources is also possible using Dfs.

On a single server in Windows 2000 only one DFS root can exist; in Windows 2003 multiple DFS roots can exist on a single server.

For each link in DFS a maximum of 31 targets (backups) can be created.
The backup for the root is called a root target. A maximum of 31 root targets can be created.
The root as well as the root targets can be created only on a server operating system.

Using the Dfs Administrator Tool

This step-by-step guide describes how to use the Dfs Administrator snap-in. Installation of the Dfs service takes place automatically during Windows 2003 Server Setup. However, you must configure Dfs in order for a Dfs share to be accessible to clients.

(Diagram: Domain Controller / Managing Server, Root, Link, Link Target, Root Target.)

Move on to the Domain Controller.

To create a Root:
1. Click Start → Programs → Administrative Tools → Distributed File System.
2. Right click Distributed File System and select New Root.
3. On the Dfs Root Wizard click Next.
4. Select the type of Dfs root you want to create (Domain / Standalone) and click Next. (The steps below are based on selecting the domain-based Dfs.)
5. Select the host domain for the Dfs root and click Next.
6. Enter the server name that will host the Dfs root in the domain and click Next.
7. Specify the Dfs root name and click Next.
8. Enter the full path of the shared folder that was created and click Next.
9. Click Finish.

To create a Link:
1. Click Start → Programs → Administrative Tools → Distributed File System.
2. Right click on the existing Dfs root and select New Link.
3. In the New Link window enter the name of the link as it will appear to users.
4. In the "Path to target (shared folder)" text box give the UNC path of the shared folder that is to be linked to the above link name.
5. Enter a comment for the link.
6. Specify the time for which the REFERRAL (original location) of the link is cached by the client computer, and click OK.

To create Root Targets (on the DC):
1. Click Start → Programs → Administrative Tools → Distributed File System.
2. Right click on the existing Dfs root and select New Root Target.
3. On the Host Server page, verify that your server's name is listed and click Next.
4. On the "Specify the DFS root share" page, click "Create a new share".
5. In the "Path to share" box, type the path for the shared folder you want to create and click Next. (A message appears indicating that the folder does not exist.) Click Yes to create the folder.
6. In the "Share name" box, type the share name you want and then click Finish.

To create a Link Target:
1. Click Start → Programs → Administrative Tools → Distributed File System.
2. Right click on the Dfs link for which you want to create a new replica, and then click New Replica.
3. In the Add a New Replica dialog box, click Browse to select the shared folder for the new replica and click OK. (Note: each Dfs link can have up to 32 replicas.)

Setting up / Configure Replication

Steps:
1. Open Distributed File System.
2. Right click a Dfs root or Dfs link, and then click Configure Replication.
3. A wizard appears; click Next. Select the root path for the root (or the link path for the link) and click Next. Select the topology and click Finish.
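The root / link / target model above, as an added illustration (not code from the MCSE notes or from Microsoft): a tiny DFS namespace resolver that maps a path under \\domain\root to a physical UNC path on the first replica whose server is online, which is the fault tolerance the notes mention. The domain, server and share names are constructed; the 32-replica and 31-root-target limits are the figures quoted in the notes.

```python
"""Toy model of a domain-based DFS namespace (root, links, link targets).

Added example, not part of the MCSE notes or of any Microsoft code.
Server and share names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_LINK_TARGETS = 32   # the notes: each Dfs link can have up to 32 replicas
MAX_ROOT_TARGETS = 31   # the notes: a maximum of 31 root targets


def server_of(unc: str) -> str:
    """Return the server part of a UNC path, e.g. \\\\FS1\\Sales -> 'fs1'."""
    return unc.split("\\")[2].lower()


@dataclass
class DfsLink:
    name: str                                         # name users see under the root
    targets: List[str] = field(default_factory=list)  # replica UNC paths, preferred first
    referral_ttl: int = 1800                          # seconds a client caches the referral

    def add_target(self, unc: str) -> None:
        if len(self.targets) >= MAX_LINK_TARGETS:
            raise ValueError(f"link {self.name!r} already has {MAX_LINK_TARGETS} targets")
        self.targets.append(unc)


@dataclass
class DfsRoot:
    domain: str
    name: str
    root_targets: List[str] = field(default_factory=list)
    links: Dict[str, DfsLink] = field(default_factory=dict)

    @property
    def namespace(self) -> str:
        return f"\\\\{self.domain}\\{self.name}"

    def add_root_target(self, unc: str) -> None:
        if len(self.root_targets) >= MAX_ROOT_TARGETS:
            raise ValueError(f"root {self.name!r} already has {MAX_ROOT_TARGETS} targets")
        self.root_targets.append(unc)

    def add_link(self, name: str, targets: List[str]) -> DfsLink:
        link = DfsLink(name)
        for unc in targets:
            link.add_target(unc)
        self.links[name.lower()] = link
        return link

    def resolve(self, path: str, online: Set[str]) -> Optional[str]:
        """Map a namespace path to a physical path on an online replica.

        Strip the \\\\domain\\root prefix, pick the link by the next path
        component, then hand back the first target whose server is online.
        Returns None if the link is unknown or none of its replicas is reachable.
        """
        prefix = self.namespace.lower() + "\\"
        if not path.lower().startswith(prefix):
            raise ValueError(f"{path!r} is not under {self.namespace}")
        link_name, _, remainder = path[len(prefix):].partition("\\")
        link = self.links.get(link_name.lower())
        if link is None:
            return None
        for target in link.targets:
            if server_of(target) in online:
                return target + ("\\" + remainder if remainder else "")
        return None


def build_demo_root() -> DfsRoot:
    """Constructed namespace \\\\mcse.local\\Public with one replicated link."""
    root = DfsRoot(domain="mcse.local", name="Public")
    root.add_root_target("\\\\DC1\\Public")
    root.add_link("Sales", ["\\\\FS1\\Sales", "\\\\FS2\\Sales"])
    return root


if __name__ == "__main__":
    r = build_demo_root()
    print(r.resolve("\\\\mcse.local\\Public\\Sales\\q1.xls", {"fs1", "fs2"}))
    print(r.resolve("\\\\mcse.local\\Public\\Sales\\q1.xls", {"fs2"}))  # FS1 down
```

The `online` set stands in for the client's view of which servers answer; a real client gets that from the referral and its own connection attempts, and caches the referral for `referral_ttl` seconds (the value set in step 6 of "To create a Link").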


GROUP POLICIES

Group Policies are nothing but allowing / denying policies to users. There are more than 1000 policies that can be applied to a single user or computer. These policies are divided into 1) Computer Configuration and 2) User Configuration.

1) Computer Configuration: Through Computer Configuration the policies are given to systems. Policies in Computer Configuration take effect only when the PCs are restarted.

2) User Configuration: In User Configuration the policies are given to users. These policies take effect only when the user logs off and logs in again.

To create an Organisational Unit (OU):
Start → Programs → Admin Tools → Active Directory Users and Computers.
Right click on the domain name and in the options select New → Organisational Unit. A window appears.
Specify the name for the OU, then click OK.

To apply a Group Policy Object to an Organisational Unit:
Right click on the OU and select Properties. In the options select the Group Policy tab.
Click the New button to create a new policy.
Rename the default name to a specific name.
Select the policy and click the Edit button. The Group Policy edit window appears.
Go to User Configuration and open the Administrative Templates folder.
Open the Desktop folder (you can select whichever folder you want to set the policy in).
Select a policy on the right side of the screen. Right click and go to Properties.
Three settings are offered: Not Configured, Enabled, Disabled.
Select Enabled and click Apply and OK.

To apply a Group Policy at Domain level:
Start → Programs → Admin Tools → Active Directory Users and Computers.
Right click on the domain name and go to Properties.
In the options select the Group Policy tab.

To set the Password Policy:
Select the Default Domain Policy and click the Edit button. The Group Policy window appears.
Go to Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy.
Select the policy named "Minimum password length". Right click and go to Properties, change the value to 0. Click Apply and OK.
Select another policy named "Password must meet complexity requirements". Right click and go to Properties. Select Disabled. Apply, OK.
Start → Run → gpupdate

To apply a policy at the Site level:
Start → Programs → Admin Tools → Active Directory Sites and Services.
Open the Sites folder.
Right click on the default first site name and go to Properties.
In the options select the Group Policy tab.
Click the New button to create a new policy.
Rename the default name to a specific name.
Select the policy and click the Edit button. The Group Policy edit window appears.
Go to User Configuration and open the Administrative Templates folder.
Open the Desktop folder (you can select whichever folder you want to set the policy in).
Select a policy on the right side of the screen. Right click and go to Properties.
Three settings are offered: Not Configured, Enabled, Disabled.
Select Enabled and click Apply and OK.

Folder Redirection:

Folder Redirection is used to redirect a part of the user's profile to the server.

To do the folder redirection:
Create a shared folder on the server and set the permissions (Share & Security).
Start → Programs → Admin Tools → Active Directory Sites and Services.
Right click on the OU and go to Properties.
In the options select the Group Policy tab.
Create a new policy by clicking the New button.
Rename the policy "Folder Redirection" (so it is easy to identify).
Select the created policy and click the Edit button. The Group Policy edit window appears.
Select User Configuration → Windows Settings → Folder Redirection (4 options: Application Data, Start Menu, My Documents & Desktop).
Select the Desktop folder and go to Properties; a window appears.
On the Target tab the Setting list has 2 items: Basic redirection (by user) and Advanced redirection (by group).
Select Basic redirection.
Another drop-down list box appears. Select "Redirect to the following location".
Specify the path (\\computername\share folder name\user name). Apply, OK.

Scripts

Scripts are used to tell users what tasks should be performed at regular intervals. These scripts can be given not only to users but also to systems.
The scripts given to users are Logon & Logoff scripts.
The scripts given to computers are Startup & Shutdown scripts.

To create a script:
Open Notepad and type:

WScript.Echo "Welcome to ."

Save the file as *.vbs (generally save the file on a drive).
Right click on the file and select Copy.
Start → Programs → Admin Tools → Active Directory Users and Computers.
Right click on the Organisational Unit and go to Properties.
In the options select the Group Policy tab.
Create a new policy, give it an appropriate name and click the Edit button. The Group Policy edit window appears.
User Configuration → Windows Settings → open the Scripts folder.
Select Logon and go to Properties.
Click the Add button; a window appears to open/select the script file.
Click Browse; in the Open window paste the copied script file.
OK, Apply, OK.

Software Deployment

Software Deployment is used to deploy software over the network through the server. Group Policy does not support software with the .exe extension over the network, because if an application is installed through an .exe on a particular system, each and every user in the network accesses the application. To deploy software over the network through Group Policy the software extension must be either .zap or .msi (Microsoft Installer). Through Group Policy software can be deployed in 2 ways: 1. Publish and 2. Assign. There is also an additional option called Advanced. Through this option only service packs and patches can be deployed to already deployed software; new software cannot be deployed through the Advanced option.

To convert .exe to .zap:
Create a shared folder on the drive and set the permissions (Share and Security).
Paste the .exe software into the shared folder. Open Notepad and type the following:

[Application]
FriendlyName = name of the software
SetupCommand = \\computername\sharedfoldername\softwarename.exe

Save the file in the shared folder with the extension .zap.
- .zap applications support only Publish in Group Policy.

Start → Programs → Administrative Tools → Active Directory Users and Computers.
Right click on the Organisational Unit and go to Properties.
In the options select the Group Policy tab.
Create a new policy by clicking the New button and rename it with a specific name.
Select the policy and click the Edit button. The Group Policy edit window appears.
In User Configuration → Software Settings, right click on Software Installation and select New → Package.
Select the .zap file through the network path. Click OK.
3 options will be shown. By default Publish will be selected. Click OK.
The entry will be available under the Software Installation item.
Log in as the user → Control Panel → Add & Remove Programs.
Click Add New Programs. It displays the software to install.
Click the Add button to install the software.

To convert .exe to .msi:
To convert .exe applications to .msi a third-party tool is required, i.e. WinINSTALL LE (Veritas).
Install the WinINSTALL LE software on the server machine.
Create a shared folder on the server and set the permissions.
Paste the .exe file in the shared folder.
Start → Programs → Veritas Software.
Select Veritas Discover.
By default the "before" snapshot is selected. A wizard appears; click Next.
Specify a relevant name for the software to deploy.
Specify the path where the .msi file should be saved (the shared folder). Click Next.
It displays the drives. Select the drive where the operating system is present (generally C:).
Click the >> button to add the drive to the box on the right side. Click Next.
It displays all files and folders of the drive where it performs the scan. Click Next.
The "before" snapshot starts and finally confirms the completion of the snapshot.
A window appears. Select the .exe file, click the Open button and install the application.

To perform the "after" snapshot:
Start → Programs → Veritas Software → Veritas Discover → click Next.
Select the default (before/after snapshot).
The "after" snapshot starts. Click OK.
It finally confirms the "after" snapshot.
Now the .msi file is available for deploying the software.

Deployment is done in the same way as for .zap:
Start → Programs → Administrative Tools → Active Directory Users and Computers.
Right click on the Organisational Unit and go to Properties.
In the options select the Group Policy tab. Create a new policy by clicking the New button and rename it with a specific name.
Select the policy and click the Edit button. The Group Policy edit window appears.
In User Configuration → Software Settings, right click on Software Installation and select New → Package.
Select the .msi file through the network path. Click OK.
3 options will be shown. Select Assign. Click OK.
The entry will be available under the Software Installation item.


To Change the Shutdown Event:
Start → Run → gpedit.msc
Computer Configuration → Administrative Templates → System
Edit "Display Shutdown Event" (on the right side).

Printer

A printer device is equipment that generates a hard copy from a soft copy. The printer device has become an essential piece of equipment in the network. There are generally three flavours of printer device available in the market:

                DOT Matrix      INK-JET            LASER
Cost            7000/-          2,200/-            8,000/-
Consumable      Ribbon 20/-     Cartridge 400/-    Toner 2,500/-
Print pages     1000            500                3000
Maintenance     No              Yes                Yes
Pages/Min.      3/4             10/12              16/18
Port            LPT             LPT/USB            LPT/USB/IEEE 802.3

There are 2 types of printer device:
1. Local Printer Device & 2. Network Printer Device

1. Local Printer Device: These are connected to the PC directly, and the PC is connected to the network. That means local printer devices are system dependent. Local printer devices are easily portable and are easy to install and configure. These printers are connected through two ports of the machine, LPT/USB. The buffer size in a local printer device is small, around 2 to 8 MB.

2. Network Printer Device: These are connected directly to the hub/switch, because these printer devices have an inbuilt NIC. That means they are system independent. Network printer devices are very large in size and difficult to transport, but their performance is excellent. Network printer devices are very costly, and they are difficult to install and configure. The buffer size in a network printer device is large, around 32 MB, 64 MB or 128 MB.

Network printer device installation:
Start → Run → type \\ followed by the name of the system where the printer device is connected.
It displays all shared resources.
Select the printer icon and double click it; the network printer driver gets installed on the machine.

Separator Page:

The separator page gives an identity showing that the printout belongs to a particular department. Not all printer devices support separator pages; only certain versions of printer devices do. By default the separator pages are available in the following path: C:\Windows\system32\pcl.sep and others.
For each printer device only one separator page can be set.

To create a new/own separator page:
Open Notepad and type the following:

\
\L\U IT Department
\E

Save the file with any name and the .sep extension in the system32 folder.

To set the separator page:
Start → Settings → Printers & Faxes.
Right click on the printer device and go to Properties.
In the options select the Advanced tab.
Click the Separator Page button.
Click the Browse button.
Select the separator page. Click OK, OK, OK.

To set the Priority Level:
Start → Settings → Printers & Faxes.
Right click on the printer device and go to Properties.
Select Advanced and specify the priority level (default is 1).
You can set the priority level from 1 to 99. Apply, OK.
For each printer device only one priority level can be set.

There are three different types of printout that can be taken through a printer device:
1) Local Printout
2) Network Printout
3) Internet Printout

1. Local Printout: Local printouts are taken on the printer device to which the system is connected locally. To take a local printout there is no need for a network.

BACKUP

Backup is nothing but creating copies of the existing data. The backup scheme varies depending upon the organisation. Backups can be taken not only of folders and files but even of Active Directory. The general media that is used, and is specifically designed for backup, is tape drives. In Windows NT 4.0 backups can be taken only on tape drives; there is no alternative medium. This problem is solved in Windows 2000 and 2003 backup, where the backup can be taken on any media, e.g. CD, HDD, tape drive, pen drive, zip drive etc.

Backups are of 5 types:
1. Normal Backup
2. Copy Backup
3. Incremental Backup
4. Differential Backup
5. Daily Backup

1) Normal Backup: A normal backup takes each and every file. Even if the files have already been backed up, it takes all files. Once the normal backup is taken it clears the archive bits of the files. A normal backup is time consuming to take, and so is restoring it. Generally normal backups are taken either on the 1st day of the week or the 1st day of the month.

2) Incremental Backup: An incremental backup takes newly created files and modified files only. The incremental backup is generally used by the banking and financial sector, where the accounts are closed at the end of the day. These backups are taken every day separately. Taking an incremental backup is not a time-consuming process, but restoring multiple incremental backups is. Once the incremental backup is taken it clears the archive bits of the files.

3) Differential Backup: A differential backup takes newly created files, modified files and the files of the previous differential backup. Taking a differential backup is a time-consuming process, as its duration grows day by day, but the restore is faster. Differential backup is generally used by the general sector, where accounts are closed at the end of the month. Differential backup is used when multiple copies exist in the last backup. Once the differential backup is taken it does not clear the archive bit.
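The archive-bit rules above decide which files each backup type copies and how many backup sets a restore needs. The following is an added example (not code from the MCSE notes or from Windows Backup) that simulates a short week: a normal backup on Monday, then either incremental or differential backups after one file is edited each day. The file names and edits are constructed; the rules are the ones the notes state (normal and incremental clear the bit, differential leaves it set), plus the copy backup, which copies everything without touching the bit.

```python
"""Which files each backup type copies, and what it does to the archive bit.

Added example, not from the MCSE notes. The file set and the week's edits
are constructed; the archive-bit rules follow the notes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class File:
    name: str
    archive: bool = True   # Windows sets this bit whenever a file is created or changed


def _copy(files: Dict[str, File], only_changed: bool, clear_bit: bool) -> List[str]:
    """Shared selection logic: copy files (optionally only those with the bit set),
    then optionally clear the bit to mark them as backed up."""
    copied = []
    for f in sorted(files.values(), key=lambda f: f.name):
        if only_changed and not f.archive:
            continue            # unchanged since the bit was last cleared: skip
        copied.append(f.name)
        if clear_bit:
            f.archive = False   # recorded as backed up
    return copied


def normal_backup(files: Dict[str, File]) -> List[str]:
    return _copy(files, only_changed=False, clear_bit=True)    # everything, clear bit


def copy_backup(files: Dict[str, File]) -> List[str]:
    return _copy(files, only_changed=False, clear_bit=False)   # everything, bit untouched


def incremental_backup(files: Dict[str, File]) -> List[str]:
    return _copy(files, only_changed=True, clear_bit=True)     # changed since last normal/incremental


def differential_backup(files: Dict[str, File]) -> List[str]:
    return _copy(files, only_changed=True, clear_bit=False)    # changed since last normal; grows daily


def modify(files: Dict[str, File], name: str) -> None:
    files[name].archive = True  # a write sets the archive bit again


def run_schedule(strategy: str) -> Dict[str, List[str]]:
    """Normal backup on Monday, then `strategy` ('incremental' or 'differential')
    on Tuesday and Wednesday, with one constructed edit before each daily run.
    Returns day -> names of the files that backup copied."""
    daily: Callable[[Dict[str, File]], List[str]] = {
        "incremental": incremental_backup,
        "differential": differential_backup,
    }[strategy]
    files = {n: File(n) for n in ("a.doc", "b.doc", "c.doc")}
    log = {"Mon": normal_backup(files)}
    modify(files, "a.doc")
    log["Tue"] = daily(files)
    modify(files, "b.doc")
    log["Wed"] = daily(files)
    return log


def sets_needed_to_restore(strategy: str, log: Dict[str, List[str]]) -> int:
    """Incremental: the normal set plus every incremental since it.
    Differential: the normal set plus the latest differential only.
    This is why the notes call restoring many incrementals slow and a
    differential restore fast."""
    return len(log) if strategy == "incremental" else 2


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        log = run_schedule(strategy)
        print(strategy, log, "sets to restore:", sets_needed_to_restore(strategy, log))
```

Run it and compare the Wednesday line: the incremental set holds only b.doc, the differential set holds a.doc and b.doc again, which is the growing duration the notes describe.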

System State Backup:

A system state backup is a backup of Active Directory. Taking a system state backup is the same as in the previous topics; the difference is in restoring the system state backup.

There are 2 types of restore for a system state backup:
1) Authoritative 2) Non-authoritative

1) Authoritative: An authoritative restore is done when there is replication between the domains. The authoritative restore updates the Update Sequence Number (USN). For every object created or deleted, the USN value is updated.

2) Non-authoritative: A non-authoritative restore is done when there is no replication between the domains.

To restore the system state backup:
Restart the machine and press F8 after the POST (Power On Self Test) is over.
A menu appears. In the menu select Directory Services Restore Mode (Active Directory restore mode).
The login screen appears. In the login screen type Administrator as the user name and the Active Directory restore password.
After you have logged in, restore the backup first. After the backup is restored it prompts whether to restart the machine or not.
Clicking the Yes button indicates a non-authoritative restore; clicking the No button indicates authoritative mode.
After clicking No, go to the command prompt (Start → Run → type cmd) and enter:

ntdsutil
authoritative restore
restore subtree cn=username,ou=Organisation Name,dc=Domain Name,dc=com

It asks for confirmation whether to perform the authoritative restore or not. Click Yes.
Finally it confirms that one entry was successfully updated.

OR, to restore the entire Active Directory database:

restore database

Click Yes & restart.

NETWORK ADMINISTRATION

DHCP (Dynamic Host Configuration Protocol)

A DHCP server is used to assign dynamic IP addresses to client machines (not to servers).
When assigning static IP addresses to multiple systems, the 4 major problems are:
1) IP conflict
2) Different network IP address
3) Not assigning an IP address to a client machine
4) Time

A DHCP server is also present in Windows NT 4.0, but the major security drawback of the Windows NT 4.0 DHCP server is that it has no authorisation concept. This concept is used in the Windows 2000 and 2003 DHCP server. Only the root administrator can authorise a DHCP server. Without authorisation the DHCP server cannot issue DHCP IP addresses.

The features of the DHCP server are:
1) Scope
2) Super Scope
3) Multicast Scope
4) Reservations
5) Scope & Server Options
6) DHCP Backup & Restore

Scope: A scope consists of a range of IP addresses belonging to a single network. A scope cannot have IP addresses from multiple networks. We can have multiple scopes in a DHCP server.
Range: A range is nothing but a pool of IP addresses.
Super Scope: Clubbing more than one scope into a super scope, such that IP addresses of different networks can be issued.
Multicast Scope: A multicast scope is used to assign a range of IP addresses from Class D networks.
Reservations: Reservations are nothing but assigning static IP addresses dynamically. To make a reservation in DHCP we require the MAC (Media Access Control) address of the client's NIC.

To assign a Reservation:
Start → Programs → Administrative Tools → DHCP.
Open the scope. Right click on Reservations and select New Reservation.
Specify a name for the reservation.
Specify an IP address.
Leave the supported type at its default (Both). Click Next.
Finish.

Scope & Server Options: Specifying the information of the servers present in the network. If it is specified for a particular scope it is called a scope option. If it should apply to the entire DHCP server, specify it in the server options.

DHCP Backup & Restore: The configuration done on DHCP can be backed up through the DHCP server itself and also restored through the DHCP server itself.
Right click on the computer name (in DHCP) and select the Backup option.

Requirements of a DHCP server:
1) Standalone server (DC or member server)
2) Static IP address for the server.

To install the DHCP server:
Start → Settings → Control Panel → Add/Remove Programs → Add/Remove Windows Components.
Scroll down the list, select Networking Services, click Details and select DHCP.

To authorise DHCP:
Start → Programs → Administrative Tools → DHCP.
Right click on the computer name and select Authorize.
A red arrow on the server icon means it is not authorised; a green arrow means it is authorised.

To configure a Scope:
Start → Programs → Administrative Tools → DHCP.
Right click on the computer name and select New Scope.
A wizard appears; click Next.
Specify a name for the scope and click Next.
Specify a range of IP addresses within a single network; click Next.
Specify an exclusion range if required; click Next.
It displays the lease period with the default duration of 8 days; click Next.
It gives 2 options: configure scope options now / configure scope options later.
Select the default and click Next.
Specify the router information if present; click Next.
Specify the DNS server information; click Next.
Specify the WINS server information if required; click Next.
It displays 2 options: Activate Scope Now / Activate Scope Later.
Select the default, click Next & Finish.

To configure a Super Scope:
Start → Programs → Administrative Tools → DHCP.
Right click on the computer name and select New Superscope.
A wizard appears; click Next.
Specify a name for the super scope; click Next. Select the scopes and Add.
Click Next & Finish.
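The scope, exclusion range, reservation and super scope described above, as an added example (not code from the MCSE notes or from the Windows DHCP service): a small in-memory address allocator that enforces the single-network rule for a scope, keeps excluded addresses out of the pool, hands a reserved MAC its fixed address, renews an existing lease to the same address, and falls through to the next scope of a super scope when one is exhausted. The networks, ranges and MAC addresses are constructed; the 8-day lease is the wizard default quoted in the notes.

```python
"""Scope, exclusion, reservation and super scope as a tiny DHCP allocator.

Added example, not the notes' or Microsoft's code; all addresses constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set

IPv4 = ipaddress.IPv4Address


def norm_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55; store as lowercase hex."""
    return mac.replace("-", "").replace(":", "").lower()


class Scope:
    """A pool of addresses from one network (a scope cannot span networks)."""

    def __init__(self, name: str, network: str, start: str, end: str, lease_days: int = 8):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.start, self.end = IPv4(start), IPv4(end)
        if not (self.start in self.network and self.end in self.network and self.start <= self.end):
            raise ValueError("scope range must lie inside a single network")
        self.lease_seconds = lease_days * 86400         # wizard default: 8 days
        self.excluded: Set[IPv4] = set()
        self.reservations: Dict[str, IPv4] = {}          # MAC -> fixed address
        self.leases: Dict[str, IPv4] = {}                # MAC -> current address

    def exclude(self, first: str, last: str) -> None:
        """Addresses kept out of dynamic assignment (e.g. servers with static IPs)."""
        for i in range(int(IPv4(first)), int(IPv4(last)) + 1):
            self.excluded.add(IPv4(i))

    def reserve(self, mac: str, ip: str) -> None:
        """'Dynamically static': this MAC always receives this address."""
        addr = IPv4(ip)
        if not self.start <= addr <= self.end:
            raise ValueError("reservation must be inside the scope range")
        self.reservations[norm_mac(mac)] = addr

    def offer(self, mac: str) -> Optional[IPv4]:
        """Address for a request from this MAC, or None if the scope is exhausted."""
        mac = norm_mac(mac)
        if mac in self.reservations:
            return self.reservations[mac]
        if mac in self.leases:                           # renewal keeps the address
            return self.leases[mac]
        taken = self.excluded | set(self.reservations.values()) | set(self.leases.values())
        for i in range(int(self.start), int(self.end) + 1):
            addr = IPv4(i)
            if addr not in taken:
                self.leases[mac] = addr
                return addr
        return None

    def release(self, mac: str) -> None:
        """What 'ipconfig /release' does on the client side."""
        self.leases.pop(norm_mac(mac), None)


class SuperScope:
    """Several scopes served together so clients can receive addresses from
    different network IDs: reservations anywhere win, then scopes are tried in
    order until one still has a free address."""

    def __init__(self, name: str, scopes: List[Scope]):
        self.name, self.scopes = name, list(scopes)

    def offer(self, mac: str) -> Optional[IPv4]:
        key = norm_mac(mac)
        for scope in self.scopes:
            if key in scope.reservations:
                return scope.reservations[key]
        for scope in self.scopes:
            addr = scope.offer(mac)
            if addr is not None:
                return addr
        return None


if __name__ == "__main__":
    lan = Scope("LAN", "192.168.1.0/24", "192.168.1.10", "192.168.1.20")
    lan.exclude("192.168.1.10", "192.168.1.11")          # constructed: two servers
    lan.reserve("00-11-22-33-44-55", "192.168.1.15")      # constructed printer MAC
    print(lan.offer("aa:bb:cc:dd:ee:01"), lan.offer("00:11:22:33:44:55"))
```

The allocator ignores lease expiry and the DISCOVER/OFFER/REQUEST/ACK exchange; it isolates only the address-selection rules the notes describe.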

If an administrator is sitting on the client side, go to the command prompt and type:

ipconfig /release
(the address is shown as 0.0.0.0)
ipconfig /renew

The new dynamic IP address is displayed.

    DNS (Domain Naming System)

    DNS is used to resolve the host name to IP addresses and IP addresses back to host name.

    DNS servers has 2 types of zones.

    1) Forward Lookup Zone & 2) Reverse Lookup Zone

    Forward Lookup Zone: It is used to resolve the host name to IP addresses. There can be

    multiple Forward Lookup Zones on a single IP address. Forward Lookup Zone consists of

    SOA (Start of Authority), NS (Naming System), Host, Alias etc. (And resource records are

    available only on the domain zone)

    Service Records: Service records consist of LADP, Kerberos, Global Catalogue,

    Domain Name, TCP, UDP etc. (6 folders in 2003). These resource records areavailable only for the domain zones.

    Root

    ISP - DNS

    Local - DNS

    User Browser

    Yahoo

    Com Org Net

    Sify

    Mail Chat

    ROOT

    TOP

    LEVEL

    DOMAINS

    SECOND LEVEL DOMAINS

    SUB DOMAINS

    43

  • 8/7/2019 MCSE Classes

    44/58

    Reverse Lookup Zone: It is used to resolve IP addresses back to host names. There can be

    only one Reverse Lookup Zone to the entire network. But it can consist of multiple pointers.

    Forward Lookup Zone: There are 3 types of zones in Forward Lookup Zone.

    1) Primary Zone 2) Secondary Zone & 3) Stub Zone.

    Primary Zone: A Primary Zone is a master copy created in the DNS.NOTE: Primary Zone can be created either with Active Directory integrator or without Active

    Directory integrator.

    With Active Directory integrator: If a primary zone is created with Active Directory

    integrated the zone file is saved in the Active Directory Data Store. The Administrator cannot

    make any modifications to the zone.

    Without Active Directory integrator: If a primary zone is created without Active Directory

    integrated the zone file is saved in the DNS folder. The Administrator can make the

    modifications to the zone file.

    Secondary Zone: Secondary Zone is a copy (backup) and is used to copy the Primary zone.

    There can be multiple Secondary Zones to a single Primary Zone, but the Secondary Zonemust not exist where Primary zone already exists. Secondary Zone maintains the total

    information of the Primary zone.

    Stub Zone: Stub Zone is also a copy of Primary zone but Stub Zone maintains only 3 records

    information of the Domain zone or 2 records of the other zones. The 3 records are 1) SOA, 2)

    NS and 3) Host. Stub Zone is available only in windows 2003 DNS server.

    Requirements for DNS server:

    1. Standalone server (Domain controller / Member server) It is recommended to install in

    Member server for load balancing.

    2. Static IP address

    3. Windows 2003 Server CD

    To Install DNS:

    Start Control PanelAdd / Remove Programs Add/Remove Windows components.

    Scroll down the list and Select Networking components.

    Select details and Check DNS OK

    (Insert Windows 2003 Server CD, when prompted. - Finish)

    To Configure Primary Zone (with Active Directory integrated)

    Start Programs Administrative Tools DNS

    Right Click on the Forward Lookup Zone and select New Zone. A wizard appears Click Next3 Options will be displayed.

    Primary Zone Secondary Zone Stub Zone

    At the bottomWith Active Directory

    Select default Click Next.

    Specify a Host Name to Zone (eg: ccna.com, mcse.com etc.) Click Next

    Specify a name to the Zone Click Next

    3 Options will be displayed:

    Dont dynamic update Allow dynamic update secure Allow dynamic update

    secure & non-secure

    Select default and Click Next & Finish.

    If the service records are not viewable in the domain zone:

    44

  • 8/7/2019 MCSE Classes

    45/58

    Start Programs Administrative Tools Services (need to restart 2 services)

    1) Net logon 2) DNS server service

    Now you can find 6 Folders / Service Records

    If the Domain Zone is created without Active Directory integrated. (DC system)

    Open My Computer C (where the OS is existing)Windows System32 open

    Config folder.Select and open netlog.dns file in the Notepad. Copy the entire content and close Notepad.

    Now (In DNS system)

    Open My Computer C (where the OS is existing)Windows System32 open

    DNS folder select the zone file and open in Notepad and paste the content at the bottom of

    the notepad, save & close.

    Start Programs Administrative Tools Services (need to restart 2 services)

    1) Net logon 2) DNS server service

    Creating a Secondary Zone:

    Move on to different PC where DNS is installed.

    Start Programs Administrative Tools DNS

    Right Click on the Forward Lookup Zone Select New Zone.

    A wizard appears Click Next.

    In the Options select the Secondary Zone, Click Next

    Specify the Zone Name. Click Next (Same name)

    Specify the IP Address where the Primary Zone exists, click Add button. Click Next & Finish.

    Move back to Primary Zone PC.

    Right click on zone and go to Properties.

    In the options select Zone Transfer and check it. Apply and OK.

    To get the Resource Records of the Domain Zone on the Member Server.

    First share the Config Folder in the DC.

    Restart the Net logon service on Dc & DNS server service on the Member server.

    To Create a new Reverse Lookup Zone:

    Start > Programs > Administrative Tools > DNS. Right Click on Reverse Lookup Zones and Select New Reverse Lookup Zone.

    A wizard appears, Click Next.

    Displays 3 Options: Select Primary Zone (default). Click Next.

    Gives 3 Options again: Select the 2nd option (default). Click Next.

    Specify the Network ID (192.168.1). Click Next & Finish.

    To Create a Pointer in the Reverse Lookup Zone:

    Right Click on the newly created Reverse Lookup Zone and Select New Pointer.

    Specify the Host ID.

    Click the Browse button to select the host in the Forward Lookup Zone. OK.

    To find out the output, type at the command prompt: nslookup 192.168.1.1


    Six Important Roles of DNS:

    1) Disable Recursion 2) BIND Secondaries 3) Secure Cache against Pollution
    4) Round Robin 5) Netmask Ordering 6) Fail on Load if Bad Zone Data

    1) Disable Recursion: If a query is passed on to the DNS server, the DNS server tries to
    resolve the query by searching multiple times. By default this option is unchecked. If
    this option is checked then the DNS server tries to resolve the query only once.

    2) BIND Secondaries: If a query is passed on to the primary zone and it is unable to
    resolve it, it sends the query to the secondary zone. In certain circumstances, if this
    option is unchecked, it does not even allow a secondary zone to be created. By default
    this option is checked.

    3) Secure Cache against Pollution: When a website is visited we find multiple linked
    sites getting opened. By default the DNS cache saves all of this information, which is
    how pollution is created. Also, if a website is visited often enough, it saves the
    information on C:. When the same site is visited again after a certain duration, the
    DNS makes 2 entries, which creates pollution. To solve this problem, check the option.

    4) Round Robin: When there are multiple web servers with a single host name but
    different IP addresses, the DNS server sends the query to all the web servers until any
    one of the servers resolves the query. By default this option is checked. If the option
    is unchecked it sends the query to the 1st web server only.

    5) Enable Netmask Ordering: If a single server has multiple network adapters then the
    DNS sends the query to the respective NIC card only, because by default this option is
    checked. If this option is unchecked then it functions in Round Robin format.

    6) Fail on Load if Bad Zone Data: If a zone has multiple records and any one of the
    records is bad, it does not stop the functioning of the zone, because by default this
    option is unchecked. If this option is checked and any one record in the zone file is
    bad then it disables the entire zone.

    To find out these six roles:

    Start > Programs > Administrative Tools > DNS

    Right Click on the computer name & go to Properties. In the options select the Advanced tab.

    Displays the 6 Roles.
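An added illustration (not part of the course notes) of what options 3, 4 and 5 do to an answer set: a bailiwick check that drops records outside the queried zone before they reach the cache, netmask ordering that puts addresses on the client's own subnet first, and round robin that rotates the rest between responses. All names, addresses and the /24 comparison size are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A"
    data: str    # address or target


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex or a name beneath it (case-insensitive)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def secure_cache_filter(queried_zone: str, records: list) -> list:
    """Secure cache against pollution: a server answering for queried_zone may only
    populate the cache with names inside that zone; records for other names (the
    'pollution') are dropped before caching."""
    return [r for r in records if in_bailiwick(r.name, queried_zone)]


def order_answers(addresses: list, client_ip: str, round_robin: bool = True,
                  netmask_ordering: bool = True, rotation: int = 0,
                  prefix_len: int = 24) -> list:
    """Order the A-record addresses of one host name for a given client.
    Netmask ordering puts addresses sharing the client's subnet first (prefix_len=24
    is an assumed class-C sized comparison); round robin rotates the remaining
    addresses by `rotation`, the number of answers already served."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local, remote = [], []
    for addr in addresses:
        same_subnet = ipaddress.ip_address(addr) in client_net
        (local if netmask_ordering and same_subnet else remote).append(addr)
    if round_robin and remote:
        k = rotation % len(remote)
        remote = remote[k:] + remote[:k]
    return local + remote


# Constructed answer set: one host name served by three web servers plus a
# stray record for a name outside the queried zone.
SAMPLE_RECORDS = [
    Record("www.example.com.", "A", "10.0.0.5"),
    Record("www.example.com.", "A", "192.168.1.20"),
    Record("www.example.com.", "A", "10.0.0.6"),
    Record("www.other.test.", "A", "203.0.113.9"),  # out of bailiwick, must be dropped
]


def resolve_for_client(client_ip: str, rotation: int = 0) -> list:
    """Apply both controls: drop out-of-zone records, then order what remains."""
    clean = secure_cache_filter("example.com", SAMPLE_RECORDS)
    return order_answers([r.data for r in clean if r.rtype == "A"], client_ip,
                         rotation=rotation)
```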

    There are 2 types of queries in DNS:

    1) Recursive Query 2) Interactive Query

    Recursive Query: If a client sends a query to DNS it is called a Recursive Query.

    Interactive Query: If a DNS server sends a query to another DNS server it is called an
    Interactive Query.

    What is Integrating DNS and Active Directory?


    An Active Directory-integrated zone can be defined as an improved version of a primary DNS
    zone because it can use multi-master replication and the security features of Active Directory.
    The zone data of Active Directory-integrated zones is stored in Active Directory. Active
    Directory-integrated zones are authoritative primary zones.

    A few advantages that Active Directory-integrated zone implementations have over standard
    primary zone implementations are:

    o Active Directory replication is faster, which means that the time needed to transfer
    zone data between zones is far less.

    o The Active Directory replication topology is used for Active Directory replication and
    for Active Directory-integrated zone replication. There is no longer a need for separate DNS
    replication when DNS and Active Directory are integrated.

    o Active Directory-integrated zones can enjoy the security features of Active Directory.

    o The need to manage your Active Directory domains and DNS namespaces as separate
    entities is eliminated. This in turn reduces administrative overhead.

    o When DNS and Active Directory are integrated, the Active Directory-integrated zones
    are replicated and stored on any new domain controllers automatically. Synchronization
    takes place automatically when new domain controllers are deployed.

    How to create an Active Directory-integrated zone:

    1. Click Start, Administrative Tools, and then click DNS to open the DNS console.

    2. In the console tree, select the DNS server on which you want to create a new DNS zone.

    3. From the Action menu, click the New Zone option.

    4. On the initial page of the New Zone Wizard, click Next.

    5. Select the zone type that you want to create. The options are Primary, to create a new
    standard primary zone; Secondary, to create a copy of the primary zone; and Stub, to
    create a copy of the zone but only for the NS record, SOA record, and the glue A record.

    6. Select the default selected option: Primary zone.

    7. To integrate the new zone with Active Directory, and if the DNS server is a domain
    controller, select the Store the zone in Active Directory (available only if the DNS
    server is a domain controller) checkbox.

    8. Click Next.

    9. On the Active Directory Zone Replication Scope page, accept the default setting for
    DNS replication: To all domain controllers in the Active Directory domain. Click Next.

    10. Select the Forward lookup zone option on the following page which is displayed by
    the New Zone Wizard, and then click Next.

    11. Enter a zone name for the new zone. Click Next.

    12. The options that you can select on the following page pertain to dynamic updates. The
    Allow only secure dynamic updates (recommended for Active Directory) option is
    only available if you are using Active Directory-integrated zones. Click Next.

    13. Click Finish to add the new zone to your DNS server.

    Primary zone: This is the only zone type that can be edited or updated because the
    data in the zone is the original source of the data for all domains in the zone. Updates
    made to the primary zone are made by the DNS server that is authoritative for the
    specific primary zone. You can also back up data from a primary zone to a secondary
    zone.

    Secondary zone: A secondary zone is a read-only copy of the zone that was copied
    from the master server during zone transfer.

    Active Directory-integrated zone: An Active Directory-integrated zone is a zone that
    stores its zone data in Active Directory. DNS zone files are not needed. This type of
    zone is an authoritative primary zone. Zone data of an Active Directory-integrated
    zone is replicated during the Active Directory replication process. Active Directory-integrated
    zones also enjoy the security features of Active Directory.

    Stub zone: A stub zone is a new Windows Server 2003 feature. Stub zones only
    contain those resource records necessary to identify the authoritative DNS servers for
    the master zone.

    IIS v 6.0

    Kernel Mode: Kernel Mode is a mediator between user mode and the hardware. Kernel
    mode interacts directly with the hardware.

    IIS v 6.0 runs in Kernel Mode.

    The IIS server is generally used to host websites and FTP sites. The IIS server in Windows 2003
    comes with version 6.0, whereas Windows 2000 has IIS v 5.0. In Windows NT 4.0 IIS is
    by default 2.0 and, if Service Pack 6.0 is installed, the IIS server is 4.0. IIS v 6.0 works directly in
    Kernel Mode, whereas previous versions work in User Mode. As IIS 6.0 works in
    Kernel Mode it is faster at hosting websites.

    Websites can also be hosted on a Windows 98 operating system by using PWS (Personal Web
    Server), but there are a lot of disadvantages compared to IIS v 6.0 on a server. IIS is installed by
    default in Windows 2000 Server, whereas in 2003 the IIS server is not installed by default. We
    call IIS ISM (Internet Service Manager) in Windows 2003 Server, whereas in Windows
    2000 we call it IISM (Internet Information Service Manager).

    Websites: Websites can be hosted on an IIS server using the default port number 80. A website on
    an IIS server can be configured using a different port also. There are a total of 65,535 ports, out
    of which 1023 ports are reserved.

    FTP: File Transfer Protocol is specifically used for uploads and downloads. An FTP site can be
    configured on the IIS server with the default port number 21. In Windows 2003 IIS, by default the
    administrator is allowed to download and denied to upload. Only one user can do both of
    them, i.e. the Power User of IIS. He is called iuser (Internet). The administrator has to take
    permission himself in order to upload any data through the FTP site.

    Once the IIS server is configured the DNS server should be configured with zones. IIS is totally
    integrated with the DNS server.

    By default in the Windows 2000 IIS server there are 2 default websites: 1) Default Website and 2)
    Administrative Website.

    The Default Website consists of help regarding the IIS server. The Administrative Website is not available
    in the Windows 2003 IIS server.


    Requirements for IIS server to host:

    1. Standalone Server (can be installed on a Domain Controller, Member Server or Work
    Group).
    2. Member Server is recommended.
    3. Static IP Address.
    4. Windows 2003 Server CD.
    5. DNS Server.
    6. Web content (html files).

    To Install IIS Server:

    Start > Settings > Control Panel > Add/Remove Programs > Add/Remove Windows
    Components.

    Select Application Server, click the Details button.

    Check IIS (by default the FTP site is not selected).

    So select IIS and click on Details again and check FTP. Then OK > OK > Finish.

    Insert the Windows 2003 Server CD when prompted.

    After installation click Finish.

    To configure a website in IIS server:

    Start > Programs > Administrative Tools > IISM

    Open the Web Sites folder and Right Click.

    Select New > Web Site.

    A wizard appears. Click Next.

    Specify a name for the website (this name is visible only in the IIS server). Click Next.

    Specify the server's IP address. Leave the default port number and specify the Host
    Header name (eg: www.yahoo.com). Click Next.

    Specify the path where the web contents exist by clicking the Browse button. Click Next.

    Displays certain options. Check the Browse option and Click Next and Finish.

    Configure DNS with a Zone in the Forward Lookup Zone with the same Header name
    (the newly created site in IIS).

    Once the zone is configured with Host and Alias records, go to the Command Prompt and ping
    the Host header name.

    If an error occurs while pinging, flush the DNS cache. To flush the DNS type the following
    command:

    C:\>ipconfig /flushdns

    Once the DNS is flushed, ping the host header name again.
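An added illustration (not part of the course notes) of how the IP address, port and Host Header name entered in the wizard let several sites share one address and port 80: the server matches the request's Host header against its bindings. The site names and the precedence rule used here are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    site: str
    ip: str    # "*" = all unassigned addresses
    port: int
    host: str  # "" = no host header required


# Constructed bindings: the sites from the walkthrough plus a default site
# and one site bound to a non-default port.
SITES = [
    Binding("Default Web Site", "*", 80, ""),
    Binding("yahoo", "192.168.1.1", 80, "www.yahoo.com"),
    Binding("mail", "192.168.1.1", 80, "www.mail.yahoo.com"),
    Binding("intranet", "192.168.1.1", 8080, ""),
]


def normalize_host(host_header: str) -> str:
    """The Host header is 'name[:port]' and compares case-insensitively."""
    return host_header.split(":", 1)[0].strip().lower().rstrip(".")


def select_site(bindings, ip: str, port: int, host_header: str):
    """Pick the site for a request that arrived on ip:port carrying host_header.
    Specificity order assumed here: ip+host > ip only > wildcard+host > wildcard.
    Returns the site name, or None when no binding matches at all."""
    host = normalize_host(host_header)
    candidates = [b for b in bindings
                  if b.port == port and b.ip in (ip, "*") and b.host in (host, "")]
    if not candidates:
        return None
    best = max(candidates, key=lambda b: (b.ip != "*", b.host != ""))
    return best.site
```

A request whose Host header matches no site falls through to the default site on port 80, which is why the walkthrough asks for a DNS host record that carries the exact header name.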

    To Set the Home Page for the Website:

    In IIS server, Right Click on the website which was created, go to Properties.

    In the options select Documents. Click the Add button and specify the Home Page file
    name (eg: index.html). Click OK.

    Delete the default home page if one is specified. Apply, OK.

    To configure a Sub Domain for the existing website:

    Right Click on the website which was created. Select New > Web Site.

    Follow the same steps as for the website.

    To configure the Sub Domain in the DNS server in the Forward Lookup Zone:

    Right Click on the Forward Lookup Zone which was created and Select New Domain.

    Specify the Sub Domain Name only (eg: mail).

    Press OK, the Sub Domain will be created.


    Create Host and Alias records for the Sub Domain.

    Now go to the Command Prompt and ping (www.mail.yahoo.com).

    1) A maximum of 13 Sub Domains can be created and configured.

    www.mail.yahoo.com (Sub Domain) and www.yahoo.com/ (Virtual Directory).

    To Create a Virtual Directory:

    Right Click on the website and select New > Virtual Directory. Specify a name for the
    Virtual Directory (mail). Next, follow the same steps as previously.

    To Configure an FTP site:

    Start > Programs > Administrative Tools > IISM.

    Open the FTP Sites folder, Right Click and select New > FTP Site (this name is visible
    only in the list of the IIS server). Click Next.

    Specify the server's IP address.

    Leave the default port (21). Click Next.

    Displays options:

    o Do not isolate users o Isolate users o Isolate users over internet

    Select the default. Click Next.

    Specify the path where the web contents are by clicking the Browse button. Click Next.

    Displays 2 options: o Read o Write

    Check the Write option. Click Next & Finish.

    Create the following folders:

    C:\Root
    MCSE
    Administrator
    Username
    Public

    Giving the right to the Administrator to upload information to the FTP site:

    Right Click on the FTP site which was created.

    Go to Properties and select the 2nd tab.

    It displays the iuser account.

    Change it to Administrator by clicking the Browse button. Apply. OK.

    Refresh for 1/2 minutes.

    We cannot make any changes directly on the FTP site. To make changes, download the file, make the necessary changes and then upload it.

    Software Router

    A Router is used to establish connectivity between 2 different networks.

    [Diagram: a Router connecting network 192.168.1.x (192.168.1.1, 192.168.1.2) with network 192.168.2.x (192.168.2.1, 192.168.2.2)]

    There are 2 types of Routers:

    1) Software Router and
    2) Hardware Router.

    Software Router: A software router is used to establish connectivity between 2 different
    networks within a local LAN (preferred).

    Hardware Router: A hardware router is used to establish connectivity between 2 different
    geographical locations. Eg: WAN.

    Differences between a Software Router & a Hardware Router:

    1. Hardware Router: has one task to perform, i.e. Routing.
       Software Router: can be used to perform multiple tasks.

    2. Hardware Router: can be configured only by a professional.
       Software Router: can be configured by any person with simple knowledge.

    3. Hardware Router: there are fixed series of routers available.
       Software Router: there are no fixed series.

    4. Hardware Router: it is easily portable.
       Software Router: it is difficult to port.

    5. Hardware Router: it is costlier.
       Software Router: it is cheaper.

    6. Hardware Router: requires third party devices for connectivity and configuring. Eg: Transceiver, DB9.
       Software Router: no need to use any third party devices.

    RTL (Routing Table List):

    An RTL is present within the router. The RTL maintains the information of the networks directly
    connected to the router and also of the networks indirectly connected to the router.

    NAT (Network Address Translator):

    NAT is used to separate the private network (IP addresses) from the public network, such that the public
    network cannot access the private network but the private network can access the public
    network. NAT is implemented on the router. NAT is layer 3 security, but with an option
    called Basic Firewall it functions in all 7 layers.
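An added model (not part of the course notes) of the one-way behaviour described above: a port-translating NAT whose table is filled only by traffic leaving the private side, so a reply finds its way back while an unsolicited packet from the public side has no entry and is dropped. The public address and endpoint addresses are constructed.

```python
import itertools

PUBLIC_IP = "203.0.113.1"   # assumed public interface address of the router


class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (inside_ip, inside_port, remote_ip, remote_port) -> translated public port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound = {}

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Private -> public: rewrite the source to the router's public address and
        record the mapping so that the reply can be routed back to the inside host."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_port):
        """Public -> private for a packet addressed to public_ip:dst_port. Only a
        reply to an existing outbound session is forwarded; anything else has no
        table entry and is dropped, which is why the public side cannot reach
        private hosts on its own initiative."""
        entry = self.inbound.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return (src_ip, src_port, inside_ip, inside_port)
```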

    [Diagram: NAT on the Router between 192.168.1.1 / 192.168.1.2 and 192.168.2.1 / 192.168.2.2]

    DHCP Relay Agent:

    The DHCP Relay Agent is used to dynamically assign IP addresses of one network to another
    network. The DHCP Relay Agent takes the request from the client machine, passes it
    through the router and delivers it to the DHCP server present on the other network. It takes the IP
    address from the DHCP server, passes it back through the router and assigns the dynamic IP address
    to the client.

    o Without configuring the DHCP Relay Agent on the router the DHCP server cannot
    assign a dynamic IP address to a different network. Once the DHCP Relay Agent is
    configured on the router there is no need to configure any Super Scope on the DHCP server.

    [Diagram: DHCP Relay Agent on the Router between 192.168.1.1 / 192.168.1.2 and 192.168.2.1 / 192.168.2.2]

    The router's information must be specified in the scope options (or the
    server options) on the DHCP server.
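An added illustration (not part of the course notes) of why the relay agent makes a Super Scope unnecessary and why the router must appear in the scope options: the relay stamps the forwarded request with the address of the interface it arrived on (the DHCP giaddr field), and the server chooses the scope containing that address and hands back that network's router. The scopes, ranges and addresses are constructed.

```python
import ipaddress

# Constructed scopes as they would be defined on the DHCP server (192.168.1.x side).
SCOPES = {
    "192.168.1.0/24": {"range": ("192.168.1.10", "192.168.1.50"), "router": "192.168.1.1"},
    "192.168.2.0/24": {"range": ("192.168.2.10", "192.168.2.50"), "router": "192.168.2.1"},
}


def relay(discover: dict, relay_interface_ip: str) -> dict:
    """Relay agent on the router: forward the client's broadcast as unicast to the
    DHCP server with giaddr set to the interface the request arrived on.
    Only the first relay on the path sets giaddr; later ones just count hops."""
    forwarded = dict(discover)
    if forwarded.get("giaddr", "0.0.0.0") == "0.0.0.0":
        forwarded["giaddr"] = relay_interface_ip
    forwarded["hops"] = forwarded.get("hops", 0) + 1
    return forwarded


def choose_scope(server_ip: str, request: dict):
    """DHCP server: a relayed request is matched on giaddr; a request that arrived
    directly (giaddr 0.0.0.0) is matched on the server's own interface address.
    Returns the scope key, or None when no scope covers the selector address."""
    selector = request.get("giaddr", "0.0.0.0")
    if selector == "0.0.0.0":
        selector = server_ip
    addr = ipaddress.ip_address(selector)
    for net in SCOPES:
        if addr in ipaddress.ip_network(net):
            return net
    return None


def offer(server_ip: str, request: dict, leased: set):
    """Hand out the next free address of the selected scope together with that
    scope's router (option 3). Returns (offered_ip, router) or None."""
    net = choose_scope(server_ip, request)
    if net is None:
        return None
    lo, hi = (ipaddress.ip_address(x) for x in SCOPES[net]["range"])
    candidate = lo
    while candidate <= hi:
        if str(candidate) not in leased:
            leased.add(str(candidate))
            return (str(candidate), SCOPES[net]["router"])
        candidate += 1
    return None   # scope exhausted
```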

    Requirements for a Software Router:

    1. Standalone Server (can be installed on a Domain Controller, Member Server or Work
    Group).
    2. Member Server is recommended.
    3. Requires at least 2 NIC cards.

    Each and every interface of the router must be configured with a different
    network IP address.

    To install the Software Router:

    The software router is installed by default with the Operating System.

    To Configure the Software Router:

    Start > Programs > Administrative Tools > Routing & Remote Access

    Right Click on the Computer Name & Select Configure and Enable Routing and Remote
    Access.

    A wizard appears. Click Next.

    In the options select connectivity between 2 private networks. Click Next.

    Displays 2 Options: either to configure Dial-up or not to configure Dial-up.

    Select the No option. Click Next & Finish.

    To configure NAT in the Software Router:

    By default NAT is installed with the router in the Windows 2003 software router, with
    an option of Basic Firewall. If NAT is not installed, then:

    Start > Programs > Administrative Tools > Routing & Remote Access. Right Click on the General folder and select New Routing Protocol.

    In the options select NAT/Basic Firewall. Click the OK button.

    It appears in the list.

    To configure NAT:

    Right click on NAT/Basic Firewall and Select New Interface.

    In the Interfaces select an Interface. Click OK.

    In the options it displays: Private & Public.

    Select the default option. Click OK.

    Again Right Click on NAT & select New Interface.

    Select the other Interface. Click OK. Displays Public & Private.

    Select the Public option & check NAT. Click OK. (Basic Firewall can also be selected.)

    To configure the DHCP Relay Agent:

    To install the DHCP Relay Agent on the Router, remove NAT from the Router,
    because NAT requires both interfaces to have Static IP addresses.

    To Install the DHCP Relay Agent:

    Start > Programs > Administrative Tools > Routing & Remote Access.

    Right click on General & Select New Routing Protocol.

    In the options select DHCP Relay Agent and Click OK. DHCP Relay Agent appears in the list.


    To Configure:

    Right Click on DHCP Relay Agent and Select New Interface.

    In the Interfaces select an Interface and Click the OK button.

    Select the default options & OK.

    Add the other Interface also by the same procedure.

    o Right click on DHCP Relay Agent, go to Properties.

    o Specify the DHCP server's IP Address. Click OK.

    Remote Access Service (RAS)

    RAS is used to establish connectivity between the client and the server remotely, by using a
    3rd vendor in the middle (Telephone Department).

    Each and every network is by default an unsecured network, because in an unsecured
    network the data travels in plain text format over the network. It can be hacked by
    any person once the data is on the network.

    In the RAS concept the client machine uses a Dial-up connection to get connected to the RAS
    server. In such a case the client PC uses the PPP (Point to Point) protocol or PPMP (Point to Point
    Multi-link Protocol) to establish connectivity.

    The PPMP protocol is used when we require a huge amount of bandwidth to connect to the RAS
    server. It clubs multiple lines such as ISDN, X.25 and Digi (Digital) links to get a huge amount
    of bandwidth. An unsecured network is also called a physical connection between two
    nodes. To connect the unsecured network to a secured network, VPN (Virtual Private
    Network) connections are used.

    To have a secured network we must first have an unsecured network. A
    secured network cannot be established directly. A secured network is a logical
    connection between 2 nodes; to have a secured network, 2 protocols are utilised: PPTP
    (Point to Point Tunnelling Protocol) and L2TP (Layer 2 Tunnelling Protocol).

    Initially PPTP was the industry standard protocol for VPN connections. Later L2TP
    became the industry standard for VPN connections. By default Microsoft Windows Server
    2003 supports the PPTP protocol.

    A network is called a secured network because data travels in an encrypted format over the
    network and is decrypted only at the destination end.

    By default, on a single unsecured network (dial-up) a maximum of 5 VPN connections
    can be established using the PPTP protocol.

    [Diagram: Windows 2000 (Prof) client with Modem connected over a Dial-up line (Analog / Digital) to a Windows 2003 Server with Modem; the unsecured link carries PPP / PPMP, the VPN over it uses PPTP / L2TP; also listed: PPPOE, MRASP]

    Point to Point Protocol Over Ethernet (PPPOE): To have huge bandwidth over a point to point
    connection that uses Ethernet technology, a protocol used on the RAS server called PPPOE is used.

    Microsoft Remote Access Service Protocol (MRASP): When there are multiple RAS
    servers that are able to communicate with each other, the MRASP protocol is used to establish that
    connectivity.

    Requirements for a RAS Server:

    1. Standalone Server (can be installed on a Domain Controller, Member Server or Work
    Group). Member Server is recommended.
    2. Static IP Address
    3. Modem
    4. Telephone Line
    5. Telephone Number

    To Install the RAS Server:

    By default the RAS server is installed with the operating system.

    To Configure the RAS Server:

    Start > Programs > Administrative Tools > Routing & Remote Access

    Select Configure and Enable Routing and Remote Access.

    A wizard appears. Click Next.

    Select the option Remote Access (by default it is selected). Click Next.

    Displays 2 options: VPN & Dial-up. Check Dial-up & Click Next.

    Gives 2 options again:

    o Assign IP addresses through the DHCP server o Manually

    Select the Manual option and Click Next.

    Specify the range of IP Addresses by clicking the Add button. Click Next.

    Gives 2 options: to configure RADIUS or not to configure RADIUS.

    Select No. Click Next & Finish.

    To configure the Modem both on the Server and the Client:

    Start > Settings > Control Panel > Phones & Modems

    Double click on Phones & Modems, select Modems in the options. Click the Add button.

    A wizard appears with a check box for manually selecting the Modem driver.

    Check the option and Click Next.

    In the next options select the Communications cable between two computers. Click Next.

    Select the COM port. Click Next & Finish.

    To Configure a Dial-up Connection (On the Client Side Only):

    Start > Settings > Network Connections. Double click Make New Connection.

    A Wizard appears. Click Next.

    In the options select Advanced. Click Next.

    2 options appear. In the options select Connect Directly to Another Computer. Click
    Next.

    Displays 2 options (Host & Guest). Select the Guest option. Click Next.

    Specify the Computer name of the RAS server. Click Next.

    Select the Modem. Click Next.

    2 options are displayed (Everyone & Myself). Select any one option. Click Next & Finish.


    1) Remote Control: Through the Remote Control option the administrator can view the user's
    Terminal Service session. There are 2 modes in the Remote Control option: 1) View Mode
    & 2) Interactive Mode. In View Mode the administrator can view the user's Terminal
    Service session. Through Interactive Mode the Administrator can interact with the user.
    There is an option (checked) that, once Remote Control is applied to the user's Terminal
    Service session, lets the user either accept or deny it. If this option is unchecked, once
    Remote Control is applied to a user no intimation is sent to him and it forcibly takes over the user's Terminal Session.

    2) Environment: Through the Environment option only one application can be deployed to
    the user when the user is in the Terminal Service. If we n