DF9N34-Part1 Coleg Notes


DF9N 34 Network Server Operating System Part 1 of 2

JULY 2005 SQA

Network Operating System Part 1

DF9N 34

Acknowledgements
Microsoft and Windows are registered trademarks of the Microsoft Corporation. Screenshots are reproduced by permission of Microsoft Corporation.

Scottish Qualifications Authority. Material developed by GCNS. This publication is licensed by SQA to COLEG for use by Scotland's colleges as commissioned materials under the terms and conditions of COLEG's Intellectual Property Rights document, September 2004. No part of this publication may be reproduced without the prior written consent of COLEG and SQA.

SQA Version1

Developed by COLEG


Contents

Acknowledgements 2
Introduction to the unit 5
What this unit is about 5
Outcomes 5
Unit structure 5
How to use these learning materials 6
Symbols used in this unit 6
Other resources required 8
Assessment information 9
How you will be assessed 9
When and where you will be assessed 9
What you have to achieve 9
Opportunities for reassessment 9
Section 1: Manage and maintain physical and logical devices 11
Introduction to this section 13
Assessment information for this section 14
Managing hard disk subsystems 15
Monitoring and configuring disks 17
System tools 22
Implementing, managing and troubleshooting disk devices 29
Monitoring, configuring and troubleshooting volumes 33
Monitoring and configuring removable media 34
Monitoring server hardware 36
Optimising server disk performance 45
File systems supported by Windows 2003 Server 45
Basic and dynamic disks and the Disk Management console 48
Managing disks and volumes 48
Summary of this section 53
Section 2: Manage users, computers and groups 55
Introduction to this section 57
Assessment information for this section 58
Managing user profiles 59
Creating and managing user and computer accounts 67
Troubleshoot user and computer accounts 81
Creating and managing groups 90
Managing groups and computers 98
Planning and troubleshooting user authentication 106
Common user administration tasks 114
Summary of this section 119
Answers to SAQs 120
Useful websites 122
Glossary 123


Introduction to the unit


What this unit is about
This unit is designed to introduce the issues involved in managing and maintaining a network server operating system. It is intended for candidates undertaking an HNC or HND in Computing, Computer Networking or a related area, who require a broad knowledge of network servers, including the main theories, concepts and principles in this area. Please note: This book contains only the first two study sections. To complete the unit you will also need the companion volume entitled: DF9N 34 Network Server Operating System: Part 2 of 2, which contains sections 3, 4 and 5.

Outcomes
Outcome 1: Manage and maintain physical and logical devices.
Outcome 2: Manage users, computers and groups.
Outcome 3: Manage and maintain access to resources.
Outcome 4: Manage and maintain a server environment.
Outcome 5: Manage and implement disaster recovery.

Unit structure
This unit contains five study sections. You will need two books to cover the whole unit. Study sections 1 and 2 are contained in this book. Study sections 3, 4 and 5 are contained in the companion volume for this unit entitled: DF9N 34 Network Server Operating System: Part 2 of 2.

Section number and title / Approximate study time
1 Manage and maintain physical and logical devices: 12 hours
2 Manage users, computers and groups: 12 hours
3 Manage and maintain access to resources: 12 hours
4 Manage and maintain a server environment: 12 hours
5 Manage and implement disaster recovery: 12 hours


How to use these learning materials


These learning materials are designed for you to work through at your own pace, but the closed-book test(s) will have to be administered to the whole class group at the same time.

Symbols used in this unit

These learning materials allow you to work on your own with tutor support. As you work through the course, you will encounter a series of symbols which indicate that something follows that you are expected to do. You will notice that as you work through the study sections you will be asked to undertake a series of self assessed questions, activities and tutor assignments. An explanation of the symbols used to identify these is given below.

Self assessed question

?
This symbol is used to indicate a self assessed question (SAQ). Most commonly, SAQs are used to check your understanding of the material that has already been covered in the sections. This type of assessment is self contained; everything is provided within the section to enable you to check your understanding of the materials. The process is simple:
- you are set SAQs throughout the study section
- you respond to these by writing either in the space provided in the assessment itself or in your notebook
- on completion of the SAQ, you turn to the back of the section to compare the model SAQ answers to your own
- if you are not satisfied after checking your responses, turn to the appropriate part of the study section and go over the topic again.

Remember the answers to SAQs are contained within the study materials. You are not expected to guess at these answers.

Activity

A
This symbol indicates an activity, which is normally a task you will be asked to do that should improve or consolidate your understanding of the subject in general or a particular feature of it. The suggested responses to activities follow directly after each activity.


Remember that the SAQs and activities contained within your package are intended to allow you to check your understanding and monitor your own progress throughout the course. It goes without saying that the answers to these should only be checked after the SAQ or activity has been completed. If you refer to these answers before completing the activities, you cannot expect to get maximum benefit from your course.

Tutor assignment (formative assessment)

T
This symbol means that a tutor assignment is to follow. These will be found at the end of each study section. The aim of the tutor assignment is to cover and/or incorporate the main topics of the section and prepare you for unit (summative) outcome assessment.


Other resources required

You will need the following resources:
- a computer capable of running Windows 2003 Enterprise and Windows XP Professional
- a copy of Windows 2003 Enterprise and a copy of Windows XP Professional, and the matching product keys
- an Internet connection.

To complete this unit you will need the book entitled: DF9N 34 Network Server Operating System: Part 2 of 2, which contains study sections 3, 4 and 5.


Assessment information
How you will be assessed
You will have a closed-book assessment of 40 restricted response questions. These will cover the knowledge and skills for the whole unit. This will be similar to the Microsoft examination on 70-290. You might find it helpful to search the Internet for free practice exam questions and cram-sheets for this exam as they are useful preparation. A list of resources I have found useful is given at the end of the unit. This can be a single test at the end of the unit, or can be split into several subtests, each covering one or more outcomes. You are also required to keep a logbook of practical tasks for each outcome. This logbook must be authenticated by your tutor.

When and where you will be assessed


When you are confident that you have worked through all of the SAQs and activities in the various sections, and have submitted all tutor assignments to your tutor, you will undertake unit (summative) assessment. These unit assessments will be set by your tutor. Your tutor will help you to decide whether or not you are ready to undertake unit (summative) assessment, and will make the necessary arrangements for you.

What you have to achieve


In the closed-book test you must answer at least 70% correctly to achieve a pass. If you are taking subtests, each of these must be answered 70% correctly to achieve a pass.

Opportunities for reassessment


Normally, you will be given one attempt to pass an assessment with one reassessment opportunity. Your centre will also have a policy covering 'exceptional' circumstances, for example if you have been ill for an extended period of time. Each case will be considered on an individual basis and is at your centre's discretion (usually via written application), and they will decide whether or not to allow a third attempt. Please contact your tutor for details regarding how to apply.


Section 1: Manage and maintain physical and logical devices


Introduction to this section

What this section is about
In this section you'll learn how to manage and maintain physical and logical devices.

Outcomes, aims and objectives
- Manage hard disk subsystems.
- Monitor server hardware.
- Optimise server disk performance.
- Install and configure server hardware devices.

Approximate study time
12 hours.

Other resources required
Windows 2003 Enterprise edition and a valid licence key. An Internet connection and an additional hard drive. If you are attempting Activity 1.3, you need a computer with two hard drives (so that you can implement RAID).


Assessment information for this section

How you will be assessed
You will be assessed through a closed-book test and a logbook. You must provide evidence of the knowledge and skills for the entire unit by answering a set of 40 restricted-response questions. These may be administered as a single test at the end of the unit or as several subtests, each covering one or more outcomes.

When and where you will be assessed
You will sit the closed-book test after you have completed the outcome(s) it covers. Record the activities in your logbook as you complete them. You must do at least two of them.

What you have to achieve
You have to complete the activities and achieve at least 70% in the closed-book test, or 70% in each of the subtests individually.

Opportunities for reassessment
If needed, your tutor will give you the opportunity for one reassessment.


Managing hard disk subsystems


When you are managing your hard disk subsystems, you have to decide what file system you are going to use for them. How are you going to partition the disks? Are you going to format them, in which case all current data is lost, or, in the case of going from FAT/FAT32 to NTFS, are you going to convert your disks so you can keep your existing data? What happens when you have a disk failure? What happens when you introduce disks from elsewhere, possibly another part of your company? How does Windows 2003 deal with them?

Remember, before you make any changes you should always back up your system so, if the worst comes to the worst, you can restore it to the way it was. You should also have a regular backup schedule in case of any unforeseen circumstances. If you are making any major hardware or software changes to your system, you should allow enough time to restore the previous system before your users log on, and allow time to have it thoroughly tested by your users before it is signed off as a change to your production systems. Otherwise you could end up with some angry users who cannot access the system, or, if the changes have not been thoroughly tested, you might have to bring it down during working hours to fix it, which could result in substantial lost revenue.

Windows operating systems classify devices by hardware type. Hardware types include such things as video adapter cards, keyboards, CD-ROM drives, ports, and printers. When you use Device Manager or the Add Hardware Wizard, you will see a list of the hardware types that are installed on your computer. To access the Device Manager from Start, go to Control Panel (or Settings, Control Panel) and when you reach the Control Panel, as shown in Figure 1, double-click System; this will bring up the System Properties dialogue box. Here, select Hardware from the menu tabs, then click on Device Manager. This will display a list of hardware devices grouped by type.
Note: You need administrator rights, otherwise you will be unable to access this.


Figure 1: Control Panel

Clicking on a device grouping will display the devices currently installed on your system. For example, as shown in Figure 2, expanding the Modems group shows the modem currently installed on this computer.

Figure 2: Device Manager


Devices can also be grouped by the way they are connected to your computer. Most devices are permanently connected to your computer and are typically installed only once. They are available every time you turn on your computer unless you disable or uninstall them. Sound cards, video display cards, modems and hard disks are examples of this type of device. Other devices are designed to be connected and disconnected from your computer as you need them. You can plug or insert this type of device into the appropriate port or expansion slot and the operating system will recognise the device and configure it without restarting your computer. Likewise, when you disconnect this type of device, you only need to inform the operating system that you are ejecting, removing or unplugging it. You do not need to shut down or restart your computer. Examples of this type of device include:
- PC Cards that connect to portable computers
- hardware that connects to a universal serial bus (USB) or an IEEE 1394 bus.

Monitoring and configuring disks


Initialising and partitioning, and disk properties

To monitor and configure disks:
1 In Control Panel, select Administrative Tools, then Computer Management. The screen shown in Figure 3 is displayed.

Figure 3: Computer Management

2 Click Disk Management (for which you need administrator rights).
3 Right-click an unallocated region of a basic disk, and then click New Partition, or right-click free space in an extended partition, and then click New Logical Drive. This starts the New Partition Wizard.
4 Click Next and click Primary partition, Extended partition, or Logical drive, depending on what you want. Then follow the instructions on the screen.
5 To change the drive letter or path, click the drive you wish to change, then select the option to Change Drive Letters and Paths. The screen shown in Figure 4 is displayed. You can alter it as you wish.

Figure 4: Changing drive letter or path

There is also the option from the pull-down menu to format the disk.

If you want to convert the disk from basic to dynamic, right-click the basic disk you want to convert, click Convert to Dynamic Disk and then follow the instructions on the screen. If the disk has already been converted you will not see this option. It is also not available on a portable computer, on removable disks, on detachable disks that use USB or IEEE 1394 (also called FireWire) interfaces, or on disks connected to shared SCSI (small computer systems interface) buses. In addition, you cannot convert cluster disks connected to shared SCSI or fibre channel buses to dynamic; the Cluster service supports basic disks only.

After you convert a basic disk to a dynamic disk, you cannot change the dynamic volumes back to partitions. Instead, you must delete all dynamic volumes on the disk and then use the Convert To Basic Disk command. If you want to keep your data, you must first back it up or move it to another volume. Before you convert disks, close any programs that are running on those disks.

For your conversion to succeed, any master boot record (MBR) disks to be converted must contain at least 1 MB of space for the dynamic disk database. Windows 2000 and Windows XP Professional automatically reserve this space when creating partitions or volumes on a disk, but be aware that disks with partitions or volumes created by other operating systems may not have this space available. (This space may exist even if it is not visible in Disk Management.) Once converted, a dynamic disk can only be accessed with the Windows 2000, Windows XP and Windows 2003 operating systems. After you convert a basic disk to a dynamic disk, any existing partitions or logical drives on the basic disk become simple volumes on the dynamic disk.

If you are adding new disks, you have to initialise them before Windows 2003 can use them to create volumes or partitions. The first time you start Disk Management after installing a new disk on your system, the Initialise Disk Wizard appears. It lists the new disks that Windows has detected. When you complete the wizard it initialises the new disk(s) by writing what is known as a disk signature (or end of sector marker) and an MBR. If the wizard is cancelled, the disk(s) will not be initialised. You can also initialise a disk by right-clicking on it in Disk Management, clicking Initialise Disk, and then selecting MBR if it is not selected automatically. The disk is now initialised as a basic disk. If you want to convert it to a dynamic disk, you upgrade it.

Mounted drives
There is also a function called Mounted Drives. A mounted drive is a volume attached to an empty folder on an NT file system (NTFS) volume. It works in the same way as any other drive, but instead of a drive letter it is assigned a name or label, which is resolved to a full system path rather than just a drive letter. You have to have administrative privileges to create mounted drives or reassign drive letters. This has the advantage that the 26-letter limit imposed on drive letters does not apply, and the Windows operating system keeps the drive path association with the drive, so you can add or change storage devices without the drive path failing.
Mounted drives make it easier to manage your data storage and tailor it to your environment and utilisation.

Examples of using mounted drives
1 If you want to implement disk quotas on a folder, you need to make the folder a mounted drive.
2 If you want to provide additional storage for temporary files.
3 If you want to be able to move a folder to a larger/smaller disk without impacting the users.

Implementing mounted drives
You can implement mounted drives using Disk Management or using the command line.

To use Disk Management:
1 Navigate to Disk Management.
2 Right-click the partition or drive you want to mount.
3 Click Change Drive Letter and Paths.
4 Click Add, then click Mount in the empty NTFS folder, if you know the path to the empty folder, or Browse to locate it.

To use the command line:
1 From the Start menu click Run and enter cmd to bring up a command prompt.
2 Go to the NTFS folder/drive you want to mount elsewhere, i.e. enter cd mount.
3 To change this to the mount directory:
a. Enter diskpart.
b. At the diskpart prompt enter list volume (make a note of the simple volume that you want to mount elsewhere).
c. Enter select volume n (where n is the simple volume you have chosen to mount elsewhere).
d. Enter assign mount = path (the path to the folder).
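The diskpart steps above are typed interactively. As an added example, which is not part of the COLEG notes, the same operation can be put in a cmd script so the volume number and folder path used are recorded (useful for your logbook) and the result is checked afterwards. The volume number 3 and the folder D:\Data\Archive are assumed placeholders; take the real volume number from your own list volume output first. As the notes say, this needs administrator rights.

```batch
@echo off
REM Added example (not from the COLEG notes): attach an NTFS volume to an
REM empty folder from the command line, the same steps as the diskpart
REM procedure above but driven by a script file passed with /s.
REM Placeholders to change: VOLNUM (from "list volume") and MOUNTPATH.
setlocal

set VOLNUM=3
set MOUNTPATH=D:\Data\Archive
set SCRIPT=%TEMP%\mount_volume.txt

REM The mount point must be an empty folder on an NTFS volume.
if not exist "%MOUNTPATH%" mkdir "%MOUNTPATH%"
dir /b "%MOUNTPATH%" | findstr . >nul && (
    echo %MOUNTPATH% is not empty - choose an empty folder.
    exit /b 1
)

REM diskpart reads its commands from a text file when started with /s.
(
    echo select volume %VOLNUM%
    echo assign mount=%MOUNTPATH%
) > "%SCRIPT%"

diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo diskpart failed - run diskpart and "list volume" to check the volume number.
    exit /b 1
)

REM mountvol with no arguments lists every volume and its mount points, so
REM the folder should now appear under the selected volume.
mountvol | findstr /i /c:"%MOUNTPATH%"
endlocal
```

Run it from an administrator command prompt. The final mountvol line is the check: if the folder is not listed, the assignment did not take and the diskpart output above it says why. To undo the mount later, select the same volume in diskpart and use remove mount=path.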

1.1 Add a new hard disk and configure it

While you are carrying out these tasks, take screen prints and a note of the settings you are using to configure your disk. You are going to add a new hard disk to your system and configure it. Follow the step-by-step instructions below.
1 Connect the hard drive to your system and turn it on.
2 Install the driver using the Add Hardware Wizard, so that Windows recognises it.
3 Select Disk Management and the Initialise New Disk Wizard should start. You should see your new drive on the list.
4 Go through the wizard and select MBR. When the wizard is completed you have initialised your disk. It is now a basic disk and you can configure it.

The first configuration task you are going to do is to partition your disk. Because the partition style is MBR, you can have up to four primary partitions on your disk or three primary partitions and one extended partition.
1 You are going to create two primary partitions. This is done by right-clicking an unallocated region of your basic disk and then clicking New Partition. This starts the New Partition Wizard. Click Next and choose Primary partition, then follow the instructions on your screen to make it take up 50% of the disk. Make sure you leave room for the other partition.

Now you have created your partitions, you are going to configure some of their properties. Follow the step-by-step instructions below.
1 Physically connect the new hard disk to your system following the manufacturer's instructions.
2 Click on Add Hardware from the Control Panel to start the Add Hardware Wizard. If your new hard disk came with an installation CD, click Cancel to exit the wizard and use the manufacturer's CD to install the driver. Otherwise, follow the prompts in the wizard to install the driver (make sure you have connected the hard disk first).
3 Click on Computer Management from Administrative Tools and select Disk Management. As you have just added a new disk the Initialise New Disk Wizard should start. Use this wizard to configure your drive with the MBR option.
4 Partition the disk using Disk Management. Left-click an unallocated region of your basic disk then select New Partition. This starts the New Partition Wizard. Configure it as a primary partition and make the size equal to 50% of the disk.
5 Access disk properties by left-clicking on the disk and selecting Properties. Under the Policy tab the default is Optimize for Performance. If write caching is not enabled on the disk, enable it (by checking the box beside it).
6 Select the Volumes tab and take a note of the volumes that are configured on your disk and their size.
7 Select the Driver tab and find out more about the driver under Driver Details. Is it signed and, if so, by whom?


System tools

You can access the Disk Defragmenter option from Computer Management as well as from System Tools. You will find that there are several ways of carrying out many of the administrative tasks. System Tools is found under Accessories and contains some useful tools such as Activate Windows, Backup and System Restore, Disk Cleanup, Character Map, Disk Defragmenter, Scheduled Tasks and System Information.

Activate Windows
This is used when you initially install Windows 2003 to activate it. If it is not activated within 30 days, you will have to re-install it.

Backup
If you click Backup, Windows first checks for any backup devices that you might have attached, then it takes you into the Backup or Restore Wizard. You first have to select whether you want to back up or restore. Select Backup and Windows prompts you to select what you want to back up (see Figure 5).

Figure 5: Backup or Restore Wizard

Next it asks where you wish to make the backup. If you have any removable media it defaults to that, but you can override this (see Figure 6).

Note: It is advisable to back up to removable media because this can be stored off-site. Then, if a disaster strikes, e.g. the server room burns down, you can restore your data at an alternative location and continue your business.
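The wizard above is interactive, which is fine for a one-off backup but not for the regular schedule the notes recommend. As an added example that is not part of the COLEG notes, the following cmd script performs the same backup from the command line with ntbackup (the program behind the Backup or Restore Wizard) and registers it with the Task Scheduler using schtasks, so it runs unattended every night. D:\Data, E:\Backups, C:\Scripts and the 23:00 start time are assumed placeholders; the target should be the removable or second disk you would otherwise pick in Figure 6.

```batch
@echo off
REM Added example (not from the COLEG notes): automate the backup that the
REM Backup or Restore Wizard starts by hand, using ntbackup from the
REM command line and registering the job with schtasks.
REM Placeholders to change: SOURCE (data to protect), TARGET (a second,
REM preferably removable, disk) and the 23:00 start time.
setlocal

set SOURCE=D:\Data
set TARGET=E:\Backups
set SCRIPT=C:\Scripts\nightly_backup.cmd

if not exist C:\Scripts mkdir C:\Scripts
if not exist "%TARGET%" mkdir "%TARGET%"

REM 1. Write the job the scheduler will run. /j names the job in the backup
REM    log, /m normal takes a full backup and clears the archive bits,
REM    /v:yes verifies the data after writing, /l:s keeps a summary log.
(
    echo @echo off
    echo ntbackup backup "%SOURCE%" /j "Nightly %SOURCE%" /f "%TARGET%\nightly.bkf" /m normal /v:yes /l:s
) > "%SCRIPT%"

REM 2. Register it to run daily. schtasks on Windows Server 2003 takes the
REM    start time as HH:MM:SS; running as System avoids storing a password.
schtasks /create /tn "Nightly Backup" /tr "%SCRIPT%" /sc daily /st 23:00:00 /ru "System"
if errorlevel 1 (
    echo Could not create the scheduled task - you need administrator rights.
    exit /b 1
)

REM 3. Confirm the task and run it once now, so the first backup and its
REM    verify pass complete while you are still at the console.
schtasks /query /tn "Nightly Backup"
schtasks /run /tn "Nightly Backup"
endlocal
```

Because /f is used without /a, each night's run overwrites nightly.bkf; if you need more than one generation, rotate the file name or the removable media, and keep a copy off-site as the note above advises. The summary log written by /l:s is where you check the next morning that the job completed and verified.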


Figure 6: Choosing where to save your backup

When you click Finish the backup starts immediately. In real life you might want to use the Task Scheduler and schedule the backup from there so you can choose when it starts and automate the process. This ensures that the backup doesn't get forgotten.

Disk Cleanup
This is a utility that helps delete files no longer required. Figure 7 shows the options that Disk Cleanup gives you.


Figure 7: Disk Cleanup

Three choices are displayed, together with the amount of space you will release with each option. As you can see in Figure 7, the only option that will release space is the Compress old files option. If you select the More Options tab, you are given the option to remove Windows components and/or installed programs that you do not use.

Character Map
This lets you see what characters are available in which font.

Disk Defragmenter
This is a tool that analyses your volumes to see how fragmented the files on them are and how much space you could free up by defragmenting them (see Figure 8). Defragmenting also speeds up read access, as the files are in one place. Once analysis is complete, you are given the option to defragment the volume.


Figure 8: Disk Defragmenter

Scheduled Tasks
This tool is used to run routine tasks such as backups (see Figure 9).

Figure 9: Scheduled Tasks


To add a task to the schedule, click Add Scheduled Task and select the program you want to run and when you want to run it.

System Information
This tool is very useful. The default screen is shown in Figure 10.

Figure 10: System Information

Hardware Resources has the following sub-menus, which are useful for troubleshooting any problems such as resource conflicts:
- Conflicts/Sharing
- DMA
- Forced Hardware
- I/O
- IRQs
- Memory.

The Conflicts/Sharing screen is shown in Figure 11.


Figure 11: Conflicts/Sharing

From Conflicts/Sharing, any resource sharing and possible conflicts can be identified (addresses are in hexadecimal). DMA displays any Direct Memory Access devices and the resources they are configured for. Forced Hardware lists any device that has been configured manually, i.e. that has user-specified rather than system-specified resources. If a manually configured device conflicts with another device, use Device Manager to find and troubleshoot the problem. I/O shows the resource address of every input/output device in the system. IRQs shows the interrupt priorities from 0 (highest, the system timer) to 15 (lowest, the secondary IDE channel). Memory shows the range of addresses assigned to various devices.

Components has the following sub-categories:
- Multimedia (Audio Codecs, Video Codecs)
- CD-ROM
- Sound Device
- Display
- Infrared
- Input (Keyboard, Pointing Device)
- Modem
- Network (Adapter, Protocol, Winsock)
- Ports (Serial, Parallel)
- Storage (Drives, Disks, SCSI, IDE)
- Printing
- Problem Devices
- USB.

These components will vary depending on your hardware configuration. If you wanted to check on a device, you would select it and the right-hand pane would give you information about the device (see Figure 12).

Figure 12: Device Information

If you want to find out more, click Tools and you will see the following options:
- Net Diagnostics
- File Signature Verification Utility
- DirectX Diagnostic Tool.


Net Diagnostics is generally run to gather data. If you select Network Diagnostics and scan your system, you will notice that it pings several addresses. Go to a command prompt and enter ipconfig /all, and you will see the IP addresses that Net Diagnostics was pinging. Make a note of them. Advanced File Signature Verification Settings lets you know if the driver for the device is digitally signed (see Figure 13).

Figure 13: Advanced File Signature Verification Settings

You can check for files that are not digitally signed, be notified if any system files are not signed, and log the information for future reference, as unsigned files pose a potential security risk.

Implementing, managing and troubleshooting disk devices


DVD and CD-ROM drive devices are, generally speaking, ones that you want permanently available to your computer; they are part of the group that needs to be installed only once. Some tasks can be carried out under Disk Management and others using various options from the Control Panel. The installation of new disk devices is done via Add Hardware from the Control Panel. You will need Administrator privileges to be able to access it. You also need to ensure your hardware is connected. The operating system will search for the new hardware and, if it is not connected, will tell you to connect it. You will be given a list of software drivers for the hardware it has found that come with the Windows 2003 operating system. If your hardware is not on this list, you are prompted to insert the CD with the driver and navigate to it, or find it from another server in your network. Alternatively, if you have Internet access, you can download the appropriate driver from the manufacturer's website.


If you are having problems with a disk drive after it is installed and your computer does not boot up properly, start with the Last Known Good Configuration option and you will be given a copy of the registry before the installation of the new driver. If you select System on the Control Panel, then System Properties and click the Hardware tab, the screen shown in Figure 14 will be displayed.

Figure 14: System Properties Hardware

Clicking on Device Manager displays a list of the hardware that is currently installed on your computer. If you want to check the details for a specific piece of hardware, click a hardware group and it will expand until you see the actual hardware. (Note: If a group has a generic name and a yellow question mark, the hardware does not have the correct driver and you need to install the driver for that piece of hardware before the operating system can recognise it.) Right-click the disk drive and select Properties. The screen shown in Figure 15 is displayed.


Figure 15: Device properties

You have the option to disable the device if it is causing problems. Selecting Troubleshoot will provide the user with step-by-step help in diagnosing a fault. By clicking on the Driver tab, you have the option to check which version of the driver you are using and update it if required (see Figure 16). If your computer was running without problems until you installed the new driver, you might want to select the Roll Back option, which removes the updated driver and replaces it with the previous version.


Figure 16: Driver information

Once you have installed your disk devices, you can access Disk Management from Computer Management to create, delete and format partitions, change volume labels, reassign drive letters and check disks for errors. Once you have the CD-ROM, CD writer or DVD drive installed, the actual storage media (the CDs and DVDs) are detected automatically when they are placed in the drive.

SAQ 1.1
1 Where would you monitor and configure your disks?
2 What do existing partitions and logical drives on basic disks become when you convert them to dynamic disks?


Monitoring, configuring and troubleshooting volumes


To monitor volumes you would look at them using Disk Management. To configure them, right-click the volume you wish to configure. The following options are available from the pull-down menu:
Change Drive Letter and Paths
Format
Properties
Help

Properties has a selection of tabs and contains several options; it is here you set disk quotas and decide whether to share the drive or not. There is also a Tools tab, which gives you access to some useful tools (see Figure 17).

Figure 17: Properties Tools

Among other features, the Help option has a built-in troubleshooter to help you find a solution to your problem.


Monitoring and configuring removable media


The monitoring and configuring of removable media, such as tape devices, is also done through Disk Management. They are grouped under Removable Storage and you can configure them in a similar way to other drives, but you cannot convert them to dynamic disks. You will find that options that are not supported are unavailable. If you want to dismount a tape or disk from a standalone drive, click Removable Storage and then Libraries. The screen shown in Figure 18 is displayed, showing the removable devices you have attached. Click the one you want to eject/dismount and you will have the option to do so.

Figure 18: Removable Storage

Using Removable Storage

Be aware that you might need to be logged on as an administrator or a member of the Administrators group in order to perform some of the tasks described below.

Removable Storage makes it easy for you to track your removable storage media (such as tapes and optical disks) and to manage the libraries that contain them (such as changers and jukeboxes). If you are carrying out a normal or full backup, changers and jukeboxes are very useful, as you can preload them with tapes/cartridges etc. so that when your backup starts it does not have to wait on operator intervention to load the tape/cartridge etc.

Note: You cannot create extended partitions, logical drives or dynamic volumes on removable media devices.

If an unauthorised user gained access to your backup tapes, they could have a complete copy of your system, so you need to implement physical security measures as well as system ones.

Before you implement Removable Storage, you need to check that your library hardware is compatible. If it is, it will be on Microsoft's Hardware Compatibility List, which you can access from www.microsoft.com.

If you have dirty drives, you will not get good backup copies, and if your backup copy is corrupt, you will not be able to restore from it. If your library drives support it, it is a good idea to use cleaning tapes and the Cleaner Management facility.

If you want to create a new media pool, you first have to put media into each automated library that you want to be under Removable Storage control, otherwise it will not be able to detect it.

Performance will deteriorate if you manage more than 1,000 tapes or disks in a single Removable Storage system, so it is advisable to keep the number under that. Also, turn off operator requests if you do not need them and only turn them on when required, as this can also impact performance. If you need to turn them on, you should do it when you are administering pool permissions, to restrict access to only those that need it.

SAQ 1.2
1 Where would you find removable media such as tape devices using Disk Management?
2 What are the advantages of Removable Storage?


Monitoring server hardware


Once you have your system installed, you need to monitor it so that you are aware of any problems and can be proactive in sorting them out. In an ideal world you want to be able to sort out a problem before it has had any impact on your users, so that they have a continuously high level of service and you meet your service level agreements (SLAs). This can only be achieved if you are monitoring your software. The Microsoft Server 2003 operating system has a number of built-in tools for monitoring the server hardware. They are available from Performance, which you access from Administrative Tools. When you open Performance, a screen similar to the one shown in Figure 19 is displayed.

Figure 19: Performance System Monitor

System Monitor is used to monitor memory performance, processor utilisation, disk performance, application performance and numerous other items you choose to monitor, such as processor, web service, memory, physical disk, etc. Go to Add Counters (items to be monitored), then choose the item. A drop-down menu is then displayed with a list of appropriate counters for you to choose from. If there is more than one instance of the item, e.g. two processors or five web sites, you can choose to monitor them all or just some of them. This makes it a very customisable tool, as you monitor the counters that are important to your hardware setup.

System Monitor lets you know how your system is doing at a glance. But for long-term monitoring statistics you would set up counter logs, and for emergency situations you would set up alerts. You will need administrator privileges in order to perform some tasks.

By default, System Monitor uses the following objects and counters:
Processor/% Processor Time: when this counter's value exceeds 85% continuously, it may indicate you need to upgrade the processor.
Memory/Pages/sec: when this counter's value exceeds 20 continuously, it may indicate you need to add additional RAM (random access memory).
Physical Disk/Avg. Disk Queue Length: when this counter's value exceeds the number of spindles plus 2 continuously, it may indicate you need to add additional RAM. Disk queue length refers to the number of read and write requests waiting in the disk's queue.

Performance Logs and Alerts

As can be seen from Figure 19, the Windows Performance tool is composed of two parts: System Monitor and Performance Logs and Alerts. With System Monitor, you can collect and view in real time data about memory, disk, processor, network and other activities in graph, histogram or report form. Through Performance Logs and Alerts you can configure logs to record performance data and set system alerts to notify you when a specified counter's value is above or below a defined threshold. Instead of displaying the counter values in a real-time graph, Performance Logs and Alerts writes the information to log files on disk. You can configure counter logs, which record data at a specified interval, or trace logs, which record system application events when a specific event occurs, such as disk activity.

This tool allows you to set alerts on counters. Setting alerts allows you to start a program, send a message, start a log or write an entry to the Application log when a counter's value exceeds, equals or drops below a value specified by you.

The performance logs record the values of the counters you choose, measured on a regular basis; they can be saved in CSV format so that they can then be imported into databases and queried. They are useful for long-term trend analysis and allow you to be proactive in tuning your system, so you can make sure that it has the capacity required by your users to carry out the tasks that they need the system to do.

Troubleshooting server hardware

If your server hardware is not functioning as it should, there are a number of built-in system tools to help you find out what is wrong and sort the problem. In the Control Panel you have the Add Hardware Wizard, which adds and troubleshoots hardware; Printers and Faxes, which has a troubleshooter option; Sounds and Audio Devices Properties; and System.

Add Hardware Wizard

When you are using this as a troubleshooter, select the device from the list of those already installed; it then checks the device driver for you. If the device is working correctly when the wizard completes, the screen shown in Figure 20 is displayed.


Figure 20: Add Hardware Wizard

If you are still having problems, the Troubleshooter, which starts automatically after the wizard completes, may help you find a solution. The troubleshooter for sound devices is shown in Figure 21.


Figure 21: Sound Troubleshooter

The diagnosis of the troubleshooter depends on the symptoms you have. You will be asked to answer some questions, from which the troubleshooter should be able to advise you how to fix your problem, or at least where to go for further information. You can also access troubleshooters directly from the Start menu by selecting the Help and Support Center. If you select Troubleshooting strategies, there is a lot of useful information and you can access all the troubleshooters from there. The Help and Support Center is very useful. The main menu is shown in Figure 22.


Figure 22: Help and Support Center

When you are troubleshooting any server hardware, the Help and Support Center should be your first port of call, as it has all the tools you are likely to need grouped together. If you are looking at a printer in Printers and Faxes, there is an option to access a troubleshooter for that specific device from the Help menu. In Sounds and Audio Devices you have to enable sound in Windows 2003 Enterprise before you can hear anything; it is not enabled by default, as shown in Figure 23.


Figure 23: Sounds and Audio Devices Properties

System is covered later in this section.

Activity 1.2: Monitor server hardware

Now you have added and configured your new disk, you want to monitor the system as a whole to ensure there are no problems. To do this you are going to use the Performance options. Navigate to Performance, which is in Administrative Tools. When you open Performance it defaults to System Monitor; take a screen print of the default counters that the system has set up and is currently monitoring. Add two more counters for a logical disk. To add counters, either right-click the word Counter at the bottom of the screen or click the + icon.


Figure 24: System Monitor

Take a screen print of System Monitor with the new counters. But what happens if there is a major problem with the system and it requires immediate attention? That is what alerts are for. So you are going to set an alert for the counter % Processor Time on the item Processor with a threshold of 10%. If the counter exceeds this level, you want it to send a message to the administrator. This level is artificially low to let you see an alert in practice. In real life you would set the trigger level at a value that could indicate a problem such as looping, so it would be greater than 90%.

In real life you will want to store data for long-term trend analysis. To do this, create a new counter log and add the counters to it. Change the file type to CSV so it can be imported easily into another program. Once you have set up your counter log, it will not start capturing data until you start it. This can be done manually or via a schedule. Set it to sample every 5 minutes and let it run for 1 hour. Once you have stopped it, look at it in Microsoft Excel and print out the results. You will see that it quickly gathers a lot of information, too much to be sifted through by hand.


Make sure that you note all configuration changes in your logbook along with the appropriate screen prints.

Follow the step-by-step instructions below.

Check current settings:
1 Select Performance from Administrative Tools.
2 Hold down the left Alt + Print Screen keys to put a copy of the present screen on the clipboard. Open Paint and Paste (from the Edit menu), then print it (from the File menu).

Add additional counters:
1 Left-click the + icon at the top of the graph; the Add Counters screen should now open.
2 Under Performance, select LogicalDisk.
3 Under Select counters from list (make sure the radio button is selected), select two different counters, e.g. %Disk Write Time and Avg. Disk Queue Length. (You need to select the counter and then click Add.)
4 Click All instances.
5 Take a screen print with the additional counters (see step 2 above).

Set a new alert:
1 Click on Performance Logs and Alerts and select Alerts.
2 Right-click Alert and select New Alert Settings.
3 Name the Alert your computername processor.
4 On the General tab, select Add; make sure the Performance item is Processor (default).
5 Make sure Select counters is selected and add the counter %Processor Time (see step 5 above).
6 Select All instances.
7 In the box beside Alert when the value is, select Over; in the Limit box enter 10, then click Apply.
8 Right-click Alert and select Properties.
9 Select the Action tab and click Send a network message to. In the box, enter administrator.
10 Take a screen print of the alert message.

Create a new counter log and set its sample frequency:
1 Right-click Counter Logs and select New Log Settings.
2 Name it after your computername counter.
3 Click Add counters and select Processor.
4 Click Add counters and add %Processor Time for All instances.
5 In Sample data every, change the interval to 5 and the units to minutes.
6 Click on the Log Files tab and select Text File (comma delimited) under Log file type. Click Apply.
7 Select the Schedule tab and Start Log 1 minute from now.
8 Select Stop log After 1 and select hours for the units. Click Apply and OK.
9 After 1 hour, click on your log file from Windows Explorer and it will open up in Excel.
10 Take a screen print.
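The counter log you have just created quickly becomes too large to read by hand, so the following Python script, added here as an example and not part of the course materials, reads a log saved as Text File (comma delimited) and reports runs of consecutive samples that stay above the default-counter thresholds given earlier (85% processor time, 20 pages/sec, disk queue length above spindles + 2). The column naming, the server name SRV01, the sample values and the reading of "continuously" as at least three consecutive samples are assumptions made for the example.

```python
"""Scan a Performance Logs and Alerts counter log, saved as a comma-delimited
text file, for sustained threshold breaches.

Added example, not part of the course materials. Assumptions: counter columns
use the \\\\COMPUTER\\Object(Instance)\\Counter naming that Windows writes, the
server name SRV01 and every sample value below are constructed, and
"continuously" is taken to mean at least MIN_SAMPLES consecutive samples.
"""
import csv
import io
from datetime import datetime

# Constructed 5-minute counter log (the interval the activity above sets).
SAMPLE_LOG = """\
"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\\\SRV01\\Processor(_Total)\\% Processor Time","\\\\SRV01\\Memory\\Pages/sec","\\\\SRV01\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
"07/01/2005 09:00:00.000","12.5","3.1","0.4"
"07/01/2005 09:05:00.000","91.2","4.0","0.6"
"07/01/2005 09:10:00.000","93.7","25.3","1.1"
"07/01/2005 09:15:00.000","95.0","27.8","4.9"
"07/01/2005 09:20:00.000","40.3","6.2","5.2"
"07/01/2005 09:25:00.000","35.1","5.0","0.3"
"""

MIN_SAMPLES = 3  # three 5-minute samples = 15 minutes over the limit


def parse_counter_log(text):
    """Return (headers, rows); each row is (timestamp, {column: value})."""
    reader = csv.reader(io.StringIO(text))
    headers = next(reader)
    rows = []
    for record in reader:
        # Skip blank or truncated records, e.g. a log stopped mid-write.
        if len(record) != len(headers):
            continue
        stamp = datetime.strptime(record[0], "%m/%d/%Y %H:%M:%S.%f")
        values = {}
        for column, raw in zip(headers[1:], record[1:]):
            try:
                values[column] = float(raw)
            except ValueError:
                pass  # counter returned no data for this sample; leave it out
        rows.append((stamp, values))
    return headers, rows


def find_column(headers, suffix):
    """Locate a column by its Object(Instance)\\Counter part, whatever the
    computer name in front of it."""
    for header in headers:
        if header.endswith(suffix):
            return header
    raise KeyError("counter not in log: " + suffix)


def sustained_breaches(rows, column, limit, min_samples=MIN_SAMPLES):
    """Return [(first_stamp, last_stamp, peak)] for each run of at least
    min_samples consecutive samples whose value is above limit."""
    runs, current = [], []
    for stamp, values in rows:
        value = values.get(column)
        if value is not None and value > limit:
            current.append((stamp, value))
            continue
        if len(current) >= min_samples:
            runs.append(_summarise(current))
        current = []
    if len(current) >= min_samples:  # run still open at the end of the log
        runs.append(_summarise(current))
    return runs


def _summarise(run):
    return run[0][0], run[-1][0], max(value for _, value in run)


def analyse(text, spindles=1, min_samples=MIN_SAMPLES):
    """Apply the three default-counter rules from the notes above."""
    headers, rows = parse_counter_log(text)
    rules = [
        ("processor", r"\Processor(_Total)\% Processor Time", 85.0),
        ("memory", r"\Memory\Pages/sec", 20.0),
        ("disk", r"\PhysicalDisk(_Total)\Avg. Disk Queue Length", spindles + 2.0),
    ]
    return {name: sustained_breaches(rows, find_column(headers, suffix),
                                     limit, min_samples)
            for name, suffix, limit in rules}


if __name__ == "__main__":
    for name, runs in analyse(SAMPLE_LOG, spindles=1).items():
        for first, last, peak in runs:
            print("%s: over limit from %s to %s, peak %.1f"
                  % (name, first.time(), last.time(), peak))
```

Point the script at a real log file by reading it into analyse() and passing the number of spindles in your disk set; a run of two samples is reported only if you lower min_samples.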

SAQ 1.3
1 What is System Monitor used for?
2 What do you have to set up before a counter log captures any data?
3 If you wanted to import your counter log into a Microsoft Access database, what file type would you save it as?
4 What tool would you use if you wanted to know immediately that an event had happened?


Optimising server disk performance


Once you have invested in your system, you want to ensure that the performance is optimised. One way of doing this is to implement a disk subsystem. RAID stands for Redundant Array of Independent (Inexpensive) Disks. It is used to provide fault tolerance by writing data to more than one disk, so if that disk fails, the data is still available. There are three levels of RAID used in dynamic disks:

Stripe volume (RAID 0): disk striping is where you have several hard drives and data is spread out in blocks of each file across them. The data is striped across them. This gives the fastest write access but there is no provision for hardware failure; if you had a hardware problem, you would have to use your backup tapes. It has no fault tolerance.

Mirror volume (RAID 1): only available on servers. If you use a mirror set, you will have a duplicate of everything. It is the best solution for disaster recovery speed, as you have two complete sets, so if you have a hardware failure you can switch to the other set. But this is the most expensive in terms of hardware and has to write everything twice, so it is not optimised for write access. As you are writing everything to two separate disks, it has the same write transaction speed as single disks. It is generally recommended to use a mirror set for the operating system and system state data.

Stripe volume with parity (RAID 5): only available on servers. This is a mix of both options and you need a minimum of three hard drives to implement it. The key feature of RAID 5 is that it has stripe error correction information, so if you lose one disk you can recreate the data from the other members of the RAID 5 disk set. So you have good fault tolerance and excellent performance (only slightly slower than RAID 0). This makes it one of the most popular implementations of RAID.
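The parity mechanism behind RAID 5, as an added Python illustration that is not part of the course materials: the data units of each stripe are XORed to give the parity unit, the parity unit is rotated across the disks stripe by stripe, and a lost disk is rebuilt from the surviving members. The disk model (lists of stripe units, with None for a failed disk), the 4-byte unit size and the sample text are constructed for the example.

```python
"""RAID 5 in miniature: stripe data across n disks with rotating parity,
lose one disk, and recover its contents from the surviving members.

Added illustration of the fault tolerance described above; not code from the
course materials or from Windows. Disks are modelled as lists of stripe units
(bytes objects), a failed disk holds None, and the 4-byte unit size and the
sample text are constructed for the example.
"""


def split_into_units(data, unit_size):
    """Cut the data into fixed-size stripe units, zero-padding the last one."""
    units = [data[i:i + unit_size] for i in range(0, len(data), unit_size)]
    if units and len(units[-1]) < unit_size:
        units[-1] = units[-1].ljust(unit_size, b"\0")
    return units


def xor_blocks(blocks):
    """XOR equal-length blocks together; this is the parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe, n_disks):
    """RAID 5 rotates the parity unit across the disks, stripe by stripe."""
    return (n_disks - 1 - stripe) % n_disks


def write_raid5(data, n_disks, unit_size=4):
    """Stripe data across n_disks (minimum three), one parity unit per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    units = split_into_units(data, unit_size)
    per_stripe = n_disks - 1
    disks = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(units), per_stripe)):
        chunk = units[start:start + per_stripe]
        chunk += [b"\0" * unit_size] * (per_stripe - len(chunk))  # pad last stripe
        parity = xor_blocks(chunk)
        data_units = iter(chunk)
        for disk in range(n_disks):
            if disk == parity_disk_for(stripe, n_disks):
                disks[disk].append(parity)
            else:
                disks[disk].append(next(data_units))
    return disks


def fail_disk(disks, index):
    """Simulate losing a whole member of the set."""
    disks[index] = [None] * len(disks[index])


def unit_at(disks, disk, stripe):
    """Read one unit; if its disk is missing, rebuild it by XORing the rest
    of the stripe. Two missing members in one stripe cannot be recovered."""
    unit = disks[disk][stripe]
    if unit is not None:
        return unit
    others = [disks[d][stripe] for d in range(len(disks)) if d != disk]
    if any(u is None for u in others):
        raise RuntimeError("stripe %d has lost two members" % stripe)
    return xor_blocks(others)


def rebuild_disk(disks, index):
    """Regenerate a replaced disk from the surviving members."""
    disks[index] = [unit_at(disks, index, s) for s in range(len(disks[index]))]


def read_raid5(disks, length):
    """Reassemble the data, working in degraded mode if one disk is missing."""
    n_disks = len(disks)
    out = b""
    for stripe in range(len(disks[0])):
        parity = parity_disk_for(stripe, n_disks)
        for disk in range(n_disks):
            if disk != parity:
                out += unit_at(disks, disk, stripe)
    return out[:length]


if __name__ == "__main__":
    text = b"Constructed sample: stripes with parity survive one failed disk."
    array = write_raid5(text, 4)
    fail_disk(array, 2)
    assert read_raid5(array, len(text)) == text  # degraded read still works
    rebuild_disk(array, 2)
    print("rebuilt disk matches:", read_raid5(array, len(text)) == text)
```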

You will also have to defragment your disks regularly, otherwise the response time could become unacceptable, as the disk has to search in numerous places for fragmented information instead of just one place if the data were in contiguous slots.

File systems supported by Windows 2003 Server


Windows 2003 Server can support all file systems used by Microsoft operating systems, such as:

FAT: This is used by removable media and older operating systems. Its limitations are that the maximum supported volume size is 4 Gb and the maximum file size is 2 Gb.

FAT32: This file system has been around since Windows 95 and is often used in multi-boot situations with operating systems that do not support NTFS. The FAT32 file system is supported by Windows 95 OSR2, Windows 98 and Millennium Edition (ME), Windows 2000 and Windows XP. Windows NT 4 and earlier cannot access FAT32 volumes (so they would have to use FAT). The limitations of FAT32 are that the maximum supported volume size is 2 Tb, but Windows XP can format up to 32 Gb only, so this limitation applies when using server operating systems. The maximum file size is 4 Gb, compared to the FAT maximum of 2 Gb for a file and 4 Gb for a volume. The minimum size for a FAT32 volume is 512 Mb. You cannot format removable media such as floppy disks with FAT32.

NTFS: Disks formatted with NTFS version 5 can only be accessed by Windows NT 4.0 with Service Pack 4 or higher, Windows 2000 and Windows XP. NTFS supports a volume size of over 2 Tb and the maximum file size is limited only by the available free space. You cannot format removable media such as floppy disks with NTFS. Besides being able to handle large disks, NTFS is the preferred file system for Windows 2000 and XP because of the extra features it has, such as file and folder permissions, compression, Encrypting File System (EFS) and disk quotas.

CDFS: This is the file system used on compact discs. You cannot format other disks with this file system.

If you wish to convert between the FAT32/FAT and NTFS file systems you can use the convert utility:

convert c: /fs:ntfs

This only works one way; you need to reformat if you want to convert from NTFS to FAT32 or FAT. To configure and manage file systems, use the Computer Management tool, which is accessible from Administrative Tools (see Figure 25).


Figure 25: Computer Management

If you click Disk Management you will see the following screen.

Figure 26: Disk Management


Basic and dynamic disks and the Disk Management console


There is support for two storage types for disks, basic and dynamic, in Windows 2003. They are both described below.

Basic disks

Basic disks support a maximum of four primary partitions, or three when an extended partition exists. An extended partition contains one or more logical drives. Each primary partition and each logical drive is assigned a drive letter, and these are known as basic volumes. There are a number of ways of combining basic disks to either increase the maximum disk space for a volume or to provide fault tolerance. But if you want RAID configurations under Windows 2003, you need to upgrade your disks to dynamic disks.

Dynamic disks

Dynamic disks contain volumes instead of the traditional primary/extended partitions. Dynamic volumes cannot be accessed by MS-DOS, Windows 95, Windows 98, Windows ME or Windows NT operating systems. Both basic and dynamic disks can contain any combination of FAT16, FAT32 or NTFS volumes. The following hardware does not support dynamic disks: IEEE 1394 (FireWire) disks, USB disks, removable disks, disks in laptops.

Disk configurations are named differently when using dynamic disks. The following list shows the possible configurations for dynamic disks:

Simple volume: this is made from free space on a single physical disk. A simple volume is not fault-tolerant. If it is formatted with NTFS, it can be extended to include unallocated space from the same disk, or another disk, to create a spanned volume.

Spanned volume: this is made from free disk space from between two and 32 combined disks. Data is written to the first disk until it is full, then it writes to the second disk, and so on. But if one of the disks in the spanned volume fails, the entire volume set is lost and needs to be rebuilt and then restored from backup. Note: A spanned volume is not fault-tolerant.

For the RAID options, striped volume (RAID 0), mirrored volume (RAID 1) and RAID 5 volume, see above under Optimising server disk performance.

Managing disks and volumes


Disks and volumes are managed by using the Disk Management console. Right-click My Computer and select Manage to open Computer Management. Under Storage, click Disk Management. Below are some of the common disk management tasks that can be carried out on Windows 2003.

Upgrading disks

A basic disk can be converted to a dynamic disk without losing any of the data. To upgrade a disk from basic to dynamic, right-click the disk and select Convert to Dynamic Disk. You will need to restart the computer after the upgrade for the changes to take effect.


Reverting disks

If you want to revert a dynamic disk back to a basic disk, you first need to remove all the volumes, create a full backup, and remove all data. After that, right-click the disk and select Convert To Basic Disk.

Extending volumes

Simple and spanned volumes formatted with NTFS can be extended to include unallocated space from the same disk(s) or from a new disk, without losing any of the data. Only the new space will be formatted. The boot or system volume cannot be extended. When a simple volume is extended to include free space from another physical disk it becomes a spanned volume. To extend a volume, right-click the volume you want to extend, select Extend Volume and select unallocated space from a dynamic disk.

Creating a striped volume

To create a striped volume, right-click unallocated space on a dynamic disk and select Striped Volume. Remember that you need at least two physical disks to create a stripe set.

Adding disks

When you add a new disk, or a disk from another system, to a Windows 2000 or 2003 server operating system, you may need to use the Rescan option from the Action menu in Disk Management. If the computer cannot find or initialise the disk, you may need to restart your computer. The Rescan command updates information about the hardware configuration of storage devices.

Importing foreign disks

When you add a dynamic disk from another computer, you need to import the disk. You can do this by right-clicking the disk that is marked Foreign and selecting Import Foreign Disks. When you want to import a disk that is part of a striped or spanned volume, you need to move all the disks that were part of the volume, because the data is spread across all the disks that are part of the spanned or striped volume.

Refreshing

The Refresh option, also located on the Action menu, allows you to refresh the displayed disk and volume information about drive letters, file systems, volumes and removable media. This option also checks to see if previously unreadable volumes are now readable. If you have just added some removable media, e.g. a CD, you need to refresh to see it.

Formatting

When you create a new partition or volume, or want to reformat a current volume, you can format it with the choice of either FAT, FAT32 or NTFS. As well as selecting the file system, you can enter the volume name and allocation unit size. You can also choose to perform a quick format and enable file and folder compression.


Marking a partition as active

When the computer boots it reads the MBR from the active partition. On a Windows computer this should be the system partition that contains the files needed to boot Windows (NTLDR, BOOT.INI, etc.).

Remote disk management

As well as local disk management, Disk Management can be used to manage disks on a remote computer running Windows 2000/XP/2003. To be able to use Remote Disk Management, you need to have administrative permissions and rights on the remote computer that you want to manage.

Mounting volumes

When a basic or dynamic disk is formatted with NTFS it can be assigned a drive path instead of a drive letter. The disk can be mounted to an empty NTFS folder, allowing it to be accessed like any ordinary folder. To mount a volume to a folder, create an empty folder on an NTFS volume, right-click the new volume, select Change Drive Letter and Paths and click Add. Select Mount in the following empty NTFS folder and enter the path to an empty folder on an NTFS volume.

Diskpart

Windows also offers a command-line tool to manage disks called Diskpart. You can use the command-line tool to perform the tasks you would normally perform in Disk Management. The advantage of this command-line tool is that it allows you to create scripts to automate tasks.

SAQ 1.4
1 What are not supported as dynamic disks?
2 What RAID subsystems are not fault tolerant?
3 What is the command to convert from FAT file systems to NTFS?
4 Do spanned volumes exist in basic or dynamic disks?
5 How is fault tolerance provided in RAID 5 disks?
6 How would you upgrade from basic to dynamic disk?


Activity 1.3: Manage disks using Disk Management

Update disk drivers and upgrade your disks to dynamic disks. Create a mirrored volume. Disconnect one of your disks and attempt to recover it. Finally, remove your disk and replace it with another one and create a new mirrored volume (swap disks with another person in the class).

Follow the step-by-step instructions below.

To update a disk driver:
1 Open up Disk Management.
2 Right-click the disk you want to work with (you will have to upgrade both of them) and select Properties.
3 Select the Driver tab.
4 Select Update Driver (this opens the Hardware Update Wizard).
5 Select Install the Software Automatically (Recommended). The wizard now checks to see if you have the most up-to-date driver; if you have, the screen shown in Figure 27 will be displayed. If this is the case, click Finish; otherwise go through the wizard and install the new driver if it is more up-to-date.

Figure 27: Hardware Update Wizard


To upgrade a disk:
1 Right-click Disk and select Convert to Dynamic (you can convert more than one at a time). You will be given a list of the volumes on the disk and some warnings. Windows 2003 will shut down and restart. Go to Disk Management and inspect your disks. You will now see that instead of partitions you have simple volumes and the disks are labelled dynamic. Take a screen print for your logbook.

To create a mirrored volume:
1 If you have two dynamic disks with unallocated space, you can create a mirrored volume from them. Go to Disk Management and right-click unallocated space on one of the dynamic disks that you wish to use for your mirrored volume. Select New Volume to open the New Volume Wizard. Select Mirrored, then take all default settings. For a mirrored volume you have to select two disks.

To disconnect and recover a disk:
1 Disconnect one of your dynamic disks, go to Disk Management and inspect your disks; the disconnected disk should display as Missing. If not, refresh the screen.
2 Right-click the missing disk and try to reactivate it by clicking Reactivate Disk. This will not work.
3 Reconnect the disk and try Reactivate Disk. If the disk is connected correctly, it should return to a status of Healthy and the mirrored volume should be automatically regenerated.

To remove and replace a disk, and create a new mirrored volume:
1 Disconnect one of the mirrored volumes.
2 In Disk Management select the mirrored volume and select Remove Mirror.
3 Click the failed disk when the system prompts you for the mirror to remove and click Remove Mirror. Click Yes to confirm.
4 Connect the dynamic disk.
5 Right-click the volume you want to mirror. Select Add Mirror.
6 Select the disk that is going to be the mirror copy and select Add Mirror.


Summary of this section


Before you can manage your hard disk subsystems effectively, you have a lot of planning to do, as there are a number of options for physical disk configurations and logical disk configurations. You want one that matches your current configuration and allows for growth in the future. For physical disks you can choose from FAT, FAT32 and NTFS configurations. If you are using media such as plug and play devices, you are limited to FAT. But if you have a choice, it is preferable to use NTFS, as you will then have access to all Windows 2003 functionality. For logical drives you have a choice between basic and dynamic disks. If you want to implement RAID, you need to upgrade to dynamic disks. You manage disks from Disk Management, which you access from Computer Management. Use System Monitor to check on what is happening to your system in graphical form. If you need to know immediately when something happens, you can set up an alert. If you want to track long-term trends, set up counter logs. The counter logs should be saved in CSV format if you want to use another application such as Microsoft Access to manipulate the data.


Answers to SAQs

1.1
1 Disk Management.
2 They become volumes.

1.2
1 In the libraries under Removable Storage.
2 Removable Storage makes it easy for you to track your removable storage media (such as tapes and optical disks) and to manage the libraries that contain them (such as changers and jukeboxes). If you are carrying out a normal or full backup, changers and jukeboxes are very useful, as you can preload them with tapes/cartridges etc. so that when your backup starts, it does not have to wait for operator intervention to load the tape/cartridge etc.

1.3
1 Giving you a graphical representation of what is happening in your system.
2 You have to add counters to the counter log so that it knows what to record.
3 CSV.
4 An alert.

1.4
1 IEEE 1394 (FireWire) disks, USB disks, removable disks, disks in laptops.
2 Stripe Volume (RAID 0).
3 convert c: /fs:ntfs.
4 Dynamic.
5 Parity.
6 To upgrade a disk from basic to dynamic, right-click the disk and select Upgrade To Dynamic Disk.


Section 2: Manage users, computers and groups


Introduction to this section


What this section is about

In this section you'll learn how to manage users, computers and groups.

Outcomes, aims and objectives

Manage user profiles.
Create and manage user and computer accounts.
Troubleshoot user and computer accounts.
Create and manage groups.

Approximate study time
12 hours.

Other resources required
A computer capable of running Windows 2003 Enterprise and Windows XP Professional.
A copy of Windows 2003 Enterprise and a copy of Windows XP Professional, together with the matching product keys.
An Internet connection.


Assessment information for this section


How you will be assessed
You'll be assessed through a closed-book test and a logbook. You must provide evidence of the knowledge and skills for the entire unit by answering a set of 40 restricted-response questions. These may be administered as a single test at the end of the unit or as several subtests, each covering one or more outcomes.

When and where you will be assessed
You'll take the closed-book test after you have completed the outcome(s) it covers. Record the activities in your logbook as you complete them. You must do at least two of them.

What you have to achieve
You have to complete the activities and achieve at least 70% in the closed-book test or 70% in all the subtests individually.

Opportunities for reassessment
If needed, your tutor will give you the opportunity for one reassessment.


Managing user profiles


To ensure that you have control of the resources users can access in your domain environment, you must first be able to identify users, and then be able to identify the rights and permissions associated with those user identities. In the Microsoft Windows Server 2003 Active Directory service, users are associated with individual user objects. These objects are used for authentication purposes and for the configuration of user environment settings. To be able to manage users, groups and computers effectively, you need to know how to create, modify and delete these objects.

User profiles define the following: individual display settings, network and printer connections, and other specified settings. The user profile allows the user to define and customise their desktop or, if you have mandatory profiles, allows the system administrator to define desktop settings that users are unable to modify. (This promotes corporate identity, as all desktops look the same, and makes fault finding easier, as all settings are the same.) There are four types of user profile, described below.

Local user profile
A local user profile is created the first time you log on to a computer and is stored on that computer's local hard disk. Any changes made to your local user profile are specific to the computer on which you made the changes. So, if someone else logs on to that computer after you, they will have the settings that you specified. (This is why roaming profiles were introduced; see below.)

Roaming user profile
A roaming user profile is created by the system administrator and is stored on a server. This profile is specific to a user and is available every time that user logs on to any computer on the network. Changes made to a roaming user profile are updated on the server. To create a roaming profile, you first have to create a user account in Active Directory.

Mandatory user profile
A mandatory user profile is a roaming profile that can be used to specify particular settings for individuals or an entire group of users. Only users with administrator rights can make changes to mandatory user profiles. This is useful if you want to give different groups of users their own settings, but you do not want them to be able to change them. Therefore, the system administrator customises the profiles, not the user.

Temporary user profile
A temporary profile is issued any time that an error condition prevents the user's profile from being loaded. Temporary profiles are deleted at the end of each session. Changes made by the user to their desktop settings and files are lost when the user logs off. So if you log in and get an error message when Windows tries to access your profile, be aware that the temporary profile will not have your customised settings and you will lose any changes you make to it.


Managing user profiles
You manage user profiles under Active Directory Users and Computers. Before you create a profile, you create the user account that is going to use it. Then you right-click the user account and pick the Profile tab. If you store the user profile on a server (the server does not need to be a domain controller), when the user logs on, Windows checks to see if a user profile path exists. If it does, it finds the user profile and loads it on to whatever local computer the user logs on to. This means that any changes the user makes to the settings follow them, whatever local computer they use. To manage user profiles, you must be a member of the Enterprise Admins, Domain Admins, or Account Operators group, or you must have been delegated the necessary permissions.

Figure 28: User properties Figure 28 shows the screen displayed when you right-click a user. When you click on the Profile tab you see the screen shown in Figure 29.


Figure 29: User profile

It is here that you enter the profile path. If you want the user's home folder stored on a server (easier to back up), fill in the Full path. That is, if the server was DORRIAN, the sharename was SHARED and the Username was b.idol, the profile path would be \\DORRIAN\SHARED\b.idol. If you have created roaming profiles for users and want them to be mandatory roaming profiles (which users cannot change), simply give the profile the file extension .man when you enter the full path name for the profile.


Activity 2.1: Manage user profiles

Follow the step-by-step instructions below:
1 Select Active Directory Users and Computers from Administrative Tools. A screen similar to the one shown in Figure 30 is displayed. The Users container is opened by default and its contents displayed in the right-hand pane. When you create users, you initially create them here.

Figure 30: Active Directory Users and Computers

2 Select Action, then New, then User.
3 Fill in the user details as Bill Yoursurname and Ben Yoursurname with User logon names of BiYoursurname and BeYoursurname.
4 Make the password PA55word (so that it meets complexity requirements for upper- and lowercase and numbers) and select User cannot change password.
5 Right-click the user and select Properties.
6 Select the Profile tab and in Profile enter the path for where you want the roaming profile kept. Figure 31 gives an example.


Figure 31: Profile tab

7 Once you have set up both users' profiles, ensure that they can log on locally. (You do this by opening Domain Controller Policy from Administrative Tools, selecting Local Policies, selecting User Rights Assignments and adding them to Logon Locally.)
8 Log on as Bill and change the background. Log off.
9 Log on as Ben and check that you have the original background, not Bill's. Now change the background (to a different one from Bill's). Log off.
10 Log on as Ben and check that you have the changed background. Log off.
11 Log on as Bill and check that you see Bill's background. Log off.

Roaming profiles are generally used over a network, not when logging in locally to the Domain Controller. If you want to implement this over a network, do the following (not step-by-step), working in groups of two (work as a group of three if there is an odd number). Use the users you have already set up in Active Directory, Bill Yoursurname and Ben Yoursurname:
Set up an additional profile for Bill called Flowerpot.
Store Bill's and Ben's profiles in a shared folder called Puppets, which you will need to create and share with the sharename of Puppets. On your computer, the profile path will be in the form: \\Computername\Puppets\%username%.


If you use the wildcard %username%, Windows 2003 automatically fills in the user name for you. Log on to a computer that is in your domain. To join a computer to a domain, first ensure it is booted on a client operating system such as Windows XP or 2000, that it is in the same subnet, and that it has the Domain Controller which contains the users set as its DNS (Domain Name Services) server. (DNS is one of the pre-requisites when you install Active Directory. If you do not already have this installed, Windows installs it for you, with the Domain Controller as the DNS Server. If you go into TCP/IP properties you will see that it has filled in the preferred DNS with 127.0.0.1, which is the loopback address.) If you are in a group of two and the other person has Windows 2003 booted up while you have Windows XP, they have to join your domain to access the user accounts in Active Directory. To do this go to System from the Control Panel and select the Computer Name tab, click the Change button and you will see the screen shown in Figure 32.

Figure 32: Joining a computer to a domain

Click on Domain and enter the name of the domain you wish to join. If you do not have the correct DNS Server, or are on a different subnet, or have mistyped the domain name, you will get the message shown in Figure 33.


Figure 33: Error message

If the system can contact the domain controller, you will be asked to enter an administrator user and password from the Domain Controller's system. Once you have been successfully authenticated, you will receive a message telling you that you have now joined the domain. Log on as Bill and change the screensaver, then log off. Now log on as Ben and change the desktop theme. (When you log on as Ben check the screensaver; you should still have the original.) Now log on as Bill and check that you have kept the changes to the screensaver and that the theme is the original one. (To change screensavers and themes go into Display properties from the Control Panel.) Once everyone in the group has had a chance to carry out these tasks, go to the User Profiles tab and change the file extension in Bill's profile path to .man. Log on as Bill, change the background and log off and on again. Have the changes been kept? Bill will have lost the changes when he logged off, as you have changed his roaming profile to a mandatory roaming profile and he does not have the authority to make changes to it. Make sure that you document configuration changes in your logbook and take screen prints where appropriate.


SAQ 2.1
1 What is kept in User Profiles?
2 List the different types of user profiles.
3 Why would an administrator use mandatory roaming profiles, and how are they implemented?


Creating and managing user and computer accounts


Active Directory users
In order to identify the people who log on to your system, you need to create a user account for each of them. Over time, as their role and the resources they require access to change, you will have to modify the account, and eventually, when they no longer work for the company, delete the account.

In Active Directory, an individual needs a user account to verify their identity before they can access network resources. This is known as authentication. The cornerstone of authentication is the user account, with its user logon name, password and unique security identifier (SID). When a user logs on, Active Directory authenticates them by using the user name and password provided. Once successful authentication occurs, the Windows Server 2003 security subsystem creates the security access token that represents that user on the network. The access token contains the user account SID, as well as the SIDs of groups to which the user belongs. (This is because membership of groups can give the user additional permissions. In fact, permissions should be assigned to groups, not directly to users.) This access token is then used to verify user rights and to authorise access to resources secured by access control lists (ACLs).

A user is represented in Active Directory by a user object. A user object includes not just a user's name, password, and SID, but also personal information such as telephone number and address. You can also add extra fields if you want to keep information such as emergency contacts here as well.

Creating user accounts/objects
The main tool used to create user accounts/objects is Active Directory Users and Computers. Although user accounts can be created in the root of a domain or in any of the default containers, it is usually best to locate users in organisational units (OUs) so that you can delegate administrative authority and utilise group policy settings based on the OUs. So if your company had an administration department, a sales department, a purchasing department and a manufacturing department, you could create four OUs, one for each department, and they could be administered independently.

To access Active Directory Users and Computers, go to Start, select Programs and then Administrative Tools. As long as your server is a Domain Controller you should see it here. If not, go back and promote your server to a Domain Controller. This can be done by entering dcpromo at the command prompt (click Run). Alternatively, you can use the Configure Your Server Wizard, which is accessed from Administrative Tools. Windows inspects your system and tells you what you have currently configured, as shown in Figure 34.


Figure 34: Configure Your Server Wizard

As you can see from Figure 34, you can add and remove a number of server roles using this tool, not just promote a server to Active Directory and demote it to a normal server.

Creating a domain user
To create a user, right-click the container in which you want to create the user, select New, and then click User. The New Object-User dialog box appears. The first screen of the New Object-User dialog box asks for the user name.

Note: To create a new user object, you must be a member of the Enterprise Admins, Domain Admins, or Account Operators group, or you must have been given the necessary permissions for the container in which the account will be created.

Alternatively, you could click Action from Active Directory Users and Computers, which brings up the drop-down menus shown in Figure 35. If you then click New, you are given a choice of new directory objects, one of which is User.


Figure 35: Adding a new user

When you complete the screen shown in Figure 36, remember that the name entered here must be unique relative to all other objects in the OU (or other container) in which you create the user object. You could have a Sales organisational unit (OU) and a Marketing OU and within each have a Mary Smith. This is OK, as they are objects in different containers.


Figure 36: User names

User principal name
The user principal name (UPN) consists of a logon name and a UPN suffix, which is, by default, the DNS name of the domain in which you create the object. This property is required, and the entire UPN, in the format logon name@UPN-suffix, must be unique within the Active Directory forest. For example, AndyPandy@Loobyloo.com. The UPN can be used to log on from any Microsoft Windows system running Windows 2000, Windows XP, or Windows Server 2003.

User logon name
This logon name is used to log on from down-level (pre-Windows 2000) clients, such as Microsoft Windows 95, Windows 98, Windows ME, Windows NT 4.0, or Windows NT 3.51. This field is required and must be unique within the domain.

When you create a new user, you are initially prompted to configure the most common properties for the user object, including logon names and a password. The next screen prompts you for the password options. Be aware that there are password complexity checks, and if you set a password that fails the complexity check it will not let you create the user. You have two options: loosen the password complexity policy (this could be a security violation) or ensure your password complies with it. The default is as shown in Figure 37.


Figure 37: Default password policy

The password complexity and other settings shown above are configured in the Default Domain Policy. To access them, click Start, select Administrative Tools, click Default Domain Policy, click Settings and then click Password Policy. Password complexity, if enabled, requires that the password:
Not contain all or part of the user's account name.
Be at least six characters in length.
Contain characters from three of the following four categories:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Base 10 digits (0 through 9)
o Non-alphabetic characters (e.g. $, #, %).
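As an added example (not a Microsoft tool and not part of the course text), the Python function below applies the three rules listed above to a proposed password and reports every rule it breaks, which is the check an administrator would want before bulk-creating accounts. The length and category rules are exactly as stated above; how the user's full name is split into pieces for the "all or part of the account name" rule (delimiters, pieces of three or more characters) is my assumption.

```python
"""Check a proposed password against the complexity rule described above.

Added example for this course section, not a Microsoft tool. The minimum
length and the three-of-four-categories rule are the ones listed in the text;
the way the user's name is broken into pieces for the "all or part of the
account name" rule is an assumption (delimiters below, pieces of 3+ characters).
"""
import re
import string

MIN_LENGTH = 6          # minimum length quoted in the text for this policy
MIN_CATEGORIES = 3      # characters from three of the four categories
NAME_DELIMITERS = r"[ ,.\-_#\t]+"   # assumed delimiters for splitting the full name


def name_tokens(account_name, full_name=""):
    """Pieces of the user's names that the password must not contain.

    Assumption: the logon name counts whole (if it is at least three characters)
    and the full name is split into parts; parts shorter than three characters
    are ignored so that initials alone do not reject every password.
    """
    tokens = set()
    if len(account_name) >= 3:
        tokens.add(account_name.lower())
    for part in re.split(NAME_DELIMITERS, full_name):
        if len(part) >= 3:
            tokens.add(part.lower())
    return tokens


def complexity_failures(password, account_name, full_name=""):
    """Return the list of reasons the password fails; an empty list means it passes."""
    failures = []
    lowered = password.lower()

    # Rule 1: must not contain all or part of the user's account name (case-insensitive).
    for token in sorted(name_tokens(account_name, full_name)):
        if token in lowered:
            failures.append(f"contains part of the user's name: {token}")

    # Rule 2: at least six characters.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 3: characters from three of the four categories.
    categories = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        # "Non-alphabetic" in the text: anything that is not a letter or digit, e.g. $ # %
        "symbol": any(c not in string.ascii_letters + string.digits for c in password),
    }
    used = sum(categories.values())
    if used < MIN_CATEGORIES:
        failures.append(f"uses {used} of the 4 character categories, need {MIN_CATEGORIES}")

    return failures


def meets_complexity(password, account_name, full_name=""):
    """True if the password would be accepted under the complexity rule."""
    return not complexity_failures(password, account_name, full_name)


if __name__ == "__main__":
    # Constructed sample: the activity's Bill account (BiYoursurname with surname Smith)
    # tried with the activity's password and two weaker ones.
    for candidate in ("PA55word", "password", "BiSmith99!"):
        print(candidate, meets_complexity(candidate, "BiSmith", "Bill Smith"),
              complexity_failures(candidate, "BiSmith", "Bill Smith"))
```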

Complexity requirements are enforced when passwords are changed or created. If the password fails the complexity test, the user account is not created or the password is not changed.

There are numerous additional properties that you can configure at any time with Active Directory Users and Computers. These properties help you to administer your users and you have the ability to search for objects by using LDAP (lightweight directory access protocol) queries. To configure the properties of a user, right-click on the user and choose Properties. The user's Properties dialog box appears (see Figure 38).

Figure 38: User properties

From this you can modify all the properties on the tabs. There is a very useful new tool, released just after Windows 2003, called the Group Policy Management Console. You can download it from: http://www.microsoft.com/windowsserver2003/gpmc/default.mspc When it is installed you will have an interface like that shown in Figure 39. This tells you at a glance the effective settings and which security policy they are taken from.


Figure 39: Group Policy Management

Creating a computer account
When you join a computer to a domain, Active Directory automatically creates a computer account for it in Active Directory Users and Computers in the Computers container. But if you have a network of several hundred computers, it might make administration easier if you split them up into more manageable chunks. This can be done in two ways. In both cases you split your computers into OUs, either by department or location, whichever is easiest for you. Then you can:
let Active Directory create the computer account automatically, then move it into the appropriate OU (Organisational Unit); or
pre-stage that computer account, which means that you create the computer account where you want it to go first, before the computer joins the domain.

You can assign rights to computer accounts as well as users, but it tends to make troubleshooting quite complex. If possible, it is easier to manage if you grant all rights and permissions via user accounts. Although there will be exceptions, such as kiosks with anonymous logons, you want to minimise their rights in order to minimise your security exposure and, if possible, have them standalone.


Activity 2.2: Create a computer account in an organisational unit and restrict its rights

Work in groups of two or more. Follow the step-by-step instructions below.
1 Open up Active Directory Users and Computers from Administrative Tools. (If you are not logged on as Administrator, use the Run As option: right-click Active Directory Users and Computers and select it.)
2 Right-click the domain and select New and then Organisational Unit. The name of the OU is Support.
3 Right-click Support, then select New and then Computer.
4 Enter a computer name of Supportyourname. See the example in Figure 40.

Figure 40: Creating a computer account

5 Take turns to join the domain of another member of the group (follow the instructions provided earlier in this section). This will automatically create an account in Computers with the name of the computer joining the domain.
6 Change this back from the domain to a workgroup called Class. This is done by:
a. Select Control Panel
b. Select Classic View
c. Select System
d. Select the Computer Name tab
e. Select Change
f. Click the Workgroup radio button and fill in the name of the workgroup, Class
g. Select OK.
7 Rename it to the name of the account that has been pre-staged:
a. From the Control Panel select System.
b. Select the Computer Name tab.
c. Select Change (you will get a warning, as it is a domain controller, but in Windows 2003 you can rename it).
d. Enter the pre-staged computer name.
e. Restart your computer.
f. Rejoin the domain. You should be able to access the domain and, as the computer account has already been created, another one will not be created under Computers.
8 In Active Directory Users and Computers on the computer that has the pre-staged account (not the one that has just been renamed), select the Organisational Unit Support.
9 Right-click the computer and select Disable Account.
10 On the computer you have renamed, shut down and restart. Can you access the domain? You should not be able to, as the computer account is disabled.
11 On the domain controller that has the pre-staged computer account, go into Active Directory and enable the computer account. (Select the Organisational Unit Support, then right-click the computer and select Enable Account.)
12 Shut down and restart the renamed computer; you should now be able to access the domain.
13 Ensure that everyone in the group has a chance to be both the domain controller and the computer joining the domain with the pre-staged account.

Activity 2.3: Configure and troubleshoot user accounts

Working in groups with Bill and Ben, the users you created earlier, you are now going to configure some of their account properties. You are also going to configure some properties for the client computer, which, when it joins the Active Directory domain, will appear under Active Directory Users and Computers. You are going to carry out these tasks for each member of the group, so you will all get the chance to do the following:

Manage user and computer accounts.
See the error messages the user would see.

Make sure you record all your actions in your logbook and print out screens as appropriate.

An Administrator can allow users access only during working hours; this would give problems if their hours change. The default for logon hours is shown in Figure 41.

Figure 41: Default logon hours

Modify Bill's Account tab in Properties so he can only log on after 6pm. Now try and log in as Bill from a client and see if you are able to. You can also allow users access to only certain computers. This is done under Logon Workstations. Change Ben's account to allow him to log on only from the client he is connecting from. (Note: You have to install the NETBIOS protocol from Network Settings.) Check Ben can log on. Now change to another computer name while he is logged on; what happens? Now log off and on again. Can he connect? The system will not throw him off if already connected, but it will prevent him from logging in.

Follow the step-by-step instructions below.
1 Select Active Directory Users and Computers from Administrative Tools.
2 Select the Users container and right-click Bill's user account.
3 Select Properties.
4 Select the Account tab and select Logon Hours.


5 Modify the logon hours so Bill can only log on after 6:00 pm.
6 Click OK.
7 Try and log on as Bill. (You should not be able to unless it is after 6:00 pm. If you are already logged on as Bill, changes will not take effect until you log off.)
8 In Active Directory Users and Computers, select the Users container and right-click Ben's user account.
9 Select Properties.
10 Select the Account tab and select Logon to.
11 Select The following computers, and enter the name of your computer.
12 Try logging on with Ben's user account to:
a. your computer
b. another one in the group.
13 You will find that you are able to log on to your computer but not the other one, as you have limited which workstations you can log on from.

If you have problems with the workstation finding the domain controller, it could be because you do not have NETBIOS installed. To install NETBIOS:
1 From the Control Panel, select Network Connections and then Local Area Connection.
2 Click Properties.
3 Click Install.
4 Select Protocol, then click Add.
5 Select NETBIOS protocol and click OK.

If a user cannot remember their password, they will not be able to access the system. This tends to happen after holidays. You are going to reset Bill's password. To reset a domain user account password:
1 Open Active Directory Users and Computers.
2 Click on the Users container and right-click Bill's user account.
3 Select Reset password.
4 Enter the new password, keeping to the complexity rules, otherwise it will not be accepted.
5 Select User must change password at next logon.
6 If Bill is currently logged on, log off and on again for the changes to take effect.


SAQ 2.2
1 Before you can access resources in an Active Directory Domain, what do you need?
2 What does your server have to be before you have Active Directory Users and Computers available from Administrative Tools?
3 What is the default password policy in Windows 2003?

Managing properties on multiple accounts simultaneously
Windows Server 2003 has some new functionality in Active Directory Users and Computers. You can now modify certain properties of multiple user accounts at the same time. To do this, you use the CTRL key in the same way as you would in Windows Explorer to select multiple objects. You hold down the CTRL key as you click each user object. Be sure to select only objects of one object class, such as users. Once you have selected multiple objects, click the Action menu and then choose Properties. This screen shows the limited tabs available for modification when you have selected more than one user (see Figure 42).

Figure 42: Properties On Multiple Objects

When you have selected multiple user objects, you can modify the properties on the following tabs:
General: Description, Office, Telephone Number, Fax, Web Page, E-mail.
Account: UPN Suffix, Logon Hours, Computer Restrictions (Logon Workstations), All Account Options, and Account Expires.
Address: Street, P.O. Box, City, State/Province, ZIP/Postal Code, and Country/Region.
Profile: Profile Path, Logon Script, Home Folder.
Organization: Title, Department, Company, Manager.

Moving a user
If a user is transferred to a different department or unit within your company, you might need to move their user object to reflect administration or configuration changes. To move an object in Active Directory Users and Computers, first select the object and then choose Move from the Action menu. Alternatively, you can right-click the object and select Move from the shortcut menu. Once the Move dialog box appears, you can select the container the object should be moved into. Windows Server 2003 now allows drag-and-drop operations within many administrative tools, including Active Directory Users and Computers. This makes it much easier to use and is very similar to Windows Explorer. You can drag and drop a user, or a number of users if you have multi-selected them, from one container to another.

Using user templates
You can set up templates for common user objects such as telesales, administration, and field sales where you are going to be giving users standardised permissions. For example, all administration staff might work between 9:00 am and 5:00 pm, Monday to Friday. Therefore the logon hours properties of the user object would reflect this. Also, they might all require read access to procedure files and write access to customer records. To create a template, first create a new user object and populate the properties that will be common to all users that you are creating the template for (logon hours, group membership, etc.). Make sure that the account you are creating as a template is disabled so it cannot be used. You might want to consider prefixing the user name with an underscore (_) to identify the user as a user template. This means that when you sort by name in Active Directory Users and Computers the templates will appear at the top. Only a subsection of the properties from each tab are copied when you copy a user, as follows:
General: none.
Address: all properties except Street Address.
Account: all properties except logon names, which you are prompted to enter when copying the template.
Profile: all properties; the profile and home-folder paths are modified to reflect the new user's logon name.
Telephones: none.
Organization: all properties except Title.
Member of: all properties are copied.
Dial-In, Environment, Sessions, Remote Control, Terminal Services Profile, and COM+: none.

Note: if you create a user by copying a template, it will have the same group memberships as the template, but any rights or permissions assigned directly to the user are NOT copied over.

Using account management tools, importing user accounts
There are also some command-line utilities you can use to create users, particularly users that have been created in other systems. You can also use them to export Active Directory objects to other systems. They are the Csvde.exe and the Ldifde.exe utilities.

Csvde.exe
Csvde.exe is a command-line utility that allows you to import or export objects in Active Directory to or from a comma-delimited text file. You can export/import information from Active Directory for use with other applications such as Microsoft Excel and Microsoft Access. The basic syntax of the Csvde command is:

csvde [-i] [-f FileName] [-k]

You need to specify -i if you want to import, as the default is export. -f FileName identifies the import file name. -k ignores errors, including "object already exists", "constraint violation" and "attribute or value already exists", during the import operation and continues processing. The file used by Csvde is a comma-delimited text file (*.csv or *.txt), in which the first line is a list of LDAP names for the attributes to be imported, followed by one line for each individual object. Each object must contain the attributes listed on the first line, as shown in the following example:

DN, objectClass, sAMAccountName, sn, givenName, userPrincipalName
"CN=Billy Idol, OU=Employees, DC=swimming, DC=com", user,bidol,Idol,Billy,b.idol@swimming.com

In this example, the text file used with Csvde would create a user object in the Employees OU, named Billy Idol. The file also configures the associated user logon name, first name, last name, and UPN. You can get more information in the Microsoft Help and Support Center.
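As an added example (not part of Csvde or the course text), the Python script below writes a Csvde import file for a batch of new users in the layout just described, quoting DNs that contain commas, escaping special characters in names, and filling in the UPN and a roaming profile path of the \\Computername\Puppets\%username% form used in Activity 2.1; it also reads such a file back, so it works on an export too. The helper names, the domain swimming.com with an Employees OU and the share \\DORRIAN\Puppets are my assumptions.

```python
"""Generate and read Csvde-format files for batches of users.

Added example for this section; it is not part of Csvde or the course material.
Assumptions (all mine): the helper names, the domain swimming.com with an
Employees OU, and the profile share \\DORRIAN\Puppets. Csvde itself is run
afterwards (csvde -i -f users.csv -k); passwords are not part of the import.
"""
import csv
import io

# LDAP attribute names for the first line of the file, in column order.
ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "sn", "givenName",
              "userPrincipalName", "profilePath"]

# Characters that must be escaped inside an RDN value such as CN=Idol, Billy.
DN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape a relative distinguished name value (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(common_name, ou, domain):
    """CN=<name>,OU=<ou>,DC=<label>,... for a user placed directly in the OU."""
    dc = ",".join("DC=" + label for label in domain.split("."))
    return f"CN={escape_rdn_value(common_name)},OU={escape_rdn_value(ou)},{dc}"


def user_row(first, last, logon, domain, ou, profile_share):
    """One import line: the attributes needed to create and profile a user."""
    return {
        "DN": build_dn(f"{first} {last}", ou, domain),
        "objectClass": "user",
        "sAMAccountName": logon,                     # pre-Windows 2000 logon name
        "sn": last,
        "givenName": first,
        "userPrincipalName": f"{logon}@{domain}",    # logon name@UPN-suffix
        "profilePath": f"{profile_share}\\{logon}",  # roaming profile folder per user
    }


def render_csvde(rows):
    """Header line plus one line per object; DNs containing commas are quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ATTRIBUTES, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_csvde(text):
    """Read a file in the same layout (e.g. a csvde export) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def import_command(path):
    """The csvde invocation for the generated file: import, file name, ignore errors."""
    return ["csvde", "-i", "-f", path, "-k"]


if __name__ == "__main__":
    # Constructed sample: the two activity users plus a name with a comma in it.
    share = "\\\\DORRIAN\\Puppets"
    sample = [
        user_row("Bill", "Yoursurname", "BiYoursurname", "swimming.com", "Employees", share),
        user_row("Ben", "Yoursurname", "BeYoursurname", "swimming.com", "Employees", share),
        user_row("Billy", "Idol, Jr", "bidol", "swimming.com", "Employees", share),
    ]
    print(render_csvde(sample))
    print(" ".join(import_command("users.csv")))
```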

SAQ 2.3
1 How would you select multiple user objects in Active Directory Users and Computers?
2 What is CSVDE, and what is it used for?


Troubleshoot user and computer accounts


Account management tools
Windows Server 2003 includes a number of powerful new command-line tools, designed to make administration tasks easier and to allow them to be scripted. The tools are:
Dsadd.exe: adds objects to the directory.
Dsget.exe: displays properties of objects in the directory.
Dsmod.exe: modifies selected attributes of an existing object in the directory.
Dsmove.exe: moves an object from its current container to a new location, or renames it.
Dsrm.exe: removes an object, or an object together with the complete subtree beneath it.
Dsquery.exe: queries Active Directory for objects that match specified search criteria; its output can be piped into the other tools.

These tools use one or more of the following components in their command-line switches:
Target object type: one of a predefined set of values that correlates with an object class in Active Directory. Common examples are computer, user, ou, group and server (domain controller).
Target object identity: the distinguished name (DN) of the object the command is run against. The DN is an attribute of every object that gives its name and location within the Active Directory forest, for example CN=Arial White,OU=Employees,DC=Soap,DC=com. Note: when a DN that includes spaces is used as a command parameter, enclose the whole DN in double quotes; otherwise the tool reads it as several separate parameters.
Server: you can specify the domain controller against which you want to run the command (the -s switch).
User: you can specify a user name and password with which to run the command (the -u and -p switches). This is useful if you are logged on with non-administrative privileges and want to run the command with elevated credentials (similar to using RUNAS). Use -p * to be prompted for the password rather than typing it on the command line, where it would remain in the command history and be visible to other users of the machine.

Or you can use the Active Directory Users and Computers Microsoft Management Console (MMC). See Figure 43.


Figure 43: Active Directory Users and Computers

Delegate control
Under the Action menu you have the option to delegate control. This is useful if you have independent departments and you want to give them control of their part of the company computer system without making them domain administrators. To do this, organise your users and computers into OUs (this makes them easier to administer). If you click Delegate Control on the Action menu, the Delegation of Control Wizard starts and you are prompted for who you want to delegate to. Choose the users and groups (delegate to groups rather than to individual users, so that the delegation survives staff changes) and then decide the tasks you want to delegate to them, as shown in Figure 44. The wizard works by writing access control entries on the OU, so what has been delegated can be reviewed later on the Security tab of the OU's properties (under Advanced) or with the dsacls command-line tool from the Windows Support Tools. The wizard has no undo: to withdraw a delegation you must remove those entries yourself.


Figure 44: Delegating tasks

You can also make up custom tasks if you want.

Find
There is a Find option that lets you search on the attributes of users, contacts or groups. This is therefore a very powerful tool (see Figure 45).


Figure 45: Finding a user

The Find option also includes fields from Microsoft Exchange Server, because when Exchange is installed it extends the Active Directory schema, so Exchange attributes (fields) become available to search on. If you want to create new Active Directory user and computer objects, click New from the Action menu and you get the options shown in Figure 46.


Figure 46: Creating new Active Directory User and Computer objects

If you click Properties, the properties you can change depend on which object you have selected. To change user or group properties, click the user or group in the right-hand pane, then Action and then Properties. You will see the options displayed in Figure 47.


Figure 47: Properties

Again, if you have Exchange installed, you can send mail to users from here. This is useful if you want to mail a group of people and saves you logging on to your mail system, because Exchange is integrated.

Queries
Another new feature in Windows Server 2003 is the ability to run and save queries. You might want to list all your temporary employees: if their user names are prefixed with t_, you can set the query up once and run it whenever required, e.g. daily, weekly or monthly. To use queries, click Saved Queries in the left-hand pane and you will see the menu shown in Figure 48.


Figure 48: Saved queries

If you click New, you have the option to create a new query or a new folder, so if you have a lot of queries you can save them in appropriately named folders, making administration easier. If you click New, then Query, Windows prompts you for a name and description for your query; if you make these relevant it is easier to find and reuse the query later. Then choose which container to query. If your query is only relevant to one OU, there is no point in searching the whole of Active Directory: select that container, and clear the Include subcontainers box if you do not need them, to speed up your searches. Next define what you are querying. An example is shown in Figure 49.


Figure 49: Defining a query

If you click the black triangle, you will see more options. Try it and see. When you have completed the query options and clicked OK, the query runs and you see the results as shown in Figure 50.

Figure 50: Results of query This query is now saved and can be rerun whenever required. You do not have to set it up again.


RSoP
Another new administrative tool in Windows Server 2003, useful for group policy planning and troubleshooting, is RSoP (Resultant Set of Policy). It tells you exactly which group policy settings apply to a given user or computer, and which GPO each setting came from. First create an MMC console: type mmc at the command prompt, choose Add/Remove Snap-in from the File menu, select Resultant Set of Policy and click Add. You now have a tool you can use in logging mode to check the settings currently in effect for a user or computer, or in planning mode to see the effect of a potential policy change before you implement it. The gpresult command gives the same logging-mode information at the command line. Figure 51 shows RSoP in logging mode on a user.

Figure 51: Using RSoP

2.4
1. List the command-line account management tools.
2. What is the advantage of using command-line tools?
3. What tool would you use to give selected users some autonomy in their organisational unit?


Creating and managing groups


To make administration easier, users with common needs (i.e. common requirements for permissions and user rights) are grouped together. If you use groups (Microsoft recommends that you do), you only need to assign a permission once, to the group, not to each individual user. If the group had 100 members, for example, each permission would cost one assignment instead of 100. And you can nest groups within groups, further reducing your workload.

In Windows Server 2003 there are two group types, designed for use in different situations. Security groups are used for assigning permissions and rights to shared resources, while distribution groups are used to create distribution lists for directory-enabled e-mail applications such as Microsoft Exchange Server.

Security groups
A security group is a security principal, much like a user account. In the same way that user accounts have an associated SID, so do security groups. Because of this, members of a security group can be assigned rights and permissions to resources in an Active Directory environment; distribution groups are not security-enabled and cannot be used in an access control list.

It is crucial to understand the difference between permissions and rights. Permissions grant users a certain level of access to a specific resource, such as the ability to read a file or to manage documents on a particular printer. Rights are abilities that apply to a whole computer or, through group policy, throughout a domain or forest. For example, the ability to log on locally to a domain controller is a user right, as is the ability to back up files and folders. In Active Directory environments, rights are assigned to groups through group policy settings. There are three consoles for this: Domain Controller Security Policy, Domain Security Policy and Local Security Policy (the last is what applies when a computer is not part of a domain). Be careful when you change rights to make sure that it is the effective policy you are changing.

If you open Default Domain Security Settings, expand Local Policies and User Rights Assignment, and right-click one of the rights, you will see the screen shown in Figure 52.


Figure 52: Default Domain Security Settings

A right can be undefined, enabled or disabled. Group policy can be defined at local level (the local group policy object of the computer itself), site level, domain level and OU level; the Default Domain Controllers Policy is simply a GPO linked to the Domain Controllers OU. Account policy settings (password, lockout and Kerberos policy) for domain accounts are only effective at domain level, so if you set password complexity in a GPO linked to an OU, it is ignored. Policies are applied in the order local, site, domain, then OU (and nested OUs), so where the same setting is defined at more than one level the later one wins: an OU setting overrides a domain setting, unless the link to the higher-level GPO is marked Enforced (No Override), in which case the higher-level setting wins. Remember the order as L S D OU. Fault finding rights can therefore be quite complex, and you should check the effective setting with RSoP rather than assume the GPO you edited is the one in force. Windows Server 2003 also has additional tools you can download and install to make this easier, such as the Group Policy Management Console (GPMC).

When a domain is configured to the Windows 2000 native or Windows Server 2003 domain functional level, you can change the type of a group after it has been created. For example, an administrator might have created a security group when they meant to create a distribution group, or vice versa. It is important to remember that when you change a group's type from security to distribution, any permissions or rights that were assigned to the security group are lost, because a distribution group can no longer be used in an ACL. Note: to change the type of an existing group, you must have the appropriate authority.
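As an added example, not part of the original notes, the Python below models the L S D OU precedence described above, including the two rules that cause most confusion in practice: account policy settings are only taken from GPOs linked at the domain, and an Enforced link at a higher level overrides settings from links below it. The GPO names, levels and settings are constructed for the example, and the treatment of Enforced is deliberately simplified (Block Inheritance and security filtering are not modelled).

```python
# Group policy is applied in the order local, site, domain, OU (remember L S D OU); a
# setting defined at a later level replaces the same setting from an earlier level.
LEVEL_ORDER = ["local", "site", "domain", "ou"]

# Account policy settings (password, lockout, Kerberos) for domain accounts are only
# honoured from GPOs linked at the domain; the same settings in an OU GPO are ignored.
ACCOUNT_POLICY = {
    "MinimumPasswordLength", "PasswordComplexity", "MaximumPasswordAge",
    "PasswordHistorySize", "LockoutBadCount", "LockoutDuration", "ResetLockoutCount",
}

# Constructed sample GPOs: (name, level, enforced, {setting: value}). The names and
# values are assumptions for the example, not settings read from any real domain.
SAMPLE_GPOS = [
    ("Local Computer Policy", "local", False,
     {"ShutdownWithoutLogon": "enabled", "MinimumPasswordLength": 0}),
    ("Default Domain Policy", "domain", False,
     {"MinimumPasswordLength": 8, "PasswordComplexity": "enabled",
      "SeRemoteShutdownPrivilege": "Administrators"}),
    ("Server Baseline", "domain", True,
     {"SeShutdownPrivilege": "Administrators"}),
    ("Sales OU Policy", "ou", False,
     {"MinimumPasswordLength": 14, "ShutdownWithoutLogon": "disabled",
      "SeShutdownPrivilege": "Sales Staff"}),
]


def resultant_set(gpos, level_order=LEVEL_ORDER):
    """Compute what RSoP logging mode would report: {setting: (value, winning GPO)}, plus
    a list of (GPO, setting) pairs that were ignored, which is usually the answer to
    'why does my OU password policy not apply?'."""
    rank = {level: i for i, level in enumerate(level_order)}
    for name, level, _, _ in gpos:
        if level not in rank:
            raise ValueError(f"{name}: unknown level {level!r}")
    ordered = sorted(gpos, key=lambda g: rank[g[1]])   # stable: keeps link order within a level
    result, ignored = {}, []

    def apply(name, level, settings):
        for setting, value in settings.items():
            if setting in ACCOUNT_POLICY and level != "domain":
                ignored.append((name, setting))
                continue
            result[setting] = (value, name)

    # Pass 1: ordinary links in L S D OU order; the link closest to the object wins.
    for name, level, enforced, settings in ordered:
        if not enforced:
            apply(name, level, settings)
    # Pass 2: Enforced links, applied last and in reverse order, so an Enforced setting
    # overrides everything below it and the highest Enforced link wins among themselves.
    for name, level, enforced, settings in reversed(ordered):
        if enforced:
            apply(name, level, settings)
    return result, ignored


def explain(result):
    """One line per setting, like the Source GPO column in the RSoP snap-in."""
    return [f"{setting} = {value!r} (from {source})"
            for setting, (value, source) in sorted(result.items())]


if __name__ == "__main__":
    effective, skipped = resultant_set(SAMPLE_GPOS)
    print("\n".join(explain(effective)))
    for gpo, setting in skipped:
        print(f"ignored: {setting} in {gpo} (account policy outside the domain level)")
```

Run against the sample, the OU's 14-character minimum and the local 0 are both reported as ignored, the domain's 8 is what applies, and the Enforced Server Baseline keeps SeShutdownPrivilege at Administrators even though the Sales OU GPO, applied later, tried to hand it to Sales Staff.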

Domain local groups
These were new with Windows 2000 Active Directory. They are used to assign rights and permissions within the domain in which they exist. Unlike local groups, domain local groups are defined in Active Directory and can be used on different Windows 2000, Windows XP and Windows Server 2003 systems within a domain (depending on the domain functional level). This eases the administrative workload associated with local groups, which can only be used to apply rights or permissions on the system on which they are created. Domain local groups exist at all domain and forest functional levels, but they can be applied only to resources in the domain in which the group exists; i.e. you cannot apply permissions to a domain local group for resources outside its home domain. When a domain is at the Windows 2000 mixed functional level, a domain local group can be used only on domain controllers, much like a local group. A domain local group can include users and computers, global groups from the same domain or any trusted domain, universal groups from the same forest or any trusted forest, and other domain local groups from the same domain. Microsoft recommends that administrators add users to global groups, then add the global groups to domain local groups, and avoid adding users directly to domain local groups; it makes the directory easier to maintain and administer.

Global groups
These also existed in Windows 2000 Active Directory. Their purpose is to group together users with similar security requirements. It is common for global groups to collect users or computers from the same domain that share similar jobs, roles or functions. For example, a company might create a global group for its entire administration staff, or for all users working on a particular project, such as a merger group for users working on a merger. Global groups are available at all domain and forest functional levels. They can be used to assign rights or permissions for resources in any domain throughout the forest, as well as in any trusting domain outside the forest. They can be made a member of any local group or domain local group in the same forest, as well as in any trusting domain outside the forest, and of any universal group in the same forest. When the domain is at the Windows 2000 native or Windows Server 2003 domain functional level they can also contain other global groups from the same domain. Microsoft recommends that rights and permissions are assigned to domain local groups, with global groups added to those domain local groups as members. Note: try to avoid assigning permissions or rights directly to global groups; keeping the assignments on domain local groups makes administration easier to manage and maintain.

Universal groups
Universal groups were new with Windows 2000 Active Directory. They are used to group together users and groups from different domains with similar needs. Commonly, universal groups collect users or groups from across the forest that share similar jobs, roles or functions. For example, a company might create a universal group for its entire sales staff. Unlike a global group, which contains members from the same domain only, a universal group can contain members from different domains. In this example, the sales universal group would probably contain the sales global groups from the various domains in the forest. Then, when permissions or rights need to be assigned to all sales users throughout the forest, they can be applied to the single universal group rather than to each individual global group, reducing the administrative workload. Universal security groups can only be created at the Windows 2000 native and Windows Server 2003 domain functional levels. You can use universal groups to assign rights or permissions to resources in any domain throughout a forest, as well as in any trusting domain outside the forest. They can include members from any domain in the same forest, including global groups and other universal groups. The membership of universal groups is replicated to every global catalogue server in the forest, which is one reason to keep that membership stable: nest global groups rather than individual users, so that routine joiners and leavers do not trigger global catalogue replication. Microsoft recommends that permissions and rights are not assigned directly to universal groups but to domain local groups, with the universal groups added to the domain local groups; and that users are not placed directly in universal groups but in global groups, which are then added to the universal groups.

Group membership options and changing group scope
In the same manner as the group type, the scope of an Active Directory group is set when the group is created. When a domain is at the Windows 2000 native or Windows Server 2003 domain functional level you can change the scope afterwards, although whether a particular change is allowed depends on what the group currently contains. For each group scope there are rules as to the types of objects that are valid as members:

Windows 2000 native or Windows Server 2003 domain functional level
Domain local: users, computers, global groups and universal groups from the same domain or any trusted domain; other domain local groups (nested) from the same domain.
Global: users, computers and other global groups (nested) from the same domain only.
Universal: users, computers, global groups and other universal groups (nested) from any domain in the same forest.

Windows 2000 mixed or Windows Server 2003 interim domain functional level
Domain local: users, computers and global groups from any domain in the same forest.
Global: users and computers from the same domain only.
Universal: not available for security groups.

Although both the Windows 2000 native and Windows Server 2003 domain functional levels support the nesting of groups (e.g. placing a global group within a global group), the Windows 2000 mixed and Windows Server 2003 interim domain functional levels do not. Once a domain is at the Windows 2000 native or Windows Server 2003 domain functional level you can change the scope of a group, but only if doing so does not break any of the membership rules listed above. The following points outline the group scope conversions supported in Windows Server 2003, and the restriction on each:

Global to universal: a global group can be converted to a universal group, but only if it is not a member of any other global group.


Domain local to universal: a domain local group can be converted to a universal group, but only if it does not have any other domain local groups as members.
Universal to global: a universal group can be converted to a global group, but only if it does not have any other universal groups as members.
Universal to domain local: a universal group can be converted to a domain local group at any time, without restrictions.
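As an added example, not part of the original notes, the following Python encodes the membership rules and the four scope conversions listed above as two functions that can be asked "would Active Directory accept this?" before a change is attempted. The directory it checks against is a constructed sample (the swimming.com and europe.swimming.com domains and the group names are assumptions), and the functional-level labels are the example's own strings.

```python
from dataclasses import dataclass, field

# Domain functional levels at which groups can be nested, universal security groups
# exist and group scope can be changed after creation.
NESTING_LEVELS = {"2000 native", "2003"}          # the others: "2000 mixed", "2003 interim"
SCOPES = ("domain local", "global", "universal")


@dataclass
class Obj:
    name: str
    kind: str                                     # "user", "computer" or "group"
    domain: str
    scope: str = ""                               # groups only, one of SCOPES
    members: list = field(default_factory=list)   # names of direct members


# Constructed sample directory; the names and domains are assumptions for the example.
SAMPLE = {o.name: o for o in [
    Obj("bwhite", "user", "swimming.com"),
    Obj("Sales", "group", "swimming.com", "global", ["bwhite"]),
    Obj("All Sales", "group", "swimming.com", "global", ["Sales"]),
    Obj("Sales Resources", "group", "swimming.com", "domain local", ["All Sales"]),
    Obj("Forest Sales", "group", "swimming.com", "universal", ["All Sales"]),
    Obj("Euro Sales", "group", "europe.swimming.com", "global", []),
]}


def may_contain(level, group, member, trusted=True, same_forest=True):
    """Would Active Directory accept `member` as a direct member of `group` at this
    functional level? `trusted` and `same_forest` describe the member's domain."""
    nesting = level in NESTING_LEVELS
    same_domain = member.domain == group.domain
    is_group = member.kind == "group"
    if is_group and member.scope == "universal" and not nesting:
        return False                               # universal groups do not exist yet
    if group.scope == "global":
        if not same_domain:
            return False                           # same-domain members only
        return (not is_group) or (nesting and member.scope == "global")
    if group.scope == "domain local":
        if (not is_group) or member.scope == "global":
            return same_domain or trusted          # any trusted domain
        if member.scope == "universal":
            return nesting and same_forest
        return nesting and same_domain             # nested domain local: same domain only
    if group.scope == "universal":
        return nesting and same_forest and ((not is_group) or member.scope != "domain local")
    raise ValueError(f"unknown scope {group.scope!r}")


def may_convert(level, directory, name, target):
    """Apply the scope conversion rules to the group called `name`. Returns (allowed, reason)."""
    if level not in NESTING_LEVELS:
        return False, "scope conversion needs Windows 2000 native or Windows Server 2003 level"
    if target not in SCOPES:
        return False, f"unknown scope {target!r}"
    g = directory[name]
    if g.scope == target:
        return False, "group already has that scope"
    nested = [directory[m] for m in g.members if directory[m].kind == "group"]
    parents = [p for p in directory.values() if p.kind == "group" and name in p.members]
    checks = {   # (from, to): (objects that block the conversion, what they are)
        ("global", "universal"): ([p.name for p in parents if p.scope == "global"],
                                  "is a member of global group(s)"),
        ("domain local", "universal"): ([m.name for m in nested if m.scope == "domain local"],
                                        "contains domain local group(s)"),
        ("universal", "global"): ([m.name for m in nested if m.scope == "universal"],
                                  "contains universal group(s)"),
        ("universal", "domain local"): ([], "no restrictions"),
    }
    if (g.scope, target) not in checks:
        return False, f"{g.scope} to {target} is not a supported direct conversion"
    blockers, why = checks[(g.scope, target)]
    return (not blockers), ("ok" if not blockers else f"{why}: {', '.join(blockers)}")
```

Note that may_convert refuses global to domain local outright: the supported route is global to universal and then universal to domain local, each step checked on its own.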

Note: to change the scope of an existing group you must have administrative permissions, and the domain must be at the Windows 2000 native or Windows Server 2003 domain functional level for scope conversions to be possible.

Default groups
Windows Server 2003 automatically creates a number of security groups when Active Directory is installed on the first domain controller in a new domain. Administrators can use these default groups to control access to network resources or to assign rights to users and groups. Many of the default groups already have the rights required to carry out common network functions; for example, members of the Backup Operators group are pre-assigned the rights to back up files and directories, log on locally, restore files and directories and shut down the system. Default groups are stored in two different locations, the Built-in container and the Users container. Several of them confer rights that amount to control of a domain controller (Account Operators, Server Operators, Backup Operators and Print Operators can all log on to a domain controller and shut it down, and Backup Operators can read every file on it), so their membership should be reviewed as carefully as that of Domain Admins.

Default groups in the Built-in container
Account Operators: can create, modify and delete accounts for users, groups and computers in all containers in the domain, with the exception of the Domain Controllers OU. Members cannot modify the membership of the Administrators or Domain Admins groups, but they can log on to domain controllers and shut them down.
Administrators: have full control of domain resources. Default members are the Administrator account, Domain Admins and Enterprise Admins.
Backup Operators: can back up and restore files on domain controllers, as well as log on to domain controllers and shut them down.
Guests: members of this group have restricted access to the domain environment. By default, both the Domain Guests group and the built-in Guest account (disabled by default) are members.
Incoming Forest Trust Builders: can create one-way, incoming forest trusts to the forest root domain. This group exists only in the forest root domain and has no members by default.
Network Configuration Operators: can change the TCP/IP settings on a domain controller. This group has no members by default.
Performance Log Users: can manage performance counters, logs and alerts on local and remote domain controllers in the domain. This group has no members by default.


Performance Monitor Users: can monitor performance counters on local and remote domain controllers in the domain. This group has no members by default.
Pre-Windows 2000 Compatible Access: have read permission on all user and group objects in the domain. This group exists for backward compatibility with Windows NT 4.0. The special identity Authenticated Users is a member by default; adding Everyone or Anonymous Logon to it lets unauthenticated clients enumerate users and groups, so do that only if a legacy application genuinely needs it.
Print Operators: can manage, create, share and delete printers connected to any domain controller and manage printer objects in Active Directory. Members can also log on locally to a domain controller and shut it down. This group has no members by default.
Remote Desktop Users: can log on to domain controllers in the domain remotely using Remote Desktop. This group has no members by default.

Replicator: used to support the replication functions required by the File Replication Service (FRS). This group has no members by default, and users should not be added to it.
Server Operators: can create and delete shared resources, stop and start services, back up and restore files, format drives and shut down domain controllers. This group has no members by default.
Users: can perform common network tasks such as running applications and accessing shared resources. The Domain Users group and the Authenticated Users and Interactive special identities are members of this group by default.

Default groups in the Users container
Cert Publishers: can publish certificates for both users and computers. This group has no members by default.
DnsAdmins (installed with DNS): members have administrative access to the DNS service. This group has no members by default.
DnsUpdateProxy (installed with DNS): DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no members by default.
Domain Admins: have full control of the domain. The only member by default is the Administrator account. This group is a member of the Administrators group.
Domain Computers: contains all the computers added to the domain. When computers are added to the domain, they automatically become members of this group.
Domain Controllers: contains all the domain controllers in the domain. When computers are promoted to domain controllers, they automatically become members of this group.
Domain Guests: contains all domain guests.


Domain Users: contains all domain users. All new user accounts created in the domain automatically become members of this group. This group is a member of the Users group by default.
Enterprise Admins: exists in the forest root domain only and has full control of all domains in the forest. By default, only the Administrator account in the forest root domain is a member. This group is a member of the Administrators group in every domain in the forest.
Group Policy Creator Owners: can create and modify Group Policy objects in the domain. The Administrator account is the only member by default.
IIS_WPG (installed with IIS): the worker process group used with Internet Information Services (IIS) 6.0. Accounts added to this group are used to serve specific namespaces on an IIS server. Users should not be added to this group. This group has no members by default.
RAS and IAS Servers: servers placed in this group can read the remote access properties of user accounts, which Remote Access Services and Internet Authentication Services servers need in order to authorise connections.
Schema Admins: exists in the forest root domain only and can modify the Active Directory schema, a change that affects the whole forest and cannot simply be undone. The Administrator account from the forest root domain is the only member by default; keep the group empty except while a schema change is actually being made.
TelnetClients: members of this group are able to access the Telnet service on the system. The group has no members by default.

Special identities
Special identities are managed by the operating system. They cannot be created or deleted and their membership cannot be modified by administrators: a user belongs to them according to how they connected or authenticated. Special identities do not appear in the Active Directory Users and Computers snap-in or in any other computer management tool, but they can be assigned permissions in an ACL.
Everyone: represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, that user is automatically part of Everyone.
Network: represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally). Whenever a user accesses a resource over the network, the user is considered part of the Network group.
Interactive: represents all users currently logged on to a particular computer and accessing a resource located on that computer (as opposed to users who access the resource over the network).
Anonymous Logon: refers to any user who is using network resources but did not go through the authentication process. In a Windows Server 2003 Active Directory environment, the Anonymous Logon group is not a member of the Everyone group, so permissions granted to Everyone no longer extend to anonymous connections as they did in Windows 2000.
Authenticated Users: includes all users who have authenticated to the network with a valid user account.


Creator Owner: refers to the user who created or has ultimately taken ownership of a resource. Dialup: includes anyone who is connected to the network through a remote access connection.

Note: special identities can be assigned permissions to network resources, but be careful when assigning permissions to some of them. For example, if you assign permissions for a shared folder to the Everyone group, users connecting from trusted domains will also have access to the resource; Authenticated Users is usually the safer choice, and a specific domain local group is better still.

Creating security groups
The main tool used to create groups in Windows Server 2003 is Active Directory Users and Computers. To create a new group, as you would with users, right-click the container where you want to create it (you can always move it later if you want to). New group objects can be created in the root of the domain, in any of the built-in containers or in defined OUs. Select New from the pull-down menu, then Group. You are then asked to enter the group scope (domain local, global or universal) and the group type (security or distribution). Once you have created the group, you can move users and groups into it, or you can right-click it and create new users and groups from within it.

2.5
1. What is the difference between group type and group scope?
2. What group scope is not supported at the Windows Server 2003 interim domain functional level?
3. In what two containers will you find the default groups that are installed automatically on the first domain controller in an Active Directory domain?


Managing groups and computers


When a domain is configured to the Windows 2000 native or Windows Server 2003 domain functional level, the New Object-Group window defaults to the global group scope and security group type automatically. If the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, the universal group scope cannot be selected. When creating a new group of any type or scope, you must provide a name that is unique within the domain. As this name is typed into the Group Name field, the same name is automatically populated in the Group Name (Pre-Windows 2000) field. Once a group has been created, access its properties to change configuration or membership settings as necessary. You can do this from the group properties, which are accessed by right-clicking the group. As seen in Figure 53, the General tab of a global group allows the group type to be changed from security to distribution if necessary, but the group scope can only be changed to universal.

Figure 53: Group properties

Windows Server 2003 does not allow you to convert a global group directly to a domain local group; as the conversion rules earlier in this section show, the route is global to universal and then universal to domain local, with each step subject to its own restriction.


Modifying group membership
Once a new group has been created, members can be added to it in a variety of ways in Active Directory Users and Computers. Common methods are:
right-clicking a user object and selecting Add To A Group;
opening the properties of a user, computer or group, selecting the Member Of tab (or, for a group, the Members tab) and clicking Add.

Note: although the Members and Member Of tabs in the properties of a group display both the members of the group and its membership in other groups, the information is only one level deep. For example, if the Finance global group is a member of the Finance universal group, and the Finance universal group is in turn a member of the Asian universal group, the Members tab of the Asian universal group shows only the Finance universal group as a member. The Members and Member Of tabs do not display the multiple levels of nesting that might exist in your environment. The properties of a user or computer object likewise include a Member Of tab; if you select it from a user account's properties you see the groups the user is a direct member of, and if those groups are nested in other groups this will not show. You will see a screen similar to the one shown in Figure 54.

Figure 54: User membership of groups
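As an added example, not part of the original notes, the Python below resolves nested membership in both directions from the direct memberships that the Members and Member Of tabs show: everything that ends up inside a group, and everything a user ends up in. Nesting loops are allowed in Active Directory, so the walk keeps a visited set. The groups and user names are constructed for the example, reusing the Finance and Asian groups from the note above.

```python
from collections import deque

# Constructed sample of direct membership only, which is all the Members tab shows.
# Keys are groups; values are their direct members (user names or other group names).
# The scope in brackets is just part of the label in this example.
SAMPLE_MEMBERS = {
    "Finance (global)": ["alice", "bob"],
    "Finance (universal)": ["Finance (global)", "carol"],
    "Asian (universal)": ["Finance (universal)", "Asia Ops (global)"],
    "Asia Ops (global)": ["dave", "Asian (universal)"],   # nesting loop, which AD permits
    "Backup Operators": ["Asia Ops (global)"],
}


def expanded_members(group, members):
    """Every principal that ends up inside `group` through any depth of nesting, i.e. what
    'dsget group <DN> -members -expand' lists. The visited set makes loops harmless."""
    seen, found, queue = {group}, [], deque([group])
    while queue:
        for member in members.get(queue.popleft(), []):
            if member not in seen:
                seen.add(member)
                found.append(member)
                if member in members:          # it is a group: keep descending
                    queue.append(member)
    return found


def effective_groups(principal, members):
    """Every group `principal` belongs to, directly or through nesting, i.e. what
    'dsget user <DN> -memberof -expand' lists and what ends up in the logon token."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, []).append(group)
    seen, found, queue = {principal}, [], deque([principal])
    while queue:
        for group in parents.get(queue.popleft(), []):
            if group not in seen:
                seen.add(group)
                found.append(group)
                queue.append(group)
    return found


def accounts_holding(group, members):
    """The non-group principals that actually receive whatever rights or permissions
    `group` carries: the question to ask before trusting what the Members tab shows."""
    return sorted(m for m in expanded_members(group, members) if m not in members)


if __name__ == "__main__":
    print("Backup Operators is really held by:", accounts_holding("Backup Operators", SAMPLE_MEMBERS))
    print("alice is effectively in:", effective_groups("alice", SAMPLE_MEMBERS))
```

On the sample, the Backup Operators group shows a single member in the console, yet four user accounts end up with its rights; that gap between the one-level view and the effective membership is exactly what a periodic review of privileged groups needs to close.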


To see all the nested levels of group membership, use the dsget command with its -expand switch: dsget group <GroupDN> -members -expand lists everything that is a member at any depth, and dsget user <UserDN> -memberof -expand lists every group a user is in, directly or through nesting.

Using automation to manage group accounts
Ldifde.exe
Ldifde is the command-line utility included in Windows Server 2003 to support batch operations based on the LDIF file format standard. The LDAP Data Interchange Format (LDIF) is an Internet standard (RFC 2849) for a file format used to perform batch operations against directories that conform to LDAP standards. LDIF can be used both to import and to export data, allowing batch operations such as add, modify and delete to be performed against Active Directory. Use Ldifde.exe if you are creating a large number of objects at once, e.g. if you are migrating users from another system or taking input from another system to create users and groups. For example, colleges have an enrolment system, and data from it is exported to the college network to create user accounts automatically for a large number of students at the same time. Ldifde.exe provides both import and export capabilities, allowing large numbers of security objects (users, computers and groups) to be created at once with the least possible administrative effort. The primary switches of the Ldifde command are listed in the table below. Variables in italics, such as filename, have to be replaced with the real value; e.g. if you were importing student names from a file called student.ldf you would replace filename with student.ldf.

Switch                         Explanation
-i                             Import mode (the default is export)
-f filename                    Input or output file name
-s servername                  The domain controller to bind to
-c FromDN ToDN                 Replace every occurrence of FromDN with ToDN (useful when a file exported from one domain is imported into another)
-v                             Verbose mode
-j path                        Log file location
-t port                        Port number (default = 389)
-?                             Help. For a full list of parameters use the -? parameter
-k                             Useful if importing, as it causes the import operation to ignore the errors Constraint Violation and Object Already Exists and continue
-a UserDN password             A credential parameter that runs the command using the supplied user distinguished name and password, e.g. -a CN=administrator,DC=swimming,DC=com password
-b UserName Domain password    Another credential parameter, running the command as UserName in Domain with the given password. The default is to run using the credentials of the currently logged-on user, which might not be sufficient.

Note: a password given with -a or -b is recorded in the command history and is visible to anyone who can list running processes; where possible, log on with an account that has the necessary rights and omit the credential switches.


When using an LDIF file to import data into Active Directory, the changeType value specifies the type of operation that needs to occur. The three valid changeType values are add, modify and delete. Add imports new content into the directory, modify changes the configuration of existing content and delete removes the specified content. For example, if you wanted to use Ldifde to create two global groups named Sales and Admin in the Users container of the swimming.com domain, the contents of the LDIF file would look similar to the following (records are separated by a blank line):

dn: CN=Sales,CN=Users,DC=Swimming,DC=Com
changetype: add
cn: Sales
description: Sales Users
objectClass: group
sAMAccountName: Sales

dn: CN=Admin,CN=Users,DC=Swimming,DC=Com
changetype: add
cn: Admin
description: Admin Users
objectClass: group
sAMAccountName: Admin

Although it is not essential, this text file would usually be saved with a .ldf extension, e.g. newgroups.ldf. To import the contents of this LDIF file from the command line, use:

ldifde -i -f newgroups.ldf

Once this command is issued, two new global groups named Sales and Admin are added to the Users container of the swimming.com domain (a group created without a groupType attribute is a global security group by default). Note: the Csvde.exe utility can also be used to add group objects to Active Directory, but Csvde.exe does not support modifying or removing directory objects, while Ldifde.exe does. Neither tool can set a password in an ordinary import: Ldifde can write the unicodePwd attribute only over an SSL/TLS-protected LDAP connection, so user accounts created this way have no password and are created disabled until an administrator sets one.

Adding, modifying and deleting groups using the command-line interface
Windows Server 2003 includes a variety of new command-line utilities used to add, modify, delete and query Active Directory objects. These tools can also be used to add, modify, delete and query groups. They are Dsadd, Dsmod, Dsrm and Dsquery. Below are some examples of their use.

dsadd group
The dsadd group command allows you to create new group objects from the command line. As part of creating a new group, various configuration settings can also be specified, including the type and scope of the group. For example, to create a new global security group named Sales in the Users container of the swimming.com domain, the command would be:
dsadd group CN=Sales,CN=Users,DC=Swimming,DC=Com -samid Sales -secgrp yes -scope g

In this example, the dsadd group command is followed by the distinguished name (DN) of the new object. The -samid switch sets the SAM account name of the new group, in this case Sales. The -secgrp yes part specifies a security group (a value of no would create a distribution group), while -scope g specifies that the group scope should be global. For a domain local group, specify a value of l after -scope, or u to create a universal group. A DN that contains spaces must be enclosed in double quotes.

Note: For a complete list of the switches available with the dsadd group command, see the Dsadd topic in Microsoft's Help and Support Center.

dsmod group

The dsmod group command modifies existing groups. This could involve changing the type or scope of a group, but more commonly it involves changing the membership of a group, or the groups that a particular group is a member of. The following example shows how the Sales group created previously could be changed from a security group to a distribution group:

dsmod group CN=Sales,CN=Users,DC=Swimming,DC=Com -secgrp no

If instead the goal was to add a user named Bianca White to the Sales global security group in the Users container of swimming.com, the command would be (the quotes are required because the member DN contains a space):

dsmod group CN=Sales,CN=Users,DC=Swimming,DC=Com -addmbr "CN=Bianca White,CN=Users,DC=Swimming,DC=Com"

You can also pipe the output of the dsget command into another command, so that the DNs dsget returns become the input of the next command. In the following example, dsget lists the members of the Sales group and dsmod then adds those members to the Admin group:

dsget group CN=Sales,CN=Users,DC=Swimming,DC=Com -members | dsmod group CN=Admin,CN=Users,DC=Swimming,DC=Com -addmbr

Note: For a complete list of the switches available with the dsmod group command, see the Dsmod topic in Microsoft's Help and Support Center.

dsrm

The dsrm command deletes an existing object, including a group. The syntax is very basic: dsrm followed by the DN of the object to be removed. For example, to delete the Sales global security group created earlier, the command would be:

dsrm CN=Sales,CN=Users,DC=Swimming,DC=Com

By default dsrm asks for confirmation before deleting; the -noprompt switch suppresses the prompt, which matters in scripts. Check the DN carefully first: recreating a group with the same name produces a new SID, so any permissions granted to the deleted group are lost.

Note: For a complete list of the switches available with the dsrm command, see the Dsrm topic in Microsoft's Help and Support Center.


dsquery group

In the same way that the dsquery command can be used to search for user objects within a portion of Active Directory, it can also be used to search for groups using a range of criteria. For example, to list all groups that currently exist in the swimming.com domain, the command would be:

dsquery group DC=swimming,DC=Com

Similarly, to search for all groups within an Active Directory forest whose names start with the letters mark, the command would be:

dsquery group forestroot -name mark*

Because this query searches for groups throughout the forest, a global catalog server handles it.

If you are looking for an easy way to gather and document information about the groups in an Active Directory environment, redirect the output of the command to a text file. In the following example, the DNs of all groups in the Admin OU (and any sub-OUs) are appended to a text file named admingroups.txt (use a single > to overwrite the file instead):

dsquery group OU=Admin,DC=swimming,DC=Com -scope subtree >> admingroups.txt

dsquery prints each DN on its own line, enclosed in double quotes, and returns at most 100 results unless -limit is raised (a value of 0 removes the limit).

Note: For a complete list of the switches available with the dsquery group command, see the Dsquery topic in Microsoft's Help and Support Center.
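The LDIF discussion above shows only changeType: add, and the dsquery section shows how to capture DNs to a file. The following added Python example (not part of these notes and not a Microsoft tool) ties the two together: it reads a dsquery-style DN list and writes an LDIF file with add, modify and delete records that ldifde -i can import, including the RFC 2849 base64 rule for values that ldifde would otherwise trim or misread. The sample dsquery output, the roll-up group All Admin Groups and the OU=Admin subtree are constructed for the example and do not come from a real domain.

```python
"""Turn a dsquery DN list into an LDIF change file for ldifde -i.

Added example for these notes, not part of the original text or of any
Microsoft tool. Assumptions (hypothetical): dsquery output has one
double-quoted DN per line; the target group 'All Admin Groups' and the
OU=Admin subtree do not exist outside this example.
"""
import base64

# Constructed sample standing in for admingroups.txt, the redirected output of
#   dsquery group OU=Admin,DC=swimming,DC=Com -scope subtree >> admingroups.txt
SAMPLE_DSQUERY_OUTPUT = (
    '"CN=Admin,OU=Admin,DC=swimming,DC=com"\n'
    '"CN=Helpdesk,OU=Tier1,OU=Admin,DC=swimming,DC=com"\n'
    '"CN=Backup Ops,OU=Tier2,OU=Admin,DC=swimming,DC=com"\n'
)

# groupType values. If the attribute is omitted (as in the notes' LDIF),
# Active Directory creates a global security group.
GROUP_TYPE = {
    ("global", "security"): -2147483646,
    ("domainlocal", "security"): -2147483644,
    ("universal", "security"): -2147483640,
    ("global", "distribution"): 2,
    ("domainlocal", "distribution"): 4,
    ("universal", "distribution"): 8,
}


def parse_dsquery(text):
    """Return the DNs from dsquery output, unquoted, skipping blank lines."""
    return [line.strip().strip('"') for line in text.splitlines() if line.strip()]


def ldif_attr(name, value):
    """Format one attribute line. RFC 2849 requires base64 ('::') when the
    value is not printable ASCII, starts with space, ':' or '<', ends with a
    space, or contains CR/LF; a plain 'name: value' would be trimmed or
    misparsed by ldifde in those cases."""
    value = str(value)
    unsafe = (
        not value.isascii()
        or not value.isprintable()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def ldif_add_group(dn, sam_account_name, scope="global", kind="security", description=None):
    """changetype: add record for a new group, in the layout the notes use."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: group",
        ldif_attr("cn", cn),
        ldif_attr("sAMAccountName", sam_account_name),
        f"groupType: {GROUP_TYPE[(scope, kind)]}",
    ]
    if description:
        lines.append(ldif_attr("description", description))
    return "\n".join(lines) + "\n"


def ldif_add_members(group_dn, member_dns):
    """changetype: modify record that appends members. The lone '-' line
    closes the modify block and is mandatory."""
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    lines += [ldif_attr("member", m) for m in member_dns]
    lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_delete(dn):
    """changetype: delete record; the object is removed, SID included."""
    return f"dn: {dn}\nchangetype: delete\n"


def nest_admin_groups(dsquery_text, rollup_dn):
    """Create a universal security group and nest every group dsquery found
    into it. Records are separated by a blank line, as ldifde expects."""
    members = parse_dsquery(dsquery_text)
    records = [
        ldif_add_group(rollup_dn, "AllAdminGroups", scope="universal",
                       description="Roll-up of OU=Admin groups"),
        ldif_add_members(rollup_dn, members),
    ]
    return "\n".join(records)


if __name__ == "__main__":
    # Import the result with: ldifde -i -k -f allgroups.ldf
    # (-k continues past 'object already exists' errors on re-runs)
    out = nest_admin_groups(SAMPLE_DSQUERY_OUTPUT,
                            "CN=All Admin Groups,CN=Users,DC=swimming,DC=com")
    with open("allgroups.ldf", "w", encoding="ascii") as fh:
        fh.write(out)
    print(out)
```

Generating the file rather than hand-typing it avoids the two mistakes that most often make ldifde reject a record: a missing blank line between records, and a description or member value with a leading or trailing space that is silently trimmed unless it is base64-encoded.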

2.4 Managing users and groups

Follow the step-by-step instructions below.

Create a global security group

You are going to create a global security group called Cartoons, as follows:

1 Open Active Directory Users and Computers.
2 Right-click the Support OU and select New, then Group.
3 Enter Cartoons as the group name. The defaults are a group scope of Global and a group type of Security; keep them. Click OK. The Cartoons group is now displayed in the Support OU.
4 To add members to the group, right-click Cartoons and select Properties.
5 Select the Members tab, then click Add.
6 In Enter the object names to select, enter b, then click OK. All the user accounts beginning with b are displayed.
7 Select all of them (hold down the CTRL key) and click Add, then Apply and OK.


You have now added these users to this group. If you assign permissions to this group, or add this group to a domain local group as recommended, all the members will have those permissions unless explicitly denied. Note that group membership is read when a user logs on, so a user who is already logged on must log off and on again before a new membership takes effect.

Create a domain local security group and assign permissions

To create a domain local security group:

1 Open Active Directory Users and Computers.
2 Right-click the Support OU, select New, then Group.
3 Name the group Permissions and give it a scope of Domain local and a group type of Security. Click OK.

You are now going to create a file in Notepad and allow only the Permissions group access to it.

1 Open Notepad from the Start menu and enter Mary had a little lamb. Save the file as Nursery on the desktop (or in a folder all the test users can browse to, such as C:\Test, since each profile's Desktop folder is private to its owner).
2 Right-click Nursery, select Properties and select the Security tab.
3 Click Add. In Enter the object names to select, enter p and click OK.
4 Select Permissions from the list of users and groups starting with p. Click OK.
5 Switch off inheritable permissions and remove all other groups: click Advanced, then clear the check box beside Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
6 When prompted whether to copy or remove the inherited entries, click Remove, then Apply and OK.

This removes all inherited permissions, so only the Permissions group can access Nursery.

Add the global group to the domain local group

To add the global group containing the user accounts to the domain local group that holds the permissions:

1 Open Active Directory Users and Computers and click the Support OU.
2 Right-click the Permissions group and select Properties.
3 Select the Members tab and click Add.
4 In Enter the object names to select, enter c and click OK.
5 From the list of users and groups beginning with c, select Cartoons and click OK, then Apply and OK.
6 Log on as a member of the Cartoons group and try to open the Nursery file. You should be able to do this.
7 Log on as Administrator and try to open the Nursery file. You should not be able to, as Administrator is not on the access control list.

Note that this is not a way to keep administrators out: Administrator holds the Take ownership of files or other objects user right, so a determined administrator can take ownership of Nursery and then grant themselves access. The exercise demonstrates how access flows from user to global group to domain local group to permission (the AGDLP pattern), not how to protect files from administrators.


Change the domain functional level

Universal security groups, group nesting and group scope conversion require the domain functional level to be at least Windows 2000 native; this exercise raises it to Windows Server 2003:

1 In Active Directory Users and Computers, right-click the domain node.
2 Select Raise Domain Functional Level, choose the new level and click Raise.

Raising the functional level is a one-way change that cannot be undone, and it excludes Windows NT 4.0 domain controllers from the domain, so check that none remain before you do this.

Convert a global group to a universal group

You might need to do this if your company grew or was involved in takeovers, because a universal group can contain members from any domain in the forest.

1 In Active Directory Users and Computers, click the Support OU.
2 Right-click the Cartoons group, select Properties and click Universal. Domain local is greyed out because a global group cannot be converted directly to domain local. Click Apply, then OK.

A global group can only be converted to universal if it is not itself a member of another global group.

Change group type from Security to Distribution

Things change within organisations and you might decide that you no longer want to use this group as a security group, but as a distribution group to make sending e-mails easier. To change the group type:

1 In Active Directory Users and Computers, click the Support OU.
2 Right-click the Cartoons group, select Properties and click Distribution. Click Yes to confirm; the type is now shown as Distribution Group.
3 Log on as one of the members of Cartoons (log off first if the user is already logged on, so that a fresh access token is built) and try to open the Nursery file. You should not be able to, because a distribution group is not security-enabled and is not included in the user's access token, so it no longer conveys any permissions.


Planning and troubleshooting user authentication


Once user accounts have been created in Active Directory, users can begin using them to authenticate and access network resources. User accounts are a critical component of the authentication process; without them there is no way to identify individuals. Other factors also need to be considered. One is domain group policy settings, which control elements of user authentication such as password complexity requirements and account lockout settings. Another is down-level clients: if your environment has users running Windows 98 or Windows NT, they need to be able to log on to a Windows Server 2003 domain, and the services available to them depend on whether the Active Directory client software is installed. There are also modes of authentication beyond the usual username and password; some environments needing a higher level of security have implemented smart card authentication. Each of these factors needs to be considered when planning the authentication strategy for your network, and each can cause problems if not set up correctly, so you will have to address them when troubleshooting user authentication.

Securing authentication

Authentication exists to minimise the security risks present in any network environment. Administrators need to plan their security strategy carefully, looking not only at how to secure resources but also at how to secure access to user accounts. If an intruder can successfully authenticate against Active Directory using a guessed or stolen username and password, sensitive data on the network can be read, modified or deleted far more easily. To minimise this risk, Windows Server 2003 lets you configure strict account policies that apply to all users within an Active Directory domain.
In Active Directory environments, account policy settings are implemented by the Group Policy object linked to the domain with the highest precedence. With a default installation of Windows Server 2003, the Default Domain Policy controls the account policy settings for the domain. It is possible to replace this Group Policy object, or to link a new Group Policy object to the domain with higher precedence and so override the Default Domain Policy. Microsoft recommends instead that account policy settings are modified in the Default Domain Policy, and that the Default Domain Policy is used only to control account policies.

Note: Although the Account Policies node is available when configuring Group Policy objects at all levels, only account policy settings configured at the domain level apply to domain accounts. Account policy settings in a Group Policy object linked to an OU affect only the local accounts of the computers in that OU.

The three areas within the Account Policies section of a Group Policy object are Password Policy, Account Lockout Policy and Kerberos Policy. The settings configured in each of these areas affect all domain users and should be configured in line with the security objectives and requirements of your company.

Even though it might initially seem a good idea to configure all authentication security settings to the most secure levels possible, this presents its own problems. If you require users to use a 14-character password, which is certainly harder to guess than an eight-character one, many users would have a hard time remembering it. This could lead to them writing the password down, which makes it less secure than an eight-character one they could memorise. It would also increase your workload resetting forgotten passwords. You want a security system that is effective, and to be effective it has to be usable.

Account policy options

Enforce Password History
When this policy is enabled, Active Directory keeps a list of recently used passwords and will not allow a user to set a password that matches one in the history. So if Enforce Password History is set to 24, a password can only be reused on the 25th change, as the last 24 are checked. The policy is enabled by default, using the maximum value of 24.

Maximum Password Age
This policy determines how long a password remains valid. Once the maximum password age has elapsed, users are forced to change their password. The default value is 42 days. The longer the same password is kept, the more opportunity there is for someone to guess or capture it, so decreasing the maximum password age makes the system more secure; but if it is changed too often, users will have problems remembering it.

Minimum Password Age
When users are required to change their passwords and a password history is enforced, they could simply change their password several times in a row (24 times, then back to the original) to get around the history requirement. The Minimum Password Age policy prevents this: the user must wait the specified number of days between password changes. An administrator or technical support person with sufficient permissions can still reset a password at any time. The default value is 1 day.

Minimum Password Length
This policy specifies the minimum number of characters required in a password. The default in Windows Server 2003 is seven characters.
Password Must Meet Complexity Requirements
This enforces complexity rules on new passwords. The default password filter in Windows Server 2003 (passfilt.dll) requires that a password:
- is not based on the user's account name;
- is at least six characters long;
- contains characters from three of the following four character types:
  o uppercase letters (A through Z)
  o lowercase letters (a through z)
  o Arabic numerals (0 through 9)
  o non-alphanumeric characters (for example !, $, #, %).

This policy is enabled by default on Windows Server 2003.

Store Passwords Using Reversible Encryption
This option causes Active Directory to store user passwords in a form that can be decrypted, rather than as the default one-way hashes. It is disabled by default because it weakens password security: anyone who obtains a copy of the directory database can recover the plaintext passwords. If a protocol such as Digest or CHAP authentication genuinely needs it, enable it per account (on the user's Account tab) for those accounts only, not for the whole domain.

Changes to password length and complexity requirements do not affect passwords currently in use; the new settings are applied the next time a user changes their password. Any modification to password policy settings therefore affects new accounts and any password changes made after the policy is applied.

Account Lockout Policy

Password policy settings ensure that user passwords are changed regularly and meet minimum complexity requirements. Account Lockout Policy settings control what happens when someone attempts to log on with incorrect credentials; this could be someone trying to break into your network, or a valid user with a typing error. Through account lockout policy settings an administrator can specify how many invalid attempts result in an account being locked out, how long the lockout lasts, and whether locked-out accounts are unlocked manually or automatically. This allows a real user a few attempts if they have mistyped their password, but once the count exceeds a set level, which could indicate a password-guessing attack, the account is locked until the duration expires or an administrator unlocks it.

Account Lockout Duration
This policy determines how long an account stays locked before Active Directory automatically unlocks it. It is not defined by default and only has an effect when an Account Lockout Threshold has been configured. Although the policy accepts values from 0 to 99999 minutes (about 10 weeks), a low setting (5 to 15 minutes) is usually enough to slow a guessing attack to a crawl without unreasonably affecting real users. A value of 0 means the account stays locked until an administrator unlocks it manually.

Account Lockout Threshold
This policy sets the number of invalid logon attempts that trigger account lockout. The value can be in the range 0 to 999. A value that is too low causes lockouts from normal human error and locks out valid users; it also makes it easy for an attacker to lock out every account deliberately as a denial of service. A value of 0 (the default) means accounts are never locked out.

Reset Account Lockout Counter After
This setting specifies the time that must pass after an invalid logon attempt before the counter of invalid attempts resets to zero. The range is 1 to 99999 minutes and the value must be less than or equal to the Account Lockout Duration.
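To make the interaction of these settings concrete, here is an added Python model (not Microsoft code and not part of these notes) of the passfilt.dll rules listed above and of the lockout counter described under Account Lockout Policy. It assumes a simplified account-name rule (the password must not contain the sAMAccountName; the real filter also checks parts of the display name) and measures time in whole minutes, as the Group Policy editor does. The sample passwords and account names are constructed.

```python
"""Model the Password Policy and Account Lockout Policy settings above.

Added example, not Microsoft code: it reproduces the documented
passfilt.dll rules and the lockout counter semantics so they can be tested
offline. Assumption: the account-name rule is simplified to 'password must
not contain the sAMAccountName'.
"""

# The four passfilt.dll character categories; a password needs three of them.
CATEGORIES = (
    str.isupper,                # A through Z
    str.islower,                # a through z
    str.isdigit,                # 0 through 9
    lambda c: not c.isalnum(),  # non-alphanumeric: !, $, #, % ...
)


def meets_complexity(password, sam_account_name, minimum_length=7):
    """Return (ok, reasons). passfilt.dll requires: not based on the account
    name, at least 6 characters, 3 of 4 categories. The separate Minimum
    Password Length policy (default 7) is checked as well."""
    reasons = []
    if sam_account_name and sam_account_name.lower() in password.lower():
        reasons.append("contains account name")
    if len(password) < 6:
        reasons.append("shorter than 6 characters (complexity filter)")
    if len(password) < minimum_length:
        reasons.append(f"shorter than Minimum Password Length ({minimum_length})")
    categories = sum(1 for test in CATEGORIES if any(test(c) for c in password))
    if categories < 3:
        reasons.append(f"only {categories} of 4 character categories")
    return (not reasons, reasons)


class LockoutTracker:
    """Account Lockout Policy for one account. All times are in minutes.
    threshold 0 means never lock out; duration 0 means stay locked until an
    administrator unlocks the account."""

    def __init__(self, threshold=5, duration_min=30, reset_counter_min=30):
        if threshold and duration_min and reset_counter_min > duration_min:
            raise ValueError("Reset Account Lockout Counter After must be <= Account Lockout Duration")
        self.threshold = threshold
        self.duration = duration_min
        self.reset_after = reset_counter_min
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.duration and now - self.locked_at >= self.duration:
            self.locked_at = None     # Account Lockout Duration elapsed: automatic unlock
            self.bad_count = 0
            return False
        return True

    def attempt(self, correct, now):
        """Process one logon: returns 'ok', 'bad-password' or 'locked-out'.
        A locked account refuses even the correct password."""
        if self.is_locked(now):
            return "locked-out"
        if correct:
            self.bad_count = 0        # a good logon clears the counter
            return "ok"
        if self.last_bad is not None and now - self.last_bad >= self.reset_after:
            self.bad_count = 0        # Reset Account Lockout Counter After elapsed
        self.bad_count += 1
        self.last_bad = now
        if self.threshold and self.bad_count >= self.threshold:
            self.locked_at = now      # Account Lockout Threshold reached
            return "locked-out"
        return "bad-password"

    def admin_unlock(self):
        """Equivalent to clearing Account Is Locked Out on the Account tab."""
        self.locked_at = None
        self.bad_count = 0


if __name__ == "__main__":
    print(meets_complexity("Passw0rd!", "bwhite"))   # constructed sample
    acct = LockoutTracker(threshold=3, duration_min=15, reset_counter_min=15)
    for minute, good in ((0, False), (1, False), (2, False), (5, True), (17, True)):
        print(minute, acct.attempt(good, minute))
```

The tracker shows why the reset counter must not exceed the duration: the counter is the observation window for the threshold, and a window longer than the lockout would let an attacker's earlier failures count against a user after the account has already been unlocked.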


Down-level clients

Many organisations still have a mixture of client operating system platforms. In environments that include any combination of Windows 95, Windows 98, Windows ME and Windows NT 4.0, you will need to install the Active Directory client software on these systems so that they can participate fully in an Active Directory domain. The Active Directory client can be downloaded from the Microsoft website (http://www.microsoft.com). As an administrator, you need to take into account the Active Directory client's capabilities and limitations. The client software enables systems running earlier versions of Windows to take advantage of many Active Directory features, including:

- Site awareness: a system with the Active Directory client installed will attempt to log on to a domain controller in its own site, which gives better response times because it uses the nearest one.
- Active Directory Service Interfaces (ADSI): ADSI allows scripting to be used to manage Active Directory, automating tasks and reducing administrative workload.
- Distributed File System (DFS): systems can access DFS shared resources on servers running Windows 2000 and Windows Server 2003.
- NT LAN Manager (NTLM) version 2 authentication: clients running the software can use the improved security of NTLM version 2.
- Active Directory Windows Address Book (WAB): users can change properties on their own user object, such as phone numbers or addresses, rather than the administrator having to make all the changes.
- Active Directory search: this capability is integrated into the Start, Find or Start, Search commands.

Note: Although the Active Directory client software allows down-level operating systems to take advantage of many basic Active Directory features, it does not provide the following capabilities, which are available in both Windows 2000 Professional and Windows XP Professional:
- Kerberos V5 authentication
- Group Policy or Change and Configuration Management support
- service principal name (SPN) or mutual authentication.

There are issues in mixed environments that you need to be aware of. Password length is one. Windows 98 supports passwords of up to 14 characters; Windows 2000, Windows XP and Windows Server 2003 support passwords of up to 127 characters. If a user changes their password on an XP client and then attempts to log on from a Windows 98 client, they may be unable to if the new password is too long for Windows 98.

The logon process is another issue. Without the Active Directory client, users on versions of Windows earlier than Windows 2000 can change their password only if the system can contact the domain controller holding the primary domain controller (PDC) emulator role. With the Active Directory client installed, users of down-level operating systems can change their password via any domain controller.

User objects maintain two logon name properties:
- The pre-Windows 2000 logon name, or SAM (Security Accounts Manager) account name, which is equivalent to the username in Windows 95, Windows 98 or Windows NT 4.0. When users log on with it they enter the username and select the domain from the Log On To box, or enter it in the format <Domain-Name>\<UserLogonName>.
- The User Logon Name, which is also the user principal name (UPN). It takes the form of the logon name followed by @ and the DNS (Domain Name System) name of the domain in which the user was created, for example Annclare@coleg.com, and must be unique within the Active Directory forest.

Another area of potential problems is Kerberos policy. In an Active Directory environment, systems running Windows 2000, Windows XP and Windows Server 2003 all rely on Kerberos as their default authentication protocol. The Kerberos policy settings are configured via the Kerberos Policy node in the Account Policies section of a Group Policy object. Most administrators do not change the defaults; if they are modified carelessly (for example, a very small clock synchronisation tolerance), clients that rely on Kerberos can be prevented from logging on to the domain.

Auditing authentication

Like Windows 2000, Windows Server 2003 can track the success and failure of authentication-related events through Audit Policy settings. However, unlike Windows 2000, which had no audit events configured by default, Windows Server 2003 domain controllers have a number of audit settings (including logon events) configured by default via the Default Domain Controllers Policy. This Group Policy object is applied to domain controllers automatically as part of the Active Directory installation process. See Figure 55 for the settings.


Figure 55: Audit policy settings

When logon events specified in an audit policy occur, they are recorded in the Security log, which can be viewed in Event Viewer (under Administrative Tools). This is shown in Figure 56.


Figure 56: Security log

Keep in mind the difference between the Default Domain Policy (which is linked to the domain and determines password, lockout and Kerberos policies) and the Default Domain Controllers Policy (which is linked to the Domain Controllers OU and is configured to enable security auditing on each of the domain controllers in the OU). Audit policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. To audit logon events related to Active Directory authentication, configure settings in policies applied to the Domain Controllers OU, as shown earlier. You can configure auditing for other domain computers, such as workstations or member servers, at any level to which group policy settings can normally be applied.

The following list outlines the authentication-related audit policy settings available in Windows Server 2003. The results are viewed through Event Viewer as shown above.

Audit Account Logon Events
This setting audits each instance of a logon that involves domain controller authentication, i.e. the domain controller validating a domain account's credentials, wherever the user is actually logging on from. For domain controllers, this policy is defined in the Default Domain Controllers Policy Group Policy object. Note: this policy creates a Security log entry on a domain controller each time a user logs on interactively or over the network using a domain account. To fully evaluate the results, you must examine the Security logs on all domain controllers, because authentication is distributed among the domain controllers in a site or domain. The Default Domain Controllers Policy has this setting configured to audit success events by default, so a Security log entry is created only when a domain controller successfully authenticates a user. You should also consider configuring this policy to record failure events, as repeated failures may indicate someone trying to guess passwords.

Audit Account Management
This setting audits activities including the creation, deletion or modification of user, group or computer accounts, and activities such as resetting passwords and locking or unlocking accounts. It is enabled by default in the Default Domain Controllers Policy for success events.

Audit Logon Events
These events record logon and logoff on the computer where the logon takes place, whether interactive or through a network connection. On a domain controller, Audit Logon Events therefore records only interactive and network logons to the domain controller itself; a user logging on at a workstation generates a logon event on the workstation, not on the domain controller. In summary: account logon events are generated on the local computer for local accounts and on the domain controller for domain accounts, while logon events are generated wherever the logon occurs. This setting is enabled by default in the Default Domain Controllers Policy for success events.

Once auditing has been configured for logon events, the Security log in Event Viewer begins to fill with messages according to the policy settings. You can view them by selecting Security in Event Viewer and double-clicking an event. Make sure the Security log is large enough and that you archive and clear it regularly: when the log is full, depending on the retention setting either the oldest events are overwritten or new events are discarded, so the evidence of an attack can be lost; and if the policy Audit: Shut down system immediately if unable to log security audits is enabled, the domain controller halts rather than losing events.
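Reading the Security log one event at a time, as described above, does not scale once failure auditing is on. The following added Python example (not part of these notes and not a Microsoft tool) runs the kind of triage an administrator would do over an exported log: it counts failed logons per account, lists lockouts, and flags a workstation that fails against many different accounts. The export is constructed and reduced to five columns; a real Event Viewer CSV also carries Type, Source, Category, Computer and a free-text Description from which the workstation name has to be parsed. Event IDs follow Windows 2000/2003 numbering (529 logon failure, 675 Kerberos pre-authentication failed, 644 account locked out, 672 ticket granted); the thresholds are arbitrary and should be tuned to the domain's Account Lockout Policy.

```python
"""Triage failed-logon audit events from a Security log export.

Added example, not from the original notes or from Microsoft. Assumptions:
the export has been reduced (constructed here) to Date,Time,EventID,User,
Workstation columns; event IDs follow Windows 2000/2003 numbering, where
529 = logon failure (bad user name or password), 675 = Kerberos
pre-authentication failed, 644 = account locked out, 672 = TGT granted.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample; not output from a real domain controller.
SAMPLE_EXPORT = """\
Date,Time,EventID,User,Workstation
01/07/2005,08:59:10,672,bwhite,WS-ACCOUNTS
01/07/2005,09:00:01,529,bwhite,WS-ACCOUNTS
01/07/2005,09:00:06,529,bwhite,WS-ACCOUNTS
01/07/2005,09:00:41,672,bwhite,WS-ACCOUNTS
01/07/2005,23:10:02,675,administrator,LIBRARY-PC
01/07/2005,23:10:03,675,administrator,LIBRARY-PC
01/07/2005,23:10:04,675,administrator,LIBRARY-PC
01/07/2005,23:10:05,675,administrator,LIBRARY-PC
01/07/2005,23:10:06,675,administrator,LIBRARY-PC
01/07/2005,23:10:07,644,administrator,LIBRARY-PC
01/07/2005,23:15:00,529,jsmith,LIBRARY-PC
01/07/2005,23:15:01,529,bjones,LIBRARY-PC
01/07/2005,23:15:02,529,mbrown,LIBRARY-PC
01/07/2005,23:15:03,529,kgreen,LIBRARY-PC
"""

FAILURE_EVENTS = {529, 675}
LOCKOUT_EVENT = 644


def parse_export(text):
    """Read the CSV export into dicts, converting EventID to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def failures_per_account(rows):
    """Failed logons per account (case-folded, as account names are)."""
    return Counter(r["User"].lower() for r in rows if r["EventID"] in FAILURE_EVENTS)


def accounts_per_workstation(rows):
    """How many distinct accounts each workstation failed against."""
    seen = defaultdict(set)
    for r in rows:
        if r["EventID"] in FAILURE_EVENTS:
            seen[r["Workstation"]].add(r["User"].lower())
    return {ws: len(users) for ws, users in seen.items()}


def triage(text, guess_threshold=4, spray_threshold=3):
    """Return human-readable findings: accounts hammered with bad passwords,
    lockouts, and workstations trying many different accounts (the
    password-spraying pattern that stays under the lockout threshold)."""
    rows = parse_export(text)
    findings = []
    for user, n in failures_per_account(rows).items():
        if n >= guess_threshold:
            findings.append(f"{n} failed logons for {user}: possible guessing")
    for r in rows:
        if r["EventID"] == LOCKOUT_EVENT:
            findings.append(
                f"{r['User'].lower()} locked out at {r['Date']} {r['Time']} from {r['Workstation']}"
            )
    for ws, n in accounts_per_workstation(rows).items():
        if n >= spray_threshold:
            findings.append(f"{ws} failed against {n} different accounts: possible spraying")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

In the sample, bwhite's two failures followed by a success are ordinary typing errors, while LIBRARY-PC shows both patterns worth a phone call: a burst against administrator ending in a lockout, then one failure each against four other accounts, which a per-account threshold alone would never catch.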

2.6

1 What domain functional levels support universal groups?
2 When would you use Ldifde.exe rather than Active Directory Users and Computers?


Common user administration tasks


Common user administration tasks include:
- unlocking accounts;
- resetting passwords;
- disabling and enabling accounts;
- renaming accounts;
- deleting user accounts/objects.

Unlocking a user account
When a user has exceeded the limit for invalid logon attempts set in the Account Lockout Policy, the account is locked and no further logons can be attempted for the period the administrator specifies, or until the administrator unlocks the account. To unlock a user, open Active Directory Users and Computers, select the user object and, from the Action menu, click Properties. Click the Account tab and clear the Account Is Locked Out check box. Before unlocking, it is worth checking the Security log for the failed attempts that caused the lockout, in case they did not come from the user.

Resetting user passwords
Right-click the user object in Active Directory Users and Computers and select Reset Password. Enter the new password twice to confirm the change. Select the User Must Change Password At Next Logon check box: this reduces the security risk, as only the user will then know their password. Verify the identity of anyone requesting a reset before you do it; a password reset request is a common social-engineering route into a network.

Disabling and enabling user accounts
When a user does not require access to the network for an extended period, disable the account for security reasons, and enable it again when the user returns. To perform either action, right-click the account in Active Directory Users and Computers and click Disable Account or Enable Account.

Deleting a user
When a user is no longer part of your company (e.g. they have resigned or retired) and the account is no longer required, you can delete it. Remember that deleting a user also deletes the associated SID, so the rights and permissions associated with the account are lost. If you create a new user object with the same name, it has a different SID and you have to reconfigure rights, permissions and group memberships just as for any new account. If there is any possibility the person might return (e.g. contract staff employed as needed), it may be easier to disable the account than to delete it.

Renaming a user
User accounts can also be renamed rather than deleted when one user replaces another, which reduces administrative effort (but you lose the audit trail, since past events attributed to the account now appear under the new name). Deleting an existing account and creating one for the new user usually requires more effort than renaming. Renaming keeps the account SID and all the group memberships, rights and permissions of the old user, so the new user gains access to all the resources the previous user needed to do their job; review those memberships when you rename, in case the new user needs less.

Troubleshooting user authentication problems

One of the most common problems is an incorrect username and password combination. If this is not the cause, Windows Server 2003 provides a number of utilities, including Event Viewer and Active Directory Users and Computers, that can be used to troubleshoot authentication problems.

Logon problems

When a user cannot be authenticated during the logon process, work through the checks below. They start with the most common and easiest to fix and end with the less common and more time-consuming:
- Ensure that the user is attempting to log on with the correct username, password and domain name. If not, get them to log on with the correct username to the correct domain, and reset the password if it has been forgotten.
- If they have been trying to log on for a while, they may have locked their account. Check whether the account has been locked out or disabled; unlock it if locked and re-enable it if disabled.
- If the user is logging on from a Windows 2000 or Windows XP workstation, ensure that the time on that workstation is within the Maximum Tolerance For Computer Clock Synchronization value (default 5 minutes) specified in the domain Kerberos policy. Reset the workstation time and try again.
- If the user is logging on from a Windows 95, Windows 98, Windows ME or Windows NT 4.0 system without the Active Directory client software installed, ensure that the domain controller holding the PDC emulator role is available, as down-level systems without the client depend on it (for password changes in particular).
- Check that the TCP/IP settings of the client system are configured correctly, including the address of the DNS server that will be queried for the address of a domain controller. This can be done by entering ipconfig /all at the command prompt; for an example, see Figure 57. You can then use ping to check connectivity to your DNS server(s), and nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> to confirm that the DNS server returns the domain controller service records.

Figure 57: Checking TCP/IP settings

- If the user is logging on to the domain for the first time in a multiple-domain environment, ensure that a global catalog server is available, as the user's universal group membership information is needed for the initial logon.
- If Audit Account Logon Events has been configured for failure events in the Default Domain Controllers Policy, check the Security log in Event Viewer on the domain controllers for messages that might explain why the logon attempt failed.
- If the user is attempting to log on at a domain controller, ensure that the user has been granted the necessary user right (Allow log on locally) in the Default Domain Controllers Policy. By default only administrators and the operator groups can log on locally at a domain controller, and that restriction should normally be kept.
- If the user is attempting to log on from a Windows 98 system, ensure that the user's password does not exceed the 14-character maximum that Windows 98 supports. This can happen if they changed their password on a Windows 2000 or XP workstation and then tried to log on to a Windows 98 system with the new password.
- If the user is attempting to log on using a UPN, ensure that a global catalog server is available to service the request.
- If the user cannot log on from certain workstations only, check the Log On To section of the Account tab in the user object's properties to determine whether workstation restrictions have been configured. You can allow users to log on only from specified workstations.
- If the user cannot log on during certain times of the day, check the Logon Hours section of the Account tab in the user object's properties to determine whether any logon hour restrictions have been configured. This is to stop users getting into the system outside the hours that they are supposed to be working. It is a security feature, but if users start doing overtime or night shift you might need to modify it.
- If the user cannot log on to a Terminal Server, ensure that the Allow Logon To Terminal Server check box is selected on the Terminal Services Profile tab in the properties of the user account.
- If the user cannot log on to the network remotely, ensure that the Dial-In tab in the properties of the user account is not set to Deny Access in the Remote Access Permission section.
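The checklist above can be run as a read-only script before anyone starts changing settings. The PowerShell function below is an added example, not code from the COLEG notes or from Microsoft; it assumes a domain-joined client, a username (sAMAccountName), the DNS domain name and a reachable domain controller, all of which are placeholders you substitute. It checks the account state (lockout, disabled, Log On To and Logon Hours restrictions), the Kerberos clock skew against the 5-minute default, whether the configured DNS server returns domain controller SRV records, and whether the domain controller's Security log holds recent failed-logon audit events for the user. Resolve-DnsName is newer than Windows Server 2003 (Windows 8 / Server 2012 or later); on older systems use nslookup -type=SRV instead.

```powershell
# Added example (not part of the COLEG notes): read-only logon troubleshooting checklist.
# Assumptions: domain-joined Windows client; the caller can read the target user's
# attributes, the DC's WMI clock and (for step 4) the DC's Security log.
function Test-UserLogonPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,      # e.g. jsmith (placeholder)
        [Parameter(Mandatory)] [string] $DomainName,          # e.g. corp.example.com (placeholder)
        [Parameter(Mandatory)] [string] $DomainController     # e.g. dc1.corp.example.com (placeholder)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Account state: wrong username, locked out, disabled, Log On To or Logon Hours restrictions.
    $searcher = [ADSISearcher] "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('lockoutTime','userAccountControl','userWorkstations','logonHours'))
    $result = $searcher.FindOne()
    if (-not $result) {
        $findings.Add("Account '$SamAccountName' not found: check the username and the domain name.")
        return $findings
    }
    $p = $result.Properties
    if ($p['lockouttime'].Count -gt 0 -and [int64]$p['lockouttime'][0] -gt 0) {
        $findings.Add('Account is locked out: unlock it in Active Directory Users and Computers.')
    }
    $uac = [int]$p['useraccountcontrol'][0]
    if ($uac -band 0x2) {                       # 0x2 = ACCOUNTDISABLE
        $findings.Add('Account is disabled: re-enable it in Active Directory Users and Computers.')
    }
    if ($p['userworkstations'].Count -gt 0 -and $p['userworkstations'][0]) {
        $findings.Add("Log On To restriction is configured; allowed workstations: $($p['userworkstations'][0])")
    }
    if ($p['logonhours'].Count -gt 0) {
        # logonHours is 21 bytes = 168 one-hour slots in UTC, Sunday 00:00 first, least significant bit first.
        $bits = [byte[]]$p['logonhours'][0]
        $now  = (Get-Date).ToUniversalTime()
        $slot = [int]$now.DayOfWeek * 24 + $now.Hour
        $mask = [int][math]::Pow(2, $slot % 8)
        if (($bits[[math]::Floor($slot / 8)] -band $mask) -eq 0) {
            $findings.Add('Logon Hours restriction blocks logon at the current time (UTC); adjust it on the Account tab.')
        }
    }

    # 2. Kerberos clock skew: client and DC must be within Maximum Tolerance For Computer
    #    Clock Synchronization (default 5 minutes) from the domain Kerberos policy.
    try {
        $os     = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController -ErrorAction Stop
        $dcTime = [Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
        $skew   = [math]::Abs(((Get-Date) - $dcTime).TotalMinutes)
        if ($skew -gt 5) {
            $findings.Add("Clock skew to $DomainController is $([math]::Round($skew, 1)) minutes (limit 5): resynchronise the workstation time.")
        }
    } catch {
        $findings.Add("Could not read the clock on ${DomainController}: $($_.Exception.Message)")
    }

    # 3. DNS: the client's configured DNS server (see 'ipconfig /all') must return DC SRV records.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
        if (-not $srv) { $findings.Add('DNS returned no domain controller SRV records: check the DNS server address.') }
    } catch {
        $findings.Add("DNS lookup of DC SRV records failed: check the DNS server address in 'ipconfig /all' and ping it.")
    }

    # 4. Audit trail: with Audit Account Logon Events set for Failure, the DC's Security log
    #    records why the logon failed (529 on Windows Server 2003; 4625/4771/4776 on later versions).
    try {
        $failed = Get-EventLog -LogName Security -ComputerName $DomainController -Newest 500 -ErrorAction Stop |
            Where-Object { (529, 4625, 4771, 4776) -contains $_.EventID -and $_.Message -match [regex]::Escape($SamAccountName) }
        foreach ($e in ($failed | Select-Object -First 5)) {
            $findings.Add("Failed logon event $($e.EventID) at $($e.TimeGenerated): $(($e.Message -split "`n")[0])")
        }
    } catch {
        $findings.Add("Could not read the Security log on $DomainController (administrative rights on the DC are required).")
    }

    if ($findings.Count -eq 0) { $findings.Add('No problems found in account state, clock, DNS or recent audit failures.') }
    return $findings
}

# Usage with placeholder names:
# Test-UserLogonPrerequisites -SamAccountName jsmith -DomainName corp.example.com -DomainController dc1.corp.example.com
```

The function only reads attributes, the clock, DNS and the event log; every finding points at the console or setting named in the checklist where the fix is made, so the output can be handed to whoever has the rights to apply it.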

Resource access problems

Sometimes a user can log on successfully but is unable to access the resources they require, or has insufficient permissions. These problems have the following causes:

- The server or workstation hosting the resource is not available. Check whether the server or workstation hosting the resource is unavailable, or whether its network settings are configured incorrectly.
- The user account does not have the correct permissions to access the resource. Check the access control list (ACL) associated with the resource to determine whether the user is a member of any group with sufficient permissions to access it. If not, add the user to a group with the appropriate permissions using Active Directory Users and Computers. Also check the ACL of the object for settings that might create a conflict, e.g. the user might be a member of one group that is allowed Read permission and a member of another group that is denied the same permission. As in Windows 2000, permissions that are explicitly denied override those that are explicitly allowed.
- The user does not have the right to carry out a task or tasks. Ensure that the user has sufficient rights to access servers and carry out tasks. For example, if a user should be able to back up and restore files and folders on a domain controller, add the user to the Backup Operators group. Also use tools such as the Delegation Of Control Wizard in Active Directory Users and Computers to delegate the proper authority to users who need to perform tasks such as resetting passwords.
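Checking an ACL by hand for a conflicting Deny is error-prone when the user belongs to several groups. The function below is an added example, not code from the COLEG notes or from Microsoft: it reads the ACL of a file or folder with Get-Acl, keeps only the access control entries that name the user or one of the user's groups, and flags any Deny entry, because an explicit Deny overrides an Allow granted through another group. When run for the current user it takes the group list from the logon token; for another user you pass the group names you have confirmed in Active Directory Users and Computers. The path and account names in the usage lines are placeholders.

```powershell
# Added example (not part of the COLEG notes): which ACEs on a file or folder apply to a user,
# and whether any of them is a Deny that overrides an Allow from another group.
# Assumptions: NTFS path readable by the caller; $Principals are 'DOMAIN\name' strings.
function Get-ApplicableAce {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Principals    # user plus groups, e.g. 'CORP\jsmith','CORP\Sales' (placeholders)
    )
    if (-not $Principals) {
        # No list supplied: use the current logon token, which already contains nested group SIDs.
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        $Principals = @($id.Name) + @($id.Groups | ForEach-Object {
            try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value }
        })
    }

    $acl = Get-Acl -Path $Path
    $report = foreach ($ace in $acl.Access) {
        # IdentityReference.Value is 'DOMAIN\name'; -contains compares case-insensitively.
        if ($Principals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType      # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    if (-not $report) {
        Write-Warning "No ACE on $Path names the user or any supplied group: add the user to a group that is on the ACL."
        return
    }
    $denies = @($report | Where-Object { $_.Type -eq 'Deny' })
    if ($denies.Count -gt 0) {
        Write-Warning 'Deny entries apply to this user and override Allow entries for the same rights:'
        $denies | Format-Table -AutoSize | Out-String | Write-Warning
    }
    return $report
}

# Usage with placeholder names:
# Get-ApplicableAce -Path 'D:\Shares\Sales\Forecast.xlsx'                      # current user's token
# Get-ApplicableAce -Path '\\fileserver\Sales' -Principals 'CORP\jsmith','CORP\Sales','CORP\Domain Users'
```

The report lists both Allow and Deny entries so that the conflict described above (Read allowed through one group, denied through another) is visible in one table rather than spread over several group property sheets.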
2.7

1 If a user can log on during the day but cannot log on when they come in at the weekend to work overtime, what might be the problem and how would you fix it?
2 Where is universal group membership information kept?
3 What tool would you use to delegate the permission to reset passwords to the managers in the Sales organisational unit?


Summary of this section


- Active Directory is used to store user objects, computer objects and group objects. To manage them, use Active Directory Users and Computers.
- User profiles are used to store user settings such as background, themes, etc. If you log on at different computers and the profiles are roaming profiles, the settings will be there at each computer you log on to. If you do not want users to change their profiles, make them mandatory profiles.
- You have to create the user account before you can configure a roaming profile for it.
- If you put users into groups and give the permissions to the groups, it makes your administration easier.
- If you are at Windows 2000 native or Windows 2003 domain functional level, you can nest groups and you have universal groups.
- Groups can be either distribution groups, for mailing purposes, or security groups, for access to resources. If a group has access to a resource it will be on the resource's ACL (access control list).
- The Default Domain Policy is where account policies are set; this includes password policies.
- Windows 2003 has a number of tools to help you manage users and groups, such as CSVDE, LDIFDE, Dsadd, Dsget, Dsmod, Dsmove, Dsrm, Dsquery, Find, Query in Active Directory and RSoP.


Answers to SAQs
2.1
1 Individual display settings, network and printer connections.
2 Local, roaming, mandatory and temporary.
3 You would use mandatory roaming profiles when you did not want the user to change any settings. To implement them, create a roaming profile and in the profile path give it the file type of man.

2.2
1 A user object/account.
2 A domain controller.
3 It has complexity enabled, which means it has to comply with the following:
  o not contain all or part of the user's account name;
  o be at least six characters in length;
  o contain characters from three of the following four categories: English uppercase characters (A through Z); English lowercase characters (a through z); base 10 digits (0 through 9); non-alphanumeric characters (for example, !, $, #, %).

2.3
1 Windows 2000 native and Windows 2003 domain functional level.
2 Group type is security or distribution. Group scope is universal, global or domain local, and they are used to collect users together.

2.4
1 Universal.
2 Built-in and Users.
3 Command line account management tools are: dsadd, dsget, dsmod, dsmove, dsrm, dsquery. They can be put into scripts and run automatically.

2.5
1 Delegation of Control Wizard.
2 Hold down the CTRL key, the same way you multi-select in Windows Explorer.
3 CSVDE creates comma delimited files and is used for creating files that can be imported and exported into other applications.

2.6
1
2 You can use Ldifde.exe to create a large number of users at once by importing them from another system.

2.7
1 The Logon Hours section of the Account tab in User properties will need to be modified.
2 On the Global Catalog Server.
3 Delegation of Control Wizard.


Useful websites
To find out the meaning of any technical term, try http://www.webopedia.com

To study for the restricted-response closed-book test(s), try:
http://certification.about.com/cs/sampletests/a/mcse70290.htm
http://www.hotscripts.com/Detailed/43554.html
http://www.sharewareriver.com/product.php?id=14695

The website below has study guides as well:
http://www.certyourself.com/

The website below is a tutorial that takes you through Administering Windows Server 2003:
http://www.learnthat.com/certification/learn.asp?id=422&index=1

If you have any problems with any of the activities, the best place to go for troubleshooting advice is Microsoft itself:
http://www.microsoft.com

The home page for Windows 2003 Server systems is:
http://www.microsoft.com/windowsserver2003/default.mspx

You can search the site using the search facility at the top right-hand side of the page.


Glossary
Technical terms can be found in: http://www.webopedia.com

ACL       Access control list
ADSI      Active Directory Service Interface
ASP       Active Server Page
ASR       Automated System Recovery
CAL       Client Access License
CDFS      Compact Disk File System
CPU       Central processing unit
DFS       Distributed File System
EFS       Encrypted File System
ERD       Emergency Repair Disk
EULA      End User License Agreement
FAT       File Allocation Table
FRS       File Replication Service
GPO       Group Policy Object
I/O       Input/Output
IAS       Internet Authentication Service
IIS       Internet Information Services
LDAP      Lightweight Directory Access Protocol
MBR       Master Boot Record
MMC       Microsoft Management Console
NetBIOS   Network Basic Input/Output System
NTDS      NT Directory Service
NTFS      NT file system
NTLM      NT LAN Manager
OU        Organisational Unit
PDC       Primary Domain Controller
RAID      Redundant Array of Independent (Inexpensive) Disks
RAM       Random Access Memory
RAS       Remote Access Service
RDP       Remote Desktop Protocol
RDP-Tcp   Remote Desktop Protocol over TCP/IP
RSoP      Resultant Set of Policy
SAM       Security Accounts Manager
SCSI      Small Computer Systems Interface
SID       Security Identifier
SUS       Software Update Services
TCP/IP    Transmission Control Protocol/Internet Protocol
UPN       User Principal Name
USB       Universal Serial Bus
VGA       Video Graphics Array
WAB       Windows Address Book
WebDAV    Web Distributed Authoring and Versioning
