IGNOUINDIA.IN 126338778 BCSL-063 LAB MANUAL Operating System Concepts and Networking Management


Post on 24-Jan-2021


Session 1: NETWORK CONFIGURATION

Exercise 1 : Run the following commands and write the use of each command

Ipconfig

C:\Documents and Settings\Administrator>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix :

IP Address : 10.227.1.81

Subnet Mask : 255.255.255.128

Default Gateway : 10.227.1.1


Ping

C:\Documents and Settings\Administrator>ping

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]

[-r count] [-s count] [[-j host-list] | [-k host-list]]

[-w timeout] destination-list

Options:

-t Ping the specified host until stopped.

To see statistics and continue - type Control-Break

To stop - type Control-C.

-a Resolve addresses to hostnames.

-n count Number of echo requests to send.

-l size Send buffer size.

-f Set Don't Fragment flag in packet.

-i TTL Time To Live.

-v TOS Type Of Service.

-r count Record route for count hops.

-s count Timestamp for count hops.

-j host-list Loose source route along host-list.

-k host-list Strict source route along host-list.


-w timeout Timeout in milliseconds to wait for each reply.

telnet

Microsoft (R) Windows 2000 (TM) Version 5.00 (Build 2195)

Welcome to Microsoft Telnet Client

Telnet Client Build 5.00.99206.1

Escape Character is 'CTRL+]'

Microsoft Telnet>

diskperf

C:\Documents and Settings\Administrator>diskperf

Physical Disk Performance counters on this system are currently set to start at boot.

netdiag

C:\Documents and Settings\Administrator>netdiag

'netdiag' is not recognized as an internal or external command, operable program or batch file.

netstat

C:\Documents and Settings\Administrator>netstat

Active Connections

Proto Local Address Foreign Address State

TCP Amb:1208 72.20.27.115:8080 SYN_SENT

TCP Amb:2380 105.173.200.246:microsoft-ds SYN_SENT

TCP Amb:2381 17.43.237.130:microsoft-ds SYN_SENT

TCP Amb:2382 185.57.26.6:microsoft-ds SYN_SENT

TCP Amb:2383 11.230.24.215:microsoft-ds SYN_SENT

TCP Amb:2384 122.126.219.134:microsoft-ds SYN_SENT

TCP Amb:2387 143.135.200.171:microsoft-ds SYN_SENT

TCP Amb:2388 8.229.211.254:microsoft-ds SYN_SENT

TCP Amb:2389 12.188.152.119:microsoft-ds SYN_SENT

TCP Amb:2390 53.74.31.59:microsoft-ds SYN_SENT

TCP Amb:2391 63.78.51.82:microsoft-ds SYN_SENT

TCP Amb:2393 185.166.131.126:microsoft-ds SYN_SENT

TCP Amb:2394 50.60.189.211:microsoft-ds SYN_SENT

TCP Amb:2395 122.123.9.47:microsoft-ds SYN_SENT


TCP Amb:2396 131.186.166.19:microsoft-ds SYN_SENT

TCP Amb:2397 53.74.31.59:microsoft-ds SYN_SENT
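Every row in the capture above is in the SYN_SENT state, nearly all of them to the microsoft-ds port at many different foreign addresses. The script below is an added example, not part of the lab manual: it summarizes netstat output per destination port so that this kind of fan-out of unanswered outbound connections stands out. The sample rows are constructed (documentation addresses), and the function names and threshold are assumptions.

```shell
#!/bin/sh
# Added example: summarize unanswered outbound connections in netstat output.
# Sample rows are constructed in the format shown above; "Amb" is the host
# name from the page, the foreign addresses are documentation ranges.

sample_netstat() {
cat <<'EOF'
Active Connections

  Proto  Local Address   Foreign Address            State
  TCP    Amb:1208        192.0.2.15:8080            SYN_SENT
  TCP    Amb:2380        198.51.100.7:microsoft-ds  SYN_SENT
  TCP    Amb:2381        198.51.100.44:microsoft-ds SYN_SENT
  TCP    Amb:2382        203.0.113.9:microsoft-ds   SYN_SENT
  TCP    Amb:2383        203.0.113.77:microsoft-ds  SYN_SENT
  TCP    Amb:2384        192.0.2.200:microsoft-ds   SYN_SENT
  TCP    Amb:2385        198.51.100.7:microsoft-ds  SYN_SENT
  TCP    Amb:1100        192.0.2.80:http            ESTABLISHED
EOF
}

# syn_sent_fanout MIN
# Reads netstat output on stdin. For each destination port, counts SYN_SENT
# rows and distinct foreign addresses, and prints "port rows distinct" for
# ports with at least MIN distinct addresses.
syn_sent_fanout() {
    awk -v min="$1" '
        $1 == "TCP" && $4 == "SYN_SENT" {
            n = split($3, part, ":")
            port = part[n]
            addr = substr($3, 1, length($3) - length(port) - 1)
            rows[port]++
            if (!((port, addr) in seen)) {
                seen[port, addr] = 1
                distinct[port]++
            }
        }
        END {
            for (p in distinct)
                if (distinct[p] >= min)
                    print p, rows[p], distinct[p]
        }
    ' | LC_ALL=C sort
}

# Demo: flag ports with half-open connections to 5 or more different hosts.
sample_netstat | syn_sent_fanout 5
```

On a live Windows host the same function can be fed from a saved capture, for example the output of netstat redirected to a file.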

Pathping

C:\Documents and Settings\Administrator>pathping

Usage: pathping [-n] [-h maximum_hops] [-g host-list] [-p period]

[-q num_queries] [-w timeout] [-t] [-R] [-r] target_name

Options:

-n Do not resolve addresses to hostnames.

-h maximum_hops Maximum number of hops to search for target.

-g host-list Loose source route along host-list.

-p period Wait period milliseconds between pings.

-q num_queries Number of queries per hop.

-w timeout Wait timeout milliseconds for each reply.

-T Test connectivity to each hop with Layer-2 priority tags.

-R Test if each hop is RSVP aware.

ftp

C:\Documents and Settings\Administrator>ftp

ftp>

tftp

C:\Documents and Settings\Administrator>tftp

Transfers files to and from a remote computer running the TFTP service.

TFTP [-i] host [GET | PUT] source [destination]

-i Specifies binary image transfer mode (also called octet). In binary image

mode the file is moved literally, byte by byte. Use this mode when

transferring binary files.

host Specifies the local or remote host.

GET Transfers the file destination on the remote host to the file source on the

local host.

PUT Transfers the file source on the local host to the file destination on the

remote host.

source Specifies the file to transfer.

destination Specifies where to transfer the file.


Sfc

C:\Documents and Settings\Administrator>sfc

Microsoft(R) Windows 2000 Windows File Checker Version 5.00 (C) 1999 Microsoft Corp.

All rights reserved

Scans all protected system files and replaces incorrect versions with correct Microsoft versions.

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/ENABLE]

[/PURGECACHE] [/CACHESIZE=x] [/QUIET]

/SCANNOW Scans all protected system files immediately.

/SCANONCE Scans all protected system files once at the next boot.

/SCANBOOT Scans all protected system files at every boot.

/CANCEL Cancels all pending scans of protected system files.

/QUIET Replaces all incorrect file versions without prompting the user.

/ENABLE Enables Windows File Protection for normal operation

/PURGECACHE Purges the file cache and scans all protected system files

immediately.

/CACHESIZE=x Sets the file cache size

nbtstat

C:\Documents and Settings\Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

-a (adapter status) Lists the remote machine's name table given its name

-A (Adapter status) Lists the remote machine's name table given its

-P printer Name of the print queue

-C class Job classification for use on the burst page

-J job Job name to print on the burst page

-o option Indicates type of the file (by default assumes a text file) Use "-o l" for

binary (e.g. postscript) files

-x Compatibility with SunOS 4.1.x and prior

-d Send data file first


tracert

C:\Documents and Settings\Administrator>tracert

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:

-d Do not resolve addresses to hostnames.

-h maximum_hops Maximum number of hops to search for target.

-j host-list Loose source route along host-list.

-w timeout Wait timeout milliseconds for each reply.

nslookup

C:\Documents and Settings\Administrator>nslookup

*** Default servers are not available

Default Server: UnKnown

Address: 127.0.0.1

route

C:\Documents and Settings\Administrator>route

Manipulates network routing tables.

ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]

-f Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.

-p When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. Ignored for all other commands, which always affect the appropriate persistent routes. This option is not supported in Windows 95.

command One of these:

PRINT Prints a route

ADD Adds a route

DELETE Deletes a route

CHANGE Modifies an existing route

destination Specifies the host.


MASK Specifies that the next parameter is the 'netmask' value.

netmask Specifies a subnet mask value for this route entry. If not specified, it defaults to 255.255.255.255.

gateway Specifies gateway.

interface the interface number for the specified route.

METRIC specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network database file NETWORKS. The symbolic names for gateway are looked up in the host name database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard, (wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only matching destination routes are printed. The '*' matches any string, and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Diagnostic Notes:

Invalid MASK generates an error, that is when (DEST & MASK) != DEST.

Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1

The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.

Examples:

> route PRINT

> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2

destination^ ^mask ^gateway metric^ ^ Interface^

If IF is not given, it tries to find the best interface for a given gateway.

> route PRINT

> route PRINT 157* .... Only prints those matching 157*

> route DELETE 157.0.0.0

> route PRINT
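The mask check from the Diagnostic Notes above, (DEST & MASK) != DEST, worked through in shell. This is an added example, not part of the lab manual; the function names are assumptions, and the addresses come from the route help text and from the ipconfig output earlier in this session.

```shell
#!/bin/sh
# Added example: the destination/mask consistency check that route applies
# before adding an entry. Function names are illustrative.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Returns 1 if the argument is not a well-formed dotted quad.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;   # no leading zeros, at most 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> prints the 32-bit integer N as a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# route_mask_ok DEST MASK
# Returns 0 when (DEST & MASK) == DEST, 1 when the mask is rejected,
# 2 when either argument is malformed.
route_mask_ok() {
    dest=$(ip_to_int "$1") || return 2
    mask=$(ip_to_int "$2") || return 2
    [ $(( dest & mask )) -eq "$dest" ]
}

# stray_bits DEST MASK -> prints the destination bits that lie outside the mask.
stray_bits() {
    dest=$(ip_to_int "$1") || return 2
    mask=$(ip_to_int "$2") || return 2
    int_to_ip $(( dest & ~mask & 0xFFFFFFFF ))
}

# network_of ADDR MASK -> prints ADDR & MASK, a destination the check accepts.
network_of() {
    addr=$(ip_to_int "$1") || return 2
    mask=$(ip_to_int "$2") || return 2
    int_to_ip $(( addr & mask ))
}

check() {
    if route_mask_ok "$1" "$2"; then
        echo "$1 MASK $2: accepted"
    else
        echo "$1 MASK $2: rejected, bits outside mask: $(stray_bits "$1" "$2")"
    fi
}

check 157.0.0.0 255.0.0.0           # the working example from the help text
check 157.0.0.0 155.0.0.0           # the failing example from the help text
check 10.227.1.81 255.255.255.128   # host address from the ipconfig output
echo "network for that host: $(network_of 10.227.1.81 255.255.255.128)"
```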

Lpq

C:\Documents and Settings\Administrator>lpq

Displays the state of a remote lpd queue.

Usage: lpq -Sserver -Pprinter [-l]

Options:

-S server Name or ipaddress of the host providing lpd service


-P printer Name of the print queue

-l verbose output

net session

C:\Documents and Settings\Administrator>net session

There are no entries in the list.

drivers

C:\Documents and Settings\Administrator>drivers

'drivers' is not recognized as an internal or external command, operable program or batch file.

nettime

C:\Documents and Settings\Administrator>nettime

'nettime' is not recognized as an internal or external command, operable program or batch file.

rsh

C:\Documents and Settings\Administrator>rsh

Runs commands on remote hosts running the RSH service.

RSH host [-l username] [-n] command

host Specifies the remote host on which to run command.

-l username Specifies the user name to use on the remote host. If omitted,

the logged on user name is used.

-n Redirects the input of RSH to NULL.

command Specifies the command to run.

chkdsk

C:\Documents and Settings\Administrator>chkdsk

The type of the file system is FAT32.

Volume HCL created 22/08/2002 5:53 PM

Volume Serial Number is 3A51-1906

Windows is verifying files and folders...

File and folder verification is complete.


Windows has checked the file system and found no problem.

39,058,992 KB total disk space.

1,287,888 KB in 734 hidden files.

53,440 KB in 3,223 folders.

22,328,464 KB in 67,626 files.

15,389,184 KB are available.

16,384 bytes in each allocation unit.

2,441,187 total allocation units on disk.

961,824 allocation units available on disk.

hostname

C:\Documents and Settings\Administrator>hostname

Amb

net account

C:\Documents and Settings\Administrator>net account

The syntax of this command is:

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP

| HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |

SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Exercise 2: Use arp command to find your Ethernet physical address.

C:\Documents and Settings\Administrator>arp

Displays and modifies the IP-to-Physical address translation tables used by address resolution

protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]

ARP -d inet_addr [if_addr]

ARP -a [inet_addr] [-N if_addr]

-a Displays current ARP entries by interrogating the current

protocol data. If inet_addr is specified, the IP and Physical

addresses for only the specified computer are displayed. If more than one

network interface uses ARP, entries for each ARP table are

displayed.

-g Same as -a.


inet_addr Specifies an internet address.

-N if_addr Displays the ARP entries for the network interface

Specified by if_addr.

-d Deletes the host specified by inet_addr. inet_addr may be

wildcarded with * to delete all hosts.

-s Adds the host and associates the Internet address inet_addr

with the Physical address eth_addr. The Physical address is

given as 6 hexadecimal bytes separated by hyphens. The entry

is permanent.

eth_addr Specifies a physical address.

if_addr If present, this specifies the Internet address of the interface

whose address translation table should be modified. If not

present, the first applicable interface will be used.

Example:

> arp -s 157.55.85.212 00-aa-00-62-c6-09 .... Adds a static entry.

> arp -a .... Displays the arp table.

Exercise 3: Modify the routing table using ipxroute

C:\Documents and Settings\Administrator>ipxroute

NWLink IPX Routing and Source Routing Control Program v2.00

Unable to open transport \Device\NwlnkIpx.

Exercise 4 : View tcp/ip settings

netsh>show mode tcp/ip

online

Exercise 5 : Configure interfaces:

netsh>set

The following commands are available:

Commands in this context:

set machine - Sets the current machine on which to operate.

set mode - Sets the current mode to online or offline.

netsh>set interface

The following command was not found: set interface.

netsh>set mode interface


'mode' is not an acceptable value for 'interface'.

The parameter is incorrect.

netsh>set mode

Usage: set mode [ mode= ] { online | offline }

Parameters: Tag Value

mode - One of the following values:

online: Commit changes immediately

offline: Delay commit until explicitly requested

Remarks:

Sets the current mode to online or offline.

netsh>set machine

Exercise 9 : Configure remote Access.

With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related settings.

For example:

The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1:

netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1

Netsh.exe can be also useful in certain scenarios such as when you

have a portable computer that needs to be relocated between 2 or

more office locations, while still maintaining a specific and static

IP address configuration. With Netsh.exe, you can easily save and restore the appropriate

network configuration.

First, connect your portable computer to location #1, and then manually configure the required

settings (such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses).

Now, you need to export your current IP settings to a text file. Use the following command:

netsh -c interface dump > c:\location1.txt

When you reach location #2, do the same thing, only save the new settings to a different file:

netsh -c interface dump > c:\location2.txt


You can go on with any other location you may need, but we'll keep it simple and only use 2

examples. Now, whenever you need to quickly import your IP settings and change them

between location #1 and location #2, just enter the following command in a Command Prompt

window (CMD.EXE):

netsh -f c:\location1.txt

or

netsh -f c:\location2.txt

and so on.

You can also use the global EXEC switch instead of -F:

netsh exec c:\location2.txt

Netsh.exe can also be used to configure your NIC to automatically obtain an IP address from a

DHCP server:

netsh interface ip set address "Local Area Connection" dhcp

Would you like to configure DNS and WINS addresses from the Command Prompt?

You can. See this example for DNS:

netsh interface ip set dns "Local Area Connection" static 192.168.0.200

and this one for WINS:

netsh interface ip set wins "Local Area Connection" static 192.168.0.200

Or, if you want, you can configure your NIC to dynamically obtain its DNS settings:

netsh interface ip set dns "Local Area Connection" dhcp

Exercise 10: Use winchat command and communicate with your friend sitting on a different machine of Windows 2000.

Answer:

To Make a Chat Call

1. On the Conversation menu, click Dial.

2. Click the computer name, or type the computer name, for the person with whom you want to chat, and then click OK.

3. When the person with whom you want to chat answers the call, begin typing in the Chat window. You cannot begin typing until the person you are calling answers.

4. If the person you are calling does not answer, or you want to end the call, click Hang Up on the Conversation menu.


To Answer a Call

To answer a call, click Chat, which appears on the taskbar when someone uses Chat to call your computer. Or, if your Chat window is already open, click Answer on the Conversation menu. Note that you must have Chat running or have the Network DDE service started to answer a call. To start the Network DDE service:

1. Click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools. Double-click Computer Management, double-click Services and Applications, and then double-click Services.

2. In the Details pane, click Network DDE.

3. On the Action menu, click Start.

To have the Network DDE service start automatically every time you start your computer:

1. Click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools.

2. Double-click Computer Management, double-click Services and Applications, and then double-click Services.

3. In the Details pane, click Network DDE.

4. On the Action menu, click Properties.

5. On the General tab, in Startup type, select Automatic, and then click OK.

To Hang Up

To end a call, click Hang Up on the Conversation menu. If the person with whom you are chatting hangs up before you do, a message appears in the status bar. If you quit Chat, hang-up occurs automatically.

To Turn Sound On or Off

To turn sound on or off, click Sound on the Options menu.

If your computer has a sound card, you can change the sound for incoming and outgoing rings. To do so, double-click Sounds and Audio Devices in Control Panel. For more information, click the Help menu in Control Panel.

To Change the Background Color

To change the background color for the Chat window:

1. On the Options menu, click Background Color.

2. Under Basic colors, click the color you want, and then click OK.

The color you choose is mapped to the nearest solid color. By default, the pane that displays your chat partner's conversation uses the background color and font that your chat partner has selected.

You can view your chat partner's conversation with the same background color and font that you are using by clicking Preferences on the Options menu, and then clicking Use Own Font.

To Change the Font

1. On the Options menu, click Font.

2. In the Font dialog box, click the options you want.

By default, the pane that displays your chat partner's conversation uses the background color and font that your chat partner has selected. You can view your chat partner's conversation with the same background color and font that you are using by clicking Preferences on the Options menu, and then clicking Use Own Font.

To Change Window Preferences

1. On the Options menu, click Preferences.

2. Under Window Style, click the layout you prefer.

3. Under Partner's Message, click the option you want.


Session 2: Linux/Unix Operating Systems

Exercise 1: First try to execute the following commands on your operating system and write down the results and use of each command.

man

Step 1 :

Step 2 :

man {section}name

Shows the full manual page entry for "name". Without a section number, "man" may give you

any or all man pages for that "name". For example, "man write" will give you the manual pages

for the write command, and "man 2 write" will give you the system call for "write" ( usually from

the C or Pascal programming language ).

pwd

Step 1 :


Step 2 :

pwd

Shows current working directory path.

ls

Step 1 :

Step 2:

ls {directory}

Shows directory listing. If no "directory" is specified, "ls" prints the names of the files in the

current directory.

ls -a


ls -a: List entries starting with "."

ls -al

ls -al | more

Step 1 :

Step 2 :

cd

cd {dirname}

Change current directory. Without a "dirname", it will return you to your home directory.

Otherwise, it takes you to the directory named. "cd /" will take you to the root directory.

cd ..


cd -

chmod

cat passwd

Exercise 2: Try to explore the file system, write what is there in /bin, /usr/bin, /sbin, /tmp and /boot. Find and list the devices that are available in your system.

/bin


/usr/bin

/tmp

/sbin


/boot

Exercise 3: Make your own subdirectories called uni and linu in your home directory, Made? Ok, now delete the subdirectory called uni.

Exercise 4: Create a file called ignou.txt that contains the words “hello I am student of IGNOU”. Now copy this file and paste to other directory. Copied? Can you move the file also from one directory to another?


Exercise 5: In the previous question you have a file ignou.txt; change its permission to rwxrwxr-x. You can try different possibilities to change its permissions. One possibility may be rwxr-xr-x permissions. Find out what different commands are available that can be used to change the permissions of a file/files.

chmod To change permission of file/directory.

Permissions
+r : Grant read permission
+w : Grant write permission
+x : Grant execute permission
-r : Revoke read permission
-w : Revoke write permission
-x : Revoke execute permission

User Permission
u : User/owner
g : Group
o : Others
a : All (User, Group and Others)

Octal Permission
0 : _ _ _
1 : _ _ x
2 : _ w _
3 : _ w x
4 : r _ _
5 : r _ x
6 : r w _
7 : r w x
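The octal table above applied to the two permission strings from the exercise. This is an added example, not part of the lab manual: the helper names are assumptions, and the file is a temporary one created for the demonstration.

```shell
#!/bin/sh
# Added example: map an ls-style permission string to the octal digits in the
# table above, apply it with chmod, and read the result back.
# ls prints "-" where the table prints "_".

# sym_to_octal rwxrwxr-x -> 775
# Returns 1 for anything that is not nine r/w/x/- characters in ls order.
sym_to_octal() {
    perms=$1
    [ "${#perms}" -eq 9 ] || return 1
    digits=
    for start in 1 4 7; do
        triad=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        case "$triad" in
            ---) d=0 ;; --x) d=1 ;; -w-) d=2 ;; -wx) d=3 ;;
            r--) d=4 ;; r-x) d=5 ;; rw-) d=6 ;; rwx) d=7 ;;
            *) return 1 ;;
        esac
        digits=$digits$d
    done
    echo "$digits"
}

# mode_of FILE -> the nine permission characters that ls -l reports
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# set_mode FILE PERMS -> chmod FILE to the octal form of PERMS, print the result
set_mode() {
    octal=$(sym_to_octal "$2") || return 1
    chmod "$octal" "$1" || return 1
    mode_of "$1"
}

demo() {
    f=$(mktemp) || return 1
    echo "rwxrwxr-x = $(sym_to_octal rwxrwxr-x) -> $(set_mode "$f" rwxrwxr-x)"
    echo "rwxr-xr-x = $(sym_to_octal rwxr-xr-x) -> $(set_mode "$f" rwxr-xr-x)"
    # The symbolic form reaches the same mode without octal digits.
    chmod u=rwx,g=rwx,o=rx "$f"
    echo "u=rwx,g=rwx,o=rx -> $(mode_of "$f")"
    rm -f "$f"
}
demo
```

The two modes in the exercise differ only in the group write bit: 775 lets every member of the file's group modify it, 755 does not.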

Exercise 6: Display the names of all files in the home directory using find. Can you display the names of all files in the home directory that are bigger than 500KB.


Exercise 7: Display a sorted list of all files in the home directory that contain the word ignou inside them. Hint: Use find and grep and sort. Can you use locate to find all filenames that contain the word ignou?

Exercise 8: Use egrep to try to find out which lines in an ignou.txt file are satisfied by the regular expression given: (^[0-9]{1,5}[a-zA-z]+$)|none and check the result with different combinations of lines.
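One way to work through this exercise, as an added example that is not part of the lab manual: the script runs the expression over constructed lines with grep -E (equivalent to egrep) and compares it with a stricter variant. The stricter expression and the sample lines are assumptions; note that in the C locale the range A-z also covers the characters [ \ ] ^ _ ` that sit between Z and a, and that the none alternative is not anchored.

```shell
#!/bin/sh
# Added example: which lines does the exercise's expression accept?
# LC_ALL=C makes bracket ranges follow byte order, so the result is repeatable.

page_regex='(^[0-9]{1,5}[a-zA-z]+$)|none'     # as printed in the exercise
strict_regex='^([0-9]{1,5}[a-zA-Z]+|none)$'   # assumed intent: letters only, whole line

# Constructed test lines.
sample_lines() {
cat <<'EOF'
123abc
12345Z
123456abc
abc123
42
7foo_bar
7foo-bar
none
xx nonexistent 999999
NONE
EOF
}

# matches REGEX -> prints the sample lines the expression accepts
matches() {
    sample_lines | LC_ALL=C grep -E -e "$1" || true
}

# only_loose -> lines accepted by the exercise's expression but not the strict one
only_loose() {
    matches "$page_regex" | LC_ALL=C grep -E -v -e "$strict_regex" || true
}

echo "accepted by the exercise's expression:"
matches "$page_regex" | sed 's/^/  /'
echo "accepted only because of A-z or the unanchored none:"
only_loose | sed 's/^/  /'
```

When an expression like this is used to validate input, the two extra lines are the ones to look at: an underscore passes as a letter, and any line that merely contains none passes regardless of what surrounds it.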

Exercise 9: Change your password and write down restrictions for given password.

Exercise 10: Open ignou.txt using vi editor, go to the end of the file and type in the following paragraph:

In 1971 Bell Labs releases the first Unix operating system. Then 1985 Richard Stallman

releases his GNU (“GNU is not Unix”) Manifesto thus starting the open sourci revolution. He

wanted to creat an open-source version of Unix Unix. Stallman’s Free Software Foundation

eventually created the GNU General Public License (GPL) which is basically an anti-copyright

also referred to as a

Now you correct spelling errors in the first three lines and remove the extra “Unix” in the 3rd line

of the paragraph. Add the words “copyleft” to the end of the paragraph. Replace the string “GNU is not Unix” with a string “Unix is not a GNU”. Save the file and quit. Repeat the same exercise using emacs also. Write down the difference between the two editors, also write which one you find easier and why.

Difference:-

• Vi was designed to write programs while Emacs was designed to write text

• Vi is much smaller and loads much faster compared to Emacs

• Emacs is modeless while vi can work in different modes

• Vi has few features while in Emacs various plugins are available

• Vi is designed for Unix while Emacs works on every OS.


Session 3: LINUX / UNIX OPERATING SYSTEM

Exercise 1 : Find the files in your home directory whose names start with the character ‘s’ and redirect the output into a file redirecting.txt, and if you receive an error message on execution of the command, redirect it into error.exe.

# matching paths are appended to redirecting.txt, error messages to error.txt

find "$HOME" -name "s*" >> redirecting.txt 2>> error.txt

Exercise 2 : Execute sleep 25 in the foreground, suspend it with Ctrl-z and then put it into the background with bg. Show all processes running in the background, bring any process back into the foreground with fg. Repeat the same exercise using kill to terminate the process and use & for sending into the background.

sleep 25
Ctrl+Z
bg
jobs
ps
fg %1        # fg takes the job number shown by jobs, not the PID

sleep 25 &
ps
kill 4052    # 4052 is the PID that ps lists for sleep
ps

Exercise 3 : Combine the commands cat nonexistent and echo helloIGNOU using suitable operators. Now reverse the order of the commands and try.

cat nonexistent && echo "helloIGNOU"    Combination of two commands using the && operator

cat >> nonexistent    Combination of two commands using the append operator

Exercise 4 : Write a shell script which returns the PID of a process and accept the name of process

# ps -ef | grep processname

e.g.:

# ps -ef | grep firefox

Exercise 5 : Use ping to find the round-trip delay to www.ignou.ac.in.

ping ignou.ac.in -c 1


Exercise 6 : Send a message to all users which are online. Make provision so that you can send messages to other users but others cannot. Use talk to send messages.

talk username

who | talk

Exercise 7 : Print a file ignou.txt and then send multiple files to a printer. Write the command you will execute to remove any file from print queue.

lpr ignou.txt

lpr abc.txt

lpq shows jobs in the printer queue along with the job number.

To remove a job:

lprm 10

Exercise 8 : Send a mail to yourself, and include ignou.txt inside the mail. Read the mail you have sent to yourself. Save the piece of message and file into somefolder. Reply to yourself.

Mail root(user 1) ->Mail amb(user 2)

Exercise 9 : Use telnet and ftp to get connected with other remote machine. Write the problems you encounter during connection with remote machine.

1. Install a telnet program (client) on your computer. HyperTerminal, included with Windows, will perform many telnet operations. You can also locate an array of freeware, shareware or commercial telnet clients from various software Web sites.

2. Open your telnet program.

3. Enter the telnet address in the address box. Click OK.

4. Enter your login ID. If you have been given special permission, your host will have provided you with a login ID. If it is an anonymous site, you may be able to log in as "guest" or by using your e-mail address.

5. Once you are logged in, the procedure varies depending on how the host has been set up.

Exercise 10 : Use the ls command and grep to display all names starting with “s”.

ls | grep "^s"


Session 3: Linux / Unix Operating System

Exercise 1 : Find the files (with full path) in your home directory whose names start with the character ‘s’ and redirect the output into a file redirecting.txt, and if you receive any error message on execution of the command, redirect it into errors.txt.

Ans : 1

Exercise 2 : Execute sleep 25 in the foreground, suspend it with Ctrl-z and then put it into the background with bg. Show all processes running in the background, and bring any process back into the foreground with fg. Repeat the same exercise using kill to terminate the process and use & for sending into background. (You need to see different options of the kill command)

Ans:2


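Exercise 3 : Write a shell script which accepts the name of a process and returns its PID.

# Usage: sh getpid.sh init   (the process name is the first argument)
a=`ps -e | grep "$1"`
# The unquoted $a drops leading spaces, so field 1 is the PID of the first match.
echo $a | cut -f1 -d " "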

Ans 3:

Exercise 4 : Use ping to find the round-trip delay to www.ignou.ac.in

ping www.ignou.ac.in


Exercise 5 : Send a message to all users which are online. Make provision so that you can send messages to other users but others cannot. Use talk to send messages.

Answer : mesg n

Exercise 6 : Send a mail to yourself, and include ignou.txt inside the mail. Read the mail you have sent to yourself. Save the piece of message and file into some folder. Reply to yourself.

Answer : Mail root(user 1) -> Mail amb(user 2)

Ans: 6


Exercise 7 : Print a file ignou.txt, and then send multiple files to printer. Write the command you will execute to remove any file from print queue.

Ans: lpr ignou.txt

Exercise 8 : Use the ls command and grep to display all names starting with "s".

Ans : 8

Exercise 9 : Use telnet and ftp to get connected with other remote machine. Write the problems you encounter during connection with remote machine.

Ans: 9


Session 4: SYSTEM ADMINISTRATOR USING UNIX & LINUX

Exercise 1: Use finger or who to get a list of users on the machine.

who --all Lists all the users logged in to the system

finger -sl Lists all the logged-in users with detailed information

Exercise 2: Add different users, set their passwords and define permissions. Check whether you are able to change the passwords of all users or not.

useradd user1 This will add a user named user1

useradd user2 This will add a user named user2

passwd user1 This will ask to enter new password for user1

usermod -g root user1 This will assign root as a primary group to user1

Only the super user can change the password and permissions of other users on a Linux system.
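A check for the effect of the usermod -g root step above, as an added example that is not part of the lab manual: it lists every account other than root whose UID or primary group is 0. The function names and the sample accounts are constructed for illustration, and the check covers only the primary group recorded in the passwd file, not supplementary membership in /etc/group.

```shell
#!/bin/sh
# Added example, not from the lab manual. audit_passwd and sample_passwd are
# hypothetical helper names; the sample accounts below are constructed.

# Constructed data in /etc/passwd layout: name:pw:uid:gid:gecos:home:shell
# user1 mirrors the manual's "usermod -g root user1" step (gid becomes 0).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user1:x:1001:0::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
}

# Print one line per account, other than root itself, that has superuser
# identity (uid 0) or root as its primary group (gid 0).
# $1 = file in passwd format; defaults to /etc/passwd.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }                    # skip comments and short lines
        $1 == "root"   { next }                    # the one expected uid-0 account
        $3 ~ /^0+$/    { print $1 ": uid 0"; next }
        $4 ~ /^0+$/    { print $1 ": primary group root (gid 0)" }
    ' "${1:-/etc/passwd}"
}
```

Run audit_passwd with no argument to check the live /etc/passwd; a file whose group owner is root and that is group-writable becomes writable by every account this reports under gid 0.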

Exercise 3: Delete the user, which just now you have added.

userdel user2 This will delete user2 from the user list

Exercise 4: Set the execution time of two jobs so that it can run automatically tomorrow, one at 11:00 p.m. After this setting, how can you change the time of execution of job?

crontab -e This will open the crontab file in the vi editor. It shows the scheduled entries, where we can change the time of execution and run the job.

0 11 * * * || /etc > > /|| Entries edited to run the job at 11:00 a.m.

0 13 * * * mv /|| /||| Entries edited to run the job at 3:00 p.m.

Exercise 5: Try to access your account available at a remote machine. Download some file from that machine to your machine.

ssh 192.168.0.254 This will help to enter the system having IP 192.168.0.254. The condition is that there must be an sshd service running on that system. After running this command it will ask for the administrator password of that user. After the super user password has been entered successfully, it will give control of that system at the command prompt.

scp /tmp/jeet.txt 192.168.0.11:/home/jeet/tmp/jeetnew/.txt

This will copy or download the file from the remote machine to the machine whose IP is 192.168.0.11

Exercise 6: Create a cron job that sends you a message after every 5 minutes.

crontab -e This will start the cron job

*/5 * * * * echo "Testing" This will edit the cron job entry


Exercise 7: Restart any system daemon like the web server httpd.

service httpd restart This will restart the service httpd

Exercise 8: Write a message to inform all users “they should shut down their machine after completing the lab exercise”

wall "they should shut down their machine after completing the lab exercise"

Exercise 9: Monitor the log time of users using xargs.

who /var/adm/wtmpx | xargs

Exercise 10: Eliminate file names from all users' home directories containing bad characters and whitespace.

#!/bin/bash

# Delete filenames in current directory containing bad characters.

for filename in *
do
  badname=$(printf '%s\n' "$filename" | sed -n '/[+{;"\=?~()<>&*|$]/p')
  # Files containing those nasties: + { ; " \ = ? ~ ( ) < > & * | $
  # Quoted, and preceded by "--", so the name is never split or read as an option.
  [ -n "$badname" ] && rm -- "$badname" 2>/dev/null   # So error messages deep-sixed.
done

# Now, take care of files containing all manner of whitespace.
find . -name "* *" -exec rm -f {} \;
# The path name of the file that "find" finds replaces the "{}".
# The '\' ensures that the ';' is interpreted literally, as end of command.

exit 0

#---------------------------------------------------------------------------
# Commands below this will not execute because of "exit" command.

# An alternative to the above script:
find . -name '*[+{;"\\=?~()<>& ]*' -exec rm -f '{}' \;
exit 0
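A dry-run-first variant of the cleanup above that walks a whole tree such as /home, as the exercise asks, instead of only the current directory. This is an added example, not part of the lab manual; the function names are hypothetical, and -delete is a GNU/BSD find extension rather than POSIX.

```shell
#!/bin/sh
# Added example, not from the lab manual. Function names are hypothetical.

# find -name takes a shell glob, not a regex. Inside [...] the backslash is
# doubled so that it matches a literal "\"; [:space:] covers blanks, tabs and
# newlines, not only the single space the original "* *" pattern catches.
BAD_GLOB='*[+{;"\\=?~()<>&*|$[:space:]]*'

# Run find over regular files under $1 whose names match BAD_GLOB, followed by
# whatever action the caller appends.
#   -xdev   : stay on one filesystem, do not descend into other mounts
#   -type f : regular files only; directories and symlinks are left alone
_find_bad() {
    root=$1; shift
    case $root in -*) root=./$root ;; esac   # never let the path look like an option
    find "$root" -xdev -type f -name "$BAD_GLOB" "$@"
}

# Count matches without parsing names: emit one "x" per file and count bytes,
# so a newline embedded in a filename cannot inflate the count.
count_bad_names() {
    _find_bad "$1" -exec sh -c 'for f do printf x; done' sh {} + | wc -c | tr -d ' '
}

# Dry run: show what would be removed, for a human to review.
list_bad_names() {
    _find_bad "$1" -print
}

# Remove the matches. The literal word --delete is required as $2 so that a
# stray call cannot delete anything. -delete unlinks from inside find itself
# instead of handing each path to a separate rm process.
delete_bad_names() {
    [ "${2-}" = "--delete" ] || { echo "refusing: pass --delete to confirm" >&2; return 2; }
    _find_bad "$1" -delete
}
```

Review the output of list_bad_names /home before calling delete_bad_names /home --delete; a file with a clean name inside a directory whose name contains a space is not touched, because -name tests only the last path component.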


Session 5 : INTRODUCTION TO NETWORKING

Exercise 1: Different System Tools And Administrative Tools

Computer Management

Use Computer Management to manage local or remote computers using a single, consolidated desktop tool. It combines several Windows 2000 administration utilities into a single console tree, providing easy access to a specific computer's administrative properties and tools. Use Computer Management to:

- Monitor system events such as logon times and application errors.
- Create and manage shares.
- View a list of users connected to a local or remote computer.
- Start and stop system services such as the Task Scheduler and the Spooler.
- Set properties for storage devices.
- View device configurations and add new device drivers.
- Manage server applications and services such as the Domain Name System (DNS) service or the Dynamic Host Configuration Protocol (DHCP) service.

Local Security Settings

The Security Settings node allows a security administrator to configure security levels assigned to a Group Policy object or local computer policy. This can be done after or instead of importing or applying a security template.

Event Viewer

Using the event logs in Event Viewer, you can gather information about hardware, software, and system problems and monitor Windows 2000 security events. Windows 2000 records events in three kinds of logs:

The application log

The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. The developer decides which events to record.

The system log

The system log contains events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined.

The security log

The security log can record security events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files. An administrator can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.

Services

Using Services, you can start, stop, pause, or resume services on remote and local computers, and configure startup and recovery options. You can also enable or disable services for a particular hardware profile.

With Services, you can:

- Manage services on local and remote computers, including remote computers running Windows NT 4.0.
- Set up recovery actions to take place if a service fails, such as restarting the service automatically or restarting the computer (on computers running Windows 2000 only).
- Create custom names and descriptions for services so that you can easily identify them (on computers running Windows 2000 only).


Backup

The Backup utility helps you protect data from accidental loss due to hardware or storage media failure. For example, using Backup you can create a duplicate copy of the data on your hard disk by backing up the data to another storage device such as a hard disk or a tape. In the event that the original data on your hard disk is accidentally erased or overwritten, or becomes inaccessible because of a hard disk malfunction, you can easily restore the data from the backed up copy.

Using Backup, you can:

- Back up selected files and folders on your hard disk.
- Restore the backed up files and folders to your hard disk or any other disk you can access.
- Create an Emergency Repair Disk (ERD), which will help you repair system files in the event they get corrupted or are accidentally erased.
- Make a copy of any Remote Storage data and any data stored in mounted drives.
- Make a copy of your computer's System State, which includes such things as the registry, the boot files, and the system files.
- Back up services on servers and domain controllers, including such things as the Active Directory service database, the Certificate Services database, and the File Replication service SYSVOL directory.
- Schedule regular backups to keep your backed up data up to date.

You can use Backup to back up and restore data on either FAT or NTFS volumes. However, if you have backed up data from an NTFS volume used in Windows 2000, it is recommended that you restore the data to an NTFS volume used in Windows 2000, or you could lose data as well as some file and folder features. For example, permissions, encrypting file system (EFS) settings, disk quota information, mounted drive information, and Remote Storage information will be lost if you back up data from an NTFS volume used in Windows 2000 and then restore it to a FAT volume or an NTFS volume used in Windows NT 4.0.

Disk Defragmenter

Disk Defragmenter locates fragmented files and folders on local volumes. A fragmented file or folder is split up into many pieces and scattered over a volume. When a volume contains a lot of fragmented files and folders, Windows takes longer to gain access to them because it requires several additional disk drive reads to collect the various pieces. Creating new files and folders also takes longer because the free space available on the volume is scattered. Windows must then save new files and folders to various locations on the volume.

Disk Defragmenter moves the pieces of each file or folder to one location on the volume, so that each occupies a single, contiguous space on the disk drive. As a result, your system can gain access to your files and folders and save new ones more efficiently. By consolidating your files and folders, Disk Defragmenter also consolidates your free space, making it less likely that new files will be fragmented. The process of finding and consolidating fragmented files and folders is called defragmentation. The amount of time that defragmentation takes depends on several factors, including the size of the volume, the number of files on the volume, the amount of fragmentation, and the available local system resources. You can find all of the fragmented files and folders before defragmenting them by analyzing the volume first. You can see how many fragmented files and folders are saved on the volume and then decide whether or not you would benefit from defragmenting the volume. Disk Defragmenter can defragment FAT, FAT32, and NTFS formatted volumes.

System Information

System Information collects and displays your system configuration information. Support technicians require specific information about your computer when they are troubleshooting your configuration. You can use System Information to quickly find the data they need to resolve your system problem.

System Information displays a comprehensive view of your hardware, system components, and software environment. The displayed system information is organized into a system summary and three top-level categories that correspond to the Resources, Components, and Software Environment nodes on the console tree.

- The System Summary node displays general information about your computer and the version of Windows 2000 operating system installed. This summary includes the name and type of your system, the name of your Windows system directory, regional options, and statistics about physical and virtual memory.
- The Hardware Resources node displays hardware-specific settings, namely DMA, IRQs, I/O addresses, and memory addresses. The Conflicts/Sharing node identifies devices that are sharing resources or are in conflict. This can help identify problems with a device.
- The Components node displays information about your Windows configuration and is used to determine the status of your device drivers, networking, and multimedia software. In addition, there is a comprehensive driver history, which shows changes made to your components over time.
- The Software Environment node displays a snapshot of the software loaded in computer memory. This information can be used to see if a process is still running or to check version information.

Other applications may add nodes to System Information that display information specific to the application.


You can use the View menu to switch between the display of Basic and Advanced information. The Advanced view shows all of the information in the Basic view plus additional information that may be of interest to the more advanced user or to Microsoft Product Support Services.

Exercise 2 : ADD DIFFERENT USERS AND GROUPS. ALSO CONFIGURE THEIR PERMISSIONS.

OPEN THE START MENU

SELECT SETTINGS

CLICK CONTROL PANEL

DOUBLECLICK USERS AND PASSWORDS

IN DIALOG BOX CLICK USERS TAB

MAKE SURE USERS MUST ENTER A USERNAME AND PASSWORD CHECKBOX IS SELECTED

TO ADD A NEW USER CLICK ADD BUTTON AND FOLLOW PROMPT TO NAME ACCOUNT

ESTABLISH ACCESS LEVEL AND PASSWORD

TO SET PASSWORD CLICK SET PASSWORD BUTTON. TO CHANGE ACCESS PRIVILEGES SELECT AN ACCOUNT AND CLICK PROPERTIES. FROM RESULTING DIALOG BOX YOU CAN ALTER ACCESS PRIVILEGES FOR THE ACCOUNT


EXERCISE 3: INSTALL AND CONFIGURE A LOCAL PRINTER

(1)GO TO START MENU SETTINGS PRINTERS AND FAXES

(2)DOUBLECLICK THE ADD A PRINTER OPTION IN THE PRINTERS AND FAXES FOLDER

(3)CLICK THE NEXT BUTTON OF THE WELCOME SCREEN OF THE ADD PRINTER WIZARD

(4)SELECT LOCAL PRINTER AND CLICK NEXT ON THE LOCAL OR NETWORK PRINTER PAGE


(5)SELECT A PORT FROM THE DROP DOWN MENU AND CLICK THE NEXT BUTTON

(6)SELECT THE MANUFACTURER AND PRINTER AND CLICK THE NEXT BUTTON

(7)SPECIFY A NAME FOR THE PRINTER AND SETTINGS FOR USING THE PRINTER AS A DEFAULT PRINTER IF YOU WANT TO SHARE THE PRINTER ON THE NETWORK THEN CLICK NEXT


(8)SPECIFY THE SETTINGS FOR SHARING THE PRINTER AND CLICK THE NEXT BUTTON

(9)SPECIFY THE LOCATION AND COMMENT FOR THE PRINTER AND CLICK NEXT BUTTON

(10)SPECIFY WHETHER OR NOT TO PRINT A TEST PAGE AND CLICK NEXT

(11)CLICK THE FINISH BUTTON

Exercise 4 : Windows 2000 Active Directory and Domain controller.

The Active Directory (AD) of Windows 2000 Server and Windows Server 2003 basically manages all the information that is relevant in the network's operation. This includes connections, applications, databases, printers, users and groups. Microsoft's text describes it concisely: Active Directory provides a standard way to name, describe, localize, manage, secure and access these resources.

To Start Active Directory Installation,

The dcpromo command is used to raise the level of the server to become an Active Directory controller. The process takes approximately ten minutes and is described briefly in the following.

We assume that there are no other servers in your network and therefore, we want a controller for a new Active Directory infrastructure.

Afterwards, we define whether the new AD domain is to be integrated into an existing system.


Active Directory uses its own database system in order to manage the described information efficiently. Provided your environment could grow quickly and the server could take on additional tasks, the database as well as the log files should be swapped out to a separate hard disk in order to keep system performance as high as possible.

The SYSVOL folder is another specialty of the Active Directory because its contents are replicated by all the Active Directory controllers in a domain. This includes login scripts, group policies and other things that must be available on other servers as well. The location of this folder can of course be changed according to need.


There is no DNS Server running, so we need to install DNS Server. After installing the Forward Lookup zone, we have to install the Reverse Lookup zone also.


Exercise 5 : Create a Hierarchical Directory Tree

A hierarchical representation of the folders, files, disk drives, and other resources connected to a computer or network. For example, Windows Explorer uses a tree view to display the resources that are attached to a computer or a network.

Exercise 6 : Share and Share Permissions.

I create a folder test under c:\temp directory and set permissions as follows.

Take Properties of Local Area Connection.


Exercise 7: Install and Configure TCP/IP

Properties of TCP/IP

Exercise 8 : Install a caching DNS server and find out how it reduces the network traffic

Windows 2000 authentication is implemented in two steps: an interactive logon process and a network authentication process. Typically, the same set of credentials is used by the interactive logon process and the network authentication process. If your credentials differ, you are prompted to provide Windows domain credentials each time you access a network resource. You can avoid this by logging on to your computer using your Windows domain name, your Windows domain user name, and Windows domain password before you try to connect to a network resource. If you log on without being connected to the network, Windows 2000 recognizes the information from a previous successful logon. You receive the message "Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information." When you connect to your network, the cached credentials are passed to your Windows 2000 domain and you are able to access network resources without having to provide a password again. Limiting the number of protocols on your computer enhances network performance and reduces network traffic.

Exercise 9 : Configure a DNS Server as a root name server.

If you originally set up a DNS server for internal queries only, it's possible that the root hints in your server are empty or that someone has modified them to point to internal servers. If you now want the DNS server to resolve queries for external hosts, it's important to ensure that the server has a valid set of root hints. To configure root hints for the server, follow these steps:

1. Ensure that you've configured the server to use an upstream DNS server capable of resolving external hosts.

2. Open the DNS console from the Administrative Tools folder.

3. In the left pane, right-click the server in question, and choose Properties.

4. On the Root Hints tab, select the first server in the Name Servers list, and click Edit.

5. Click Resolve to resolve the host name to its IP address, and click OK. You can also manually enter the IP address for the target server.

6. Repeat the process for the remaining root servers, and add others if necessary.

7. When you've finished, close all dialog boxes.

Exercise 10 : Implement delegated zones for a Domain Name server

In the Macintosh environment, a logical grouping that simplifies browsing the network for resources, such as servers and printers. It is similar to a domain in Windows 2000 Server networking.

In a DNS (Domain Name System) database, a zone is a subtree of the DNS database that is administered as a single separate entity, a DNS server. This administrative unit can consist of a single domain or a domain with subdomains. A DNS zone administrator sets up one or more name servers for the zone.


Session 6 : Windows 2000 : Server Management

Exercise 1:Install and Configure Windows 2000 Client

Solution :

This step-by-step Windows 2000 Professional installation (W2k Pro installation) is designed to guide the user with the screenshots (all screen captures and images on the page) taken from the installation process of the Windows 2000 Professional operating system. You can use this step-by-step guide to install or set up Windows 2000 Professional on an i386 machine, but you must make adjustments appropriate to your system configuration, your network configuration and your network environment. Some parts of this installation process may require you to consult your system administrator.

Objective:

1. Install Windows 2000 Professional on an Intel-based machine (i386 PC).

Tools and Equipment:

1. Operating System manual.
2. Operating system Windows 2000 Professional installation CDs.
3. A complete Personal Computer (PC).

Safety:

1. Follow Standard Operating Procedure (SOP).
2. Make the necessary backup of your system (in case something goes wrong).
3. Make sure that you have the right tools while working on this installation project.
4. Prepare the necessary documentation as reference when needed.

Knowledge and ability:

Upon the completion of this Windows 2000 installation project, you will be able to:

1. Install a new operating system on your personal computer (PC).
2. Make a new partition on the hard drive.
3. Format the partition using the NTFS file system.
4. Configure the Windows 2000 Professional operating system on a personal computer (PC).


Steps :

1. Set your computer to boot from the CD-ROM drive by changing the computer BIOS Boot Sequence setting.

2. Insert the Windows 2000 Professional installation CD into the CD-ROM drive and reboot the computer so that it boots from the Windows 2000 Professional installation CD-ROM in the drive.

3. After your computer boots from the Windows 2000 Professional installation CD-ROM, Windows 2000 Setup starts checking the system configuration and loading driver files.

4. The Windows 2000 Professional Setup screen then displays Welcome to Setup. Press [ ENTER ] to set up Windows 2000, press the [ R ] key to repair a Windows 2000 installation, or press the [ F3 ] key if you want to quit the installation process now. Press the [ENTER] key to proceed with the installation process.

5. Windows 2000 Professional Setup detects that the hard disk is new or has been erased, or that your computer is running an operating system that is incompatible with Windows 2000.


NOTE: Make sure that your hard disk is new or does not contain any data, because the installation will destroy all data on the disk. * Best practice: make a backup before upgrading or installing new software on the system. * Press the [C] key to proceed with the setup process.

6. Windows 2000 Licensing Agreement screen. Read the licensing agreement carefully; use the [ Page Down ] and [ Page Up ] keys to scroll down and up the licensing agreement. If you find the licensing agreement acceptable, press [ F8 ] to agree, and press the [ Esc ] key if you do not agree with the licensing agreement terms. Press the [F8] key to proceed with the setup process.

7. The Windows 2000 Professional Setup screen then displays the existing partition information. On this screen you can create a new partition on the hard disk, delete an unwanted partition, or select the unpartitioned space to make a partition for your Windows 2000 Professional. To delete a partition, press the [D] key. Highlight the unpartitioned space, then press the [C] key to create a partition.

8. Windows 2000 Professional Setup then displays the size of the unpartitioned space on the disk that we selected in the above procedure. To create a new partition for Windows 2000, resize the partition by entering the desired partition size in megabytes (MB), then press the [ENTER] key to create the new partition.

9. The Windows 2000 Professional Setup screen then displays the disk partition information. To create more partitions on the disk, highlight the unpartitioned space, then press the [C] key. To set up Windows 2000 on the desired partition, highlight New <Unformatted>, make sure that this partition is large enough to hold the Windows 2000 operating system, then press the [ENTER] key to install Windows 2000 Professional on the selected partition.

Note: This is the last point at which to quit the installation process without destroying any data on the disk. There is no turning back after this step. To quit the installation process without destroying any data on the disk, press the [ F3 ] key.

IGNOUINDIA.IN 126338778 BCSL-063 LAB MANUAL

Page 53: ignouindia.inignouindia.in/.../03/bcsl-063-Solved-Lab-Manual.docx  · Web viewBy default, the pane that displays your chat partner's conversation uses the background color and font

 10.  Windows 2000 Professional Setup screen then prompt that the partition selected is not formatted.   In order to make your disk useable, disk formatting  is the process to prepare the computer hard disk to used file system .  On this screen there is two type of file system that you can use choose from; for the operating system NTFS filesystem  or FAT file system .  One of the advantages of using NTFS file system on Windows 2000 is the increase of security features. Highlight the Format the partition using the NTFS file system, to format the partition using NTFS file system then, Press [ENTER] key to continue.

 Recommended reading and digging on the different between NTFS file system and FAT file system: NTFS vs. FAT: Which Is Right for You? Basic information on NTFS and FAT Comparison of file systems   11.  Windows 2000 Professional Setup screen then display that the partition is being formatted and the progress bar show percentage of the partition being formatted.  Wait for a while, this procedure may take some time depending on the size of the partition and the speed of the computer it self. 

 12.  The Windows 2000 Professional Setup screen then copies files to the Windows 2000 installation folder.  The progress bar shows the percentage of the files already copied to the installation folder.  Wait for this to finish; the process may take some time to complete.

 13.  The Windows 2000 Professional Setup screen then reports that this portion of setup has completed successfully. Remove any bootable media. Press the [ENTER] key to restart the computer, or wait for Setup to restart it automatically.

 14.  After the restart, the Microsoft Windows 2000 Professional screen is displayed while Windows 2000 Professional starts up for the first time.

 15.  The Windows 2000 Setup screen displays "Please wait...".


 16.  The Windows 2000 Professional Setup screen then displays "Welcome to the Windows 2000 Setup Wizard".  The Setup Wizard gathers information about you and the computer in order to set up the Windows 2000 Professional operating system properly. Note: From this Setup Wizard screen onwards, you can use the mouse to click buttons instead of using the keyboard. Click the [Next >] button to continue with the setup process.

 17.  The Windows 2000 Professional Setup screen displays Installing Devices.  On this screen, Setup detects and installs the devices on the computer.  Setup also warns that the screen may flicker for a few seconds.  Wait for Setup to finish detecting and installing the devices.


 18.  The Windows 2000 Professional Setup screen then displays Regional Settings. On this screen you can customize the system locale and the user locale for all users on the computer by clicking the [ Customize... ] button, or you can accept the default setting, in which both the system locale and the user locale are set to English (United States) for all users on the computer. In this example, the default keyboard layout is the US keyboard layout; you can change it by clicking the [ Customize... ] button. Click the [Next >] button to continue with the setup process.

 19.  The Windows 2000 Professional Setup screen then displays Personalize Your Software. On this screen, type your name in the Name box and the name of your organization in the Organization box.

Name:  <Consult your system Administrator>

Organization:  <Consult your system Administrator>

 Click the [Next >] button to continue with the setup process.


 20.  The Windows 2000 Professional Setup screen then displays Your Product Key. Type the Product Key for your Windows 2000 Professional in the Product Key box.  You can find this 25-character Product Key on the back of your Windows 2000 Professional CD case, or consult your system administrator.  Make sure you enter the product key correctly, or you cannot proceed to the next step of the installation. Click the [Next >] button to continue with the setup process.

 21.  The Windows 2000 Professional Setup screen then displays Computer Name and Administrator Password. Type the computer name in the Computer name box.  Type an administrator password in the Administrator password box, then retype the same password in the Confirm password box.

Computer name:  <Consult your system Administrator>

Administrator password:

Confirm password:


Click the [Next >] button to continue with the setup process.

 22.  The Windows 2000 Professional Setup screen then displays Date and Time Settings. Adjust the date, time and time zone as necessary. Click the [Next >] button to continue with the setup process.

 23.  The Windows 2000 Professional Setup screen then displays Networking Settings, with a progress bar while Windows installs the networking components.


 24.  After the progress bar for installing the networking components completes, the screen displays two options for the network settings (Typical settings and Custom settings). Choose Typical settings to create network connections using the Client for Microsoft Networks, File and Print Sharing for Microsoft Networks, and the TCP/IP transport protocol with automatic addressing. Click the [Next >] button to continue with the setup process.

 25.  The Windows 2000 Professional Setup screen then displays the Workgroup or Computer Domain settings. On this screen you can choose to join an existing domain (a collection of computers defined by a network administrator) or be in a workgroup (a collection of computers that have the same workgroup name).  Select the radio button "No, this computer is not on a network, or is on a network without a domain. Type a workgroup name in the following box." Note: Connecting a Windows 2000 Professional workstation to an existing domain is covered in the 'Step-by-step how to connect Windows 2000 Professional to Windows Domain' lab project.


 Click the [Next >] button to continue with the setup process.

 26.  The Windows 2000 Professional Setup screen then displays a progress bar showing the status of installing Windows 2000 components.  Wait until Setup installs all the components.  This process may take several minutes to finish.

 27.  The Windows 2000 Professional Setup screen then displays the Performing Final Tasks window.  On this screen a progress bar shows how far Setup is through a final set of tasks.  Please wait until Setup completes the following: installs Start menu items, registers components, saves settings, and removes any temporary files used.


 28.  After Setup completes Performing Final Tasks, the Windows 2000 Professional Setup screen displays a message that you have successfully completed Windows 2000 setup.  Remove the Windows 2000 Professional installation media from the CD-ROM drive, then click the [Finish] button to restart the computer.

 29.  A splash screen shows that Windows 2000 Professional is starting up on the first boot after installation.


 30.  After Windows finishes loading (Starting up...), the Windows 2000 Professional screen displays the Welcome window of the "Network Identification Wizard". Click the [Next >] button to continue with the setup process.

 31.  The Network Identification Wizard then asks who can log on to this computer. If you are the only user of the computer, click the radio button labelled "Windows always assumes the following user has logged on to this computer:" and then set a password for the user if needed. If the computer is for the use of multiple users (e.g. a public computer on a network), select "Users must enter a user name and password to use this computer".  The only user on this computer at this point is Administrator, which means the Administrator has to log on to this computer and set up user accounts or join a domain to make the computer available to other users. Click the [Next >] button to continue with the setup process.


 32.  To complete the Network Identification Wizard, click the [Finish] button.

 33.  The Log On to Windows 2000 Professional screen now appears. This screen is shown only if you selected the "Users must enter a user name and password to use this computer" option and entered the password in the procedure above (Network Identification Wizard --> Users of This Computer). If you selected the "Windows always assumes the following user has logged on to this computer:" option in that procedure and left the password box blank (did not set any password), the system logs on automatically and this Log On screen never appears. Enter the user name and password for the user and click the [OK] button to log on to the system.


 34.   The system starts to load and the Windows 2000 Professional desktop appears.

 Microsoft Windows 2000, with its Active Directory Services, allows companies to develop large, centralized directories of network resources. Managing large numbers of users is easy due to its centralized directory architecture. Access Gateway with Advanced Access Control 4.2 can take advantage of a company's Active Directory infrastructure by authenticating users through the Internet Authentication Service (IAS), Microsoft's implementation of RADIUS.

Procedure

Configuring IAS with the Advanced Access Control server:

1. Go to Start > Programs > Administrative Tools > Internet Authentication Service to start the IAS console.


2. To add the Advanced Access Control server as a client, right-click the RADIUS Clients node and then select New RADIUS Client. Type in a friendly name and the IP address or Fully Qualified Domain Name (FQDN) of the Advanced Access Control server. Click Next.


3. Under Client-Vendor, leave the default selection RADIUS Standard and ensure the Request must contain the Message Authenticator attribute check box is cleared. Type in the shared secret to use for the connection. The shared secret is used when configuring the logon point on the Advanced Access Control server.

4. Click Finish.


Note: The shared secret allows for basic encryption of the RADIUS packets between the RADIUS server and the Advanced Access Control server. Additionally, the shared secret is case-sensitive.

Once this process is complete, the RADIUS server permits the Advanced Access Control server to query it; however, a Remote Access Policy is still required to permit or deny access to specific users.

Configuring Policies in IAS with the CTXSUserGroups attribute:

A remote access policy tells the IAS server to permit or deny access to a user based on a set of credentials. It also allows for the configuration of Vendor-specific Attributes (VSAs), a form of RADIUS extensions, which allow you to send specific information to the Advanced Access Control server. Remote access policies can permit access based on parameters such as a user’s group membership in Active Directory and scheduled times or dates, among many others. Before any user can authenticate to the IAS server, a remote access policy must be defined. In this article, the following policy is created:

Advanced Access Control Carmel Group Policy: Permit Access to Carmel users and return Carmel User-Group attribute

This policy permits users who are members of the Active Directory group Carmel to authenticate to the RADIUS server. This policy will also return attributes to the Advanced Access Control server if the user is a member of the Carmel group, so access can be restricted to members of the Carmel group only.


1. To define a remote access policy, from the IAS console, right-click Remote Access Policies and click New Remote Access Policy.

2. In the New Remote Access Policy Wizard, select Set up a custom policy and type a policy name. Click Next.

3. Under the Policy Conditions box, click Add and then select the Windows-Groups attribute type.


4. Select the Active Directory user group whose access you want to restrict. In this article, the Carmel group is selected. A summary of conditions to match for this policy is shown. You may add additional groups, but users must be a member of all the groups to be granted access. Click Next.


5. Select Grant remote access permission and click Next.

6. Click Edit Profile to edit the dial-in properties for the remote access profile. This is where Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication and VSAs are enabled. Click the Authentication tab and clear the Microsoft Encrypted Authentication check boxes. Select the Encrypted authentication (CHAP) and Unencrypted authentication (PAP, SPAP) check boxes.

7. The RADIUS server must tell the Advanced Access Control server that users matching this policy are members of the Carmel group in Active Directory. This is done by sending VSAs to the Advanced Access Control server as part of this remote access policy.

8. Click the Advanced tab and remove any attributes that are present. Click Add.


9. Select Vendor Specific and then click Add. From the Multivalued Attribute Information window, click Add and then select Enter Vendor Code. Type 4 as the vendor code. Select "Yes. It conforms." and click Configure Attribute…


10. Type 14 as the Vendor-assigned attribute number and then enter CTXSUserGroups=Carmel as the Attribute value. Click OK.

11. Complete the wizard. A dialog box pops up warning that you have changed settings. Click No and then click OK.

When you have finished configuring your remote access policy, it appears in the Remote Access Policies list in the IAS console. This policy permits access and returns the Carmel attribute to the Advanced Access Control server when users who match these conditions authenticate.

Configuring Advanced Access Control for RADIUS authentication and authorization:

1. From the Access Suite Console, select the farm properties node and click Edit farm properties under Common Tasks. On the Authentication Profiles page, under Radius Profiles, click New and provide a name for your RADIUS profile. In this example the name is IAS Radius.

2. Click New… and add the IP address or FQDN of the RADIUS server. Change the port numbers if you changed them on the IAS server. Otherwise, the default values work. Click OK.


3. Select Enable RADIUS auditing and then click Configure Authorization. Enter 4 for the Vendor identifier and then enter 14 for the Vendor specified type. Click OK and OK again to exit the wizard.

4. Select the logon point you wish to use with RADIUS and click Edit logon point under Common Tasks. On the Authentication page, select the RADIUS profile option and then choose the RADIUS server from the list box.


5. On the Authorization page, the RADIUS profile option is selected automatically. Select the Enable pass-through authentication to Active Directory check box and then enter the default Active Directory domain.


6. On the Visibility page, select Allow external (gateway appliance) users access to this logon point to enable access to the Access Gateway appliance. Click OK.


7. Add the RADIUS shared secret using the Server Configuration utility. Go to Start > Programs > Citrix > Access Gateway > Server Configuration and select Configured Logon Points.

8. Select the logon point you configured for RADIUS and then click Authentication Credentials. Under RADIUS Servers, in Global secret for all servers, enter and confirm the shared secret for the RADIUS server you created in IAS. Click OK.


9. To make use of the group(s) returned by RADIUS, you must create a resource in the Access Suite Console and create a policy for the resource. When creating the policy, choose the RADIUS server from the list box and click Add. Add the name of the group you configured to allow access to this resource. In this example, Carmel is selected. Click OK.


Now you are ready to log on to the Advanced Access Control server using RADIUS authentication and authorization. After logging on, the default navigation page displays the resource created for members of the Carmel group to access.
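The exchange configured by the three procedures above, as an added Python example that is not part of the lab manual and not Citrix or Microsoft code: a PAP Access-Request whose User-Password is hidden with the shared secret, and a reply that carries CTXSUserGroups=Carmel in a Vendor-Specific Attribute (vendor code 4, attribute number 14) and is accepted by the client only if its Response Authenticator matches. The wire format follows RFC 2865; the secret, user, password, directory and the one-group-per-attribute layout are constructed assumptions.

```python
# Added example, not from the lab manual: a minimal RADIUS PAP exchange (RFC 2865).
# The secret, user, password and directory used with it are constructed sample values.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
VENDOR_ID, VENDOR_TYPE = 4, 14            # vendor code and attribute number from the page
GROUP_PREFIX = b"CTXSUserGroups="         # attribute value prefix from the page


def attr(attr_type, value):
    """Encode Type, Length, Value; Length counts the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet):
    """Yield (type, value) pairs after the 20-byte header; reject bad lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def xor_chain(data, secret, authenticator, decrypt=False):
    """User-Password hiding: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(b ^ k for b, k in zip(block, key))
        prev = block if decrypt else mixed   # chain on the ciphertext block either way
        out += mixed
    return out


def build_access_request(identifier, authenticator, user, password, secret):
    """Client side (the Advanced Access Control server in the page's setup)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, xor_chain(padded, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, identifier, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def server_handle(request, secret, directory):
    """Server side. directory maps user -> (password, [groups]); a stand-in for IAS and AD."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    identifier, authenticator = request[1], request[4:20]
    fields = dict(parse_attrs(request))
    hidden = fields.get(USER_PASSWORD, b"")
    password = xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")
    expected, groups = directory.get(fields.get(USER_NAME, b""), (None, []))
    if expected is None or not hmac.compare_digest(password, expected):
        return build_reply(ACCESS_REJECT, identifier, authenticator, b"", secret)
    vsas = b"".join(
        attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + attr(VENDOR_TYPE, GROUP_PREFIX + g))
        for g in groups)
    return build_reply(ACCESS_ACCEPT, identifier, authenticator, vsas, secret)


def client_verify(reply, request_authenticator, secret):
    """Check the Response Authenticator, then return (code, groups from vendor 4, type 14)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("bad length")
    digest = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(digest, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    groups = []
    for attr_type, value in parse_attrs(reply):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, vendor_type, sub_len = struct.unpack("!IBB", value[:6])
        data = value[6:4 + sub_len]
        if (vendor_id, vendor_type) == (VENDOR_ID, VENDOR_TYPE) and data.startswith(GROUP_PREFIX):
            groups.append(data[len(GROUP_PREFIX):])
    return reply[0], groups


if __name__ == "__main__":
    # Constructed values; a real client uses 16 random bytes as the Request Authenticator.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    directory = {b"alice": (b"correct horse battery", [b"Carmel"])}
    request = build_access_request(7, req_auth, b"alice", b"correct horse battery", secret)
    print(client_verify(server_handle(request, secret, directory), req_auth, secret))
```

Only the User-Password attribute is hidden and the reply is bound to the secret by a single MD5 digest, so the group attribute is readable on the wire and the length and randomness of the shared secret carry the protection.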

Exercise 2: Install and Configure Windows 2000 Server

Solution :

Step #1: Plan your installation

When you run the Windows 2000 Server Setup program, you must provide information about how to install and configure the operating system. Thorough planning can make your installation of W2K more efficient by helping you to avoid potential problems during installation. An understanding of the configuration options will also help to ensure that you have properly configured your system.

I won't go into that part right now but here are some of the most important things you should take into consideration when planning for your Windows Server 2000 installation:


Check System Requirements

Check Hardware and Software Compatibility

Determine Disk Partitioning Options

Choose the Appropriate File System: FAT, FAT32, NTFS

Decide on a Workgroup or Domain Installation

Complete a Pre-Installation Checklist

After you have made sure you can go on, start the installation process.

Step #2: Beginning the installation process

You can install Windows 2000 Server by several methods. All are valid; which one you use depends on your needs and your limitations.

Manual installations usually come in 3 flavors:

Boot from CD - No existing partition is required.

Boot from the 4 Setup Boot Disks, then insert the CD - No existing partition is required.

Boot from an MS-DOS startup floppy, go to the command prompt, create a 4GB FAT32 partition with FDISK, reboot, format the C partition you've created, then go to the CD drive, go into the I386 folder, and run the WINNT.EXE command.

Run an already installed OS, such as Windows NT 4.0 Server. From within NT 4.0 go to the I386 folder in the W2K installation CD and run the WINNT32.EXE command.

If you want to upgrade a desktop OS such as Windows 98 into Windows 2000 Professional you can follow the same procedure as above (You cannot upgrade Windows 98 into W2K Server).

There are other non-manual installation methods, such as using an unattended file along with a uniqueness database file, using Sysprep, using RIS or even running unattended installations from within the CD itself, but we won't go into that right now.

It doesn't matter how you start the setup process; once it is running, all setup methods look alike.


Step #3: The text-based portion of the Setup program

The setup process begins loading a blue-looking text screen (not GUI). In that phase you will be asked to accept the EULA and choose a partition on which to install W2K, and if that partition is new, you'll be asked to format it by using either FAT, FAT32 or NTFS.

1. Start the computer from the CD.

2. You can press F6 if you need to install additional SCSI adapters or other mass-storage devices. If you do you will be asked to supply a floppy disk with the drivers and you CANNOT browse it (or a CD for that matter). Make sure you have one handy.

3. Setup will load all the needed files and drivers.

4. Select To Setup W2K Now. If you want, and if you have a previous installation of the OS, you can try to fix it by pressing R. If not, just press ENTER.

5. In case your server is a new one, or it is using a new hard disk that hasn't been partitioned yet, you'll get a warning message. Read it, and if you want to continue, press C.

6. Read and accept the licensing agreement and press F8 if you accept it.

7. Select or create the partition on which you will install W2K. Depending upon your existing disk configuration choose one of the following:

If the hard disk is not yet partitioned, you can create and size the partition on which you will install Windows 2000. Press C.


If the hard disk is new and you want to create a partition that will span the entire hard disk's size - press Enter.

Other options:

If the hard disk is already partitioned, but has enough unpartitioned disk space, you can create an additional partition in the unpartitioned space.

If the hard disk already has a partition that is large enough, you can install Windows 2000 on that partition. If the partition has an existing operating system, you will overwrite that operating system if you accept the default installation path. However, files other than the operating system files, such as program files and data files, will not be overwritten.

If the hard disk has an existing partition, you can delete it to create more unpartitioned space for the new partition. Deleting an existing partition erases all data on that partition.

If you select a new partition during Setup, create and size only the partition on which you will install Windows 2000. After installation, use Disk Management to partition the remaining space on the hard disk.

8. Select a file system for the installation partition. After you create the partition on which you will install W2K, you can use Setup to select the file system with which to format the partition. W2K supports the NTFS file system in addition to the file allocation table (FAT) and FAT32 file systems. Windows Server 2003, Windows XP Professional, Windows 2000, and Windows NT are the only Microsoft operating systems that you can use to gain access to data on a local hard disk that is formatted with NTFS. If you plan to gain access to files that are on a local W2K partition with the Microsoft Windows 95 or Windows 98 operating systems, you should format the partition with a FAT or FAT32 file system. We will use NTFS.

9. Setup will then begin copying necessary files from the installation point (CD, local I386 or network share).

10. Note: If you began the installation process from an MS-DOS floppy, make sure you have SMARTDRV on the floppy and run it; otherwise the copying process will probably last more than an hour, perhaps even more. With SMARTDRV (or if setup was run by booting from CD) the copying will probably last a few minutes, no more than 5 max.

11. The computer will restart in graphical mode, and the installation will continue.

Step #4: The GUI-based portion of the Setup program

The setup process reboots and loads a GUI mode phase.

It will then begin to load device drivers based upon what it finds on your computer. You don't need to do anything at this stage.

If your computer stops responding during this phase (the progress bar is stuck almost half-way, and there is no disk activity) - shut down your computer and begin removing hardware such as PCI and ISA cards. If it works for you then later try to figure out how to make that specific piece of hardware work (it's probably not in the HCL).

1. Click Customize to change regional settings, if necessary.

Current System Locale - Affects how programs display dates, times, currency, and numbers. Choose the locale that matches your location, for example, French (Canada).

Current Keyboard Layout - Accommodates the special characters and symbols used in different languages. Your keyboard layout determines which characters appear when you press keys on the keyboard.

If you don't need to make any changes just press Next.

If you do need to make changes press Customize and add your System Locale etc.


Note for Hebrew users: In W2K it is NOT SAFE to install Hebrew language support at this phase!!! Trust me, do it later. If you don't listen to me, good chances are that you'll get ???? fonts in some Office applications such as Outlook and others.

Read the Install Hebrew on Windows 2000 page for more info.

2. Type your name and organization.

3. Type the product key.

If you'd like to skip this step in the future, please read Install Windows 2000 Without Supplying the CD Key.

4. Enter the appropriate license type and number of purchased licenses.

5. Type the computer name and a password for the local Administrator account. The local Administrator account resides in the SAM of the computer, not in Active Directory. If you will be installing in a domain, you need either a pre-assigned computer name for which a domain account has been created, or the right to create a computer account within the domain.

6. Choose which components to install or remove from the system.

7. Select the date, time, and time zone settings.

6. Setup will now install the networking components.

After a few seconds you will receive the Networking Settings window. BTW, if you have a NIC that is not in the HCL (see the What's the HCL? page) and W2K cannot detect it, or if you don't have a NIC at all, setup will skip this step and you will immediately go to the final phase of the setup process.

Press Next to accept the Typical settings option if you have one of the following situations:

You have a functional DHCP on your network.

You have a computer running Internet Connection Sharing (ICS).

You're in a workgroup environment and do not plan to have any other servers or Active Directory at all, and all other workgroup members are configured in the same manner.

Otherwise select Custom Settings and press Next to customize your network settings.

7. Highlight the TCP/IP selection and press Properties.

In the General tab enter the required information. You must specify the IP address of the computer, and if you don't know what the Subnet Mask entry should be - you can simply place your mouse pointer over the empty area in the Subnet Mask box and click it. The OS will automatically select the value it thinks is good for the IP address you provided.

Lamer note: In the above screenshot I've configured the computer with a valid IP address for MY network, along with the Default Gateway and the address of MY DNS server. Your settings may differ.

If you don't know what these values mean, or if you don't know what to write in them, press cancel and select the Typical Settings option. You can easily change these values later.

8. In the Workgroup or Domain window enter the name of your workgroup or domain.

A workgroup is a small group of computers on a network that enables users to work together and does not support centralized administration.

A domain is a logical grouping of computers on a network that has a central security database for storing security information. Centralized security and administration are important for computers in a domain because they enable an administrator to easily manage computers that are geographically distant from each other. A domain is administered as a unit with common rules and procedures. Each domain has a unique name, and each computer within a domain has a unique name.

If you're a stand-alone computer, or if you don't know what to enter, or if you don't have the sufficient rights to join a domain - leave the default entry selected and press Next.

If you want to join a domain (NT 4.0 domain or W2K/2003 Active Directory domain) enter the domain's name in the "Yes, make this computer a member of the following domain" box.

To successfully join a domain you need the following:

The person performing the installation must have a user account in Active Directory. This account does not need to be the domain Administrator account.

and

The computer must have an existing computer account in the Active Directory database of the domain that the computer is joining, and the computer must be named exactly as its domain account is named.

or

The person performing the installation must have appropriate permission to create a domain account for the computer during installation.

Also, you need to have connectivity to the domain's domain controllers (only to the PDC if on an NT 4.0 domain) and a fully functional DNS server (only in AD domains). Read the Joining a Domain in Windows XP Pro and Requirements when Joining a Domain pages for more on this issue.

Enter the Active Directory domain name (in the form of xxx.yyy, for example: DPETRI.NET) or the NetBIOS name of the NT 4.0 domain (in the form of xxx, for example: DPETRI). Press Next.

Note: If you provide a wrong domain name or do not have the correct connectivity to the domain's DNS server you will get an error message.

A username/password window will appear. Enter the name and password of the domain's administrator (or your own if you're the administrator on the target domain).

Note: Providing a wrong username or password will cause this phase to fail.

9. Next the setup process will finish copying files and configuring the setup. You do not need to do anything.

10. After the copying and configuring phase is finished, if Windows Server 2003 finds that you have a badly configured screen resolution it will advise you to change it and ask you if you see the new settings right.

11. Setup finishes and displays the finish window. Unfortunately, you must press Finish in order to reboot.

12. Windows 2000 reboots and you should get the CTRL-ALT-DEL window.

13. That's it! You're done!

Exercise 3: Set your printer on sharing and assign print permissions according to different users, configuring printer priorities for different groups.

Solution : The easiest way to connect and manage network printers is through Active Directory. You can also use Group Policy to change the default behavior of the printing environment and to provide computers and users a standard set of preferences.

Some of the most common tasks are publishing a printer in Active Directory, remotely managing printers, setting Group Policy for printers, and setting or removing permissions for a printer. You can also manage network printers from the command line (see Managing printing from the command line).

To publish a printer in Active Directory

1. Open Printers and Faxes.

2. Right-click the printer you want to publish, and then click Sharing.

3. On the Sharing tab, click Share this printer, and then type a name for the shared printer.

4. Select the List in the Directory check box to publish the printer in Active Directory.

To remotely manage printers

1. Double-click My Network Places, and then locate the print server for the printers you want to manage.

2. Double-click the print server, double-click the Printer folder icon on that server, and then click a printer.

Important

• To facilitate stronger network security, remote printer management is not available by default. To enable remote printer management, in Group Policy, you must enable the Allow Print Spooler to Accept Client Connections policy.

3. Change the print server, printer, or printing preference settings as required.

To set Group Policy for printers

1. Start Group Policy according to the object you want to set printer policy to.

2. After selecting the properties page of the object you want to set printer policy to, select the Group Policy node.

• If you want to set policies that apply only to computers, expand the Computer Configuration node, and then expand Administrative Templates.

• If you want to set policies that apply only to users, expand the User Configuration node, expand Administrative Templates, and then expand Control Panel.

3. Double-click Printers to open a listing of policies.

4. Double-click the printer policy you want to set.

5. On the Policy tab, enable or disable the policy by selecting or clearing the appropriate radio button. With some policies, you might need to enter additional information.

To set or remove permissions for a printer

1. Open Printers and Faxes.

2. Right-click the printer for which you want to set permissions, click Properties, and then click the Security tab.

3. Do one of the following:

• To change or remove permissions from an existing user or group, click the name of the user or group.

• To set up permissions for a new user or group, click Add. In Select Users, Computers, or Groups, type the name of the user or group you want to set permissions for, and then click OK to close the dialog box.

4. In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the user or group from the permissions list, click Remove.

Exercise 4: Install and Configure the DHCP Server Service.

Solution : How to Install the DHCP Service

Before you can configure the DHCP service, you must install it on the server. DHCP is not installed by default during a typical installation of Windows Standard Server 2003 or Windows Enterprise Server 2003. You can install DHCP either during the initial installation of Windows Server 2003 or after the initial installation is completed.

How to Install the DHCP Service on an Existing Server

1. Click Start, point to Control Panel, and then click Add or Remove Programs.

2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.

3. In the Windows Components Wizard, click Networking Services in the Components list, and then click Details.

4. In the Networking Services dialog box, click to select the Dynamic Host Configuration Protocol (DHCP) check box, and then click OK.

5. In the Windows Components Wizard, click Next to start Setup. Insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive if you are prompted to do so. Setup copies the DHCP server and tool files to your computer.

6. When Setup is completed, click Finish.

How to Configure the DHCP Service

After you have installed the DHCP service and started it, you must create a scope, which is a range of valid IP addresses that are available for lease to the DHCP client computers on the network. Microsoft recommends that each DHCP server in your environment have at least one scope that does not overlap with any other DHCP server scope in your environment. In Windows Server 2003, DHCP servers in an Active Directory-based domain must be authorized to prevent rogue DHCP servers from coming online. Any Windows Server 2003 DHCP Server that determines itself to be unauthorized will not manage clients.

How to Create a New Scope

1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.

2. In the console tree, right-click the DHCP server on which you want to create the new DHCP scope, and then click New Scope.

3. In the New Scope Wizard, click Next, and then type a name and description for the scope. This can be any name that you want, but it should be descriptive enough so that you can identify the purpose of the scope on your network (for example, you can use a name such as "Administration Building Client Addresses"). Click Next.

4. Type the range of addresses that can be leased as part of this scope (for example, use a range of IP addresses from a starting IP address of 192.168.100.1 to an ending address of 192.168.100.100). Because these addresses are given to clients, they must all be valid addresses for your network and not currently in use. If you want to use a different subnet mask, type the new subnet mask. Click Next.

5. Type any IP addresses that you want to exclude from the range that you entered. This includes any addresses in the range described in step 4 that may have already been statically assigned to various computers in your organization. Typically, domain controllers, Web servers, DHCP servers, Domain Name System (DNS) servers, and other servers, have statically assigned IP addresses. Click Next.

6. Type the number of days, hours, and minutes before an IP address lease from this scope expires. This determines how long a client can hold a leased address without renewing it. Click Next, and then click Yes, I want to configure these options now to extend the wizard to include settings for the most common DHCP options. Click Next.

7. Type the IP address for the default gateway that should be used by clients that obtain an IP address from this scope. Click Add to add the default gateway address in the list, and then click Next.

8. If you are using DNS servers on your network, type your organization's domain name in the Parent domain box. Type the name of your DNS server, and then click Resolve to make sure that your DHCP server can contact the DNS server and determine its address. Click Add to include that server in the list of DNS servers that are assigned to the DHCP clients. Click Next, and then follow the same steps if you are using a Windows Internet Naming Service (WINS) server, by adding its name and IP address. Click Next.

9. Click Yes, I want to activate this scope now to activate the scope and allow clients to obtain leases from it, and then click Next.

10. Click Finish.

11. In the console tree, click the server name, and then click Authorize on the Action menu.
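
The scope rules in the steps above (a leasable range, exclusions for statically assigned servers, and no overlap with another DHCP server's scope) can be checked on paper before the wizard is run. The following Python check is an added example, not part of the original manual; the server names dhcp1 and dhcp2, the second scope and the static host list are constructed assumptions built around the 192.168.100.1 to 192.168.100.100 range used in step 4.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    server: str   # DHCP server hosting the scope (hypothetical name)
    name: str     # scope name as typed in the New Scope Wizard (step 3)
    start: str    # first address of the leasable range (step 4)
    end: str      # last address of the leasable range (step 4)
    exclusions: list = field(default_factory=list)  # (first, last) pairs (step 5)


def _num(addr):
    """IPv4 dotted quad -> integer, rejecting malformed input."""
    return int(ipaddress.IPv4Address(addr))


def _span(first, last):
    lo, hi = _num(first), _num(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return set(range(lo, hi + 1))


def leasable(scope):
    """Addresses the scope can actually hand out: range minus exclusions."""
    pool = _span(scope.start, scope.end)
    for first, last in scope.exclusions:
        pool -= _span(first, last)
    return pool


def check_plan(scopes, static_hosts):
    """Return findings for overlapping pools and unexcluded static hosts."""
    findings = []
    pools = [(s, leasable(s)) for s in scopes]
    # Two servers leasing the same address leads to duplicate-IP conflicts.
    for i, (a, pool_a) in enumerate(pools):
        for b, pool_b in pools[i + 1:]:
            shared = pool_a & pool_b
            if a.server != b.server and shared:
                findings.append(("overlap", a.name, b.name, len(shared)))
    # A statically assigned server inside a leasable pool can be leased away.
    for scope, pool in pools:
        for host, addr in sorted(static_hosts.items()):
            if _num(addr) in pool:
                findings.append(("static-not-excluded", scope.name, host, addr))
    return findings


# Constructed inventory of statically addressed servers (assumption).
STATIC_HOSTS = {
    "dc1": "192.168.100.5",
    "web1": "192.168.100.20",
    "dns2": "192.168.100.120",
}

# Constructed plan with two mistakes: overlapping pools and missed exclusions.
BAD_PLAN = [
    Scope("dhcp1", "Administration Building Client Addresses",
          "192.168.100.1", "192.168.100.100",
          [("192.168.100.1", "192.168.100.10")]),
    Scope("dhcp2", "Annex Client Addresses",
          "192.168.100.90", "192.168.100.150"),
]

# The same plan after moving dhcp2's range and excluding every static host.
FIXED_PLAN = [
    Scope("dhcp1", "Administration Building Client Addresses",
          "192.168.100.1", "192.168.100.100",
          [("192.168.100.1", "192.168.100.20")]),
    Scope("dhcp2", "Annex Client Addresses",
          "192.168.100.101", "192.168.100.150",
          [("192.168.100.120", "192.168.100.120")]),
]

if __name__ == "__main__":
    for finding in check_plan(BAD_PLAN, STATIC_HOSTS):
        print("BAD  ", finding)
    print("FIXED", check_plan(FIXED_PLAN, STATIC_HOSTS))
```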

Exercise 5: Configure Windows 2000 Client to use DHCP, DNS, and WINS.

Solution : Configuring the clients to use DHCP

Once the DHCP server is configured, each client must be configured to use DHCP. The following information describes the steps to configure your Windows (R) and OS/2(R) clients to request their configuration information from the DHCP server. In addition, it describes how the clients can view their own DHCP lease information.

Windows 2000 clients

To enable DHCP:

1. On the Start Menu, select Settings --> Network and Dial-up Connections.

2. Right-click the appropriate connection name and select Properties.

3. Select TCP/IP Protocol and select Properties.

4. On the General tab, select Obtain an IP address from a DHCP server.

5. Select OK.

Windows NT and Windows 2000 clients also have a utility that displays the client's MAC address and DHCP lease information. To check the DHCP lease for a Windows NT and Windows 2000 client:

1. Open an MS-DOS Command Prompt.

2. Run IPCONFIG /ALL.

Note: This utility does not dynamically update the displayed information, so it will be necessary to re-run the utility to view updated status. You can use the same utility with different parameters to release and renew a lease (IPCONFIG /RELEASE and IPCONFIG /RENEW). Run IPCONFIG /? from an MS-DOS Command Prompt to see all of the possible parameters for the command.
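
The lease information that IPCONFIG /ALL prints also shows which DHCP server answered the client, which is the client-side view of whether an unexpected server is handing out addresses. The following Python parser is an added example, not part of the original manual; the sample text is constructed in the Windows 2000 output layout, and the list of expected DHCP servers is an assumption you would replace with your own.

```python
import re

# Constructed sample in the Windows 2000 "ipconfig /all" layout (not captured output).
SAMPLE_OUTPUT = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : LABPC01
        Primary DNS Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        Physical Address. . . . . . . . . : 00-50-56-00-00-01
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.100.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.254
        DHCP Server . . . . . . . . . . . : 192.168.100.2
        DNS Servers . . . . . . . . . . . : 192.168.100.2
                                            192.168.100.3
        Lease Obtained. . . . . . . . . . : Monday, January 20, 2003 9:00:00 AM
        Lease Expires . . . . . . . . . . : Tuesday, January 28, 2003 9:00:00 AM

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-50-56-00-00-02
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DHCP Server . . . . . . . . . . . : 10.0.0.1
        Lease Obtained. . . . . . . . . . : Monday, January 20, 2003 9:05:00 AM
        Lease Expires . . . . . . . . . . : Monday, January 20, 2003 10:05:00 AM

Ethernet adapter Local Area Connection 3:

        Physical Address. . . . . . . . . : 00-50-56-00-00-03
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.5
"""

# Assumption: the DHCP servers this network is expected to use.
EXPECTED_DHCP_SERVERS = {"192.168.100.2"}

# "Name. . . . : value" - the name ends where the dot/space padding before the
# first colon begins; the value may itself contain colons (lease timestamps).
FIELD_RE = re.compile(r"^\s+(.*?)[ .]*:\s*(.*)$")


def parse_ipconfig_all(text):
    """Return {adapter header: {field name: value}} for each adapter section."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Unindented line: the banner, or an adapter header ending in ":".
            current = adapters.setdefault(line[:-1], {}) if line.endswith(":") else None
            continue
        match = FIELD_RE.match(line)
        # Continuation lines (extra DNS servers) have no colon and are skipped.
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return adapters


def audit_leases(adapters, expected_servers):
    """Flag DHCP-enabled adapters with no lease or a lease from an unexpected server."""
    findings = []
    for name, fields in adapters.items():
        if fields.get("DHCP Enabled", "").lower() != "yes":
            continue  # statically configured adapter, nothing to check
        server = fields.get("DHCP Server")
        if server is None:
            findings.append((name, "dhcp-enabled-but-no-lease", None))
        elif server not in expected_servers:
            findings.append((name, "lease-from-unexpected-server", server))
    return findings


if __name__ == "__main__":
    parsed = parse_ipconfig_all(SAMPLE_OUTPUT)
    for name, fields in parsed.items():
        print(name, "->", fields.get("DHCP Server"), "|", fields.get("Lease Expires"))
    for finding in audit_leases(parsed, EXPECTED_DHCP_SERVERS):
        print("FINDING", finding)
```

Because the utility does not refresh itself, the text has to be captured again (for example with IPCONFIG /ALL redirected to a file) after each IPCONFIG /RENEW before it is re-checked.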

Windows 2000 DHCP clients need to be configured if you want the DHCP server to update DNS A records on behalf of the client. You may want to delegate updates to the DHCP server if your network has standard legacy Microsoft (R) Windows clients like Windows 95 and NT, since these clients currently do not update DNS A records. This may simplify your DNS administration because DNS updates will originate from the DHCP server for all clients, rather than having some clients update their own records.

To disable DNS dynamic updates from the client perform the following steps:

1. On the Start Menu, select Settings --> Network and Dial-up Connections.

2. Right-click the appropriate connection name and select Properties.

3. Select TCP/IP Protocol and select Properties.

4. Select Advanced.

5. On the DNS tab, deselect the "Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration" options.

6. Select OK.

This should be done for all connections that you want to have the DNS records update delegated to the DHCP server.

How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer

To configure DNS dynamic update on a Windows 2000 DNS client computer:

1. Click Start, point to Settings, and then click Network and Dial-up Connections.

2. Right-click the network connection that you want to configure, and then click Properties.

3. Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.

4. Click Advanced, and then click the DNS tab.

5. To use DNS dynamic update to register both the IP addresses for this connection and the full computer name of the computer, click to select the Register this connection's addresses in DNS check box. This check box is selected by default.

6. To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this connection box.

7. To use DNS dynamic update to register the IP addresses and the connection-specific domain name for this connection, click to select the Use this connection's DNS suffix in DNS registration check box. This check box is selected by default.

Installation

To disable WINS/NetBT name resolution:

1. Click Start, point to Settings, and then click Network and Dial-up Connections.

2. Click the local area connection that you want to be statically configured, and then click Properties on the File menu.

3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.

4. Click Disable NetBIOS over TCP/IP.

5. Click OK, click OK, and then click OK.

NOTE: Optionally, you can select the Use NetBIOS setting from the DHCP server if you are using a DHCP server that can selectively enable and disable NetBIOS configurations through DHCP option types. NetBIOS over TCP/IP can also be disabled for computers that are running Windows 2000 by using DHCP option types that are supported by the Windows 2000 DHCP Server service.

Exercise 6: Configuring a Windows Client as a VPN Client.

Solution :

Windows XP VPN Client

The following page details the steps necessary to create a Windows XP VPN connection to a server.

1. Go to Start / Settings / Network Connections

2. Start the New Connection Wizard

3. Select Connect to the network at my workplace

4. Click on the Next button.

5. Click on Virtual Private Network connection

6. Click on the Next button

7. Give the Connection a Name

8. Click on the Next button

9. If prompted, select whether or not you need to dial to the Internet before establishing a VPN connection.

10. Enter the IP address of the server you want to connect to. This needs to be the external WAN IP address that is being used by the VPN server, not the LAN IP address of the VPN server.

11. Check whether you want to have an icon placed on the desktop and click on the Finish button.

VPN and Browsing

1. Browsing the remote network can be difficult if not impossible over a VPN connection. There are too many variables that can hinder this.

2. To make browsing work a little easier, you might want to edit the HOSTS and LMHOSTS files on the VPN Client. These are in the C:\Windows\System32\drivers\etc directory for XP.

3. Just add a line with the LAN IP address of the VPN server followed by its name, e.g. 192.168.1.10  SERVER

4. You can also add in the LAN IP address and name of any other computers on the remote network that you may want to connect to.

5. Also, make sure the workgroup name is the same on all computers.

The default Client TCP/IP setting might interfere with your ability to access the Internet while having a VPN connection. To correct this:

1. Go to the properties for your VPN connection

2. Click on the Networking tab

3. Double click on TCP/IP

4. Click on the Advanced button

5. Uncheck "Use default gateway on remote computer"

Exercise 7: Implement Dfs (Distributed file system) replication.

Solution : The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name; which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares. DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability. Medium to large sized organizations are most likely to benefit from the use of DFS - for smaller companies it is simply not worth setting up since an ordinary file server would be just fine.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, improved for better performance, additional fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client which provides additional features as well as caching.

Setting Up and Configuring DFS

The Distributed File System console is installed by default with Windows 2003 and can be found in the administrative tools folder. To open, press Start > Programs > Administrative Tools > Distributed File System or in the Control Panel, open the Administrative Tools folder and click on the Distributed File System icon. This will open the management console where all the configuration takes place.

The first thing you need to do is create a root. To do this, right click the node and select New Root.

Press Next on the first window to be brought to the screen where you will have to make the choice of creating either a stand alone or domain root. A domain root will publish itself in Active Directory and supports replication, whereas a stand alone root does not. If you have an AD Domain Controller set up on your machine, I recommend choosing the domain root.

Note: The root would be the top level of the hierarchy. It is the main Active Directory container that holds Dfs links to shared folders in a domain. Windows 2003 allows your server to have more than one root - which wasn't the case in Windows 2000.

The next screen is the one where you have to select which trusted domains will be hosted. Since I only have one domain in my network, only domain.com is visible.

Once this is done you have to select a server on that domain - in my example it is netserv. The FQDN (Fully Qualified Domain Name) of this host server is netserv.domain.com.

Figure 2: inputting the host server name

The following screen allows you to specify the root name of your primary DFS root. You should give it something which will accurately define the contents of that share. In my example I have called this root "Company" - which would be a real name of an organization. You can change this to anything you want. You might wish to have a root called "Documents" - which would clearly state that one can expect to find anything related or specific to documents, and documentation in that root.

Figure 3: entering the dfs root name

You will now have to select the location of a folder in which all the files will be stored.

Figure 4: selecting the root share

Tip: for added security, when selecting a folder, try to choose one that is located on a partition other than that of the operating system.

Your DFS root is now configured and visible in the configuration console. Right click the root target and press Status to check if it is online or not.

A green check mark verifies that everything is working properly and that the node is online, whereas a red X means that there is a problem.

To add a new link, right click the root for which you want the link to be created, and select New Link.

In the "New Link" screen, enter a name and path for the link and click OK. Repeat this for as many links as you need to create.

Figure 5: creating a new link

Links are visible right under the node. Below is a screenshot displaying the three links I have created for the COMPANY root.

Figure 6: dfs root and three links in the DFS mmc console

Publishing the root in Active Directory

By publishing dfs roots in AD as volume objects, network users will be able to search for shares more easily and administration can be delegated.

To do this, right click the desired dfs root, select Properties and go to the Publish tab. Enter the appropriate details in each box and press OK. In the keywords section you can specify certain words that will help locate the dfs root when it is being searched for.

Figure 7: publish tab in the dfs properties window

The dfs root will now be published in Active Directory.

File Replication Services

There are two types of replication:

- Automatic - which is only available for Domain DFS

- Manual - which is available for stand alone DFS and requires all files to be replicated manually.

The four ways in which replication can be achieved between two or more servers are:

- Ring

- Hub and Spoke

- Mesh

- Custom

The first three refer to network topologies and the last allows you to specify an advanced method of replication, which can be tuned to your needs.

The advantages and disadvantages of replication are as follows:

Advantages - client caching, integration with IIS, easy to administer and setup.

Disadvantages - limited configuration options, there is no method of programmatically initiating a replication session

Exercise 8: Install and configure Microsoft Certificate Server (MCS).

Solution : INSTALLING THE CERTIFICATE SERVER

The Microsoft Certificate Server (MCS) enables you to install the Certificate Server service as either its own Root Certificate Authority (Root CA) or as a service that will use an external (public) Certificate Authority (non-Root CA). These two configurations require very different configuration processes, and are mutually exclusive. Your Certificate Server can be either a Root CA or a non-Root CA, but not both.

Before you install the MCS on your server, you need to evaluate how you are going to use it. For example, if your use of the MCS is to provide your corporate intranet users with secure communications, then you would want to install the MCS as a Root CA, and issue your own self-signed certificates to your servers and users.

However, if you intend to use the MCS on your Internet server to provide your Internet users with secure communications so they can safely provide confidential purchasing information (such as credit card numbers), then you would want to install the MCS as a non-Root CA and obtain a validating certificate from an external CA such as VeriSign.

Because of the differences between installing the MCS for external (non-Root CA) and internal (Root-CA) use, we have described each of these uses separately later in this chapter, following the section on installation.

To install the Microsoft Certificate Server, you must install the Windows NT 4.0 Option Pack using the Custom option, and select the Certificate Server for installation. You have two distinct options for installing Certificate Server:

Installing MCS as a stand-alone Certificate Authority by specifying it as the Root CA (commonly used for intranet implementations)

Installing MCS to use a public Certificate Authority hierarchy by specifying it as a non-Root CA (commonly used for Internet servers)

This selection is significant in determining where the certificates supplied by MCS derive their validation (from your enterprise or from a public agency verifying your identity). This important option is selected in step 2 in the following list.

Note: Certificate Server cannot be installed on a Windows NT Server that is a Backup Domain Controller (BDC). The Certificate Server must either be installed on a Primary Domain Controller (PDC) or a stand-alone Server.

During the installation of the Windows NT 4.0 Option Pack, you are prompted with several dialog boxes to configure the Certificate Server settings.

The following list walks you through the dialog boxes used in installing Certificate Server:

1. Following the installation dialog boxes for SMTP, NNTP, and MSMQ (if selected), the Windows NT 4.0 Option Pack installation process switches to installing the Certificate Server, and you are prompted with several dialog boxes to configure Certificate Server settings. The first Certificate Server installation dialog box is shown in Figure 17-1.

You must set the following options in the Microsoft Certificate Server Setup dialog box:

The Configuration Data Storage Location must be set to a local directory that is shared on the network, so users can access and install certificates. The local pathname for this shared directory must be specified in full, including the drive letter (for example, D:\CertFile).

The Database Location folder defaults to the %systemroot%\system32\CertLog directory, but it can be modified by clicking Browse and selecting a different directory.

The Log Location folder also defaults to the %systemroot%\system32\CertLog directory, and may be changed by clicking Browse and selecting a different directory.

The Show Advanced Configuration checkbox, by default, is not selected, and the defaults for MCS specify that it will install as a Root CA. This default is acceptable only if you are going to use the MCS as a Root CA on your intranet. If you want to employ this installation of MCS on an Internet server, you will likely want to set up MCS as a non-Root CA and obtain a server certificate from a public CA source (such as VeriSign).

Note: This option is very important in the installation of MCS, because you cannot change from a Root CA to a non-Root CA without reinstalling.

The Show Advanced Configuration checkbox enables you to set up MCS as a non-Root CA or to modify any other Advanced option. If you want to configure MCS as a non-Root CA, in its subsequent dialog box select the Non-Root CA option.

Once you have selected the desired directories and enabled the Show Advanced Configuration option (if needed), click Next to continue.

2. If the Show Advanced Configuration checkbox is checked, the next dialog box, shown in Figure 17-2, will request you to set MCS as a Root or non-Root CA, as well as select a Cryptographic Services Provider (CSP) and a hash algorithm. In this version of Certificate Server, the Microsoft Base Cryptographic Provider is the only CSP option available, and the MD5 hashing algorithm is selected by default.

Note: As indicated by the README.TXT for Service Pack 4, do not use the HMAC hashing algorithm, or the MCS installation will fail.

This dialog box offers the following options:

A checkbox enabling you to use existing keys (not selected by default). This option is useful when restoring Certificate Server or when you want to use keys generated by other applications. When the Use Existing Keys option is enabled, the remaining options in the bottom half of the dialog box are disabled.

A checkbox option to remove existing certificate information, which is not selected by default. To remove existing certificate data, click the checkbox next to Erase all previous configuration information.

This Certificate Server installation will be automatically set as the default Certificate Server. To allow a different Certificate Server to be the default, clear the checkbox next to Make this Certificate Server the default.

The Certificate Authority Hierarchy is specified in this dialog box, and by default assigns the selected CSP Root Certificate Authority that creates a root certificate for the Certificate Authority. When the Root CA option is selected, the Certificate Server Configuration Wizard creates a public/private pair of keys and a self-signed root (signature) and key exchange certificates for your newly created Root CA.

If Non-Root CA is selected, a Root CA certificate is not generated, and only a CA certificate request file is created. The non-Root CA must be selected if you want to use a public CA certificate on this server for Internet applications.

Note: This non-Root CA certificate request file must be submitted to a CA (such as VeriSign or MCS) in order to generate a certificate. This externally validated non-Root CA certificate would be used in a CA hierarchy, though only limited support for CA hierarchies (for use with Exchange) is included in this version of MCS. Full support for CA hierarchies is planned for the Windows 2000 version of MCS. This certificate request file is not a server certificate request file, and does not contain a Common Name (that is, DNS name) value required for valid server certificates. You should use Key Manager to create a server certificate request file after you have completed the installation.

Once you have selected the desired options, click Next to continue.

3. In the next Certificate Server dialog box, shown in Figure 17-3, you are asked to provide the Certificate Authority name, organization, organizational unit, locality, state, country, and description for this Certificate Authority. Fill in the information for your enterprise and click Next to continue.

4. Upon completion of the identifying information, the Configuration Wizard does one of two things, depending upon the type of CA that was selected.

If a Root CA was selected, the Configuration Wizard creates the root (signature) and key exchange certificates for your newly created Root CA. The keys, certificates, and configuration data are handled in the following manner:

The keys are stored in the local machine’s key repository, and configuration information is written to the registry.

The certificates will be stored in the Configuration Data Storage Location specified in the first Certificate Server installation dialog box. You will be able to use these certificates for server and client authentication in support of SSL sessions for your Web sites.

The newly created CA certificate will be added to the Certificate Authority Certificate List Web page, which enables clients to install a CA certificate via their Web browser. This process is discussed in the “Installing a CA Certificate on the Client” section later in this chapter.

The Certificate Server configuration file is written to the Configuration Data Storage Location in a text file called CertSrv.txt.

If the Non-Root CA option is chosen, only a certificate request file is generated. The request file must be submitted to an external CA (such as VeriSign) in order to receive a root certificate. This process is discussed in the “Obtaining a Server Certificate from a Public CA” section later in this chapter.

The Certificate Server files are installed in the %systemroot%\system32 directory on the server. The Certificate Server enrollment and Web-based management tools are written to the %systemroot%\system32\CertSrv directory and the CertEnroll, CertControl, CertAdm, and CertQue subdirectories. The Certificate Authority certificates are written to the share specified in the Configuration Data Storage Location field of the first Certificate Server installation dialog box.

After you install the Certificate Server configuration settings, the Windows NT 4.0 Option Pack installation will continue.

USING MCS AS THE ROOT CA

In order to make SSL work on your NT Server with MCS as the Root CA, the following requirements must be met:

You must install Certificate Server and select the Root CA option which will install the self-signed Root CA certificate on your server.

You must then use Key Manager to create a key pair for the server, submit the key pair to Certificate Server to be automatically processed and installed, and then commit the changes in Key Manager. This is described in detail in the following section, “Creating the Key Pair and Server Certificate.”

Then, you must load IIS 4.0, go to the Web site Properties, select the Directory Security property sheet, bring up the Secure Communications dialog box, and click the Require Secure Channel checkbox.

Once the prerequisites are met, you will be able to use your browser to connect to the site. The site now requires an SSL connection (the URL must be prefaced with HTTPS://). You may receive a message telling you that the certificate issuer is unknown. If you click Yes when you receive this message, you will be connected to the site anyway. To avoid the unknown issuer message, have users download the CA certificate and add it to their browser.

In order to use certificates in support of SSL sessions, you must first create the encryption key pair. A key pair consists of a public key and a private key, which are used to negotiate a secured SSL connection between the Web server and client browser. The Key Manager is used to create the pair of keys that are required to create a server certificate.

Using the MCS as a Root CA, you can create the key pair and automatically submit the certificate request to the MCS, which generates the server certificate containing the server’s public key. You then bind the server certificate to the IP address and SSL port of your Web site, which enables users to create SSL connections to the site.

Exercise 9 : Install the Network Monitor Driver and show how to capture data with network monitor.

Solution :

To install the Network Monitor driver

1. Open Network Connections.
2. In Network Connections, click Local Area Connection, click the File menu, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, click Protocol, and then click Add.
5. In the Select Network Protocol dialog box, click Network Monitor Driver, and then click OK.
6. If you are prompted for additional files, insert the installation CD for your operating system, or type a path to the location of the files on the network.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

• To open Network Connections, click Start, click Control Panel, and then double-click Network Connections.

• Network Monitor Driver does not appear in the Select Network Protocol dialog box if the Network Monitor driver is already installed.

To capture network frames

1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by default.
3. On the Capture menu, click Buffer Settings, and then set the buffer and frame size as appropriate.
4. On the Capture menu, click Start.

To save captured frames to a file

1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by default.
3. On the Capture menu, click Buffer Settings, and then set the buffer and frame size as appropriate.
4. On the Capture menu, click Start.
5. To halt the data capture temporarily, on the Capture menu, click Pause.
6. To stop and view the data capture, on the Capture menu, click Stop and View.
7. On the File menu, click Save As.
8. Open the folder in which you want to store the file.
9. In the File Name box, specify a file name.
10. If necessary, do one of the following:

• To save a range of frames, in the From box, type the beginning frame number, and in the To box, type the ending frame number.

• To save only the frames that appear when the current display filter is in use, select the Filtered check box.

11. Click Save.

To set a capture trigger

1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by default.
3. On the Capture menu, click Trigger.
4. Do one of the following to specify trigger criteria:

• To initiate a trigger action when a specific ASCII or hexadecimal string appears in a frame, click Pattern match. In the Pattern box, type the string you want Network Monitor to detect, and then specify whether the pattern is in hexadecimal or ASCII. If you want, specify where Network Monitor should search for the pattern.

• To initiate a trigger action when a specific percentage of the capture buffer is full, click Buffer space, and then specify the percentage needed.

• To initiate a trigger action when Network Monitor detects a specific pattern in a frame after a specific percentage of the capture buffer becomes full, click Buffer space then pattern match, and specify the percentage and pattern needed.

• To initiate a trigger action when a specific percentage of the capture buffer becomes full after Network Monitor detects a specific pattern in a frame, click Pattern match then buffer space, and specify the pattern and percentage needed.

• To clear any capture triggers that have been set, click Nothing.

5. Do one of the following to specify a trigger action:

• To have the computer beep, click Audible Signal Only.
• To stop the capture, click Stop Capture.
• To run a command or a program, click Execute Command Line and specify the command or program that runs when the conditions for the trigger are met. To specify a program, type the path and the name of the program file, or click Browse and navigate to the program file. To use an MS-DOS command, such as copy, type CMD /K, and then type the command.
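The four trigger criteria above differ only in the order in which the pattern and buffer conditions must be met. The following Python model is an added example, not Network Monitor code; the mode names, the constructed 100-byte frames, and the rule that the buffer level is checked after each frame is stored are assumptions.

```python
from typing import Iterable, Optional

# Mode names are hypothetical labels for the dialog's trigger criteria.
MODES = ("nothing", "pattern", "buffer", "buffer_then_pattern", "pattern_then_buffer")


def parse_pattern(text: str, is_hex: bool) -> bytes:
    """Turn the Pattern box contents into bytes (hex digits or ASCII text)."""
    return bytes.fromhex(text) if is_hex else text.encode("ascii")


def frame_matches(frame: bytes, pattern: bytes, offset: Optional[int] = None) -> bool:
    """Search the whole frame, or compare at one byte offset when one is given."""
    if not pattern:
        return False
    if offset is None:
        return pattern in frame
    return frame[offset:offset + len(pattern)] == pattern


def first_trigger(frames: Iterable[bytes], mode: str, buffer_bytes: int,
                  pattern: bytes = b"", percent: int = 100,
                  offset: Optional[int] = None) -> Optional[int]:
    """Return the index of the frame at which the trigger fires, or None."""
    if mode not in MODES:
        raise ValueError("unknown trigger mode: " + mode)
    used = 0          # bytes held in the capture buffer so far
    armed = False     # pattern already seen (used by pattern_then_buffer)
    for index, frame in enumerate(frames):
        used = min(used + len(frame), buffer_bytes)
        full = used * 100 >= percent * buffer_bytes
        hit = frame_matches(frame, pattern, offset)
        if mode == "pattern" and hit:
            return index
        if mode == "buffer" and full:
            return index
        # The buffer level never drops, so "full and hit" means the pattern
        # arrived once the requested percentage had been reached.
        if mode == "buffer_then_pattern" and full and hit:
            return index
        if mode == "pattern_then_buffer":
            armed = armed or hit
            if armed and full:
                return index
    return None


def make_frame(payload: bytes, size: int = 100) -> bytes:
    """Constructed frame: 14 placeholder header bytes, payload, zero padding."""
    return (b"\x00" * 14 + payload).ljust(size, b"\x00")


# Constructed sample traffic: a cleartext login exchange, one command per frame.
SAMPLE_FRAMES = [make_frame(p) for p in (
    b"USER demo\r\n", b"PASS example\r\n", b"SYST\r\n", b"PWD\r\n",
    b"TYPE I\r\n", b"PASV\r\n", b"PASS example2\r\n", b"QUIT\r\n",
)]

if __name__ == "__main__":
    pat = parse_pattern("PASS", is_hex=False)
    for mode in MODES:
        print(mode, first_trigger(SAMPLE_FRAMES, mode, 1000, pat, percent=50))
```

With a Stop Capture action, the frame index returned is where the capture would end, which shows how much traffic after the matching frame each criterion keeps.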

To capture data in dedicated capture mode

1. Open Network Monitor.
2. If prompted, select the local network from which you want to capture data by default.
3. On the Capture menu, click Dedicated Capture Mode.
4. On the Capture menu, click Start.

Exercise 10: Implement different kinds of servers like File Server, Print Server, and Application Server. Learn different routine administration tasks for each kind of server.

Solution : File Server Overview

The File Server feature for Microsoft® Windows® CE .NET enables clients to access files and other resources over the network. The File Server feature uses the Common Internet File System (CIFS), which is an extension of the Server Message Block (SMB) file sharing protocol. CIFS enables a network-enabled application to access and manipulate files and directories on a remote server in the same way that the application accesses and manipulates files and directories on the local system.

Session 7: Windows 2000: Advanced Networking

Exercise 1: Implement different Groups in a Workgroup and in a Domain also.

A Windows-based computer network can be a workgroup (peer-to-peer) or a domain (client/server). You can make your computer part of a workgroup or a domain. If you have a centralized server, your computer will be part of the domain; if you have no server, all computers will use peer-to-peer networking. In both cases, when joining your computer to a domain or a workgroup, always assign unique, sequenced, memorable and meaningful names to the computers. Do not use duplicate names or special characters such as / \ * , :. To join a computer to a domain or workgroup in Windows 2000 and Windows XP Professional, do the following.

1) Right-click My Computer.
2) Click Properties.
3) Click Computer Name.
4) In Workgroup or domain, enter the name of the workgroup or domain.

If everything is correct (unique computer name, unique IP address, correct workgroup or domain name), your computer will become part of the workgroup or domain within a few seconds. You will see a welcome to the domain or workgroup message and will be prompted to restart the computer.

Exercise 2: Show how you can enhance the feature and strength of file and print servers with Active Directory.

On a networked computer, file and printer sharing is a must. To enable file and folder sharing in Windows XP Professional and Windows 2000, do the following.

1) Right-click the folder name you want to share.
2) Click Properties.
3) Click Sharing.
4) Click Share this computer on the network.
5) Assign a shared computer name.

You can set the sharing rights for the users and also control the shared folder access by allowing and denying permissions to specific users or groups. If you want to share the individual files, you can put the files in the same shared folder. All the files and folders in the parent shared folder will be automatically shared.

Exercise 3: Install the routing and remote access services for IP Routing.

Installing Routing and Remote Access Service

During Routing and Remote Access Service Setup, you can install the Routing and Remote Access Service files on the same computer on which you downloaded the files, or you can download the files and then install Routing and Remote Access Service on another computer. To set up Routing and Remote Access Service by downloading from the Web, see "Downloading and Installing Routing and Remote Access Service from the Web." To set up Routing and Remote Access Service on another computer, see "Installing Routing and Remote Access Service by Using a Network Connection to the Setup Files."

Downloading and Installing Routing and Remote Access Service from the Web

To download and install Routing and Remote Access Service from the Web, you need to follow the steps outlined in the following sections:

• Download the Routing and Remote Access Service files
• Install Routing and Remote Access Service options
• Finish installation if you install a RAS Server

Download the Routing and Remote Access Service Files

1) In your Web browser, go to Routing and Remote Access Service Update for Windows NT Server 4.0.
2) Follow the instructions on the screen to download the Routing and Remote Access Service installation files to your computer. Specify the path and directory where you want to put the Routing and Remote Access Service installation files. These files are kept on your computer for future configuration or installations.

After copying the files to a directory on your computer, you can then continue Setup and install Routing and Remote Access Service, or you can exit Setup to install Routing and Remote Access Service at a later time or on another computer.

Install Routing and Remote Access Service Options

During Routing and Remote Access Service Setup the dialog box shown in Figure 2.1 appears automatically.

Figure 2.1 Setting Routing and Remote Access Service options

You can use this dialog box to install any or all of the options described in Table 2.3. If you do not install an option, such as Remote access service, and you later want this functionality, you must run mprsetup again to install it. For information on how to use this command, see the procedure "Run Setup" in the section "Installing Routing and Remote Access Service by Using a Network Connection to the Setup Files" later in this chapter.

Table 2.3 Routing and Remote Access Service Installation Options

Option | Effect if selected
Remote access service | Installs support for client dial-up networking.
LAN routing | Installs support for LAN-to-LAN routing (including WAN cards that support LAN emulation).
Demand-dial routing | Installs support for routing over WANs and dial-up media, such as ISDN and PPTP.

Finish Installation If you Install a RAS Server

If you install Remote Access Service (RAS), you must configure additional Setup dialog boxes. Additionally, you can choose to use Remote Authentication Dial-In User Service (RADIUS) authentication instead of Windows NT authentication to authenticate remote clients.

1) In the Add RAS Device dialog box, select the remote access devices, such as modems or PPTP VPNs, that you want to use for demand-dial routing and RAS, and click OK.
2) In the Routing and Remote Access Setup dialog box, click Network.
3) In the Network Configuration dialog box, select the network protocols (IP or IPX) you want to use for your router.
4) If you want to use RADIUS authentication, in the Authentication provider box, click the RADIUS option and click Configure. You can then select and configure RADIUS servers to use as your provider.
5) In the Routing and Remote Access Setup dialog box, click Continue.

After you have finished installing Routing and Remote Access Service, the Routing and RAS Admin tool is installed in your Start/Programs/Administrative Tools (Common) folder. Any network adapters that you have installed automatically appear as interfaces in Routing and RAS Admin. If you plan to use routing protocols, you must add the protocols and then add interfaces to them before you can begin to use the Windows NT router. For more information on how to add these see Chapter 3, "Administering Routing and Remote Access Service."

Installing Routing and Remote Access Service by Using a Network Connection to the Setup Files

You can download the files as described in "Downloading and Installing Routing and Remote Access Service from the Web," and then install Routing and Remote Access Service on another computer. Although you can download the Routing and Remote Access Service files to any client or workstation computer, Routing and Remote Access Service can be installed only on a computer running Windows NT Server. To install Routing and Remote Access Service on another computer, you need to follow the steps outlined in the following sections:

• Copy Setup files
• Run Setup

Copy Setup Files

Copy the file mprsetup.exe from the directory where you stored the installation files to Systemroot\System32 on your computer running Windows NT Server.

Run Setup

1) On the computer running Windows NT Server, open a Command Prompt window.
2) Run mprsetup and type the path to the installation files. For example, type: mprsetup \\Computername\Share

Exercise 4: Install the RIP and OSPF protocols.

Configuring RIP interface properties

Next, you need to configure RIP’s properties. If you’ve just specified an interface for RIP, Windows 2000 automatically pops up the property sheet for the interface. Otherwise, select the RIP branch and then right-click the interface and choose Properties. The General page lets you configure several properties, as shown in Figure A.

The Operation Mode property specifies the way in which RIP updates routes. The Auto-Static Update Mode option configures RIP to send out route announcements only when adjacent routers request an update. Routes learned through Auto-Static Mode are treated as static routes and are not removed from the routing table even if the router is rebooted, although you can manually remove the routes. Auto-Static Update Mode is the default mode used for demand-dial interfaces.

The second option for operation mode is Periodic Update Mode. When you enable this option, RIP automatically generates RIP announcements at a predefined interval (configured through the Periodic Announcement Interval on the Advanced property page). Any routes added using this mode are handled as RIP routes and are flushed when the router is rebooted. They must be added again through RIP advertisements. Periodic Update Mode is the default mode for LAN interfaces.

The Outgoing Packet Protocol property specifies the protocol that RIP uses for outgoing RIP announcements. If all adjacent routers support RIP v2, select RIP Version 2 Multicast. In a mixed environment where RIP v1 and RIP v2 routers are present, select RIP Version 2 Broadcast. You can’t use the multicast option in this scenario because RIP v1 doesn’t support multicast announcements. If none of the adjacent routers supports RIP v2, select RIP Version 1 Broadcast. The final option, Silent RIP, prevents the router from generating RIP announcements and causes it to operate in Listen-Only Mode. In this mode, the router listens for RIP announcements from other routers and updates its routing table based on those RIP announcements, but it doesn’t broadcast its own announcements.

The Incoming Packet Protocol property specifies the protocol the router uses for incoming packets. Select an option based on the capabilities of the adjacent routers. Or select Ignore Incoming Packets if you want the router to ignore RIP announcements from adjacent routers. This option places the router in Announce-Only Mode.

Use the Added Cost For Routes property to modify the cost for the route. You would increase this number to increase the cost of the route and direct traffic through other, less costly routes when possible. Keep in mind that RIP is limited to a maximum of 15 hops, and routes with an effective cost of more than 15 are considered unreachable.

The Tag For Announced Routes property lets you assign a tag number to be included with all RIP announcements. Inclusion of a tag number is applicable only to RIP v2. The tag is used to mark specific routes for administrative purposes and is generally not required.

Advanced options

The Advanced property page for a RIP interface, shown in Figure B, offers several options. I’ll look at each of these options.

Periodic Announcement Interval: This value specifies the frequency of RIP announcements from the local router. This value is used in conjunction with Periodic Update Mode, which you set through the General property page for the RIP interface. You can specify a value in seconds between 15 seconds and 24 hours.

Time Before Routes Expire: This setting specifies the time-to-live (TTL) for routes that are learned from other routers through RIP. Routes that do not update before they exceed the specified TTL are marked as invalid. As with the announcement interval, this setting is applicable only with Periodic Update Mode.

Time Before Route Is Removed: Use this setting to specify the amount of time a route will remain in the routing table before it expires and is removed. Valid values are between 15 seconds and 72 hours. This setting is applicable only with Periodic Update Mode.

Enable Split-Horizon Processing: This option, when enabled, prevents routes learned on a given network from being announced on that same network. Deselecting the option allows those routes to be announced.

Enable Poison-Reverse Processing: Use this option to assign a metric of 16 to those routes learned on a given network that are announced on the same network. Assigning a metric higher than 15 marks the routes as unreachable.

Enable Triggered Updates: Use this option to allow the router to generate triggered updates, as discussed earlier.

Send Clean-Up Updates When Stopping: Selecting this option causes the local router to broadcast RIP announcements for all routes with a metric of 15 to indicate to adjacent routers that the routes are unreachable. When the router comes back up, it generates additional announcements that reannounce the routes with their default metrics, making them available again.

Process Host Routes In Received Announcements: Use this option to include host routes received in incoming RIP announcements. By default, host routes are ignored.

Include Host Routes In Sent Announcements: Use this option to include host routes in outgoing RIP announcements. By default, host routes are not included.

Process Default Routes In Received Announcements: Use this option to include default routes learned through incoming RIP announcements. By default, the default routes are ignored. Enabling this option could result in the router being disabled if the default routes learned through RIP are not applicable to the local router. So, use this option with discretion and only if the default routes apply to all routers on the interface.

Include Default Routes In Sent Announcements: Use this option to include default routes in outgoing RIP announcements. See the previous item for an explanation of why this can cause problems.

Disable Subnet Summarization: Use this option to prevent subnet routes from being summarized by class-based network ID for outgoing RIP announcements generated to networks that are not part of the same class-based network. Subnet summarization can improve routing performance by, in effect, sorting the routes. Subnet summarization requires that all adjacent routers support either RIP v2 Broadcast or RIP v2 Multicast. The option is disabled by default.
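How the interface options above interact when a router accepts and sends announcements, as an added Python model (not Windows 2000 Routing and Remote Access code). The class, function and interface names and the sample prefixes are constructed, the option values are example choices, and a route that becomes unreachable is deleted at once instead of being aged out by the timers.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # metric that marks a route unreachable; 15 is the largest usable cost


@dataclass
class RipOptions:
    """Per-interface settings named after the property pages (example values)."""
    added_cost: int = 1
    split_horizon: bool = True
    poison_reverse: bool = False
    process_host_routes: bool = False
    process_default_routes: bool = False
    include_host_routes: bool = False
    include_default_routes: bool = False


@dataclass
class Route:
    metric: int
    learned_on: Optional[str]  # interface the route was learned on; None = local route


def kind(prefix: str) -> str:
    """Classify a prefix as a default route, a host route or a network route."""
    net = ip_network(prefix)
    if net.prefixlen == 0:
        return "default"
    return "host" if net.prefixlen == net.max_prefixlen else "network"


def process_received(table: Dict[str, Route], iface: str,
                     announcement: List[Tuple[str, int]], opts: RipOptions) -> List[str]:
    """Apply one received announcement; return the prefixes whose entry changed."""
    changed = []
    for prefix, metric in announcement:
        k = kind(prefix)
        if k == "host" and not opts.process_host_routes:
            continue  # host routes are ignored unless the option is enabled
        if k == "default" and not opts.process_default_routes:
            continue  # default routes are ignored unless the option is enabled
        cost = min(metric + opts.added_cost, INFINITY)
        current = table.get(prefix)
        if current is None:
            if cost < INFINITY:
                table[prefix] = Route(cost, iface)
                changed.append(prefix)
        elif current.learned_on == iface and cost != current.metric:
            if cost >= INFINITY:
                del table[prefix]      # withdrawn by the network it came from
            else:
                current.metric = cost  # same source, new cost
            changed.append(prefix)
        elif cost < current.metric:
            table[prefix] = Route(cost, iface)  # cheaper path through this interface
            changed.append(prefix)
    return changed


def build_announcement(table: Dict[str, Route], iface: str,
                       opts: RipOptions) -> List[Tuple[str, int]]:
    """Routes to announce on iface after split horizon / poison reverse."""
    out = []
    for prefix in sorted(table):
        route, k = table[prefix], kind(prefix)
        if k == "host" and not opts.include_host_routes:
            continue
        if k == "default" and not opts.include_default_routes:
            continue
        metric = route.metric
        if route.learned_on == iface:
            if opts.poison_reverse:
                metric = INFINITY      # announce back as unreachable
            elif opts.split_horizon:
                continue               # do not announce back at all
        out.append((prefix, metric))
    return out


def demo_table(opts: Optional[RipOptions] = None) -> Dict[str, Route]:
    """Two local networks plus one constructed announcement received on lan1."""
    table = {"10.0.1.0/24": Route(1, None), "10.0.2.0/24": Route(1, None)}
    received = [("10.0.3.0/24", 2), ("10.0.4.0/24", 15),
                ("10.0.9.7/32", 1), ("0.0.0.0/0", 1)]
    process_received(table, "lan1", received, opts or RipOptions())
    return table


if __name__ == "__main__":
    t = demo_table()
    print(t)
    print(build_announcement(t, "lan1", RipOptions()))
    print(build_announcement(t, "lan1", RipOptions(poison_reverse=True)))
```

Calling demo_table with process_default_routes=True installs the neighbour's 0.0.0.0/0 route, which is the case the Process Default Routes In Received Announcements item above says to use with discretion.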

Exercise 5: Configure web-based printer.

How to Connect to a Printer Using a Web Browser

To connect to a printer using a Web browser, follow these steps:

1) Start Internet Explorer.
2) In the Address box, type the address of the printer:

o If you do not know the name of the printer to which you want to connect, type the following address, where print_server is the name of the print server: http://print_server/printers/

For example, to view a list of all of the printers that are located on a print server that is named "MyPrintServer," type the following address:

http://myprintserver/printers/

A list of all of the printers on the print server is displayed in your browser window. In the list of available printers, click the name of the printer to which you want to connect.

o If you know the name of the printer to which you want to connect, type the address of the printer using the following format, where print_server is the name of the print server and printer is the name of the printer: http://print_server/printer/

For example, if you want to go directly to the page of a printer that is named "Laser" that is shared from a server that is named "MyPrintServer," type the following address: http://MyPrintServer/Laser/

3) To connect to the printer, click Connect under Printer Actions. When you connect to the printer, the print server downloads the appropriate printer driver to your computer. After the installation is complete, the printer's icon is added to the Printers folder on your computer. You can use, monitor, and administer the printer as if it were attached to your computer.

1) Open Printers.
2) Double-click Add Printer to start the Add Printer wizard, and then click Next.
3) Click Network printer, and then click Next.
4) Connect to the desired printer by:
o Searching for it in the Active Directory.
o Typing its name using the following format, or clicking Next to locate the printer on the network:
o Typing its URL using the following format:
5) Follow the instructions on the screen to finish connecting to the network printer.

Exercise 6: Install and configure Terminal Services.

To Install Terminal Services

1) Insert the Windows 2000 Server CD-ROM into the CD-ROM or DVD-ROM drive.

2) If a dialog box appears automatically after you insert the CD-ROM, click Install Add-on Components. If no dialog box appears, click Start, point to Settings, and then click Control Panel. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.

3) In the list of components, click to select the Terminal Services check box.
4) Click to clear the Terminal Services Licensing check box if it is selected. You do not need this service for Remote Administration mode. Click Next.
5) Click Remote Administration Mode, and then click Next.
6) The Terminal Services Wizard runs and installs Terminal Services. Close the wizard when it is finished, and then reboot your computer if you are prompted to do so.

Connecting to Terminal Services

To connect to Terminal Services running on a server, you must use a Terminal Services client. The client is available on the server on which you installed Terminal Services, in the following folder:

%SystemRoot%\System32\Clients\Tsclient\Net\Win32

Create a share on your server so that you can easily install the client on any computer.

To Create a Share on Your Server

1) Use Windows Explorer to locate the %SystemRoot%\System32\Clients\Tsclient\Net\Win32 folder. Note that %SystemRoot% may be the C:\Winnt folder.

2) Right-click the Win32 folder, and then click Sharing.
3) On the Sharing tab, click Share this folder.
4) Change the share name to TSClient.
5) Click Permissions.
6) Click to clear the Full control and Change check boxes. Only the Read permission should be selected.
7) Click OK, and then click OK.

To Install the Terminal Services Client

1) Connect to the \\Servername\TSClient share that you created earlier.
2) Double-click Setup.exe.
3) Click Continue in the dialog box that appears, and then type your name and organization in the next dialog box.
4) Click I agree (if you agree) when you see the license agreement.
5) Click the large button in the next dialog box. You can change the installation path first, if you want to.
6) Click Yes when you are prompted whether you want all users to have the same initial settings.

Using the Terminal Services Client

Before you can manage your Terminal Services servers remotely, you must create a connection to these servers. This procedure uses the Client Connection Manager tool to create icons for all of the Terminal Services servers you want to manage.

To Create a Connection to the Terminal Services Server

1) Click Start, point to Programs, point to Terminal Services Client, and then click Client Connection Manager.

2) When the Client Connection Manager Wizard starts, click Next.
3) In the Connection name box, type a descriptive name for the connection.
4) In the Server name or IP address box, type the server's name or IP address, or click Browse to search for the server. When you are done, click Next.
5) Leave all automatic logon information blank. Using automatic logon information might present a security problem if a non-administrator has access to the computer from which you run the client. Click Next.

6) Click a screen resolution that is appropriate for you. It is best to use the largest area you can select (the client does not let you select an area that is larger than your local screen can display). Do not select Full screen at this time; you can toggle between windowed and full screen modes later. Leaving the initial connection in a window helps reinforce the fact that you are working on a remote computer rather than your local workstation. Click Next.

7) Leave the Enable data compression and Cache bitmaps check boxes clear. They are useful only if you are working over a slow dial-up link. Click Next.

8) Leave the Start the following program check box clear. You want the client to display the server's desktop. Click Next. Change the icons if you want to. Click Next. Click Finish to complete the wizard.

This process creates an icon for your server. Double-clicking the icon connects you to the server. You can also right-click the icon to change the connection properties if you need to.

To Connect to the Server Using Terminal Services

1) Double-click the server icon in Client Connection Manager.

2) The Terminal Services client window appears and displays the server's logon dialog box. You might need to double-click the window's title bar to see it all.

3) Type an appropriate set of credentials to log on to the server. Typically, you will log on as some kind of administrator (local, domain, or enterprise).

4) If you use correct credentials, you see the server's desktop.

Exercise 7: Create a Remote Access Policy. Show how you can change the Remote Access Logging setting.

1> To create a remote access server, follow these steps:

1) Click Start, point to Settings, and then click Network And Dial-up Connections.

2) Click Make New Connection to start the Network Connection Wizard, and then click Next.

3) Click Accept Incoming Connections, and then click Next.
4) Click to select one or more check boxes for connection devices.
5) For each selected device, click Properties, configure the connection, and then click OK.
6) Click Next.
7) Click either Allow Virtual Private Connections or Do not allow virtual private connections, and then click Next.
8) Click the type of users that are allowed to connect to the server, and then click Next.
9) Click to select the network component options you want to enable for incoming connections, and then click Next.
10) Type the name for the connection in the box, and then click Finish.

Exercise 8: Install the routing and remote access services as VPN server. Create a VPN Remote Access policy also.

How to Install and Enable VPN

To install and enable a VPN server, follow these steps:

1) On the Microsoft Windows 2000 VPN computer, confirm that both the connection to the Internet and the connection to your local area network (LAN) are correctly configured.

2) Click Start, point to Administrative Tools, and then click Routing and Remote Access.

3) Click the server name in the tree, and click Configure and Enable Routing and Remote Access on the Action menu, and then click Next.

4) In the Common Configurations dialog box, click Virtual private network (VPN server), and then click Next.

5) In the Remote Client Protocols dialog box, confirm that TCP/IP is included in the list, click Yes, all of the available protocols are on this list, and then click Next.

6) In the Internet Connection dialog box, select the Internet connection that will connect to the Internet, and then click Next.

7) In the IP Address Assignment dialog box, select Automatically in order to use the DHCP server on your subnet to assign IP addresses to dialup clients and to the server.

8) In the Managing Multiple Remote Access Servers dialog box, confirm that the No, I don't want to set up this server to use RADIUS now checkbox is selected.

9) Click Next, and then click Finish.
10) Right-click the Ports node, and then click Properties.
11) In the Ports Properties dialog box, click the WAN Miniport (PPTP) device, and then click Configure.
12) In the Configure Device - WAN Miniport (PPTP) dialog box, do one of the following:
o If you do not want to support direct user dialup VPN to modems installed on the server, click to clear the Demand-Dial Routing Connections (Inbound and Outbound) check box.
o If you do want to support direct user dialup VPN to modems installed on the server, click to select the Demand-Dial Routing Connections (Inbound and Outbound) check box.
13) Type the maximum number of simultaneous PPTP connections that you want to allow in the Maximum Ports text box. (This may depend on the number of available IP addresses.)
14) Repeat steps 11 through 13 for the L2TP device, and then click OK.

How to Configure the VPN Server

To further configure the VPN server as required, follow these steps.

Configuring the Remote Access Server as a Router

For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server.

To configure the server as a router:

1) Click Start, point to Administrative Tools, and then click Routing and Remote Access.

2) Right-click the server name, and then click Properties.
3) On the General tab, click to select Enable This Computer As A Router.
4) Select either Local area network (LAN) routing only or LAN and demand-dial routing, and then click OK to close the Properties dialog box.

How to Configure PPTP Ports

Confirm the number of PPTP ports that you need. To verify the number of ports or to add ports, follow these steps:

1) Click Start, point to Administrative Tools, and then click Routing and Remote Access.

2) In the console tree, expand Routing and Remote Access, expand the server name, and then click Ports.

3) Right-click Ports, and then click Properties.
4) In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.
5) In the Configure Device dialog box, select the maximum number of ports for the device, and then select the options to specify whether the device accepts incoming connections only, or both incoming and outgoing connections.

How to Manage Addresses and Name Servers

The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client.

For Windows 2000-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool. The VPN server must also be configured with name resolution servers, typically DNS and WINS server addresses, to assign to the VPN client during IPCP negotiation.

How to Manage Access

Configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections.

Access by User Account

If you are managing remote access on a user basis, click Allow Access on the Dial-In tab of the user's Properties dialog box for those user accounts that are allowed to create VPN connections. If the VPN server is allowing only VPN connections, delete the default remote access policy called "Allow Access If Dial-In Permission Is Enabled." Then create a new remote access policy with a descriptive name, such as VPN Access If Allowed By User Account. For more information, see Windows 2000 Help.

CAUTION: After you delete the default policy, a dial-up client that does not match at least one of the policy configurations you create will be denied access.

If the VPN server is also allowing dial-up remote access services, do not delete the default policy, but move it so that it is the last policy to be evaluated.

Access by Group Membership

If you are managing remote access on a group basis, click the Control access through remote access policy radio button on all user accounts by using the Active Directory Users and Computers console in Administrative Tools or the MMC snap-in. Create a Windows 2000 group with members who are allowed to create VPN connections. If the VPN server allows only VPN connections, delete the default remote access policy called Allow Access If Dial-In Permission Is Enabled. Next, create a new remote access policy with a descriptive name such as VPN Access If Member Of VPN-Allowed Group, and then assign the Windows 2000 group to the policy.

If the VPN server also allows dial-up networking remote access services, do not delete the default policy; instead move it so that it is the last policy to be evaluated.
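Why the default policy has to be deleted or moved last follows from how the ordered list is evaluated. The sketch below is an added example, not part of the lab manual: it assumes first-match evaluation, assumes the default policy matches every attempt and carries a Deny permission, and uses a constructed group name (VPN-Allowed) and constructed users.

```python
from dataclasses import dataclass
from typing import Callable

DEFAULT_POLICY_NAME = "Allow Access If Dial-In Permission Is Enabled"
VPN_POLICY_NAME = "VPN Access If Member Of VPN-Allowed Group"


@dataclass(frozen=True)
class User:
    name: str
    dial_in: str                      # "allow", "deny" or "policy" (Dial-In tab)
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable                 # (user, connection_type) -> bool
    grant: bool                       # permission carried by the policy


def evaluate(policies, user, connection_type):
    """Return (granted, name of the deciding policy or None).

    Assumed model: policies are tried in order and the first one whose
    conditions match decides. The user's own dial-in setting overrides
    the policy permission unless it is "policy" (Control access through
    remote access policy). No matching policy means the attempt is denied.
    """
    for policy in policies:
        if not policy.matches(user, connection_type):
            continue
        if user.dial_in == "deny":
            return (False, policy.name)
        if user.dial_in == "allow":
            return (True, policy.name)
        return (policy.grant, policy.name)
    return (False, None)


# Assumption: the default policy matches any attempt and denies by policy.
DEFAULT_POLICY = Policy(DEFAULT_POLICY_NAME, lambda user, kind: True, grant=False)
VPN_GROUP_POLICY = Policy(
    VPN_POLICY_NAME,
    lambda user, kind: kind == "vpn" and "VPN-Allowed" in user.groups,
    grant=True,
)

# Constructed users.
ALICE = User("alice", "policy", frozenset({"VPN-Allowed"}))  # VPN group member
BOB = User("bob", "policy")                                   # not in the group
CAROL = User("carol", "allow")                                # dial-up user

VPN_ONLY = [VPN_GROUP_POLICY]                    # default policy deleted
MIXED_OK = [VPN_GROUP_POLICY, DEFAULT_POLICY]    # default policy moved last
MIXED_WRONG = [DEFAULT_POLICY, VPN_GROUP_POLICY] # default policy left first

if __name__ == "__main__":
    for label, order in (("VPN only", VPN_ONLY), ("default last", MIXED_OK),
                         ("default first", MIXED_WRONG)):
        for user, kind in ((ALICE, "vpn"), (BOB, "vpn"), (CAROL, "dialup")):
            print(label, user.name, kind, evaluate(order, user, kind))
```

With the default policy left first, the group member is rejected before the group policy is ever consulted; with it deleted, the dial-up user matches nothing and is denied, which is the case the CAUTION describes.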

How to Configure a VPN Connection from a Client Computer

To set up a connection to a VPN:

1) On the client computer, confirm that the connection to the Internet is correctly configured.

2) Click Start, point to Settings, and then click Network And Dial-Up Connections.

3) Double-click Make New Connection.
4) Click Next, and then click Connect To A Private Network Through The Internet, and then click Next.
5) Do one of the following:
o If you use a dial-up connection to connect to the Internet, click Automatically Dial This Initial Connection and then select your dial-up Internet connection from the list.
o If you use a full-time connection (such as a cable modem), click Do Not Dial The Initial Connection.
6) Click Next.
7) Type the host name (for example, Microsoft.com) or the IP address (for example, 123.123.123.123) of the computer to which you want to connect, and then click Next.
8) Click to select For All Users if you want the connection to be available to anyone who logs on to the computer, or click to select Only For Myself to make it available only when you log onto the computer, and then click Next.
9) Type a descriptive name for the connection, and then click Finish.
10) Click Start, point to Settings, and then click Network And Dial-Up Connections.
11) Double-click the new connection.
12) Click Properties to further configure options for the connection:
o If you are connecting to a domain, click the Options tab, and then click to select the Include Windows logon domain check box to specify whether to request Windows 2000 logon domain information before attempting to connect.
o If you want the connection to be redialed if the line is dropped, click the Options tab, and then click to select the Redial if line is dropped check box.

To use the connection:

1) Click Start, point to Settings, and then click Network And Dial-Up Connections.

2) Double-click the new connection.
3) If you do not currently have a connection to the Internet, Windows offers to connect to the Internet.
4) Once the connection to the Internet is made, the VPN server prompts you for your user name and password. Enter your user name and password, click Connect, and your network resources should be available to you in the same way they are when you connect directly to the network.

NOTE: To disconnect from the VPN, right-click the connection's icon, and then click Disconnect.

Exercise 9: Install and configure a Web server.

Installing Internet Information Services

Microsoft Internet Information Services (IIS) is the Web service that is integrated with Windows 2000. To install IIS:

1) Click Start, point to Settings, and then click Control Panel.
2) In Control Panel, double-click Add/Remove Programs.
3) Click Add/Remove Windows Components.
4) In the Windows Components Wizard, select the Internet Information Services (IIS) check box, and then click Details.
5) Clear all the check boxes, and then select the following check boxes:
o Common Files
o Documentation
o FrontPage 2000 Server Extensions
o Internet Information Services Snap-In
o Internet Services Manager
o World Wide Web Server
6) Click OK, and then on the Windows Components page, click Next. If you are prompted to do so, insert the Windows 2000 CD-ROM, and then click OK.
7) On the "Completing the Windows Components Wizard" page, click Finish.
8) In the Add/Remove Programs dialog box, click Close.

Configuring Anonymous Authentication

1) Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager. (In Windows 2000 Professional, you can start Administrative Tools from Control Panel.)

2) Right-click * server name (where server name is the name of the server), and then click Properties.

3) In the Master Properties box, click WWW Service (if it is not already selected), and then click the Edit button that is next to the Master Properties box.

4) Click the Directory Security tab.
5) Under Anonymous access and authentication control, click Edit.
6) Under Authenticated access, select the Integrated Windows authentication check box.
7) Select the Anonymous access check box, and then click Edit. Note the user account in the Username box. This account is used by Windows to authenticate anonymous users when they browse the Web site.
8) Click OK, click OK, click OK, and then click OK.

Basic Web Site Configuration

1) Start Internet Services Manager.
2) In the Tree list, expand * server name (where server name is the name of the server).
3) Right-click Default Web Site, and then click Properties.
4) If you have multiple IP addresses assigned to your computer, click the IP address that you want to assign to this Web site in the IP Address box.
5) If you do not want unlimited connections to the Web site, click Limited To, and then type the number of concurrent connections that you want.
6) Click the Performance tab.
7) Move the Performance tuning slider to the position that you want.
8) If you want to limit the amount of network bandwidth that is available for connections to this Web site, select the Enable bandwidth throttling check box, and then type the amount that you want in the Maximum network use box.

9) If you want to limit the amount of computer processing time spent servicing requests for content on this Web site, select the Enable process throttling check box, and then type the amount that you want in the Maximum CPU use box.

This prevents the Web site from consuming too much processor time to the detriment of other computer processes.

10) Click the Home Directory tab.
o If you want to use Web content that is stored on the local computer, click A directory located on this computer, and then type the path that you want in the Local Path box. For example, the default path is C:\Inetpub\wwwroot.
o If you want to use Web content that is stored on a different computer, click A share located on another computer, and then type the location that you want in the Network Directory box that appears.
o If you want to use Web content that is stored on another Web address, click A redirection to a URL, and then type the location that you want in the Redirect to box. Under The client will be sent to, select the appropriate check box.

11) Click the Documents tab. Note the list of documents that IIS can use as the default start documents. If you want to use Index.html as your start document, you must add it. To do this:

o Click Add.
o In the Add Default Document dialog box, type Index.html, and then click OK.
o Click the up-arrow button until Index.html is displayed at the top of the list.

12) Click the Operators tab. Note the user accounts that have operator privileges on this Web site. Click Add to add additional user accounts to operate this Web site. Click OK to return to the Internet Information Services window.
13) Right-click Default Web Site, and then click Stop.
14) Right-click Default Web Site, and then click Start.

Exercise 10: Create two global groups and configure so that users from both groups should be able to access some common folders.

Groups with Global Scope

Global groups, effectively the same as Windows NT global groups, have the following features:

o Mode. Global groups exist in both mixed-mode and native-mode domains.
o Membership. Global groups can have members from within their own domain (only).
o Permissions. Although a global group is limited to domain-wide scope as far as membership goes, it can be made a member of machine or domain local groups or granted permissions in any domain (including trusting domains in other forests and down-level domains with which a trust relationship exists). That is, groups with global scope can be put into other groups in any trusting domain.

Using Global Groups

Groups with global scope help you manage directory objects that require daily maintenance, such as user and computer accounts.

Use global groups to collect users or computers that are in the same domain and share the same job, organizational role, or function. For example, "Full-time employees," "Managers," "RAS Servers" are all possible global groups. Because group members typically need to access the same resources, make these global groups members of domain local or machine local groups, which, in turn, are listed on the DACL of needed resources. Membership of these groups can be efficiently managed by administrators of user domains, because these administrators are familiar with the functions and roles played by users and computers in their domain.

Groups with Universal Scope

Universal groups, a new feature of the Windows 2000 operating system, have the following features:

o Mode. Universal groups are available only in native-mode domains.
o Membership. Universal groups can have members from any Windows 2000 domain in the forest. (Universal groups can contain members from mixed-mode domains in the same forest, but this is not recommended. Members from such domains cannot have the universal group's SID added to their access token because universal groups are not available in mixed-mode domains. Therefore, troubleshooting access problems would be difficult.)
o Permissions. Universal groups can be granted permissions in any domain, including in domains in other forests with which a trust relationship exists.

Using Universal Groups

A small organization can use universal groups to implement a relatively simple group structure. If you choose to use groups with universal scope in a multi-domain environment, these groups can help you represent and consolidate groups that span domains. For example, you might use universal groups to build groups that perform a common function across an enterprise.

Although few organizations will choose to implement this level of complexity, you can add user accounts to groups with global scope, nest these groups within groups having universal scope, and then make the universal group a member of a domain local (or machine local) group that has access permissions to resources. Using this strategy, any membership changes in the groups having global scope do not affect the groups with universal scope.

A useful guideline is to designate widely used groups that seldom change as universal groups. The reasons for this approach are explained next.

Group Scope and Replication Traffic

Groups having universal scope—and all of their members—are listed in the global catalog. Whenever one member of a group with universal scope changes, the entire group membership must be replicated to all global catalogs in the domain tree or forest. Therefore, if you use groups with universal scope, use them in situations where the membership of the group does not change frequently.

Groups having global or domain local scope are also listed in the global catalog, but their individual members are not listed. Using these groups thus reduces the size of the global catalog and reduces the replication traffic needed to keep the global catalog up-to-date. Therefore, use groups with global or domain local scope if the group membership changes frequently.

Session 8: Windows 2000: Security

Exercise 1: Enable and configure IPsec policy on local computer. (Also enable and configure IPsec policy for an entire domain.)

How to create a new IPSec policy

1. Open the IP Security Policy Management console.
2. Right-click IP Security Policies and then select Create IP Security Policy from the shortcut menu.
3. The IP Security Policy Wizard initiates.
4. Click Next on the IP Security Policy Wizard Welcome page.
5. On the IP Security Policy Name page, provide a name and a description for the new IPSec policy, and then click Next.
6. On the Requests for Secure Communication page, you can leave the Activate the default response rule option selected, or you can deselect the option. Click Next.
7. On the Default Rule Authentication Method page, set the authentication method for the security rule, and then click Next.
8. On the Completing the IP Security Policy Wizard page, select the Edit properties option, and then click Finish.
9. The IP Security Policy Properties dialog box for the new policy opens so that you can change the properties of the policy, and change any security rules.
10. Click Edit on the IP Security Policy Properties dialog box.
11. When the Edit Rule Properties dialog box opens, you can add and remove security methods, modify existing security methods, set the order of precedence for security methods, and specify the utilization of session key perfect forward secrecy (PFS).
12. Click the Authentication tab. This is where you add and remove authentication methods, and set the order of precedence for authentication methods.
13. Click OK to close the Edit Rule Properties dialog box.
14. Before you assign the IPSec policy, first ensure that the IPSec service is running.
15. In the IP Security Policy Management console, right-click the new policy name that you want to assign, and then click Assign from the shortcut menu.

How to assign IPSec policy for an Active Directory domain

1. Click Start, click Run, type mmc in the Run dialog box, and then click OK.
2. Click the File Menu item, and select Add/Remove Snap-in.
3. The Add/Remove Snap-in dialog box opens. Click Add.
4. The Add Standalone Snap-In dialog box opens.
5. Select Group Policy Object Editor, and then click Add.
6. The Select Group Policy Object dialog box opens. Click Browse.
7. The Browse For A Group Policy Object dialog box opens.
8. Select Default Domain Policy, and then click OK.
9. Click Finish.
10. Click Close to close the Add Standalone Snap-in dialog box.
11. Click OK to close the Add/Remove Snap-in dialog box.
12. Expand Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand IP Security Policies on Active Directory.
13. Select IP Security Policies On Active Directory.
14. The details pane displays all available IPSec policies.
15. Right-click the IPSec policy which you want to assign, and then click Assign from the shortcut menu.

Exercise 2: Protect client machine by using Internet Connection Firewall (ICF)

Windows 2000 includes a firewall to protect your system against unwanted "visitors" from the Internet (it does not control connections from your system to the Internet, for which you would need to install a non-Microsoft firewall, like ZoneAlarm). It is configured using the Properties of the modem connection (using the firewall on a LAN connection will cause network access problems to your system).

In the properties of the Internet connection, on the Advanced tab, make sure that the checkmark is placed for the Internet Connection Firewall.

Using Settings, you can configure the firewall.

tab: Services

The list of programs which could run on your system. By default, no access is allowed from the Internet to your system to any of these services.

Unless you need to grant such an access, do NOT activate any of these services.

tab: Security Logging

Allows you to activate a log file.

tab: ICMP

ICMP (Internet Control Message Protocol) is part of TCP/IP; the most common use is the PING program to test a network connection.

By default, the firewall will NOT respond to any ICMP, incl. PING, from the Internet.

Advanced Setup: In case you have the Internet Information Server (maybe including the FTP server) installed and you would like to allow access from the Internet, then you need to place the checkmarks (you are prompted to confirm the system allowed to be accessed).

Activate ONLY the service which people need to access from the Internet.

tab: ICMP

To allow people on the Internet to test that the connection to your system is working, you should allow incoming echo requests (PING requests).

Warning: now your system also becomes visible to all these "bad boys and girls" who probe all IP addresses on the Internet and then try to find out which system they have found, and some of them may try to damage your system!

Exercise 3: Configure TCP/IP packet filter.

1. Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.

2. Right-click the interface on which you want to configure inbound access control, and then click Properties.

3. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.

5. Click the Options tab.

6. Click TCP/IP filtering, and then click Properties.

7. Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.

8. There are three columns with the following labels:

TCP Ports
UDP Ports
IP Protocols

In each column, you must select either of the following options:

Permit All. If you want to permit all packets for TCP or UDP traffic, leave Permit All activated.

Permit Only. If you want to allow only selected TCP or UDP traffic, click Permit Only, click Add, and then type the appropriate port in the Add Filter dialog box.

If you want to block all UDP or TCP traffic, click Permit Only , but do not add any port numbers in the UDP Ports or TCP Port column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.

Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1. TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.

Exercise 4: Monitor the IP Routing status.

Command: Router# mrinfo [hostname | address] [source-address | interface]
Purpose: Query a multicast router about which neighboring multicast routers are peering with it.

Command: Router# mstat source [destination] [group]
Purpose: Display IP multicast packet rate and loss information.

Command: Router# mtrace source [destination] [group]
Purpose: Traces the path from a source to a destination branch for a multicast distribution tree for a given group.

Exercise 5: Customize and configure IPsec policy and rules for transport mode on the local computer.

1. Using HQ-RES-WRK-01, in the left pane of the MMC Console, right-click IP Security Policies on Local Machine, and then click Create IP Security Policy. The IP Security Policy Wizard appears.

2. Click Next.

3. Type Partner as the name of your policy, and click Next.

4. Clear the Activate the default response rule check box, and then click Next.

5. Make sure the Edit Properties check box is selected (it is by default), and then click Finish.

6. In the Properties dialog box for the policy you have just created, ensure that the Use Add Wizard check box in the lower-right corner is selected, and then click Add to start the Security Rule Wizard.

7. Click Next to proceed through the Security Rule Wizard, which you started at the end of the previous section.

8. Select This rule does not specify a tunnel (selected by default), and then click Next.

9. Select the radio button for All network connections (selected by default), and click Next.

Exercise 6: Configure IPsec for tunnel mode. (Note: You need separate computers to which you have administrative access)

How to configure a policy for IPSec tunnel mode

IPSec tunnel mode can be used to provide security for WAN and VPN connections that use the Internet as the connection medium. With tunneling, the data contained in a packet is encapsulated inside an additional packet. The new packet is then sent over the network. In tunnel mode, IPSec encrypts the IP header and the IP payload. Tunnel mode is typically used for server to server, server to gateway, and gateway to gateway configurations.

To configure an IPSec policy for IPSec tunnel mode

1. Open the IP Security Policy Management console.

2. Right-click the IP Security Policies On Local Computer node and select Create IP Security Policy from the shortcut menu.

3. When the IP Security Policy Wizard initiates, click Next on the IP Security Policy Wizard Welcome page.

4. Provide a name and a description for the new IPSec policy, and then click Next.

5. On the Requests for Secure Communication page, disable the Activate the default response rule option, and then click Next.

6. On the Completing the IP Security Policy Wizard page, select the Edit properties option, and then click Finish.

7. The Tunnel To Properties dialog box opens.

8. Click Add on the Rules tab.

9. The Create IP Security Rule Wizard starts.

10. Click Next on the Create IP Security Rule Wizard Welcome page.

11. On the Tunnel Endpoint page, select The Tunnel Endpoint Is Specified By The Following IP Address option, and then enter the IP address of the other machine. Click Next.

12. On the Network Type page, select the Local Area Network (LAN) option and then click Next.

13. Specify the All IP Traffic option and then click Next.

14. On the Filter Action page, specify the Request Security (Optional) option and then click Next.

15. On the Authentication Method page, specify the Active Directory Default (Kerberos V5 protocol) option and then click Next.

16. Click Finish and then click OK.

17. Repeat the process on the other machine.

Exercise 7: Audit the IPsec logon activities and event. (Note: you can use two IP capable computers that are able to communicate to each other with their administrative access)

1. Before you attempt to ping from a computer on one subnet to the other (NetA or NetB), type ipconfig at a command prompt. The network interfaces that are initialized in the TCP/IP stack are displayed.

2. Run the IP Security Monitor tool.

3. Load Network Monitor, click Capture/Network, and then click the W2KextIP interface (you can start a capture by clicking Capture/Start).

4. Attempt to ping the computer. The first ICMP echo packets may time out while the IPSec tunnel is being built. If the ping attempt is not successful, check the security and system logs.

5. If the ping attempt is successful, stop the Network Monitor capture and see if the ICMP traffic went in the clear or if you just see the ISAKMP and IPSec protocol packets. Check IP Security Monitor to see if an SA was created using the NetA to NetB filter you created. Also check the security log. You should see Event ID 541 (IKE security association established).

6. Type ipconfig at a command prompt again so you see that there is no additional TCP/IP interface while the tunnel is up. This is because IPSec is actually protecting the traffic going through the physical interface (W2KextIP).

Exercise 8: Install the network monitor application. Show the use of capture filter and display filter with the help of your own examples.

Installing Network Monitor

1. Click Start, point to Settings, and then click Control Panel.

2. Double-click Add/Remove Programs.

3. Click Add/Remove Windows Components.

4. Click Management and Monitoring Tools, and then click Details.

5. Click to select the Network Monitor Tools check box, and then click OK.

6. Click Next.

1. CAPTURE FILTERS

The capture filter syntax is the same as the one used by programs built on the Libpcap (Linux) or Winpcap (Windows) library, like the famous TCPdump. The capture filter must be set before launching the Wireshark capture, which is not the case for the display filters, which can be modified at any time during the capture.

The steps to configure a capture filter are the following:
- Select Capture -> Options.
- Fill the "capture filter" field, or click on the "capture filter" button to give a name to your filter to reuse it for subsequent captures.
- Click on Start to capture data.

Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst.
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
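The defaults and precedence rules above can be checked mechanically. The following Python sketch is an added example, not part of the lab manual and not libpcap's own parser: it handles only a subset of the syntax (tcp/udp/ip, src/dst, host/port, not/and/or, parentheses), and the sample packets are constructed.

```python
import re

PROTOS = {"tcp", "udp", "ip"}
TYPES = {"host", "port"}

class Parser:
    def __init__(self, text):
        self.toks, self.i = re.findall(r"\(|\)|[^\s()]+", text), 0

    def peek(self, k=0):
        j = self.i + k
        return self.toks[j] if j < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        # "and" / "or" share one precedence level and group left to right.
        node = self.term()
        while self.peek() in ("and", "or"):
            op = self.take()
            node = (op, node, self.term())
        return node

    def term(self):
        # "not" has the highest precedence: it covers the next term only.
        if self.peek() == "not":
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        direction = None
        if self.peek() in ("src", "dst"):
            direction = self.take()
            # "src or dst" / "src and dst" are direction qualifiers, not operators.
            if self.peek() in ("and", "or") and self.peek(1) in ("src", "dst"):
                direction = f"{direction} {self.take()} {self.take()}"
        kind = self.take() if self.peek() in TYPES else None
        if proto and not (direction or kind) and self.peek() in (None, "and", "or", ")"):
            return ("proto", proto)  # bare protocol, e.g. "tcp"
        # Defaults from the text: direction "src or dst", type "host".
        return ("prim", proto, direction or "src or dst", kind or "host", self.take())

def canonical(node):
    # Render the tree with defaults filled in and grouping made explicit.
    if node[0] == "proto":
        return node[1]
    if node[0] == "prim":
        return " ".join(part for part in node[1:] if part)
    if node[0] == "not":
        return f"(not {canonical(node[1])})"
    return f"({canonical(node[1])} {node[0]} {canonical(node[2])})"

def matches(node, pkt):
    tag = node[0]
    if tag == "not":
        return not matches(node[1], pkt)
    if tag in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if tag == "and" else (left or right)
    if tag == "proto":
        return node[1] == "ip" or pkt["proto"] == node[1]
    _, proto, direction, kind, value = node
    if proto not in (None, "ip") and pkt["proto"] != proto:
        return False
    want = int(value) if kind == "port" else value
    src_hit = pkt["sport" if kind == "port" else "src"] == want
    dst_hit = pkt["dport" if kind == "port" else "dst"] == want
    if direction in ("src", "dst"):
        return src_hit if direction == "src" else dst_hit
    return (src_hit and dst_hit) if direction == "src and dst" else (src_hit or dst_hit)

def explain(text):
    return canonical(Parser(text).parse())

def accepts(text, pkt):
    return matches(Parser(text).parse(), pkt)

# Constructed sample packets (not captured traffic).
TELNET = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 40000, "dport": 23}
DNS = {"proto": "udp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 40001, "dport": 53}
```

Calling explain() on a filter shows how it is grouped before you rely on it for a capture; the two "not" filters from the text differ on the DNS packet, which only the parenthesised form accepts.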

2. DISPLAY FILTERS:

The display filter is used to search inside captured data obtained with a capture filter. Its search capabilities are more extensive than those of the capture filter, and it is not necessary to restart the capture when you need to change your filter.

Protocol:

A large number of protocols, located between layers two and seven of the OSI model, are available. They can be seen when you click on the "Expression..." button in the main screen. Some examples are: IP, TCP, DNS, SSH.

Supported protocols with a little description can also be consulted as indicated below:

The Wireshark website provides explanations about protocols and their sub categories.

String1, String2 (Optional settings):

Sub protocol categories inside the protocol. To find them, look for a protocol and then click on the "+"

Exercise 9: Configure PPTP packet filter such that it will block every packet stream except PPTP stream.

How to Configure PPTP Filters to Allow Traffic for PPTP VPN Clients

PPTP is a popular VPN protocol because it is very secure and easy to set up. You can deploy PPTP easily in both Microsoft-only and mixed environments. You can configure your Windows 2000-based Routing and Remote Access service VPN server to drop non-PPTP packets by using packet filters.


How to Configure PPTP Input Filters to Allow Inbound Traffic from PPTP VPN Clients

1. Start the Routing and Remote Access console from the Administrative Tools menu.

2. In the left pane of the Routing and Remote Access console, expand your server, and then expand the IP Routing node.

3. Click the General node. Right-click the external interface, and then click Properties.

4. On the General tab, click Input Filters.

5. Click Add.

6. Select the Destination network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.

7. In the Protocol box, click TCP. In the Protocol Number box, type 1723. Click OK.

8. Click Drop all packets except those that meet the criteria below.

9. Click Add.

10. Select the Destination network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click Other. In the Protocol Number box, type 47. Click OK.

11. Click OK.

How to Configure PPTP Output Filters to Allow Outbound Traffic to PPTP VPN Clients

1. On the General tab in the External_interface Properties dialog box, click Output Filters.

2. Click Add.

3. Select the Source network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click TCP. In the Source port box, type 1723. Click OK.

4. Click the Drop all packets except those that meet the criteria below option.

5. Click Add.

6. Select the Source network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click Other. In the Protocol Number box, type 47. Click OK.

7. Click OK.

8. Click OK.

NOTE After you make these changes, only PPTP traffic is allowed into and out of the external interface of the Routing and Remote Access service VPN server. These filters support communications with a PPTP VPN client that initiates an inbound call to the Routing and Remote Access service VPN server.
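The following Python model of the input and output filter lists is an added example, not part of the lab manual and not how Routing and Remote Access is implemented. It evaluates constructed packets against the filters and flags any row that is not PPTP. Assumptions: the addresses are documentation placeholders, and the 1723 in the input TCP filter is taken as the destination port, mirroring the source port 1723 of the output filter.

```python
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "203.0.113.10"  # constructed placeholder for the external interface
CLIENT_IP = "198.51.100.7"    # constructed placeholder for a PPTP VPN client
TCP, GRE, ICMP = 6, 47, 1     # IP protocol numbers
PPTP_PORT = 1723

def entry(side, proto, **ports):
    """One filter row: address side ('src' or 'dst'), 255.255.255.255 mask, protocol, port."""
    net = ip_network(f"{EXTERNAL_IP}/255.255.255.255")
    return {"side": side, "net": net, "proto": proto, **ports}

# Input filters: destination = external interface; TCP 1723 and protocol 47.
INPUT_FILTERS = [entry("dst", TCP, dport=PPTP_PORT), entry("dst", GRE)]
# Output filters: source = external interface; TCP source port 1723 and protocol 47.
OUTPUT_FILTERS = [entry("src", TCP, sport=PPTP_PORT), entry("src", GRE)]

def entry_matches(row, pkt):
    if ip_address(pkt[row["side"]]) not in row["net"] or pkt["proto"] != row["proto"]:
        return False
    return all(pkt.get(f) == row[f] for f in ("sport", "dport") if f in row)

def permitted(filters, pkt):
    """Action 'Drop all packets except those that meet the criteria below'."""
    return any(entry_matches(row, pkt) for row in filters)

def non_pptp_rows(filters):
    """Audit helper: rows that would let something other than PPTP through."""
    def is_pptp(row):
        ports = {row.get("sport"), row.get("dport")} - {None}
        narrow = row["net"].prefixlen == 32
        return narrow and (row["proto"] == GRE or
                           (row["proto"] == TCP and ports == {PPTP_PORT}))
    return [row for row in filters if not is_pptp(row)]

def pkt(src, dst, proto, sport=None, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

# Constructed traffic samples: (filter list applied, packet).
SAMPLES = {
    "client control in": (INPUT_FILTERS, pkt(CLIENT_IP, EXTERNAL_IP, TCP, 50000, 1723)),
    "client GRE in": (INPUT_FILTERS, pkt(CLIENT_IP, EXTERNAL_IP, GRE)),
    "server control reply out": (OUTPUT_FILTERS, pkt(EXTERNAL_IP, CLIENT_IP, TCP, 1723, 50000)),
    "web request in": (INPUT_FILTERS, pkt(CLIENT_IP, EXTERNAL_IP, TCP, 50001, 80)),
    "ping in": (INPUT_FILTERS, pkt(CLIENT_IP, EXTERNAL_IP, ICMP)),
    # The server dialing out to a remote PPTP server uses an ephemeral source port.
    "server-initiated call out": (OUTPUT_FILTERS, pkt(EXTERNAL_IP, CLIENT_IP, TCP, 50002, 1723)),
}

def evaluate():
    return {name: permitted(filters, p) for name, (filters, p) in SAMPLES.items()}
```

The last sample shows why the note limits these filters to clients that initiate the inbound call: an outbound call from the server has source port other than 1723 and is dropped by the output filter.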

Exercise 10: Implementing Server Security by using Security Templates


You can apply security template settings by using the Security Configuration and Analysis snap-in. When you use this snap-in, you can import security templates and apply them to a computer, site, domain, or to an organizational unit. You can apply the security settings to a local computer configuration or to a Group Policy Object. You can also use this tool to analyze the security settings for a local computer or for a Group Policy Object.

To apply security template settings:

1. At a command prompt, type mmc.

2. Click Add/Remove Snap-in on the Console menu.

3. Click Add in the Add/Remove Snap-in dialog box.

4. In the Add Standalone Snap-in dialog box, click the Security Configuration and Analysis snap-in, click Add, click Close, and then click OK.

5. To create a new security database, right-click the Security Configuration and Analysis node in the left pane, and then click Open Database.

6. Type a name for the database in the Open database dialog box, and then click Open.

7. In the Import Template dialog box, click the security template that you want to apply, and then click Open.

8. Right-click the Security Configuration and Analysis node in the left pane, and then click Configure Computer Now.


Session 9: Windows 2000 Network Management

Example 1: Create a Group Policy object

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create a Group Policy object

1. Open Group Policy Management.

2. Depending upon whether you want to create or delete, use one of the following procedures:

o Create

o Create and link

Create

1. In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a Group Policy object (GPO).

Where?

Forest name/Domains/Domain name/Group Policy Objects

2. Click New.

3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Create and link

1. In the console tree, right-click the domain name in the forest in which you want to create and link a Group Policy object (GPO).

Where?

Forest name/Domains/Domain name

2. Click Create and Link a GPO Here.

3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Notes


To create a GPO, you must have GPO creation privileges. By default only domain administrators, enterprise administrators, and members of the Group Policy creator owners group can create Group Policy objects. To delegate GPO creation permissions to additional groups and users, go to Group Policy Objects in the desired domain and click the Delegation tab.

To delete a GPO, you must have Edit Settings, Delete, Modify Security permissions for the GPO.

When you use this procedure to create a GPO, no links are created to the GPO, but you can add links within the same forest by right-clicking any domain, site, or organizational unit, and then clicking Link Existing GPO. Alternatively, you can both create and link a GPO by right-clicking any domain or organizational unit and then clicking Create and Link a GPO Here.

When you delete a GPO, Group Policy Management attempts to delete all links to that GPO in the domain of the GPO. However, to delete a link to a GPO, you must have permission to link Group Policy objects for the organizational unit or domain. If you do not have rights to delete a link, the GPO will be deleted, but the link will remain. Links from other domains and sites are not deleted. The link to a deleted GPO appears in Group Policy Management as Not Found. To delete Not Found links, you must either have permission on the site, domain or organizational unit containing the link, or ask someone with sufficient rights to delete it.

Group Policy objects are distinguished in the Active Directory by GUID, and it is theoretically possible for more than one GPO to have the same friendly name. The Group Policy Management snap-in prevents the creation of Group Policy objects with duplicate friendly names, but the Group Policy infrastructure does not enforce uniqueness of friendly names. Therefore, it is possible for duplication of friendly names to occur if you use legacy tools to create Group Policy objects, if replication is slow, or if you use a script to perform operations on Group Policy objects.

You cannot delete the Default Domain Controllers policy or the Default Domain policy.

Before deleting a GPO, you can check for cross-domain links by navigating to the Scope tab of the GPO you want to delete and, in the Display links in this location box, selecting Entire Forest. You can then select all links, right click the selection, and click Delete link. This procedure ensures that cross-domain links are deleted before you delete the GPO.

Search for a Group Policy object

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To search for a Group Policy object


1. Open Group Policy Management.

2. In the console tree, double-click the forest containing the domain that you want to search for a Group Policy object (GPO), double-click Domains, right-click the domain, and then click Search.

3. In the Search for Group Policy Objects dialog box, in the Search for GPOs in this domain box, select a domain or All domains shown in this forest.

4. In the Search item box, select the type of object on which you want to base your search.

If you select Security Group, the Select User, Computer, or Group dialog box appears. Specify the appropriate object type, location of the object, and object name, and then click OK.

You can choose GPO-links on the Search item dropdown menu to find unlinked GPOs and GPOs linked across domains.

5. In the Condition box, select the condition that you want to use in the search.

6. In the Value box, select or specify the value that you want to use to filter the search, and then click Add.

7. Repeat steps 4 through 6 until you complete the definition of all search criteria, and then click Search.

The search is based on the intersection of the criteria specified, so a GPO must meet all criteria specified for it to be returned in the results.

8. When search results are returned, do one of the following:

o To save the search results, click Save results and then, in the Save GPO Search Results dialog box, specify the file name for the saved results, and then click Save.

o To navigate to a GPO found in the search, double-click the GPO in the search results list.

o To clear the search results, click Clear.

9. Repeat steps 3 through 8 until you have completed all required searches, and then click Close.

Notes

You can also open the search dialog box by right-clicking a forest and then clicking Search. In this case, the Search for GPOs in this domain box defaults to All domains shown in this forest.


If a setting is enabled, and then all the settings in that extension are removed, there can be false-positive search for certain types of settings. This happens because the GPO has the extension listed as active. The extensions with this behavior are Security Settings, Software Installation, Folder Redirection, Internet Explorer Maintenance, and Encrypting File System (EFS).

2. Configuring Software Deployment Setting.

Configuring Software Deployment

You can also use Group Policy to deploy line-of-business applications throughout your Active Directory network. This installation can take place silently, without the need for user intervention or assigning elevated privileges to your users at the desktop level. Software that's installed via Group Policy is self-healing, which means that any application files that become corrupted or deleted will be replaced automatically by the Group Policy Object. Depending on the needs of your environment, Group Policy software deployment can allow a user's applications to follow him no matter where he logs on to the network from, or ensure that a specific set of tools is available on a particular machine no matter who logs on to it. In this section, we'll look at some of the most useful options available to you in using Group Policy to deploy software.

Creating an Installation Package

As long as you have an .MSI installer for the application you want to deploy, doing so through Group Policy is pretty much a snap. If your application does not have an .MSI file associated with it, though, you are still not entirely out of luck. You can create a .ZAP file that will still allow you to deploy the software, with the following caveats:

The installation process can't take advantage of elevated privileges for installation. So if your users are only members of the Users group and they need Administrator access to perform the installation, the deployment will fail.

The program can't be installed on the first use of the software—we'll talk about how .MSI does this in a moment.

You won't be able to install a feature on the first use of the feature, similar to how Microsoft Word can leave the Thesaurus function uninstalled, but you can copy it to the user's workstation the first time she tries to use it.

Most problematic of all, you can't roll back an unsuccessful installation, modification, repair, or removal of a .ZAP file the way you can with .MSI.

To create a software installation package for an .MSI installer, follow these steps:

1. Open the GPO that you want to use from the GPMC console.

2. Navigate to User Configuration ➤ Software Settings ➤ Software Installation from either the Computer Configuration or User Configuration node. (You can also deploy software to computers instead of users; we'll talk about that in the "Understanding Deployment Options" section next.)

3. Right-click the Software Installation node and select New ➤ Package. Browse to the location of the .MSI file and click OK.

4. The next screen gives you a choice of how you want to deploy the software: Published, Assigned, or Advanced. We'll go over the differences between these options next; for now select Published, which will install the application the first time a user clicks a file associated with it. (Double-clicking a .DOC file would launch the Microsoft Word installer, for example.)

5. Click OK to finish. The GPO Editor will take a moment to refresh itself, and then you'll see your software package listed in the Software Installation window. From here you can right-click the package and select Properties to change any deployment options.

Understanding Deployment Options

When deploying software, you need to make two major decisions:

Do I want to publish this software package, or assign it?

Do I want to deploy this software to a user object or a computer object?

In this section we'll look at the differences between these choices, as well as some more advanced options available for software deployments.

Publishing Applications

Publishing an application will make that application available to your users at their next login. Once you've published an application, a user can install or uninstall it by using the Add/Remove Programs applet in Control Panel. The installer will also launch through document invocation, that is, when the user tries to view or edit a file that requires the published application to open. This is a good way to roll out applications that might not be used consistently across your network, since you won't be performing the actual installation unless (and until) the user actively requires the software. Using Group Policy will still ease the installation process for your users since they won't need to remember share names or instructions for manually installing software.

You have a few additional options available to you when publishing a software package. When you right-click the package and go to Properties, you'll see the screen shown in Figure 4-6 by clicking the Deployment tab.


Figure 4-6

As you can see, the option to install the app when a user double-clicks the appropriate file extension is enabled by default. Two other options that you can enable are

Uninstall this application when it falls out of the scope of management: Let's say that user JSmith is contained in the Accounting OU of your domain and has the PeachTree accounting package installed via Group Policy. If JSmith moves to Marketing, and the Marketing OU does not have the accounting software published to it, then the application will be uninstalled from JSmith's workstation. This is useful in ensuring that sensitive applications do not remain installed on a workstation if the user no longer has a need for them.

Do not display this package in the Add/Remove Programs control panel: Just like it sounds, this ensures that a published application will only be installed through document invocation. You may enable this option to prevent applications from being installed unnecessarily by curious users.

Assigning Software

In addition to publishing an application, you can also assign it to either a computer or a user object. By assigning an application to a computer object, the application will be automatically installed the next time the computer boots up: this requires no document invocation or user intervention of any kind. Once the program has been installed, only an administrator will be able to uninstall it (either manually or through Group Policy). Like a published application, an assigned application is self-healing so that it can automatically repair or replace any damaged or erased program files.


Assigning an application to a user takes one of two forms. In the default scenario, the user will see a shortcut to the application on her Desktop or Start menu. However, the app won't actually be installed until the first time she double-clicks the shortcut or uses document invocation. And since the installation takes place silently, a user can easily be confused when he tries to launch the program and nothing seems to happen. It's important to be aware of this fact, since "I double-clicked the Excel icon and my machine has been hung up for like two minutes" can be a common help desk phone call in this situation.

While this was the only way of assigning software to a user in Windows 2000, Windows Server 2003 provides the Install application at logon option, which will perform an install as soon as the user logs on. Similar to the help desk calls you might experience from the default scenario, though, this option may greatly increase your users' logon times while the installation process is running. As with anything else, good communication with your users and support staff will help to make this operation as smooth as possible.

You'll typically assign software to computer objects for critical applications that need to be present on any computer on your network: antivirus software is a favorite use of this feature. Simply add the antivirus software's .MSI file to the Default Domain policy, and every machine in your network will receive the installation the next time they reboot.

Deploying Custom Applications and Upgrades

For applications with many different parts, such as Microsoft Office, you can even configure the installation file so that it only installs the components you want. The remaining components can be left out entirely, or you can allow them to be installed on their first use: the first time a user requests the Word spell-checker, for example. To customize your applications in this way, you'll use a transform file with the .MST extension. You'll specify these .MST files on the Modifications tab of the software package's Properties sheet, which you saw in Figure 4-6.

Finally, once you've deployed a software package through a GPO, you can use a newer installer to upgrade that package using the Upgrades tab of the Properties sheet. An upgrade package can either be optional or mandatory, and the upgrade will take place the next time the user logs on or the machine boots up.

Exercise 3: Configure Remote And Removable Storage.

Remote and Removable Storage

Storage Concepts

Understanding Libraries

Understanding Media Pools

Understanding Media States

Setting up and Using Remote Storage


Volume Management

Managing Media

Using Removable Storage

Configuring and Managing Libraries

Configuring Media Pools

Configuring and Managing Physical Media

Configuring Queued Work and Operator Requests

Configuring Removable Storage Security

Summary

Disk storage space is an ongoing issue in networking environments. Even with the large hard drives available today, file storage continues to pose a problem in many environments. Microsoft addresses this issue by providing remote storage on tape drives and removable media drives in Windows 2000. This technology makes it easy for you to gain additional storage space without having to purchase more hard disks.

Remote storage is not the same as backup. Remote storage is designed to be a storage solution to extend a hard drive, but a regular backup plan should still be in place and followed. In the following sections, you first learn how remote and removable storage work and the benefits that can be gained, then you learn how to configure and manage Remote and Removable Storage in Windows 2000.

Storage Concepts

Remote storage works by moving eligible files from your local hard disk volumes to a remote storage location. When the space on your local, or managed, volume falls under the level you specify, remote storage automatically removes the content from the original file and moves it to the remote storage location. The file still appears on your local drive, but the file size is zero since the file actually resides in a remote location. When the file is needed, remote storage recalls the file and caches it locally so the file can be accessed. Since response time is slower than if the file were actually stored on your local volume, you specify the files or the parameters for the files that should be stored remotely so that your most commonly used files remain on the local volume.

Removable storage allows you to extend your local volumes by using removable storage media to store information. Removable Storage Manager handles this process and keeps track of the location of data stored on removable media, such as CD-ROMs, digital audio tape (DAT), Zip disks, and DVD.

Understanding Libraries

Removable storage organizes data in libraries so that it can track the storage location of individual files. There are two major types of libraries. The first are the Robotic libraries, often called changers or jukeboxes, that hold multiple tapes or disks and can automatically switch between tapes and disks as needed. For example, a ten-CD stereo player can automatically mount the various CDs loaded to the CD drive. The second type are Stand-alone libraries, which are single drives that hold one tape or disk at a time and must be manually changed by the administrator. Remote storage can also manage and track offline media not currently contained in a library. For example, you could store some of the disks or tapes in a file folder until they are needed. Even though the disks or tapes are not currently available, remote storage is aware of them and still considers them a part of the storage library.

Exercise 4: Setup the filter options for Advanced Users and Groups.

Introduction

This guide introduces you to administration of the Microsoft® Windows® 2000 Active Directory™ service and the Active Directory Users and Computers snap-in. This snap-in allows you to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers, printers, and shared folders.

Prerequisites

This Software Installation and Maintenance document is based on Step-by-Step Guide to the Common Infrastructure for Windows 2000 Server Deployment, http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp.

Before beginning this guide, please build the common infrastructure, which specifies a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this instruction set.

You can run the Administrative Tools from the server, or you can run the tools from a computer running Windows 2000 Professional. The Administrative Tools are installed by default on all Windows 2000 domain controllers.

You must be logged on as a user with administrative privileges to run through the procedures in this document.

If you are working on a domain controller, the Active Directory Schema snap-in might not be installed. To install it:

1. Click Start, point to Settings, click Control Panel, and then click Change or Remove Programs.

2. When prompted, reinstall all the Administrative Tools.

On Windows 2000-based stand-alone servers or workstations, Active Directory Administrative Tools are optional. You can install them from Add/Remove Programs in Control Panel, using the Windows Components wizard, or from the ADMINPAK on the Windows 2000 Server or Professional CD.

In this Step-by-Step Guide:

Common Administrative Tasks

· Creating Organizational Units
· Creating Users and Contacts
· Creating Groups and adding members to Groups

Advanced Administrative Tasks

· Publishing shared network resources, such as shared folders and printers.
· Moving Users, Groups, and Organizational Units
· Using Filters and Searches to retrieve objects

Creating a Group

1. Right-click the Engineering OU, click New, and then click Group.
2. In the Name of New Group text box, type: Tools

Select the appropriate Group type and Group scope and then click OK.

The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers. Both security and distribution groups can be used for e-mail distribution lists.

The Group scope determines the visibility of the group and what type of objects can be contained within the group.

| Scope | Visibility | May contain |
|---|---|---|
| Domain Local | Domain | Users, Domain Local, Global, or Universal Groups |
| Global | Forest | Users or Global groups |
| Universal | Forest | Users, Global, or Universal Groups |

Adding a User to a Group

1. Click Engineering in the left pane.
2. Right-click the Tools group in the right pane, and click Properties.
3. Click the Members Tab and click Add.
4. Scroll to James Smith, select his name, click Add, then click OK as in Figure 7 below.

Figure 7: Add James Smith to the Tools Group

Note: You can select multiple users or groups in this dialog by pressing the CTRL key as you click them. You can also type the name directly. If the name is ambiguous, a further list is displayed to confirm your selection.

Alternatively, you can select the users from the results pane, right click then click Add members to a Group. Or you can click Add the selected objects to a group you specify on the snap-in toolbar. This may be more efficient for adding large numbers of members to a group.

Publishing a Shared Folder

Any shared network folder, including a Distributed File System (Dfs) folder, can be published in Active Directory. Creating a Shared folder object in the directory does not automatically share the folder. This is a two-step process: you must first share the folder, and then publish it in Active Directory.

1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk volumes.

2. In Windows Explorer, right-click the folder name, and then click Properties. Click Sharing, and then click Share this folder.

3. In the New Object–Shared Folder dialog box, type ES in the Share name box and click OK. By default, Everyone has permissions to this shared folder. If you want, you can change the default by clicking the Permissions button.

4. Populate the folder with files, such as documents, spreadsheets, or presentations.

Exercise 5: Backup and Restore all files in a domain.

File-By-File Restore of a Domain Controller

Overview

To perform a full restore of a failed operating system on a domain controller, it is necessary to have a full backup of the system partition, including the System State and Active Directory. When restoring a failed operating system, hardware identical to the original machine should be used whenever possible.

Prerequisites for Full Operating System Restore

The restore target must be booted into Directory Services Restore mode.

The Windows name and OS version of the restore target must match the original system.

The OS on the restore target must be installed to the same path as the original system. WINDOWS (XP, 2003) or WINNT (NT, 2000) are the default names for the %SYSTEMROOT% path.

All of the latest OS service packs must be applied to the restore target.

Install the full version of UltraBac on the restore target.

Any new hardware should be matched to the original hardware as closely as possible.

If the restore is being performed remotely, ensure the default UltraBac account has enough authority on the restore target to perform an OS restore.

Restoring to Dissimilar Hardware

If restoring a machine with dissimilar hardware, try including only the Software Registry hive (a sub-component of the System State).  Run the restore in two separate sessions, restoring all of the files first, followed by the Registry hive.  Depending on how dissimilar the hardware on the target machine is from the original, restoring the full System State may cause system instability.

Restore

To begin the restore process:

1. Launch the "Restore Wizard" by clicking "File"/"Load Index for Restore/Verify" from the main UltraBac menu.

2. Select and load the index for restore.

3. Select all objects in the OS partition and the System State. 

NOTE: When restoring the System State/Active Directory, all System State components must be restored. If one component is excluded from the restore, all objects will be excluded.

Fig. 1 - Loaded set in the File Viewer, OS partition, System State, and Active Directory selected.

4. Click "Operations"/"Restore Selected Files."

5. Check "Restore in-use files."

6. Set the "Overwrite option" to "Always" and click "Next."

Fig. 2 - Restore Options

7. Check "Run unattended" and click "Restore." If "Run unattended" is not checked, UltraBac will return a prompt for every file skipped or overwritten.

Viewing the Restore Logs

When the restore is finished, UltraBac will confirm that the System State has been restored (if selected), and prompt for a reboot.

Click "Cancel" to view the UltraBac restore log or if an authoritative restore is to be run.

Authoritative Restore 

1. From the Command prompt on the restore target, type "NTDSUTIL" and press "Enter."

2. Type "authoritative restore" at the NTDSUTIL.EXE prompt and press "Enter."

3. Type in the text "restore database" at the Authoritative Restore prompt and press "Enter", to make the full Active Directory restore Authoritative. This command will be used in most cases.

4. Select "Yes" when prompted with the Authoritative Restore confirmation screen.

Fig. 3 - Authoritative Restore confirmation prompt.

5. NTDSUTIL will return the number of records that need updating, as well as the number of records updated.

Fig. 4 - NTDSUTIL from a DOS prompt.

6. Type in "quit" at the authoritative restore prompt and press "Enter."

7. Type in "quit" at the NTDSUTIL.EXE prompt and press "Enter."

8. Reboot.

Exercise 6: Protect Data By Using Encrypting File System (EFS) And Recover Encrypted Data With a Data Recovery Agent.

Introduction

In many businesses, users share desktop computers. Some users travel with portable computers that they use outside the physical protection of the business, in customer facilities, airports, hotels, and at home. This means that valuable data is often beyond the control of the business. An unauthorized user might try to read data stored on a desktop computer. A portable computer can be stolen. In all of these scenarios, malevolent parties can gain access to sensitive company data.

One solution to help reduce the potential for stolen data is to encrypt sensitive files by using Encrypting File System (EFS) to increase the security of your data. Encryption is the application of a mathematical algorithm to make data unreadable except to those users who have the required key. EFS is a Microsoft technology that lets you encrypt data on your computer, and control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read even if an attacker has physical access to the computer's data storage. To use EFS, all users must have Encrypting File System certificates, which are digital documents that allow their holders to encrypt and decrypt data using EFS. EFS users must also have NTFS permission to modify the files.

Two types of certificates play a role in EFS:

Encrypting File System certificates. This type of certificate allows the holder to use EFS to encrypt and decrypt data, and is often called simply an EFS certificate. Ordinary EFS users get this type of certificate. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value Encrypting File System (1.3.6.1.4.1.311.10.3.4).

File Recovery certificates. This type of certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them. Only domain admins or very trusted designated persons called data recovery agents should get this. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). These are often called EFS DRA certificates.
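An added example (not part of the original lab manual): a PowerShell audit that uses the two Enhanced Key Usage OIDs above to report which certificates in a store are EFS user certificates and which are File Recovery (DRA) certificates. The helper name Get-EfsCertificateRole and the choice of the current user's personal store are assumptions made for illustration.

```powershell
# Added example: classify certificates by the EFS-related EKU OIDs named above.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (EFS DRA)

function Get-EfsCertificateRole {       # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the OIDs listed in the Enhanced Key Usage extension, if one is present.
        $oids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        $roles = @()
        if ($oids -contains $EfsOid) { $roles += 'EFS user' }
        if ($oids -contains $DraOid) { $roles += 'File Recovery (DRA)' }
        if ($roles.Count -eq 0) { return }   # not an EFS-related certificate

        [pscustomobject]@{
            Roles         = $roles -join ', '
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            Expired       = $Certificate.NotAfter -lt (Get-Date)
            HasPrivateKey = $Certificate.HasPrivateKey
        }
    }
}

# Every EFS-related certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Get-EfsCertificateRole | Format-Table -AutoSize

# A recovery certificate whose private key sits in a day-to-day profile can decrypt
# every file that lists it as a recovery agent, so report those separately.
Get-ChildItem Cert:\CurrentUser\My | Get-EfsCertificateRole |
    Where-Object { $_.Roles -match 'File Recovery' -and $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter
```

Certificates that carry no Enhanced Key Usage extension at all are not classified by this check.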

Requirements

Credentials: Administrator of the domain. Tools: the Active Directory Users and Computers snap-in to MMC.

To create a domain-based recovery agent

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. Right-click the domain whose recovery policy you want to change, and then click Properties.

3. Click the Group Policy tab.

4. Right-click the recovery policy you want to change, and then click Edit.

5. In the console tree (on the left), click Encrypting File System. This can be found at Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

6. In the details pane (on the right), right-click, and then click Create Data Recovery Agent.

Note: The Create Recovery Agent Wizard prompts you to add a user as a recovery agent either from a file or from Active Directory. When you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the user name is not stored in the file.

In order to add a recovery agent from Active Directory, EFS recovery agent certificates (file recovery certificates) must be published in Active Directory. However, because the default EFS file recovery certificate template does not publish these certificates, you need to create a template that does so. To do this, in the Certificate Templates snap-in, copy the default EFS file recovery certificate template to create a new template, right-click the new template, choose Properties, and, on the General tab of the Properties dialog box for the copied certificate, select the Publish certificate in Active Directory check box.

7. Follow the instructions in the Create Recovery Agent Wizard to finish creating a domain-based recovery agent.

Exercise 7: Establishing Intrusion Detection for Public Server.

Network-based Intrusion Detection Overview

Data centers are experiencing an increase in network security threats resulting in the loss of revenue, productivity, and business opportunity. Comprehensive security policies and architectures that include network-based intrusion detection systems (NIDS) are a means to combat this expanding threat. NIDS perform analysis of all traffic passing on a network segment or subnet. This chapter provides insight into the need for NIDS in the data center and the benefits of a properly deployed, configured, and managed system.

This chapter also describes the techniques used by "electronic thieves" and attackers when attacking networks, and the methods they use to avoid detection. It also explains the methods that Cisco IDS products employ to detect and thwart network intrusion. The goal is to mitigate the impact of these attacks and improve network visibility. The Cisco IDS product line provides a flexible range of deployment options for securing modern network architectures. This chapter also reviews the Cisco management alternatives available in the data center for creating a secure, efficient, and thorough intrusion protection solution.

The Need for Intrusion Detection Systems

Data centers enable the consolidation of critical computing resources in controlled environments under centralized management. They allow enterprises to operate around the clock, according to their business needs. A data center provides the following services to support application availability:
• Infrastructure—Layer 2, Layer 3, intelligent network services, and data center transport
• Application optimization services—Content switching, caching, SSL offloading, and content transformation
• Storage—Consolidation of local disks, network attached storage, and storage area networks (SANs)
• Security—Access control lists (ACLs), firewalls, and intrusion detection systems
• Management—Management devices applied to the elements of the architecture

When a malfunction occurs in the data center and critical business services are not available, the bottom line usually suffers. Security policies must be developed and implemented to mitigate vulnerabilities and assure data center resilience against external and internal threats.

You should deploy security services in the data center as an end-to-end, layered solution consisting of firewalls, access lists, and intrusion prevention and detection systems. You should implement security policies to prevent the following security vulnerabilities:
• Unauthorized access
• Denial of service (DoS)
• Network reconnaissance
• Viruses and worms
• IP spoofing
• Layer 2 attacks

Applications are targets in the data center. Packet inspectors, such as firewalls, are not enough to protect business critical applications from external and internal threats. The devices employed to enforce security policies must scrutinize the protocols and application data traversing the network. NIDS satisfy this requirement by identifying harmful network traffic and performing the appropriate action based on the established security policy. Possible actions include logging, shunning, or resetting traffic that is identified as detrimental to the network.

Solution Topology

The enterprise data center is designed to satisfy the business and application requirements of the organization, and is a complex structure segmented into service and security domains. The following service domains exist in the enterprise data center:
• Internet gateway
• Internet edge
• Extranet data center
• Internet server farm
• Intranet data center

Data center networks have multiple points of vulnerability that are susceptible to attack. To fortify this architecture, strategically position NIDS to protect all the areas within the data center.

Figure 8-1 indicates the multiple network vulnerability points that the enterprise security policy must address across service domains. The deployment of NIDS is essential to a comprehensive security implementation.

Figure 8-1 Enterprise Data Center—Network Vulnerability Points

NIDS monitor these domains and provide protection from various threats. Network sensors (intrusion detection devices) are essential to building a secure enterprise data center architecture. For example, sensors can protect critical assets in the intranet data center from internal threats, such as disgruntled employees. Network sensors can also provide an extra level of safety in the extranet domain by monitoring traffic between partners. Cisco recommends the deployment of network intrusion sensors in the following locations:
• Behind firewalls
• On demilitarized zone (DMZ) segments that house public servers (web, FTP, Domain DNS, or e-commerce)
• Behind VPN concentrators for monitoring unencrypted virtual private network (VPN) traffic
• On segments that house corporate servers or other intranet services that are defined as sensitive in the security policy
• On segments that house network and security management servers
• On the corporate intranet where critical resources are located
• At corporate extranet junction points between the campus network and branch networks as well as between the enterprise and partner networks

Exercise 8: Configure the administrator account user profile to restrict dial-up access.

About Administrator Accounts

From the Administration Control page, you can link to pages that establish the names, passwords, and privileges for individual administrators or groups of administrators.

ACS administrator accounts are:
• Unique to ACS and not related to other accounts, such as Windows administrator accounts, ACS TACACS+ accounts, or any other ACS user accounts.
• Unrelated to external ACS users because ACS stores ACS administrator accounts in a separate internal database.

Privileges

The privileges that you grant to each administrator determine access to areas of the web interface. By default, new administrators do not have any privileges.

Administration Control Privilege

Administrators who have the Administration Control privilege can access the complete Administration Control page. For these administrators, this page provides management of administrators and access to pages that control administrative access policy. Restricted administrators can update their passwords. Figure 11-1 shows the access granted by the administration control privilege.

Figure 11-1 The Administration Control Privilege

Examples of privileges that you can grant to administrators or groups of administrators include:
• Shared profile components
• Network, system, and interface configuration
• Administration control
• External user databases, posture validation, and network access profiles (NAPs)
• Reports and activities

For example, you are an administrator with the Administration Control privilege who wants to configure access to the Network Configuration section of the web interface for administrators whose responsibilities include network management. Therefore, you check only the Network Configuration privilege for the applicable administrator accounts.

Group Access Privileges

ACS includes options that determine the type of administrator access to groups or users in groups. When enabled, these options grant an administrator the following privileges with respect to any available group:
• Add or edit user pages
• Edit group pages
• Read access to user pages
• Read access to the group pages

Table 11-1 describes the interaction of the options:

Table 11-1 Group Access Options

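| Add and Edit Access | Read Access | Result |
|---|---|---|
| No | No | Administrators cannot view the users in the Editable groups. |
| No | Yes | Administrators can view the users in the Editable groups, but Submit is not available. |
| Yes | No | Full access granted in either case. When enabled, Add/Edit Users in these groups overrides Read Access. |
| Yes | Yes | Full access granted in either case. When enabled, Add/Edit Users in these groups overrides Read Access. |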

Password Expirations and Account Lockouts

Successful logins take administrators to the main ACS web interface page. However, all logins are subject to the restrictions that have been configured in Administration Control, including expiration, account lockout, and password configuration options.

Limits set for password lifetime and password inactivity can force password change or account lockout. In addition, the limit set for failed attempts can force password change, and privileged administrators can manually lock accounts. In the case of an account lockout, a privileged administrator must unlock the account.

ACS includes the Account Never Expires option that can globally override automatic account lockouts and password configuration options. If the Account Never Expires option is enabled for a specific administrator, all administrator lockout options are ignored.

In the case of an account lockout, ACS displays the Login Process Fail page. Depending on the options, ACS displays the following pages for changing passwords:
• A password update page appears when you attempt to log in.
• The Change Password page appears when you click the Administration Control button in the navigation bar, if you do not have the Administration Control privilege. The Change Password page includes a list of the password criteria.

Figure 11-2 shows the process flow at login time.

Figure 11-2 Login Process Flow

1 When the administrator reaches the Incorrect Password Attempts limit, ACS locks the account. At this point,

Exercise 9: Use the Registry Editor to view and search for information in any registry. Show how to add a value in a registry. Save the registry to a text file.

Overview

The Registry is a database used to store settings and options for the 32 bit versions of Microsoft Windows including Windows 95, 98, ME and NT/2000. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user makes changes to Control Panel settings, File Associations, System Policies, or installed software, the changes are reflected and stored in the Registry.

The physical files that make up the registry are stored differently depending on your version of Windows. Under Windows 95 & 98 it is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT; for Windows Me there is an additional CLASSES.DAT file; under Windows NT/2000 the files are contained separately in the %SystemRoot%\System32\Config directory. You cannot edit these files directly; you must use a tool commonly known as a "Registry Editor" to make any changes (using registry editors will be discussed later in the article).

The Structure of the Registry

The Registry has a hierarchical structure. Although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer.

Each main branch (denoted by a folder icon in the Registry Editor) is called a Hive, and Hives contain Keys. Each key can contain other keys (sometimes referred to as sub-keys), as well as Values. The values contain the actual information stored in the Registry. There are three types of values: String, Binary, and DWORD. The use of these depends upon the context.

There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

o HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.

o HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.

o HKEY_LOCAL_MACHINE - This branch contains computer specific information about the type of hardware, software, and other preferences on a given PC. This information is used for all users who log onto this computer.

o HKEY_USERS - This branch contains individual preferences for each user of the computer. Each user is represented by a SID sub-key located under the main branch.

o HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

o HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE for use with the Plug-&-Play features of Windows. This section is dynamic and will change as devices are added and removed from the system.
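An added example (not part of the original lab manual): the tasks this exercise asks for, done from PowerShell so each step can be repeated and reviewed. It shows that HKEY_CURRENT_USER is a link into HKEY_USERS, searches a subtree, adds one value of each of the three types, and exports the key to a text file. The key HKCU:\Software\LabDemo, the value names, and the function name Find-RegistryText are constructed for illustration.

```powershell
# Added example: view, search, add and export registry data.

# 1. View: HKEY_CURRENT_USER is the HKEY_USERS\<SID> subtree of the logged-on user,
#    so the same value is readable through both paths.
$sid      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$viaHkcu  = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$viaUsers = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Control Panel\Desktop"
'Same Wallpaper value through both paths: {0}' -f ($viaHkcu.Wallpaper -eq $viaUsers.Wallpaper)

# 2. Search: report key names, value names and value data that contain a text,
#    similar to Find in the Registry Editor. Unreadable keys are skipped.
function Find-RegistryText {            # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Text
    )
    $pattern = [regex]::Escape($Text)   # treat the search text literally
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $pattern) {
            [pscustomobject]@{ Key = $key.Name; Value = $null; Kind = 'Key'; Data = $null }
        }
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($name -match $pattern -or "$data" -match $pattern) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Kind  = $key.GetValueKind($name)
                    Data  = "$data"
                }
            }
        }
    }
}

# 3. Add: one value of each type the text names (String, DWORD, Binary).
#    Writing under HKCU affects only the current user and needs no admin rights.
$demo = 'HKCU:\Software\LabDemo'        # constructed key for this exercise
New-Item -Path $demo -Force | Out-Null
New-ItemProperty -Path $demo -Name 'Owner'   -PropertyType String -Value 'Student' -Force | Out-Null
New-ItemProperty -Path $demo -Name 'Retries' -PropertyType DWord  -Value 3 -Force | Out-Null
New-ItemProperty -Path $demo -Name 'Marker'  -PropertyType Binary -Value ([byte[]](0xDE, 0xAD)) -Force | Out-Null

Find-RegistryText -Root 'HKCU:\Software' -Text 'LabDemo' | Format-Table -AutoSize

# 4. Save to a text file: reg.exe writes the key and its values as a .reg text file.
$out = Join-Path $env:TEMP 'LabDemo.reg'
reg.exe export 'HKCU\Software\LabDemo' $out /y | Out-Null
Get-Content -Path $out

# Clean up the constructed key when finished.
Remove-Item -Path $demo -Recurse
```

Exporting a key before changing it gives a text copy that can be compared against later or imported again to restore the previous values.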

Windows Registry Tutorial

Overview

The Registry is a database used to store settings and options for the 32 bit versions of Microsoft Windows including Windows 95, 98, ME and NT/2000. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user makes changes to a Control Panel settings, or File Associations, System Policies, or installed software, the changes are reflected and stored in the Registry.

The physical files that make up the Registry are stored differently depending on your version of Windows. Under Windows 95 and 98 the Registry is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT; Windows Me adds a CLASSES.DAT file; and under Windows NT/2000 the files are stored separately in the %SystemRoot%\System32\Config directory. You cannot edit these files directly; you must use a tool commonly known as a "Registry Editor" to make any changes (using registry editors is discussed later in the article).

The Structure of the Registry

The Registry has a hierarchical structure. Although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer.

Each main branch (denoted by a folder icon in the Registry Editor) is called a Hive, and Hives contain Keys. Each key can contain other keys (sometimes referred to as sub-keys), as well as Values. The values contain the actual information stored in the Registry. There are three types of values: String, Binary, and DWORD. Which one is used depends on the context.

There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

o HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.

o HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.

o HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC. This information is used for all users who log onto this computer.

o HKEY_USERS - This branch contains individual preferences for each user of the computer. Each user is represented by a SID sub-key located under the main branch.

o HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

o HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE used by the Plug-and-Play features of Windows. This section is dynamic and will change as devices are added to and removed from the system.

Each registry value is stored as one of five main data types:

o REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.

o REG_DWORD - This type represents the data by a four-byte number and is commonly used for boolean values, such as "0" is disabled and "1" is enabled. Additionally, many parameters for device drivers and services are this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.

o REG_EXPAND_SZ - This type is an expandable data string, that is, a string containing a variable to be replaced when called by an application. For example, for the following value, the string "%SystemRoot%" will be replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32.)

o REG_MULTI_SZ - This type is a multiple string used to represent values that contain lists or multiple values. Each entry is separated by a NULL character. (This type is only available using an advanced registry editor such as REGEDT32.)

o REG_SZ - This type is a standard string, used to represent human readable text values.

Other data types not available through the standard registry editors include:

o REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian format.

o REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian format.

o REG_LINK - A Unicode symbolic link. Used internally; applications should not use this type.

o REG_NONE - No defined value type.

o REG_QWORD - A 64-bit number.

o REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian format.

o REG_RESOURCE_LIST - A device-driver resource list.
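The decoding rules for the value types listed above, as an added example that is not part of the original manual: it turns the raw bytes of a value into a readable form according to its type. The function names and sample bytes are constructed for illustration, and string data is assumed to be UTF-16LE as stored by NT-family Windows.

```python
import re
import struct

# Type codes from the Windows SDK header winnt.h.
# REG_DWORD_LITTLE_ENDIAN and REG_QWORD_LITTLE_ENDIAN share the codes of
# REG_DWORD and REG_QWORD.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 4, 5, 6, 7
REG_RESOURCE_LIST, REG_QWORD = 8, 11


def _text(raw):
    """Decode string data. Assumption: UTF-16LE, as stored by NT-family Windows."""
    if len(raw) % 2:
        raise ValueError("string data must be an even number of bytes")
    return raw.decode("utf-16-le")


def _number(raw, fmt, size):
    """Unpack a fixed-width integer, rejecting data of the wrong length."""
    if len(raw) != size:
        raise ValueError(f"expected {size} bytes, got {len(raw)}")
    return struct.unpack(fmt, raw)[0]


def expand_vars(text, env):
    """Replace %NAME% with env[NAME]; unknown names are left untouched."""
    lookup = {name.upper(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), text)


def decode_value(reg_type, raw, env=None):
    """Turn the raw bytes of one registry value into a Python object."""
    if reg_type in (REG_SZ, REG_LINK):
        return _text(raw).rstrip("\x00")
    if reg_type == REG_EXPAND_SZ:
        return expand_vars(_text(raw).rstrip("\x00"), env or {})
    if reg_type == REG_MULTI_SZ:
        # Entries are NUL-separated; an empty entry marks the end of the list.
        entries = []
        for entry in _text(raw).split("\x00"):
            if entry == "":
                break
            entries.append(entry)
        return entries
    if reg_type == REG_DWORD:
        return _number(raw, "<I", 4)
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return _number(raw, ">I", 4)
    if reg_type == REG_QWORD:
        return _number(raw, "<Q", 8)
    # REG_BINARY, REG_NONE, REG_RESOURCE_LIST and unknown types: hex dump.
    return " ".join(f"{b:02x}" for b in raw)


# Constructed sample data (not taken from a real system).
SAMPLE_FLAG = b"\x01\x00\x00\x00"
SAMPLE_PATH = "%SystemRoot%\\System32\\Config".encode("utf-16-le") + b"\x00\x00"
SAMPLE_LIST = "NWLink\x00Tcpip\x00\x00".encode("utf-16-le")

if __name__ == "__main__":
    print(decode_value(REG_DWORD, SAMPLE_FLAG))
    print(decode_value(REG_DWORD_BIG_ENDIAN, SAMPLE_FLAG))
    print(decode_value(REG_EXPAND_SZ, SAMPLE_PATH, {"SystemRoot": "C:\\WINNT"}))
    print(decode_value(REG_MULTI_SZ, SAMPLE_LIST))
```

The same four bytes decode to different numbers as REG_DWORD and REG_DWORD_BIG_ENDIAN, which is why the type code must be read together with the data.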

Editing the Registry

The Registry Editor (REGEDIT.EXE) is included with most versions of Windows (although you won't find it on the Start Menu). It enables you to view, search and edit the data within the Registry. There are several methods for starting the Registry Editor; the simplest is to click on the Start button, then select Run, and in the Open box type "regedit". If the Registry Editor is installed, it should now open.

An alternative Registry Editor (REGEDT32.EXE) is available for use with Windows NT/2000. It includes some additional features not found in the standard version, including the ability to view and modify security permissions, and the ability to create and modify the extended string values REG_EXPAND_SZ and REG_MULTI_SZ.

Create a Shortcut to Regedit

This can be done by simply right-clicking on a blank area of your desktop, selecting New, then Shortcut, then in the Command line box enter "regedit.exe" and click Next, enter a friendly name (e.g. 'Registry Editor') then click Finish. You can now double-click the new icon to launch the Registry Editor.

Using Regedit to modify your Registry

Once you have started Regedit you will notice that on the left side there is a tree with folders, and on the right the contents (values) of the currently selected folder.

Exercise 10 : Enable network connectivity between NetWare, Macintosh, and UNIX networks.

UNIX

For basic integration with UNIX systems, Windows NT Server includes support for the industry-standard protocols used by UNIX systems, such as TCP/IP and DNS. To make it easier to integrate existing UNIX environments with Windows NT Server, Microsoft offers the Windows NT Services for UNIX Add-on Pack. This includes technologies for resource sharing, remote administration, password synchronization and common scripting across platforms.

Network

Transmission Control Protocol/Internet Protocol (TCP/IP). Windows NT Server includes TCP/IP, the primary transport protocol for the Internet and intranets as well as for homogeneous and heterogeneous networks. Having TCP/IP built into the operating system enables Windows NT Server to exchange data with both UNIX hosts and the Internet.

FTP, HTTP, and Telnet. Through FTP and HTTP services, users can copy files across networks of heterogeneous systems and then manipulate them locally as text files or even Microsoft Word documents. In addition to copying UNIX files, PC users can access character-based UNIX applications through the Windows NT support for remote logon. By running terminal emulation software built into the Microsoft Windows® 95, Windows 98, and Windows NT operating systems, a user of a Windows-based computer can log on to a UNIX timesharing server in a manner similar to a dial-up connection. After entering an authorized user name and password, PC users will be able to employ character-based applications residing on the remote UNIX workstation as if they were logged on to the system directly.

Domain Name System (DNS) Service. DNS is a set of protocols and services on a TCP/IP network that allows users of the network to employ hierarchical user-friendly names when looking for other computers instead of having to remember IP addresses. Windows NT Server 4.0 has a built-in, standards-based DNS service. This allows administrators to easily migrate from their existing DNS to the Windows NT Server DNS, or coexist with a non-Microsoft DNS.

Dynamic Host Configuration Protocol (DHCP) and BOOTP. The standards-based DHCP protocol can automatically configure a host during boot up on a TCP/IP network as well as change settings while the host is attached. This lets all available IP addresses be stored in a central database along with associated configuration information such as the subnet mask, gateways, and address of DNS servers. Since DHCP for Windows NT Server is based on industry standards, it supports requests from any clients supporting these RFCs. The Microsoft DHCP server also offers Boot Protocol (BOOTP) support, used for booting diskless workstations.

Network File System (NFS). Included in the Windows NT Services for UNIX Add-on Pack, NFS is a standard for sharing files and printers in the UNIX environment. The NFS client and server software Add-on lets Windows NT Server users access files on UNIX and lets UNIX users access files on Windows NT Server.

Advanced Server for UNIX (ASU). ASU extends interoperability between Windows NT and UNIX providing full Windows NT domain controller support on UNIX. The UNIX system can be either a Primary Domain Controller or Backup Domain Controller in a Windows NT environment. This means that the users can log on to the Windows NT-based network once and gain access to resources distributed between a UNIX server and Windows NT Server on the network. AT&T exclusively licenses the ASU technology to virtually all major UNIX suppliers, such as Compaq, Hewlett-Packard, Data General, Fujitsu-ICL, and Siemens-Nixdorf.

Data

Oracle database access. The Microsoft Visual Studio® Enterprise Edition development system offers comprehensive support for Oracle 7.3 and later databases. Using Visual Studio, developers can visually build or edit data-driven Web pages quickly from multiple data sources. In addition, developers can use Visual Studio to build and edit stored procedures, database diagrams, triggers, and scripts.

Open Database Connectivity (ODBC) and OLE DB. ODBC is a software interface that separates the access to data from the data sources, making it easier to access a database on a network. The ODBC database access interface lets programmers access data from a diverse set of sources, using a standard series of functions and commands. This means an application developer using ODBC can create applications that can connect to databases running on either UNIX or Windows NT Server and have their application code run in exactly the same way. This shields programmers from having to code to each specific data source's requirements, an efficiency that can significantly increase productivity. OLE DB takes ODBC a step further. Whereas ODBC is designed around accessing relational data sources using Structured Query Language (SQL), OLE DB is focused on providing access to any data, anywhere. For example, there is an ODBC provider that provides access to Windows NT Server 4.0, Novell version 3, and NDS directory services, all through OLE DB.

NetWare

Windows NT Server 4.0 includes several technologies that let it readily integrate with Novell NetWare networks. These technologies address interoperability at the network, data, and management layers. Additional connectivity technologies are offered in the Microsoft Services for NetWare Add-on Pack.

Network

NWLink. Windows NT Server includes NWLink (IPX/SPX Compatible Transport Protocol). NWLink lets you add a Windows NT Server to a NetWare 2.x/3.x and 4.x (in bindery emulation mode) network without requiring modifications to other servers or clients. NWLink lets NetWare clients access applications, such as Microsoft Exchange, SQL Server™, or other software, running on a Windows NT Server-based machine. The Microsoft implementations of the IPX/SPX and Novell NetBIOS-compatible protocols can coexist with other protocols on the same network adapter card. That means you can have several networks running independently on the same network hardware connection. NWLink supports Windows Sockets, Novell NetBIOS, and Named Pipes protocols.

Client Services for NetWare. Microsoft Windows NT Workstation 4.0 includes Client Services for NetWare (CSNW). This lets Windows NT Workstation-based clients access files and print resources on Novell NetWare 4.x servers.

File and Print Services for NetWare (FPNW). Included in the Microsoft Services for NetWare Add-on Pack, FPNW lets users log on to a machine running Windows NT Server and have their interface look the same as if they had logged on to a NetWare 3.x Server. FPNW—which runs as part of the NWLink IPX/SPX-compatible service—enables Windows NT Server to emulate a NetWare file and print server, providing file and print resources using the same dialogs as NetWare servers. The Windows NT Server file and print services can be managed with NetWare tools, eliminating the need for retraining. Plus, using FPNW does not require changes to NetWare clients. For example, a client program that uses NetWare protocols and naming conventions needs no redirection or translation.

Gateway Service for NetWare (GSNW). Included with Windows NT Server, GSNW lets Windows NT Server act as a gateway to a NetWare network, allowing you access to all the resources on a NetWare server. Windows NT Workstation-based clients can access NetWare resources using TCP/IP, the native network communication protocol for Windows NT. In addition, GSNW allows Windows NT Server-based network clients to access files on a NetWare server without requiring a NetWare client redirector on an IPX/SPX protocol stack (such as NWLink). These efficiencies reduce the administrative load for each client and improve network performance.

GSNW also supports Novell's NetWare Directory Services (NDS) navigation, authentication, printing, and login scripts. This support allows NetWare clients to take advantage of the Windows NT Server platform and still retain fully functional access to their NetWare 4.x servers via the Windows NT Server gateway. Lastly, GSNW lets a machine running Windows NT Server act as a communications server to a NetWare network, re-sharing the network connections from the NetWare server. So, for example, you can use Windows NT Server Remote Access Service to access NetWare server resources.

Management

Client Services for NetWare (CSNW). Included with Windows NT Workstation 4.0, CSNW lets you use a single login and password for Windows NT and NetWare. CSNW supports Novell's NDS authentication, including authentication to multiple NDS trees. It also provides full support for NDS property pages, NDS passwords, and processing NetWare login scripts.

Directory Service Manager for NetWare (DSMN). Included in the Microsoft Services for NetWare Add-on Pack, DSMN allows you to centrally manage NetWare binderies. Using DSMN, NetWare Servers can be added to a Windows NT Server domain, where they can be centrally managed with Windows NT Server utilities. By offering a simple, direct administration for growing networks, DSMN helps administrators manage multiple environments with a central point of administration. Administrators can manage NetWare servers and manage the user accounts on the servers as if they were native Windows NT Server user accounts. In addition, DSMN gives users a single network login to all services, including applications.

Connecting with Macintosh

Microsoft Windows NT Server Services for Macintosh is an integrated component of Windows NT Server, making it possible for computers running Windows NT Server and Apple Macintosh clients to share files and printers. Services for Macintosh File and Print Services allow Macintosh users access to Windows NT Server 4.0. Macintosh clients can print PostScript jobs to either PostScript or non-PostScript printers using the Windows NT Server print server. Server-side print spooling means faster return to the application and increased productivity for Macintosh clients.

SESSION 10: Windows 2000 - Troubleshooting

Exercise 1 : Recover a Windows 2000 server that does not start.

To run the Recovery Console on a computer that does not start:

1. Insert the Windows 2000 Server Setup Disk 1 floppy disk into your disk drive, or, if you have a bootable CD-ROM drive, you can instead insert the Windows 2000 Server CD-ROM into your CD-ROM drive.
2. Restart your computer.
3. Follow the directions that are displayed on the screen. If you are using the Setup disks, you are prompted to insert the other Setup disks into the disk drive. It may take several minutes to load files. Select the appropriate options to repair your Windows 2000 installation and to start the Recovery Console.
4. Once in the Recovery Console, type HELP, and then press ENTER to see a list of commands.

Remove the Recovery Console

As a precaution, you should not normally remove the Recovery Console. However, if you want to remove the Recovery Console, you must do so manually.

To remove the Recovery Console:

1. Restart your computer, double-click My Computer, and then double-click the hard disk on which you installed the Recovery Console. On the Tools menu, click Folder Options, and then click the View tab.
2. If needed, click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.
3. Delete the Cmdcons folder from the root folder, and then delete the Cmldr file.
4. In the root folder, right-click the Boot.ini file, and then click Properties. Click to clear the Read-only check box, and then click OK.
5. If you incorrectly modify the Boot.ini file, your computer may not start correctly. Because of this, only delete the entry for the Recovery Console from the Boot.ini file.

   Use a text editor (such as Notepad) to open the Boot.ini file, and then remove the entry for the Recovery Console. The entry should look similar to this entry:

   C:\cmdcons\bootsect.dat="Microsoft Windows 2000 Recovery Console" /cmdcons

   Save the file and close it.

Precautionary Measures

How to Install the Recovery Console as a Startup Console

It may be useful to install the Recovery Console on a computer that is functioning properly so that it is available for use after a system failure. This precautionary measure can save time should you have to use the Recovery Console.

To install the Recovery Console as a startup option:

1. While Windows is running, insert the Windows 2000 Professional CD-ROM into your CD-ROM drive.
2. When you are prompted to upgrade to Windows 2000, click No.
3. At the command prompt, switch to your CD-ROM drive, type \i386\winnt32.exe /cmdcons, and then press ENTER.
4. Follow the instructions on the screen.

To use the Windows 2000 Recovery Console, restart your computer, and then select Windows 2000 Recovery Console from the Startup menu.

Create an Emergency Repair Disk

You can also use a Windows 2000 Emergency Repair Disk (ERD) to fix problems that prevent your computer from starting. It may be useful to prepare an ERD when your computer is functioning well, so you can be prepared to use it if you need to repair system files. To start a computer that needs repair, use the Windows 2000 Setup CD-ROM or floppy disks you created from the CD-ROM and choose the Repair method to utilize the ERD. The repairs that are possible with this method are limited to basic system files, the partition boot sector, and the startup environment. The repair process does not recover the registry.

Note that the repair process relies on information that is saved in the SystemRoot\Repair folder. You must not change or delete this folder. If you also back up the registry to the Repair folder, you can save your current registry files in a folder within your SystemRoot\Repair folder. This is useful if you must recover your system in the event that your hard disk fails.

1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.
2. On the Tools menu, click Create an Emergency Repair Disk.
3. Follow the instructions that appear on your screen.

Exercise 2 : Troubleshoot the "NTLDR Is Missing" Error Message in machine.

When you start your Windows 2000-based computer, you may receive the following error message:

NTLDR is missing
Press any key to restart

This problem may occur if the basic input/output system (BIOS) on your computer is outdated, or if one or more of the following Windows boot files are missing or damaged:

Ntldr
Ntdetect.com
Boot.ini

To resolve this issue, verify that the BIOS on your computer is current, and then use one or more of the following methods, as appropriate to your situation, to repair the Windows 2000 startup environment.

Verify That the BIOS on the Computer Is Current

Make sure that the latest revision for BIOS is installed on the computer. Contact the computer manufacturer to inquire about how to obtain, and then install, the latest BIOS update that is available for the computer.

For information about how to configure and how to verify the correct BIOS settings for the computer, see the computer documentation or contact the manufacturer of the computer. For information about how to contact your computer manufacturer, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and software vendor contact information, A-K
60781 Hardware and software vendor contact information, L-P
60782 Hardware and software vendor contact information, Q-Z

For more information about how to contact BIOS manufacturers, click the following article numbers to view the articles in the Microsoft Knowledge Base:

243909 List of BIOS manufacturer Web sites Part 1
243971 List of BIOS manufacturer Web sites Part 2

To repair the Windows startup environment, use one or more of the following methods, as appropriate to your situation.

Method 1: Use a Boot Disk to Start the Computer

1. Create a Windows 2000 boot disk that contains the following files:
   Ntldr
   Ntdetect.com
   Boot.ini
   Ntbootdd.sys
   For more information about how to create a boot disk, click the following article numbers to view the articles in the Microsoft Knowledge Base:
   301680 How to create a boot disk for an NTFS or FAT partition in Windows
   101668 How to use a Windows boot disk to prevent boot failure
2. Modify the Boot.ini file to point to the correct hard disk controller and to the correct volume for your Windows installation. For more information about how to create a boot disk, click the following article number to view the article in the Microsoft Knowledge Base:
   311578 How to edit the Boot.ini file in Windows 2000
3. Insert the boot disk into the computer's floppy disk drive, and then restart the computer.
4. Copy the Ntldr file, the Ntdetect.com file, and the Boot.ini file from the boot disk to the system partition of the local hard disk.

Method 2: Use the Recovery Console

1. Use the Windows 2000 Setup disks to restart the computer, or use the Windows 2000 CD-ROM to restart the computer.
2. At the Welcome to Setup screen, press R to repair the Windows 2000 installation.
3. Press C to repair the Windows 2000 installation by using the Recovery Console.
4. Type the number that corresponds to the Windows installation that you want to repair, and then press ENTER. For example, type 1, and then press ENTER. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
   229716 Description of the Windows Recovery Console
5. Type the Administrator password, and then press ENTER.
6. Type map, and then press ENTER. Note the drive letter that is assigned to the CD-ROM drive that contains the Windows 2000 CD-ROM.
7. Type the following commands, pressing ENTER after you type each one, where drive is the drive letter that you typed in step 4 of "Method 2: Use the Recovery Console," of this article:

   copy drive:\i386\ntldr c:\
   copy drive:\i386\ntdetect.com c:\

   If you are prompted to overwrite the file, type y, and then press ENTER.

   NOTE: In these commands, there is a space between ntldr and c:\, and between ntdetect.com and c:\.
8. Type the following command, and then press ENTER:

   type c:\Boot.ini

   A list similar to the following list appears:

   [boot loader]
   timeout=30
   default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
   [operating systems]
   multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

   If you receive the following message, the Boot.ini file may be missing or damaged:

   The system cannot find the file or directory specified.

9. If the Boot.ini file is missing or damaged, create a new one. To do so, follow these steps:
   1. Use a text editor, such as Notepad or Edit.com, to create a boot loader file similar to the following boot loader file:

      [boot loader]
      timeout=30
      default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
      [operating systems]
      multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

      For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
      102873 Boot.ini and ARC path naming conventions and usage
      301680 How to create a boot disk for an NTFS or FAT partition in Windows
   2. Save the file to a floppy disk as Boot.ini.

      NOTE: If you used Notepad to create the file, make sure that the .txt extension is not appended to the Boot.ini file name.
   3. Type the following command at the Recovery Console command prompt to copy the Boot.ini file from the floppy disk to the computer:

      copy a:\Boot.ini c:\
10. Type exit, and then press ENTER. The computer restarts.

Method 3: Use the Windows 2000 CD-ROM

1. Insert the Windows 2000 CD-ROM into the computer's CD-ROM drive or DVD-ROM drive, and start Windows 2000 Setup.
2. On the Welcome to Setup page, press R.
3. On the Windows 2000 Repair Options page, press R.
4. When you are prompted to select one of the repair options, press M.
5. Press the UP ARROW, press the UP ARROW again, to select Verify Windows 2000 system files, and then press ENTER to clear the selection.
6. Press the DOWN ARROW to select Continue (perform selected tasks), and then press ENTER. The following message appears:
   You need an Emergency Repair disk for the Windows 2000 installation you want to repair.

7. Do one of the following, as appropriate to your situation:
   * If you have an Emergency Repair Disk, follow these steps:
     1. Press ENTER.
     2. Insert the Emergency Repair Disk into the computer's floppy disk drive, and then press ENTER.
     3. Follow the instructions to repair the installation, and then restart the computer.
   -or-
   * If you do not have an Emergency Repair Disk, follow these steps:
     1. Press L. You receive a message similar to the following:
        Setup has found Windows 2000 in the following folder: drive:\WINNT "Microsoft Windows 2000"
     2. Press ENTER.

Setup examines the disks, and then completes the repair process. For more information about the emergency repair feature, click the following article number to view the article in the Microsoft Knowledge Base: 231777 How to create an Emergency Repair Disk in Windows 2000

If Setup Cannot Locate Windows 2000

If you do not have a Windows 2000 Emergency Repair Disk, and if Setup cannot locate the Windows 2000 installation, follow these steps:

1. Start Windows 2000 Setup.
2. On the Setup will install Windows 2000 on partition page, select Leave the current file system intact (no changes), and then press ENTER.
3. Press ESC to install Windows 2000 to a new folder.
4. In the Select the folder in which the files should be copied box, type \tempwin, and then press ENTER.

   Setup installs a new copy of Windows 2000.
5. Log on to the new copy of Windows 2000.
6. Click Start, and then click Run.
7. In the Open box, type cmd, and then click OK.
8. At the command prompt, type drive:, where drive is the boot drive of the computer, and then press ENTER. For example, type c:, and then press ENTER.
9. Type attrib -h -r -s Boot.ini, and then press ENTER.
10. Type edit Boot.ini, and then press ENTER.

Edit.com opens a Boot.ini file that is similar to the following file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN="Microsoft Windows 2000 Professional" /fastdetect

11. Replace all instances of TEMPWIN with WINNT. The Boot.ini file that appears is similar to the following file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

12. Press ALT+F, and then press S.
13. Press ALT+F, and then press X.
14. Type attrib +h +r +s Boot.ini, and then press ENTER.
15. Type exit to quit the command prompt.
16. Restart the computer.
17. At the Please select the operating system to start screen, use the ARROW keys to select Microsoft Windows 2000, and then press ENTER.
18. Start Windows Explorer, locate the following folders, and then delete them:
    Tempwin
    All Users.Tempwin
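A consistency check for the Boot.ini edits described above (the hand-built file in Method 2 and the TEMPWIN-to-WINNT replacement), as an added example that is not part of the original manual or of Windows. The function names and sample files are constructed for illustration; matching default= against the entry paths without regard to case is an assumption.

```python
import re

# ARC path forms: multi()/scsi() with numeric arguments, or signature()
# with a hexadecimal disk signature, followed by disk/rdisk/partition.
ARC_PATH = re.compile(
    r"^(?:(?:multi|scsi)\(\d+\)|signature\([0-9a-f]+\))"
    r"disk\(\d+\)rdisk\(\d+\)partition\(\d+\)(?:\\.*)?$",
    re.IGNORECASE,
)
# Entries such as the Recovery Console use a plain drive-letter path.
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def parse_boot_ini(text):
    """Return {section name: [(key, value), ...]} with lower-cased section names."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # text before the first section header is ignored
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    sections = parse_boot_ini(text)
    problems = []
    if "boot loader" not in sections:
        problems.append("missing [boot loader] section")
    entries = sections.get("operating systems", [])
    if not entries:
        problems.append("no entries under [operating systems]")
    loader = {k.lower(): v for k, v in sections.get("boot loader", [])}
    if not loader.get("timeout", "").isdigit():
        problems.append("timeout is missing or not a number")
    default = loader.get("default")
    if default is None:
        problems.append("no default= line")
    elif default.lower() not in {path.lower() for path, _ in entries}:
        problems.append(f"default={default} has no matching [operating systems] entry")
    for path, _ in entries:
        if not (ARC_PATH.match(path) or DRIVE_PATH.match(path)):
            problems.append(f"unrecognised entry path: {path}")
    return problems


def recovery_console_entries(text):
    """Paths of entries that carry the /cmdcons switch."""
    entries = parse_boot_ini(text).get("operating systems", [])
    return [path for path, rest in entries if "/cmdcons" in rest.lower().split()]


# Constructed samples based on the listings in this section.
SAMPLE_OK = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
"""
# Only one of the two TEMPWIN occurrences was replaced.
SAMPLE_HALF_EDITED = SAMPLE_OK.replace(
    r"default=multi(0)disk(0)rdisk(0)partition(1)\WINNT",
    r"default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN")
SAMPLE_WITH_CMDCONS = SAMPLE_OK + (
    r'C:\cmdcons\bootsect.dat="Microsoft Windows 2000 Recovery Console" /cmdcons'
    "\n")

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_HALF_EDITED", "SAMPLE_WITH_CMDCONS"):
        print(name, check_boot_ini(globals()[name]))
```

Running the check on a copy of Boot.ini before restoring its hidden, read-only and system attributes catches a half-finished edit while the file is still easy to fix.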

Additional Resources

For more information about how to troubleshoot the "NTLDR is Missing" error message, click the following article numbers to view the articles in the Microsoft Knowledge Base:

255220 "NTLDR is missing" error message when you upgrade or install Windows 2000 over Windows 95, Windows 98 or Windows Millennium Edition
228004 Changing active partition can make your system unbootable
883275 You cannot start your computer after you modify the permissions in Windows Server 2003, in Windows XP, or in Windows 2000

Perform a Parallel Installation of Windows 2000

If you cannot resolve the behavior described in the "Symptoms" section of this article by using any of the methods discussed in this article or by viewing the Knowledge Base articles in the Additional Resources section of this article, perform a parallel installation of Windows 2000, and then use Windows Explorer to copy the data that you want to recover from your original Windows installation.

For more information about how to perform a parallel installation of Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

266465 How to perform a parallel installation of Windows 2000 or Windows Server 2003

Exercise 3 : What should you do when you find that the drive letter (e.g. C:/ drive, A:/ drive) changes after you restart your computer?

If your computer has one hard disk and a CD-ROM:

1. Install one of the versions of Windows that is listed earlier in this article. For information about how to install an operating system, view the documentation that is included with your operating system.
2. Start your computer normally, and then change the CD-ROM drive letter to T:
   1. Click Start, point to Settings, click Control Panel, and then double-click System.
   2. Click the Device Manager tab, and then double-click the CD-ROM branch to expand it.
   3. Click your CD-ROM, click Properties, and then click the Settings tab.
   4. Click T in the Start drive letter box, and then click T in the End drive letter box.
   5. Click OK, click Close, and then click Yes when you are prompted to restart your computer.

255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk

If you want to add a removable media drive such as a CD-ROM, DVD, or CD-RW drive and prevent drive letters from changing, read the "Notes" section of this article before you install any programs.

Computer Has Two or More Hard Disks and a CD-ROM

If your computer has two or more hard disks and a CD-ROM:

1. Before you install an operating system or any programs, set your first hard disk to use a primary partition, and set all other hard disks to use an extended partition. After you create partitions on your hard disks, format them. For additional information about how to partition and format a hard disk, click the article number below to view the article in the Microsoft Knowledge Base:
   255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk
2. Install one of the versions of Windows that is listed earlier in this article. For information about how to install an operating system, view the documentation that is included with your operating system.
   IMPORTANT: After you install your operating system, do not install any other programs. Instead, continue to the next step.
3. Start your computer normally, and then change the CD-ROM drive letter to T:
   1. Click Start, point to Settings, click Control Panel, and then double-click System.
   2. Click the Device Manager tab, and then double-click the CD-ROM branch to expand it.
   3. Click your CD-ROM, click Properties, and then click the Settings tab.
   4. Click T in the Start drive letter box, and then click T in the End drive letter box.
   5. Click OK, click Close, and then click Yes when you are prompted to restart your computer.

255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk

If you want to add a removable media drive such as a CD-ROM, DVD, or CD-RW drive and prevent drive letters from changing, read the "Notes" section of this article before you install any programs.

Exercise 4 : Back up the recovery agent Encrypting File System (EFS) private key.

To export the recovery agent’s private key from a computer that is a member of a workgroup, follow these steps:

1. Log on to the computer by using the recovery agent’s local user account.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add.
4. Under Available Standalone Snap-ins, click Certificates, and then click Add.
5. Click My user account, and then click Finish.
6. Click Close, and then click OK.
7. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
8. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.
9. Right-click the certificate that you located in step 8, point to All Tasks, and then click Export. The Certificate Export Wizard starts.

10. Click Next.
11. Click Yes, export the private key, and then click Next.
12. Click Personal Information Exchange – PKCS #12 (.PFX).

    Note: We strongly recommend that you also click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

    If you click to select the Delete the private key if the export is successful check box, the private key is removed from the computer and you will not be able to decrypt any encrypted files.
13. Click Next.
14. Specify a password, and then click Next.
15. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

    Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.
16. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Export the domain recovery agent's private key

The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. If the Administrator profile or the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost, and files cannot be recovered through that recovery agent.

To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

To export the domain recovery agent's private key, follow these steps:

1. Locate the first domain controller that was promoted in the domain.
2. Log on to the domain controller by using the built-in Administrator account.
3. Click Start, click Run, type mmc, and then click OK.
4. On the File menu, click Add/Remove Snap-in, and then click Add.
5. Under Available Standalone Snap-ins, click Certificates, and then click Add.
6. Click My user account, and then click Finish.
7. Click Close, and then click OK.
8. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
9. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.
10. Right-click the certificate that you located in step 9, point to All Tasks, and then click Export. The Certificate Export Wizard starts.
11. Click Next.
12. Click Yes, export the private key, and then click Next.
13. Click Personal Information Exchange – PKCS #12 (.PFX).

    Note: We strongly recommend that you click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

    If you click to select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only in situations when you need it to recover files. At all other times, export, and then store the recovery agent's private key offline to help maintain its security.
14. Click Next.
15. Specify a password, and then click Next.
16. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

    Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.
17. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Exercise 5 : Encrypt Files and Folders on a Remote Server Windows 2000 server.

1. Connect to the server that contains the files or folders that you want to encrypt.
2. Right-click the file or folder that you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Click to select the Encrypt contents to secure data check box, click OK, and then click OK.

   Note that if you encrypt a folder, you are prompted to confirm how you want to apply the attributes. Click either of the following options, and then click OK:
   * Apply to this folder only
   * Apply changes to this folder, subfolders and files
5. Repeat steps 2 through 4 for each file or folder that you want to encrypt.

Decrypt Files and Folders on a Remote Server

1. Connect to the server that contains the files or folders that you want to decrypt.
2. Right-click the file or folder that you want to decrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Click to clear the Encrypt contents to secure data check box, click OK, and then click OK.

   Note that if you decrypt a folder, you are prompted to confirm how you want to apply the attributes. Click either of the following options, and then click OK:
   * Apply to this folder only
   * Apply changes to this folder, subfolders and files
5. Repeat steps 2 through 4 for each file or folder that you want to decrypt.

Exercise 6 : If you cannot print to a network printer after adding Internet Connection Sharing, how will you resolve it?

You will need to designate a Windows XP computer as the host. This computer must have two network adapters, one for your internal network and one for the Internet connection. Before attempting to enable ICS, verify that the host computer has a working connection to the Internet through the network card connected to the cable modem or DSL line, or on the network connection associated with the modem. The easiest way to enable ICS is to use the Network Setup Wizard, by following these steps:

1. Click Start, point to All Programs, point to Accessories, point to Communications, and then click Network Setup Wizard.
2. Click Next until you see the Select a connection method screen.
3. Click This computer connects directly to the Internet, and complete the wizard to install ICS.

This method has several advantages in that the wizard automatically detects the connection to the Internet, configures Internet Connection Firewall (ICF), bridges multiple network adapters connected to your home network and creates a log of information about the configuration named nsw.log in the Windows folder.

Turning on ICS manually is almost as easy as using the wizard except that you need to create the bridge for multiple network cards before enabling ICS. (See an earlier column, Building Network Bridges for more information on how to use the bridging capability in Windows XP.) Then take these steps:

1. In Control Panel, click Network and Internet Connections and then click Network Connections.
2. Click the local area network (LAN) connection or the dial-up networking connection that you want to share (that is, the one that connects to the Internet), and then, under Network Tasks, click Change settings of this connection.
3. Disable Client for Microsoft Networks and File and Print Sharing for Microsoft Networks by clearing the check boxes shown in Figure 1. This step is extremely important. Never leave these items enabled for any network card that is directly connected to the Internet (see sitting duck, above).

Figure 1

4. Click the Advanced tab, and select the Allow other network users to connect through this computer's Internet connection check box.

Figure 2

5. You can enable or disable the allowing of other users to control the connection—users don't need to be able to control the connection to use it.
6. Under Internet Connection Firewall, select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box for this network card, unless you have another firewall between the computer and the Internet. This is very important.
7. Click OK, and Internet Connection Sharing will be enabled.

Troubleshooting ICS

If you have a problem with ICS, the best place to start is the Internet Connection Sharing Troubleshooter. You start the Troubleshooter with the following steps:

1. Click Start, and then click Help and Support.
2. Under Pick a Help Topic, click Fixing a problem.
3. In the left pane, click Networking problems.
4. In the right pane, click Internet Connection Sharing Troubleshooter and follow the instructions.

The Troubleshooter can address problems such as not being able to receive e-mail on an ICS client, the client or host computer fails to dial out or dials out without notifying you, you're unable to browse the Internet from a client or host computer, or your DSL or cable modem connection is slow. However, if the Troubleshooter leaves you troubled, here are some other common problems and their solutions.

ICS Not Enabled

If you're configuring ICS manually, be sure that the internal network adapter on the host computer doesn't have Internet Connection Firewall enabled. If ICF is enabled, you'll have to disable it before configuring ICS on the external adapter. Or take the easy way and run the Network Setup Wizard, which will automatically disable ICF on home networking adapters.

Check the IP address on the external adapter to verify that it is obtaining an IP address from your ISP. Similarly, check the IP address on the internal network adapter to verify that it is 192.168.0.1. If it's not, disable ICS, and then make sure the internal adapter is configured to use DHCP. Then re-enable ICS.

Internet Connection Sharing (ICS) automates the IP numbering task for the ICS clients on your network with the Dynamic Host Configuration Protocol (DHCP) service. The DHCP service enables the ICS host computer to assign IP addresses to its clients automatically. By default, when ICS is installed, the DHCP service begins supplying addresses to computers on the network.

Cannot Print to a Network Printer after Adding ICS

After you add Internet Connection Sharing (ICS), you discover that you can't print. This can happen because ICS uses a Class C subnet with an address range of 192.168.0.x. To solve the problem, give the printer an IP address to match the subnet of the client computers.

Computers on the Network Can't Connect to the Host

As part of the process of enabling ICS, the network adapter for the internal network on the host computer is set to a fixed IP address of 192.168.0.1 and a special DHCP server is enabled on that connection.

If computers on your network can't see the ICS host, it may be because they are not enabled to use DHCP. Check to see if DHCP is enabled on the client computer:

1. In Control Panel, click Network and Internet Connections, and then click Network Connections.
2. Right-click the connection icon, and then click Properties.
3. Highlight Internet Protocol (TCP/IP), and then click Properties.
4. On the General tab, if an IP address is specified, select the option Obtain an IP address automatically.

If a client computer has DHCP enabled and still can't see the host computer, try rebooting the client. Make sure that there are no other DHCP providers on the network, such as an Internet gateway device. Any such device should be on the outside segment of the network—between the host computer and the Internet, not between the host computer and the internal network.

If you use Windows XP at home or in a small business, and you have a topic you'd like to see covered in a future column, feel free to write me at: [email protected]. I'd be glad to receive ideas and suggestions.

Sharon Crawford is a former editor now engaged in writing books and magazine articles. Since 1993, she has written or co-written two dozen books on computer topics. Her books include Windows 2000 Pro: The Missing Manual, Windows 98: No Experience Required, and Windows 2000 Professional for Dummies (with Andy Rathbone).
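The addressing checks from the ICS troubleshooting notes above (internal adapter fixed at 192.168.0.1, printer address on the clients' subnet, no second DHCP provider on the internal segment) can be run over a device inventory in one pass. This Python audit is an added example, not part of the original column. The inventory is constructed sample data, the /24 prefix is the Class C mask the text refers to, and the candidate address only avoids addresses listed in the inventory.

```python
import ipaddress

# Internal adapter address that ICS assigns to the host, per the text above.
# Assumption: /24 prefix, i.e. the Class C mask the text refers to.
ICS_HOST = ipaddress.ip_interface("192.168.0.1/24")

# Constructed inventory. ip=None means the device obtains its address by DHCP.
SAMPLE_DEVICES = [
    {"name": "laptop", "ip": None},
    {"name": "printer", "ip": "10.0.0.50"},
    {"name": "desktop", "ip": "192.168.0.1"},
    {"name": "gateway", "ip": "192.168.0.2", "dhcp_server": True},
]


def audit_ics_lan(devices, host=ICS_HOST):
    """Return a list of (device name, finding code, detail) tuples."""
    net = host.network
    used = {host.ip: "ICS host"}
    findings = []
    misplaced = []

    for dev in devices:
        name = dev["name"]
        if dev.get("dhcp_server"):
            # The ICS host already runs DHCP on the internal connection.
            findings.append((name, "dhcp-conflict",
                             "second DHCP provider on the internal segment"))
        if dev.get("ip") is None:
            continue  # DHCP client: the ICS host assigns its address
        ip = ipaddress.ip_address(dev["ip"])
        if ip not in net:
            misplaced.append((name, ip))
        elif ip in (net.network_address, net.broadcast_address):
            findings.append((name, "unusable",
                             f"{ip} is the network or broadcast address of {net}"))
        elif ip in used:
            findings.append((name, "duplicate",
                             f"{ip} is already used by {used[ip]}"))
        else:
            used[ip] = name

    # Second pass, so that candidates avoid every static address seen above.
    # A candidate can still collide with a DHCP lease this inventory does not
    # list, so confirm it is free before configuring the device.
    for name, ip in misplaced:
        free = next((h for h in reversed(list(net.hosts())) if h not in used), None)
        if free is not None:
            used[free] = name
        findings.append((name, "wrong-subnet",
                         f"{ip} is outside {net}; candidate address {free}"))
    return findings


if __name__ == "__main__":
    for name, code, detail in audit_ics_lan(SAMPLE_DEVICES):
        print(f"{name:8} {code:14} {detail}")
```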

Exercise 7 : When you install a modem, how do you enable/disable call waiting on the computer?

Disable Call Waiting

If you subscribe to Call Waiting and you connect to the Internet via a dial-up account, you should temporarily disable the feature each time you go online. The audible tone that signals incoming calls can cause your modem to abruptly drop your connection. By configuring your settings properly, you can prevent this problem.

If You Use the Hubris Communications CD-ROM Software

1. Double-click the icon on your Desktop labeled “Hubris.”
2. The “Connect to Hubris Communications” window will appear. Within this window, click the button labeled “Properties.”
3. The “Location Properties” window will appear. In this box, you can enter various settings to alter the way the phone number is dialed.
   * Click the checkbox beside the line labeled “To disable call waiting, dial.”
   * In the box to the right, select the correct Call Waiting code. For most customers, *70 is the correct choice.
4. Click “OK” to save your changes. Now whenever you dial into the Internet, your modem will dial the special code to temporarily disable Call Waiting before it dials the connection number.

If You Connect Directly through Windows

Instructions for Windows 95/98 and Windows ME

1. Configure Dialing Properties to disable Call Waiting:
   1. Click the Start menu, then click “Settings,” then “Control Panel.”
   2. In the window that appears, double-click the icon labeled “Modems.”
   3. In the window that appears, click the button near the bottom labeled “Dialing Properties.”
   4. In the box labeled “Area Code,” be sure to enter your actual area code.
   5. Click the checkbox beside the option labeled “To disable call waiting, dial.” Then select the correct code in the drop down list that appears to the right.
   6. Click “OK,” then click “OK” again to save your settings.
   7. Close all windows to return to the Desktop.
2. Enable the Dialing Properties Feature in the Connectoid:
   1. Double-click the My Computer icon on the Desktop.
   2. In the window that appears, double-click the Dial-Up Networking icon.
   3. In the window that appears, locate the icon for your Internet connection. Right-click this icon, then select “Properties” from the menu that appears.
   4. In the window that appears, enable the option labeled “Use area code and Dialing Properties.” Please note that this does not necessarily mean that you are telling your computer to dial the number as a long-distance call!
   5. In the box labeled “Area Code,” be sure to enter the area code for the dial-up access number you are using to connect to the Internet. In almost all cases, this is the same area code as your own phone number.
   6. Click “OK” to save your changes.
3. Now, whenever you connect to the Internet, Windows will first dial the code to disable Call Waiting before dialing the Internet access number.

Instructions for Windows 2000 and Windows XP

1. Configure Dialing Rules to disable Call Waiting:
   1. Click the Start menu, then click “Settings,” then “Control Panel.” (In Windows XP, “Control Panel” is listed directly on the Start menu.)
   2. In the window that appears, double-click the icon labeled “Phone and Modem Options.”
   3. In the window that appears, click the button near the bottom labeled “Edit.”
   4. In the box labeled “Area Code,” be sure to enter your actual area code.
   5. Click the checkbox beside the option labeled “To disable call waiting, dial.” Then select the correct code in the drop down list that appears to the right.
   6. Click “OK,” then click “OK” again to save your settings.
   7. Close all windows to return to the Desktop.
2. Enable the Dialing Properties Feature in the Connectoid:
   1. Click the Start menu, then click “Settings,” then “Control Panel.” (In Windows XP, “Control Panel” is listed directly on the Start menu.)
   2. Double-click the icon labeled “Network and Dial-up Connections.” (In Windows XP, it’s called “Network Connections.”)
   3. In the window that appears, locate the icon for your Internet connection. Right-click this icon, then select “Properties.”
   4. In the window that appears, enable the option labeled “Use dialing rules.” Please note that this does not necessarily mean that you are telling your computer to dial the number as a long-distance call!
   5. In the box labeled “Area Code,” be sure to enter the area code for the dial-up access number you are using to connect to the Internet. In almost all cases, this is the same area code as your own phone number.
   6. Click “OK” to save your changes.
3. Now, whenever you connect to the Internet, Windows will first dial the code to disable Call Waiting before dialing the Internet access number.

Exercise 8 : If you are having trouble getting a dial-up connection and you want to change the modem speed or check the modem's response, how will you do it? If you have a noisy channel and you are not able to connect, write down the series of steps you will follow to detect and correct it.

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To change the maximum modem port speed

1. Open Phone and Modem Options in Control Panel.
2. On the Modems tab, click the modem that you want to configure, then click Properties.
3. On the Modem tab, in the Maximum Port Speed list, click the speed for the modem.

Information about functional differences

* Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

Exercise 9 : When you use a dial-up remote access service (RAS) connection to browse the Internet or to a private network, your computer may hang and return a stop error: "Stop 0x0000000A". Resolve this problem.

Use the Windows Error Reporting tool

You can use the Windows Error Reporting tool to send information about the error to us and to obtain information about any available fix or workaround. Follow these steps to use the Windows Error Reporting Tool:

1. When the Windows Error Reporting window pops up on your computer, click Send Error Report to send the error report to us.
2. In the confirmation window that appears after you send the error report to us, click More Information. This helps you find any available fixes for the problem or information about how to work around the issue.
3. If a fix or a workaround is not available, you can use the "Advanced Troubleshooting" section to try to resolve this issue. If you are not comfortable with advanced troubleshooting, you might want to contact Support. For information about how to contact Support, visit the following Microsoft Web site:

Advanced troubleshooting

Use the following methods in the order in which they are presented.

Method 1: Make sure that you have sufficient hard disk space

First, make sure that you have sufficient hard disk space. The Stop error can be caused by insufficient hard disk space.

If you can use safe mode or the Recovery Console to start the computer, delete any unnecessary temporary files, Internet cache files, program backup files, and files that contain saved file fragments from disk scans (.chk files). You can also install Windows XP on another hard disk that has more free space.

If you cannot start the computer, go to the next method to update the computer BIOS.

For more information about safe mode or the Recovery Console, click the following article numbers to view the articles in the Microsoft Knowledge Base:

315222 A description of the Safe Boot Mode options in Windows XP
314058 Description of the Windows XP Recovery Console

Method 2: Update the computer BIOS

If freeing space on your hard disk did not resolve the problem, the BIOS might have to be updated. Use the hardware and software vendor contact information articles that are listed in the "References" section to contact the computer manufacturer to obtain the most recent BIOS update.

Method 3: Disable or update device drivers

If you have updated the BIOS successfully and the problem persists, the video adapter drivers on the computer might have to be updated or disabled. Follow these steps to troubleshoot the video adapter drivers:

1. If a driver is listed by name in the Stop error message, disable or remove that driver.
   * If the error occurs during the startup sequence and the system partition uses the NTFS file system, you might be able to use safe mode to rename or to delete the faulty driver.
   * If the driver is used as part of the system startup process in safe mode, you must use the Recovery Console to start the computer.
2. If the Stop error message does not indicate a specific driver, update the video adapter drivers to the latest versions.
3. Disable or remove any drivers or services that you recently added.
4. Check the Microsoft Hardware Compatibility List (HCL) to determine whether the PCI devices in the computer are compatible with Windows XP. For information about the HCL, visit the following Microsoft Web site:

Method 4: Remove unsigned drivers

If you have updated the video adapter drivers and the problem persists, or if you cannot start Windows in safe mode, the problem might be caused by a different, unsigned driver. Remove all drivers that are not digitally signed by Microsoft. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

316434 How to perform advanced clean-boot troubleshooting in Windows XP

Method 5: Remove all third-party drivers

You might be unable to determine which third-party driver causes the error. If removing unsigned drivers does not resolve the issue, try moving all third-party driver files from the %Windir%\System32\Drivers folder to a different location. Follow these steps to move the third-party driver files:

1. Use the Recovery Console to start the computer, or start the computer from a different installation of Windows if you have performed a parallel Windows installation.
2. Create a temporary folder to hold the driver files. For example, you could create c:\DriverTemp.
3. Move all files that do not have a creation date for Windows XP of 8/13/2001 from the %Windir%\System32\Drivers folder into the temporary folder that you created in step 2.

   Caution: If the computer relies on third-party IDE or SCSI controller drivers for correct operation, you must identify those driver files and then leave them in the %Windir%\System32\Drivers folder.
4. Restart the computer.
5. Continue the Windows Setup program. You can add the driver files back to the computer one at a time to identify the faulty driver.

Method 6: Remove third-party remote control services

If you still have the problem after you use the previous methods and the Stop error message contains the Win32k.sys file name instead of a driver file name, the problem might be caused by a third-party remote control program. To remove the service, use the Recovery Console to start the computer and then delete the third-party remote control service file.

Exercise 10 : When you attempt to view a web page and receive an error message "Not accepting cookies", how will you resolve it?

Method 1

Enable the option to accept cookies in Internet Explorer. To do so, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu (or View menu in Internet Explorer version 4.x).
2. In Internet Explorer 5, click the Security tab, and then click Custom Level. Click Enable or Prompt under Allow cookies that are stored on your computer.

   In Internet Explorer 4.x, click the Advanced tab, and then click Prompt Before Accepting Cookies or Always Accept Cookies.
3. Click OK until you return to Internet Explorer.
4. Connect to the Web address from which you received the "Not accepting cookies" error message to verify that you are able to gain access to the Web page.

If you select the Prompt Before Accepting Cookies option and you still cannot access the Web page, follow the steps in method 1 again and select the Always Accept Cookies option (the Enable option in Internet Explorer 5).

Method 2

Rename the cookie file in the Windows\Cookies folder for the Web page from which you received the "Not accepting cookies" error message. To rename the cookie file, follow these steps:

1. Double-click My Computer, double-click the drive on which the Windows folder is located, double-click the Windows folder, and then double-click the Cookies folder.
2. In the Cookies folder, rename the "User name@Web site.txt" file, where user name is the name you used to log on to Windows, and Web site is the name of the Web site you tried to access. For example: [email protected]
   Using this example, you could rename the [email protected] file to [email protected]. For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the Renaming files topic.
3. Connect to the Web page from which you received the "Not accepting cookies" error message to verify that you are able to access the Web page.

Method 3

Change the cookies option to try to update the registry correctly. To do so, use the appropriate steps.

Internet Explorer 5

In Internet Explorer, click Internet Options on the Tools menu, click the Security tab, choose a lower security level for the Internet zone, and then click OK.

Internet Explorer 4.x

1. In Internet Explorer, click Internet Options on the View menu.
2. Click the Advanced tab, and then click a cookies option other than the currently selected option.
3. Click OK.
4. In Internet Explorer, click Internet Options on the View menu.
5. Click the Advanced tab, and then click the cookies option you want to use.
6. Click OK.
7. Connect to the Web page from which you received the "Not accepting cookies" error message to verify that you are able to access the Web address.

Method 4

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Internet Explorer 5

1. Use Registry Editor to change the "1A02" value under the appropriate key in:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

   Values:
   1 = Local intranet
   2 = Trusted sites
   3 = Internet
   4 = Restricted sites
2. Connect to the Web page from which you received the "Not accepting cookies" error message to verify that you are able to access the Web address.

Internet Explorer 4.x

1. Use Registry Editor to change the "AllowCookies" value in the following registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
   Use one of the following values for the "AllowCookies" value:

   Meaning                            Value
   ---------------------------------------
   Prompt before accepting cookies    0
   Always accept cookies              1
   Disable all cookie use             2
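The registry backup that Method 4 calls for can also be read back to confirm which cookie setting each zone holds before and after the change. The following Python sketch is an added example, not part of the original lab manual: it parses the text of a registry export (.reg) and reports the "1A02" value per zone and the "AllowCookies" value. The meanings used for "1A02" (0 = Enable, 1 = Prompt, 3 = Disable), the names audit_cookie_policy, KEY and SAMPLE, and the sample export itself are assumptions of the example.

```python
import re

# Zone numbers as listed on the page.
ZONES = {"1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
# Assumption (not from the page): standard URL-action policy codes for 1A02.
ACTION_1A02 = {0: "Enable", 1: "Prompt", 3: "Disable"}
# AllowCookies meanings from the page's Internet Explorer 4.x table.
ALLOW_COOKIES = {0: "Prompt before accepting cookies",
                 1: "Always accept cookies", 2: "Disable all cookie use"}
# Real exports spell the key "Internet Settings"; the space is optional here.
SECTION = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet ?Settings(?:\\Zones\\(\d+))?\]$", re.IGNORECASE)
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def audit_cookie_policy(reg_text):
    """Return ({zone name: 1A02 setting}, AllowCookies setting or None)."""
    zones, allow, in_settings, zone = {}, None, False, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key: remember whether it is relevant
            m = SECTION.match(line)
            in_settings, zone = bool(m), (m.group(1) if m else None)
            continue
        m = DWORD.match(line)
        if not (in_settings and m):
            continue
        name, value = m.group(1).upper(), int(m.group(2), 16)
        if zone in ZONES and name == "1A02":
            zones[ZONES[zone]] = ACTION_1A02.get(value, f"unknown ({value})")
        elif zone is None and name == "ALLOWCOOKIES":
            allow = ALLOW_COOKIES.get(value, f"unknown ({value})")
    return zones, allow

# Constructed sample export (not taken from a real machine).
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{KEY}]", '"AllowCookies"=dword:00000002', "",
    f"[{KEY}\\Zones\\2]", '"1A02"=dword:00000000', "",
    f"[{KEY}\\Zones\\3]", '"1A02"=dword:00000003', '"1A03"=dword:00000000', "",
    f"[{KEY}\\Zones\\4]", '"1A02"=dword:00000001', ""])

if __name__ == "__main__":
    zones, allow = audit_cookie_policy(SAMPLE)
    for zone_name, setting in zones.items():
        print(f"{zone_name}: {setting}")
    print("AllowCookies:", allow)
```

Run it against the export taken before the edit and again afterwards; a zone that still reports Disable explains a persisting "Not accepting cookies" error, and an "unknown" result points to a mistyped value.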
