Computer Performance, Windows 2003, Logon Scripts


Windows 2000 Server

Windows 2000

Windows 2000 Server was greeted with excitement and bewilderment.  Most organisations cannot wait to install Windows 2000 Server, but shy away from implementing Active Directory.  Windows XP Server, previously called .NET, is now called Windows 2003 Server.  It has all the features of 2000, the front end of XP Professional and lots of new server bits.

Windows 2000 is a huge product and XP is even bigger, so this document concentrates on new features that were not present in NT 4.0.

How to unlock the benefits of Windows 2000 Server  

Know what's available - run through the features below.  Discover how to make the services work.  Be aware of the pitfalls.

Active Directory - Introduction

Firstly let us ask, 'where has Active Directory come from?'  In a nutshell, AD replaces NT 4.0's SAM.  Novell have had NDS and Unix has directory services; now with Windows 2000 and XP Microsoft have a proper directory system. NT 4.0's SAM database has been replaced by %SystemRoot%\ntds\NTDS.DIT.

Active Directory is more than just a Yellow Pages of user names, phone numbers and e-mail addresses; through LDAP it provides the mechanism to search for any of the stored attributes.

Large organisations need to plan for Trees and Forests as well as Domains.  However, organisations based in one country with common security needs should only deploy one domain.  Let's hope small organisations learn from the expensive mistakes of having too many domains in NT 4.0.  Having said that, if you need Trees and Forests, the trusts are now two-way and transitive.

DNS or DDNS

Whereas DNS was an optional extra in NT 4.0, in Windows 2000 it has become a pre-requisite for installing Active Directory.  So, before you run DCPROMO to install Active Directory, check that you understand DNS in general and SRV records in particular.  

DNS has become Dynamic DNS and is integrated with DHCP.  Check the two ways that clients can dynamically update their host records.

 

 

 

 


Active Directory - Extra features

Delegation through OU's (Organisational Units)

High on administrators' wish list has been the desire to delegate some admin rights.  The idea is to give key people administrative rights for their own departments, but not for the company at large.  You can delegate so that a branch office manager or power user can reset passwords for that office, but not for headquarters.  Delegation is granular: you can nest OUs and give users as much or as little power as you wish.

Group Policies

System policies in NT 4.0 have had a major overhaul to become Group Policies in Windows 2000.  XP Server will extend the policies so you can control all aspects of security, control panel, RAS and auditing.  As well as being Mr. Nasty and locking down the desktops, you can be Mr. Nice and use Group Policies to assign software to users or machines.

Active Directory Sites

Those familiar with MS Exchange will recognise the principle of using Sites to connect LANs across slow links.  Now each site has its own connectors to join other sites, and you can adjust the frequency of updates from 15 minutes to several hours.  As you would expect, Windows 2000 makes it easy to move servers and computers between sites.

Mixed and Native Mode

If you are running NT 4.0 domain controllers then backwards compatibility dictates that you run Active Directory in mixed mode.  Native mode allows extra capabilities, for example using Active Directory to update DNS, Universal groups, and the ability to control RAS connections through Policies.  Challenge: set a date when your domain will go native.


Disk - Lots of New Features

Disk Quotas

High on network administrators' wish list is the ability to control how much disk space users consume on the server.  With disk quotas you can control, on a partition-by-partition basis, how much disk space users are allowed.

EFS (Encrypted File System)

There have been several high-profile cases of sensitive data being lost or stolen from laptops.  EFS would have made it much more difficult for anyone other than the owner to read the files on these lost laptops.

Upgrade basic disk to Dynamic Disk

When newly installed, the disks are 'basic'.  As soon as possible you should upgrade to 'dynamic disk' and take advantage of the new capabilities: spanned volumes, new RAID partitions, and a way out of the NT 4.0 limitation of 4 primary partitions.

DFS (Distributed File System)

NT 4.0 trailed DFS.  The idea is to simplify the Network Neighbourhood for your users by creating a directory tree of network shares.  Windows 2000 has added the ability to create replica shares for fault tolerance and load balancing.  The file replication service has been completely redesigned, so now it works properly.

Mount Points

A neat idea to extend partitions without the pain of recreating the partition.  Take a situation with a folder called 'data'; you need to create more files but the disk is full.  With mount points you can rename the original folder 'data old', then create an empty folder, and use unpartitioned space to create a new 'data' folder.  Finally move the file folders from 'data old' into 'data' and use the extra disk space.

Defrag

Windows 2000 has a chopped-down version of Diskeeper.  Where is the defrag in NT 4.0?  Trick question: there wasn't one!



 

Consoles

MMC (Microsoft Management Console)  

Do take the time to add snap-ins to the MMC and run all the tools like DNS, DHCP and Event Viewer through the one interface.  This has to be the way of the future, so use the MMC from the first day you use Windows 2000 or XP.  Another example of a snap-in is Active Directory Users and Computers, which is a replacement for both User Manager and Server Manager.

Recovery Console

CMDCONS will help you troubleshoot boot-up problems; install it with winnt32 /cmdcons.  Windows 2000 and XP also have a safe mode.  Just like Windows 9x, you press F8 on start up and choose your safe mode from the menu.

Groups and Permissions.

Global Groups are as in NT 4.0, but Local Groups have become Domain Local Groups.  In native mode a new powerful group called Universal Group enables one user to manage a whole forest of domains.  Watch out for Active Directory tasks that need you to be a member of the Universal group; for other tasks an ordinary Domain Administrator is sufficient.

Permissions have changed slightly. No Access has been replaced by explicit deny.  This gives greater flexibility in assigning permissions.  For instance, users are given Read permission but are explicitly denied Write permission.  This means that if they are a member of another group that is allowed write, they can still read the document.
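The deny-versus-allow behaviour described above, worked through as an added example (not part of the original page). It is a simplified model of DACL evaluation, not Windows code; the right bits, group names and user names are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2            # constructed right bits for this model
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # user or group the entry applies to
    mask: int      # rights covered by the entry

def canonical(dacl):
    """Order entries so that explicit deny ACEs come before allow ACEs."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")

def access_check(token, dacl, desired):
    """True only if every desired right is allowed and none is denied first."""
    granted = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue                              # ACE is for someone else
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False                          # a requested right is denied
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & desired == desired:
                return True                       # everything asked for is granted
    return False                                  # never granted = implicitly denied

# Constructed sample: alice belongs to Staff and Editors.
ALICE = {"alice", "Staff", "Editors"}

# Windows 2000 style: Staff may read, Staff is denied Write only.
W2K_DACL = [Ace("allow", "Editors", FULL),
            Ace("allow", "Staff", READ),
            Ace("deny", "Staff", WRITE)]

# NT 4.0 style "No Access": every right is denied to Staff.
NT4_DACL = [Ace("allow", "Editors", FULL),
            Ace("deny", "Staff", FULL)]

if __name__ == "__main__":
    for name, dacl in (("W2K deny Write", W2K_DACL), ("NT4 No Access", NT4_DACL)):
        print(name, "read:", access_check(ALICE, dacl, READ),
              "write:", access_check(ALICE, dacl, WRITE))
```

With the Write-only deny, alice keeps Read but loses the Write that Editors would otherwise give her; with the NT 4.0 style No Access entry she loses both.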


Networking

RAS has become Routing and Remote Access (RRAS).  A sign of how seriously Microsoft takes RRAS is that it is installed by default whereas in NT 4.0 you had to add it as a service.  

People wonder why RRAS is disabled by default.  The reason is that if it was enabled, any hacker could dial in as soon as you installed and plugged in the phone.  When you are ready, run the RRAS wizard and select from a comprehensive range of options including VPN and RADIUS as well as the basic dial-in, dial-out services.

NT 4.0 administrators will find differences in how protocols and network services are installed.  The look and feel is more Windows 98 than NT, and there is a neat feature to display an icon in the systray when the network is running.

IPSec and L2TP (Layer Two Transport Protocol) are new protocols showing how seriously Microsoft takes security.  IPSec provides encryption while L2TP is a replacement for PPTP (Point to Point Tunneling Protocol).


Technical details of 64-Bit operating system

Windows XP 64-Bit Edition supports up to 16 GB of RAM and 16 terabytes of virtual memory, enabling applications to run faster when working with large data sets. Applications can preload substantially more data into virtual memory, allowing rapid access by the Intel Itanium processor. This reduces the time for loading data into virtual memory or seeking, reading, and writing to data storage devices, thus making applications run faster and more efficiently. 


Security

IPSec, L2TP and EFS are not the only security features.  Kerberos (named after the three-headed guard dog of Greek mythology) is a brand new authentication method.  Many administrators were dismayed at the ease with which L0phtcrack discovered NT 4.0 SAM passwords.  A tribute to Kerberos is that L0phtcrack will not crack Kerberos passwords; moreover, at the time of writing there is no son of L0phtcrack or L0phtcrack for Windows 2000.

Microsoft provides Security Policy Templates.  These vividly demonstrate Microsoft's stance on security.  As usual, 'out of the box' Microsoft's security is lightweight, even poor.  However, if you apply the 'hisec' settings then the system becomes incredibly secure.  In fact it is so secure that unless you are MI5 or the CIA you will backtrack to something less restrictive.

I predict that within five years passwords will become obsolete.  If I am correct, Windows XP will be waiting with support for smart cards, fingerprint logon or retina scanning.

Two factors that improve reliability: driver signing and System Restore.

If you only install device drivers that are created for Windows XP and are digitally signed, you will experience fewer crashes and lockups than NT 4.0. Another great feature is System Restore, which allows you to roll back your operating system to a previous state when it was working perfectly.

 


Remote Installation Service (RIS)

Take the time to master RIS.  Remote Installation Services will not only install Windows 2000 Professional, but also Office and other applications. The advantage of RIS over Ghost is that if a user breaks a configuration, the built-in intellisense will detect the missing files and automatically repair them from the installation folder on the server.

RIS needs Active Directory, DHCP and pre-execution boot (PXE) network cards.  Ask for 'Pixie' cards when you order your Professional machines.

It is a real challenge to set up the RIS server, but all your work pays back when you just turn on a new machine and Windows 2000 is installed automatically.  RIS typifies the idea that you will need fewer people to roll out Windows 2000 and XP, but that those fewer people will be more highly skilled.


Assorted new features

Ideas from Windows 98

  • Power Management
  • Task Scheduler
  • Device Manager

Improved NT Services

  • Printing - Network Printing
  • DHCP - Scope Class Options
  • IPCONFIG /switches
  • Services - Check options to restart on failure
  • Network Monitor - Improved settings of counters
  • Terminal Services - Now all included
  • Cluster Services

Why not look up these features in help?


Built-in Help - I urge you to give help a chance

I predict that you have been conditioned to ignore Microsoft's help.  NT 4.0's help was poor, Windows 95's inadequate, Windows 3.11's useless.  Well, Windows 2000's is brilliant.  I urge you to try these for yourself:

  • New features
  • New ways to do familiar tasks
  • 21 built in trouble-shooters when you get a problem
  • Check out any of the assorted new features
