70-215
Installing, Configuring and Administering Windows 2000 Server
120 minutes - 62 Questions - 660 Passing Score
Minimum requirements
Pentium 133 or greater.
128 MB RAM minimum (4 GB max), 256 MB minimum recommended.
1 Gig Free disk space on partition that will contain the system
files. (1 GB recommended)
Server supports up to 4 processors.
Features:
Replaces NT4.0 Server. Windows 2000 Server supports upgrades of
NT4.0 Server, meaning all applications and settings will be
saved.
Windows 2000 does away with the concept of the PDC and the BDC that
we knew in the NT4.0 world. Windows 2000 simply has domain
controllers that are all created equal and all share a writable copy
of the directory database. All Windows 2000 servers are
installed as member servers and can be promoted to a domain
controller by running dcpromo. A domain controller can also be
demoted to a member server by running dcpromo.
Increased Hardware Support (Plug and Play).
- Windows 2000 brings back Plug and Play with a more stable version
than the one we see in Win9.x.
Microsoft Management Console (MMC) -
You might be familiar with this from IIS4.0. This is the new
interface for all management tools in Windows 2000. Snap-ins to the
MMC interface provide you with one location to go to for all
administration.
Lightweight Directory Access Protocol (LDAP)
- Allows you to query an object in Active Directory. This allows
you to do things like search for a computer, a printer or a user.
Kerberos version 5 protocol - In Kerberos authentication, a client
is authenticated by a Key Distribution Center (KDC) when it logs on
to the network. When a client needs to access a resource, the owner
of that resource contacts the KDC to verify that the client has
permission to access the resource, and the KDC issues a session
ticket. The next time the client accesses the resource, the owner
of the resource can authenticate the client itself using this
session ticket instead of going back to the KDC, which cuts down
much of the overhead of the authentication process.
Distributed File System (DFS) - Windows 2000 addresses the
issue of having many share points on many different servers by
implementing DFS. DFS allows a user to connect to one share
point which may contain shares from many different locations.
ex. A user connects to a share called \\Server1\AccountingDocs
and sees two subfolders, Spreadsheets and Worddocs, which contain
files:
Accounting Docs
    Spreadsheets
        Spreadsheet#1
        Spreadsheet#2
    Worddocs
        Worddoc#1
        Worddoc#2
Spreadsheet#1, Spreadsheet#2, Worddoc#1 and Worddoc#2 may be on
totally different remote servers, but the user will see the shared
folder on the DFS server as if it were local.
Printing - Windows 2000 introduces Internet Printing.
Windows 2000 clients can use a URL to connect to network printers.
The print server must be running IIS.
Windows 2000 and NT4.0 check for an updated print driver each time
they connect to a printer. Win95 and 98 have to be updated
manually. (If you update the 95 and 98 drivers on the server, the
clients can easily update without needing floppy or CD for drivers.)
NetWare Connectivity - NWLink (Microsoft's rendition of
IPX/SPX) allows Microsoft clients to access NetWare resources and
NetWare clients to access NT resources. NWLink alone only
allows you to connect to applications running on a NetWare server.
Client Services for NetWare (CSNW) - Allows NT clients to
make direct connections to NetWare file and print servers.
Gateway Services for NetWare (GSNW) - used for occasional
access to a NetWare server by a Microsoft client. The NT
server connects to the NetWare File server and shares a
directory. Microsoft clients can then access the share on the
server running GSNW. This avoids having to install CSNW on all
of the clients.
- Set up a user account on the NetWare server with the same name
and password as the NT server running GSNW.
- Give the account the appropriate permissions on the NetWare
side.
- Create a group account called NTGateway on the NetWare server.
- Place the user account that you set up on both the NT and
NetWare side in step one in the NTGateway group.
Installation - Upon install, only
the partition that will be used to install Windows 2000 should be
created. All other partitions should be created later using the Disk
Management Utilities as Windows 2000 has additional features that
will be available to disks created with this utility.
No start-up floppies are created during the install. If you wish to
have the start-up floppies, you can run makeboot.exe from the setup
CD; this creates 4 setup floppies.
As in NT4.0, both winnt and winnt32.exe are available. winnt is for
straight DOS-based machines; winnt32.exe is used for Win9.x as
well as NT systems.
WINNT
Performs an installation of or upgrade to Windows 2000.
winnt [/s:sourcepath] [/t:tempdrive]
[/u:answer file][/udf:id [,UDB_file]]
[/r:folder][/rx:folder][/e:command][/a]
Parameters
/s:sourcepath
Specifies the source location of the Windows 2000 files. The
location must be a full path of the form x:\[path] or \\server\share[\path].
/t:tempdrive
Directs Setup to place temporary files on the specified drive and to
install Windows 2000 on that drive. If you do not specify a
location, Setup attempts to locate a drive for you.
/u:answer file
Performs an unattended Setup using an answer file. The answer file
provides answers to some or all of the prompts that the end user
normally responds to during Setup. You must also use /s.
/udf:id [,UDB_file]
Indicates an identifier (id) that Setup uses to specify how a
Uniqueness Database (UDB) file modifies an answer file (see /u).
The /udf parameter overrides values in the answer file, and
the identifier determines which values in the UDB file are used. If
no UDB_file is specified, Setup prompts you to insert a disk
that contains the $Unique$.udb file.
/r:folder
Specifies an optional folder to be installed. The folder remains
after Setup finishes.
/rx:folder
Specifies an optional folder to be copied. The folder is deleted
after Setup finishes.
/e:command
Specifies a command to be executed at the end of GUI-mode Setup.
/a
Enables accessibility options.
Winnt32
Sets up or upgrades Windows 2000 Server or Windows 2000
Professional. You can run the winnt32 command at a Windows 95,
Windows 98, or Windows NT command prompt.
winnt32 [/s:sourcepath] [/tempdrive:drive_letter]
[/unattend[num]:[answer_file]] [/copydir:folder_name]
[/copysource:folder_name] [/cmd:command_line]
[/debug[level]:[filename]] [/udf:id[,UDB_file]]
[/syspart:drive_letter] [/checkupgradeonly] [/cmdcons]
[/m:folder_name] [/makelocalsource] [/noreboot]
Parameters
/s:sourcepath
Specifies the source location of the Windows 2000 files. To
simultaneously copy files from multiple servers, specify multiple /s
sources. If you use multiple /s switches, the first specified
server must be available or Setup will fail.
/tempdrive:drive_letter
Directs Setup to place temporary files on the specified partition
and to install Windows 2000 on that partition.
/unattend
Upgrades your previous version of Windows 2000, Windows NT 4.0,
Windows NT 3.51, Windows 95, or Windows 98 in unattended
Setup mode. All user settings are taken from the previous
installation, so no user intervention is required during Setup.
Using the /unattend switch to automate Setup affirms that you
have read and accepted the Microsoft License Agreement for Windows 2000.
Before using this switch to install Windows 2000 on behalf of
an organization other than your own, you must confirm that the end
user (whether an individual, or a single entity) has received, read,
and accepted the terms of the Windows 2000 Microsoft License
Agreement. OEMs may not specify this key on machines being sold to
end users.
/unattend[num]:[answer_file]
Performs a fresh installation in unattended Setup mode. The answer
file provides Setup with your custom specifications.
Num is the number of seconds between the time that Setup
finishes copying the files and when it restarts your computer. You
can use num on any computer running Windows NT or
Windows 2000.
Answer_file is the name of the answer file.
/copydir:folder_name
Creates an additional folder within the folder in which the Windows 2000
files are installed. For example, if the source folder contains a
folder called Private_drivers that has modifications just for your
site, you can type /copydir:Private_drivers to have Setup
copy that folder to your installed Windows 2000 folder, making
the new folder location C:\Winnt\Private_drivers. You can use /copydir
to create as many additional folders as you want.
/copysource:folder_name
Creates a temporary additional folder within the folder in which the
Windows 2000 files are installed. For example, if the source
folder contains a folder called Private_drivers that has
modifications just for your site, you can type /copysource:Private_drivers
to have Setup copy that folder to your installed Windows 2000
folder and use its files during Setup, making the temporary folder
location C:\Winnt\Private_drivers. Unlike the folders /copydir
creates, /copysource folders are deleted after Setup
completes.
/cmd:command_line
Instructs Setup to carry out a specific command before the final
phase of Setup. This would occur after your computer has restarted
twice and after Setup has collected the necessary configuration
information, but before Setup is complete.
/debug[level]:[filename]
Creates a debug log at the level specified, for example, /debug4:C:\Win2000.log.
The default log file is C:\%Windir%\Winnt32.log,
with the debug level set to 2. The log levels are as follows:
0-severe errors, 1-errors, 2-warnings, 3-information, and 4-detailed
information for debugging. Each level includes the levels below it.
/udf:id[,UDB_file]
Indicates an identifier (id) that Setup uses to specify how a
Uniqueness Database (UDB) file modifies an answer file (see the /unattend
entry). The /udf parameter overrides values in the answer
file, and the identifier determines which values in the UDB file are
used. For example, /udf:RAS_user,Our_company.udb overrides
settings specified for the RAS_user identifier in the
Our_company.udb file. If no UDB_file is specified, Setup
prompts the user to insert a disk that contains the $Unique$.udb
file.
/syspart:drive_letter
Specifies that you can copy Setup startup files to a hard disk, mark
the disk as active, and then install the disk into another computer.
When you start that computer, it automatically starts with the next
phase of the Setup. You must always use the /tempdrive
parameter with the /syspart parameter.
/checkupgradeonly
Checks your computer for upgrade compatibility with Windows 2000.
For Windows 95 or Windows 98 upgrades, Setup creates a
report named Upgrade.txt in the Windows installation folder. For
Windows NT 3.51 or 4.0 upgrades, it saves the report to
the Winnt32.log in the installation folder.
/cmdcons
Adds to the operating system selection screen a Recovery Console
option for repairing a failed installation. It is only used
post-Setup.
/m:folder_name
Specifies that Setup copies replacement files from an alternate
location. Instructs Setup to look in the alternate location first
and if files are present, use them instead of the files from the
default location.
/makelocalsource
Instructs Setup to copy all installation source files to your local
hard disk. Use /makelocalsource when installing from a CD to
provide installation files when the CD is not available later in the
installation.
/noreboot
Instructs Setup to not restart the computer after the file copy
phase of winnt32 is completed so that you can execute another
command.
Unattended Install from CD-ROM -
- The computer must support booting from a CD-ROM, and must
adhere to the El-Torito non-emulation specification.
- The unattended answer file must be renamed to Winnt.sif and
copied to a floppy disk so Setup can access it.
- The answer file must contain a valid [Data] section.
- UnattendedInstall=Yes - Value must be set to "yes".
- MSDosInitiated=No - Value must be set to "no" or Setup stops
during the graphical portion of Setup.
- AutoPartition=1 - If the value is set to 1, the installation
partition is automatically selected. If the value is set to 0
(zero), you are prompted for the installation partition during
the text portion of Setup.
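Added example (not from the original notes): a small parser for the answer file format described above that applies a UDB override for one /udf identifier, as the /udf switch does, and then checks the [Data] values the CD-ROM boot requires. The answer file and UDB contents are constructed samples; the UDB layout ([UniqueIds] mapping an id to the sections it overrides, then [id:Section] blocks) and the section names other than [Data] are assumptions.

```python
"""Parse a Windows 2000 Setup answer file (Winnt.sif / Unattend.txt style INI
text), apply a Uniqueness Database (UDB) override for one /udf identifier,
and check the [Data] values that an unattended CD-ROM boot requires."""

from collections import OrderedDict

# Constructed sample answer file; the [Data] section carries the three keys
# the CD-ROM boot procedure requires. Other section/key names are assumed.
ANSWER_FILE = """
; winnt.sif - constructed sample for illustration
[Data]
UnattendedInstall = Yes
MsDosInitiated = No
AutoPartition = 1

[UserData]
ComputerName = GENERIC-PC
FullName = "Lab User"
"""

# Constructed UDB text. Assumed layout: [UniqueIds] maps an identifier to
# the sections it overrides, and [id:Section] holds the replacement values.
UDB_FILE = """
[UniqueIds]
RAS_user = UserData
FILE_srv = UserData

[RAS_user:UserData]
ComputerName = RAS01

[FILE_srv:UserData]
ComputerName = FILE01
FullName = "File Server"
"""


def parse_ini(text):
    """Return {section: {key: value}}. Section and key names are lowered so
    lookups are case-insensitive; ';' lines are comments; a key=value line
    outside any section is ignored; surrounding quotes are stripped."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def apply_udb(answer, udb, identifier):
    """Overlay the UDB values registered for `identifier` onto a copy of the
    parsed answer file. Keys the UDB does not mention keep the answer file
    value; an identifier missing from [UniqueIds] is an error."""
    ids = udb.get("uniqueids", {})
    ident = identifier.lower()
    if ident not in ids:
        raise KeyError("identifier %r not listed in [UniqueIds]" % identifier)
    merged = OrderedDict((s, OrderedDict(kv)) for s, kv in answer.items())
    for section in ids[ident].split(","):
        section = section.strip().lower()
        override = udb.get("%s:%s" % (ident, section), {})
        merged.setdefault(section, OrderedDict()).update(override)
    return merged


def check_cd_boot_data(answer):
    """Return a list of problems with the [Data] section for a CD-ROM boot;
    an empty list means the three required values are present and valid."""
    data = answer.get("data")
    if data is None:
        return ["missing [Data] section"]
    problems = []
    if data.get("unattendedinstall", "").lower() != "yes":
        problems.append("UnattendedInstall must be Yes")
    if data.get("msdosinitiated", "").lower() != "no":
        problems.append("MSDosInitiated must be No (else Setup stops in GUI mode)")
    if data.get("autopartition") not in ("0", "1"):
        problems.append("AutoPartition must be 0 (prompt) or 1 (auto-select)")
    return problems


if __name__ == "__main__":
    base = parse_ini(ANSWER_FILE)
    for uid in ("RAS_user", "FILE_srv"):
        merged = apply_udb(base, parse_ini(UDB_FILE), uid)
        print(uid, "->", merged["userdata"]["computername"],
              check_cd_boot_data(merged) or "OK")
```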
Windows 2000 Disk Types
Basic Disks
The typical disk structure supporting primary partitions,
extended partitions and logical drives. You will be able to
repair and delete mirror and RAID 5 volumes but you cannot create
them on a Basic disk.
Repairing Basic Volumes
- Repair Basic Mirror
- Use the repair volume command to create and
resynch a new mirror on a healthy disk.
- If the mirror does not report as healthy, use
the Resynchronize mirror command to resynch it manually.
- Repair Basic RAID 5 volume
- Use the repair volume command to relocate the
failed part of a RAID 5 volume to a healthy disk and regenerate
parity.
Dynamic Disks
Windows 2000 introduces dynamic disks. All disks are basic
disks on install. You can upgrade your disks from basic to
dynamic through the MMC. You can't go from dynamic back to
basic disks without repartitioning and losing your data.
Dynamic disks allow you to manage disks and volumes without having
to reboot. Dynamic disks are not readable by any other
operating systems that are installed on the same box. Fault
tolerant disk sets can only be created on a dynamic
disk.
Repairing Dynamic Volumes
- If a disk is not online, use the reactivate disk command first,
as the disk will automatically attempt to repair itself if this
command works: a mirror will automatically resync and a RAID 5
volume will automatically regenerate.
- If the disk comes online but does not report as healthy, use
the reactivate volume command.
- If the disk does not come online, you will need to replace the
disk.
- If you have a failed mirror volume, use the remove mirror
command to break the mirror, then use the add mirror command to
create the mirror on a new disk.
- If you have a failed RAID 5 volume, use the repair volume
command.
File Systems - Windows 2000 supports
FAT16, FAT32, NTFS. Choose NTFS if you are only running
Windows 2000 on your system as it has many security and performance
improvements.
- FAT16 is necessary to dual boot Windows 2000 with
DOS, Win3.x, WIN95 or Win98.
- FAT32 could also be used to dual boot with Win2000 and Win98.
- If you have an NT4 box that you want to dual boot with Windows
2000, make sure the NT box has service pack 4 or later or
it will not be able to read an NTFS5 partition.
Windows 2000 NTFS advantages:
Disk Compression - NTFS5 offers disk compression.
Windows 2000 cannot read drives compressed with an earlier
operating system, so be sure to uncompress drives before upgrading.
Disk Quotas - Windows 2000 features built-in disk quota
management. Users can be limited to a certain amount of disk
space on the file server on a volume by volume basis. You can
customize how much space each user gets and configure warnings
when a certain amount is used. You can also prevent the user from
saving any additional data once their limit is reached.
Encrypting File System (EFS) - allows
files to be stored encrypted on the hard disk. This protects against
people booting from a floppy or logging into a machine locally and
gaining access to your files. They will be denied access to the
files as they will not have the proper encryption key.
- Only files and folders on an NTFS volume can be encrypted.
- Compressed files or folders cannot be encrypted.
- Encrypted files cannot be shared.
- Encrypted files will become unencrypted if copied or moved to
a non-NTFS volume.
- System files cannot be encrypted.
- Other than the user that encrypted the files, only a
designated recovery agent can decrypt the files.
Encrypted information includes a key that will allow a recovery
agent to decrypt the file. By default, the domain
administrator is the recovery agent. You can assign additional
recovery agents. Be aware that the recovery information is
built into the encrypted file, so you cannot make someone a recovery
agent for a file that was already encrypted.
Sharing Data:
The main reason we have networks is for the sharing
of data and printers. Let's take a look at data sharing.
When a folder is shared, permissions are given to
users that need to access the folder. The two types of
permissions are Share level and NTFS permissions.
Share Level Permissions:
By default, the Everyone group is given Full Control
permissions when a folder is shared. Share level permissions are
only in effect when a folder is accessed over the network. If
a user logs on locally, share level permissions have no
effect; only NTFS permissions are in effect.
- Full Control - Allows the user to change
permissions, take ownership of NTFS files, and perform all tasks
permitted by the Change permission.
- Change - Create folders and add files,
manipulate data in files, change file attributes, delete folders
and files, and perform all tasks permitted by the Read permission.
- Read - Display names of folders and
files, display data and attributes of files, run program files,
manipulate subfolders.
- These permissions can either be allowed or denied.
Share level permissions can be applied at the user
or at the group level. When a user attempts to access a shared
folder, all of the permissions for that user are combined. If a
user is in one group with Full Control, one group with Change and
the user himself has Read, the combined permission will be the
least restrictive, Full Control. Any time the user is
explicitly denied access, whether through a user or a group permission,
this overrides all other permissions. A user can be in one
group with Full Control and one group which is denied access, and the
user himself can have Change permissions; the effective permission
will be no access, as the denial overrides all of the other permissions.
Always assign the most restrictive permissions you can to a user.
You don't want them to be able to do anything more than they need
to. The easiest and most efficient way to assign permissions
is to do it on a group basis. If everyone in your accounting
department needs certain permissions to several folders, assign the
permissions to a group called Accounting; then, when a new employee
joins the accounting team, all you have to do is place this
employee's user account in the Accounting group and all of their
permissions will be there.
Windows 2000 shares some folders by default for
administrative purposes. These shares show up with a $
after the name. The dollar sign signifies that the share is
hidden from the browse list; these default administrative
shares are only accessible by users with administrative rights.
If you want to hide any of the shares that you create, simply put a
$ after the name (e.g. Share$).
NTFS Permissions:
When a volume is formatted with the NTFS file
system, NTFS permissions can be used to secure resources. NTFS
permissions allow you to assign permissions at the folder and file
level, while share permissions are limited to the folder level. NTFS
permissions are also a lot more granular than share level
permissions, allowing you to allow or deny such things as Traverse
Folder, Write Attributes and much more.
Applying NTFS Permissions:
Users can be assigned permissions directly or can
be put into groups that have permissions assigned. All
individual permissions and group permissions are combined to find
the user's effective permissions. It is highly recommended
to put users into groups and give permissions to the groups.
No access overrides all other permissions.
File permissions take precedence over folder
permissions. If you have no access to a folder but have
Full Control on a file in that folder, you can still access
the file using the full UNC path to that file.
Combining Share and NTFS permissions.
When figuring permissions, look at share and NTFS
separately. Take the least restrictive share permission and
the least restrictive NTFS permission. Now take the most
restrictive of the two and that is your effective permission.
ex.
Joe is in the Accounting group and also in the IT group.
The Accounting group has Full Control on the share 'RedSox'.
The IT group has Read access on the share 'RedSox'.
Joe's cumulative permissions on the share 'RedSox'
would be Full Control.
The Accounting group has Read NTFS permissions
on the directory 'RedSox'.
The IT group has Change NTFS permissions on the
directory 'RedSox'.
Joe's cumulative NTFS permissions on the directory
'RedSox' are Change.
Now we take the most restrictive of the two results,
which is Change; that is the access Joe has when accessing 'RedSox'
over the network.
Keep in mind that if Joe is logged on locally to
the machine holding the 'RedSox' directory, only NTFS permissions
apply and share permissions are not considered. Share
permissions are only used when coming across the network share.
Also keep in mind that if Joe is explicitly denied
access anywhere, he automatically gets no access regardless of
what other permissions he has elsewhere, with the exception of no
access to a folder but access to a file within the folder, which can
be accessed through a UNC path.
By default the everyone group is given full
control. This should be removed or else anyone who is able to
log on locally to a system will have full control.
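Added example (not part of the original notes): an effective-access calculator that applies the rules from the share and NTFS sections above, namely union of allows (least restrictive wins), explicit deny overriding everything, share permissions ignored for a local logon, and the more restrictive of the share and NTFS results over the network. It reproduces the 'RedSox' walkthrough; the ACL entries, the "Contractors" group and the permission-level scale are constructed for the example.

```python
"""Effective-access calculator for the share/NTFS rules in the text.
Levels follow the text's scale: none < Read < Change < Full Control.
ACL entries are (principal, level, "allow" | "deny"); a user's principals
are the account itself plus every group it belongs to."""

LEVELS = ["none", "read", "change", "full"]


def _rank(level):
    return LEVELS.index(level)


def combine(entries, principals):
    """Combine one ACL (share or NTFS) for a user. Everything allowed to any
    of the user's principals is unioned, so the least restrictive allow wins;
    an explicit deny on any principal overrides all of it and yields 'none'.
    No matching entry at all also yields 'none'."""
    allowed = "none"
    for principal, level, kind in entries:
        if principal not in principals:
            continue
        if kind == "deny":
            return "none"
        if _rank(level) > _rank(allowed):
            allowed = level
    return allowed


def effective_access(share_acl, ntfs_acl, principals, over_network=True):
    """Share permissions only apply when the folder is reached over the
    network; a local logon is governed by NTFS permissions alone. Over the
    network the result is the more restrictive of the two combined results."""
    ntfs = combine(ntfs_acl, principals)
    if not over_network:
        return ntfs
    share = combine(share_acl, principals)
    return LEVELS[min(_rank(share), _rank(ntfs))]


# Constructed ACLs reproducing the 'RedSox' walkthrough from the text.
SHARE_REDSOX = [("Accounting", "full", "allow"), ("IT", "read", "allow")]
NTFS_REDSOX = [("Accounting", "read", "allow"), ("IT", "change", "allow")]
JOE = {"joe", "Accounting", "IT"}

# Constructed ACL for the explicit-deny case: Full Control through one
# group, denied through another (hypothetical "Contractors" group), Change
# granted directly; the deny wins regardless of the other entries.
SHARE_DENY = [("Accounting", "full", "allow"),
              ("Contractors", "none", "deny"),
              ("joe", "change", "allow")]


if __name__ == "__main__":
    print("Joe over the network:",
          effective_access(SHARE_REDSOX, NTFS_REDSOX, JOE))
    print("Joe logged on locally:",
          effective_access(SHARE_REDSOX, NTFS_REDSOX, JOE, over_network=False))
    print("Joe with a denied group:",
          effective_access(SHARE_DENY, NTFS_REDSOX, JOE | {"Contractors"}))
```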
Permissions and Moving/Copying files on NTFS
volumes:
When copying folders or files either from one
partition to another or on the same partition, the permissions will
be inherited from the target folder.
When moving files to another partition, the
permissions will be inherited from the target folder.
When moving files or folders on the same
partition, the permissions will remain intact. This is the
only time permissions are retained and not inherited.
One easy way to remember this is: MRS - Move
Retains Same (partition)
Whenever files are moved or copied to a FAT
partition, all permissions are lost, as FAT does not support NTFS
permissions.
Recovery and Protection:
Boot Disk - If your system is unable to boot, you may need
to use the Emergency Repair Disk or the Recovery Console. To
do this, you will need to boot either from floppy disks or from the
setup CD. To make a set of boot disks, get four floppy disks
and run makeboot.exe from the bootdisk folder of your setup CD.
After booting from these disks, you will be able to do an emergency
repair or run the Recovery Console. Boot disks made on a
system running Windows 2000 Professional can only be used to start a
system running Windows 2000 Professional; boot disks made on a
system running Windows 2000 Server can only be used to boot a system
running Windows 2000 Server.
Recovery Console - Windows 2000 has
a recovery console to help when you have trouble booting. The
recovery console is not installed by default. Install the
recovery console by running winnt32.exe /cmdcons from the I386
directory of the CD. You will now see an option to enter the
Windows 2000 recovery console at boot up. (or it can be run by
booting from the setup floppies or CD and choosing repair)
The recovery console is limited to administrators (you will be
authenticated when entering) and will allow you to do such things
as:
- Use, copy, rename or replace operating system files and
folders.
- Enable or disable services or devices from starting when you
next start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.
You are fairly restricted as to what you are able to do.
You can't throw files on a floppy or removable media, only copy them
to the hard drive from the floppy or removable media.
Emergency Repair Disk (ERD) - Windows 2000 ERDs are
created through the Backup program (you will see an option to create
an ERD on the welcome screen). RDISK (from NT4.0) is no longer
available. The repair process will attempt to repair system
files, the partition boot sector on your system disk, and your
startup environment if you have a dual boot system. To run the
repair process, boot either from the Windows 2000 CD or from the
setup floppies. Choose the 'repair or recover' option when
prompted. Fast repair will attempt to repair everything,
manual repair will allow you to choose.
Driver Signing - Microsoft digitally signs all drivers
that are qualified to run with Windows 2000. You have the
option to install only drivers that have been signed, see a warning
when drivers haven't been signed so you can decide then, or never
allow unsigned drivers to be installed. This can be set from
control panel, system on the hardware tab.
System File Checker - System File Checker (sfc.exe) is a
command line utility that scans and verifies the versions of all
protected system files after you restart your computer. If System
File Checker discovers that a protected file has been overwritten,
it retrieves the correct version of the file from the %systemroot%\system32\dllcache
folder, and then replaces the incorrect file.
Windows File Protection - runs in the background and
watches for applications trying to replace your system files, such as
.sys, .dll, .ocx, .ttf, .fon, and .exe files. If an
application attempts to replace a system file with one that is not
signed, Windows File Protection restores the copy stored in
dllcache and logs the attempt in the Event Log. There are 4
cases where File Protection will allow the files to be replaced:
- Windows 2000 Service Packs using Update.exe
- Hotfix distributions using Hotfix.exe
- Operating system upgrades using Winnt32.exe
- Windows Update
Task Scheduler - allows you to automate running commands,
scripts or programs at a set time. This is accessed through
the scheduled tasks folder in control panel. It offers the
ability to choose a user account for each task.
Offline Files - Windows 2000 offers the ability to use
files offline. Any files that you set up to have available
offline will be there when you disconnect from the network.
Your permissions will be the same as if you were connected to the
network. When you connect back to the network, the files are
synchronized with the network.
Performance Monitor - This chart shows some of the common
counters and their acceptable ranges.
| Resource | Object\Counter | Suggested threshold | Comments |
| Disk | PhysicalDisk\% Disk Time | 90% | |
| Disk | PhysicalDisk\Disk Reads/sec, PhysicalDisk\Disk Writes/sec | Depends on manufacturer's specifications | Check the specified transfer rate for your disks to verify that this rate doesn't exceed the specifications. In general, Ultra Wide SCSI disks can handle 50 I/O operations per second. |
| Disk | PhysicalDisk\Current Disk Queue Length | Number of spindles plus 2 | This is an instantaneous counter; observe its value over several intervals. For an average over time, use PhysicalDisk\Avg. Disk Queue Length. |
| Memory | Memory\Available Bytes | Less than 4 MB | Research memory usage and add memory if needed. |
| Memory | Memory\Pages/sec | 20 | Research paging activity. |
| Network | Network Segment\% Net Utilization | Depends on type of network | You must determine the threshold based on the type of network you are running. For Ethernet networks, for example, 30% is the recommended threshold. |
| Paging File | Paging File\% Usage | 99% | Review this value in conjunction with Available Bytes and Pages/sec to understand paging activity on your computer. |
| Processor | Processor\% Processor Time | 85% | Find the process that is using a high percentage of processor time. Upgrade to a faster processor or install an additional processor. |
| Processor | Processor\Interrupts/sec | Depends on processor. | A dramatic increase in this counter value without a corresponding increase in system activity indicates a hardware problem. Identify the network adapter causing the interrupts. |
Transmission Control Protocol/Internet Protocol
(TCP/IP) - TCP/IP is the default protocol used with Windows
2000. In the NT 4.0 world, TCP/IP was a separate topic and
exam. In the Windows 2000 world it was incorporated into the
core exams, so expect to see it in every exam you sit.
History - Protocol
suite designed for Wide Area Networks (WANs).
Originally used by the Department of Defense back in the late 60's,
TCP/IP is now the common protocol used for the Internet. All
major operating systems offer support for TCP/IP.
The standards for TCP/IP are published in a series of documents
called Requests for Comments (RFCs).
TCP/IP utilities
FTP - File Transfer Protocol - provides file transfers between
TCP/IP hosts with one running FTP software.
Telnet - Provides Terminal Emulation to a TCP/IP host running Telnet
server software.
RSH - Remote Shell - runs commands on a UNIX host.
REXEC - Remote Execution - Runs a process on a remote computer.
LPR - Line Printer Remote - Prints a file to a host running the LPD
Service.
LPQ - Line Printer Queue - Obtain status of a print queue on a host
running the LPD Service.
LPD - Line Printer Daemon - Services LPR requests and submits print
jobs to a printer device.
PING - Packet Internet Groper - Verifies that TCP/IP is configured
correctly and that another host is available.
IPCONFIG - Verifies TCP/IP information; with the /all switch it
also gives DHCP, DNS and WINS addresses. WINIPCFG is used in
Win9.x.
NSlookup - examines entries in the DNS database pertaining to a
particular host or domain.
Hostname - returns the local computer's host name.
Netstat - Displays Protocol statistics and the current state of
TCP/IP connections.
NBTstat - Checks the state of current NetBIOS over TCP/IP
connections, updates LMHOSTS cache, determines registered name.
Route - views or modifies the local routing table.
Tracert - verifies the route used from the local host to the remote
host.
ARP - Address Resolution Protocol - displays a cache of locally
resolved IP addresses to Media Access Control(MAC) addresses.
Finger - Retrieves system info from a remote computer that supports
the TCP/IP finger service.
TCP/IP Address Properties.
IP Address - 32-bit address used to uniquely
identify a TCP/IP host. The address has two parts:
the network ID and the host ID. The network ID identifies all
hosts that are on the same logical network. The host ID
identifies the host. Hosts can be workstations, servers,
routers, etc. A sample IP address is 24.128.102.7.
Let's compare this to the calendar. We have 12 networks:
January, February, March... On each network, we have hosts:
1, 2, 3, 4...
January 1 and January 14 are unique hosts on the same network.
March 4 and June 17 are on different networks.
Subnet Mask - Blocks part of the IP address to
distinguish the network ID from the Host ID. This will
determine if the TCP/IP clients are on the same network or on a
remote network. An example of a subnet mask is 255.255.255.0.
An improper Subnet mask can cause connectivity problems.
Default Gateway - If a packet is determined not to
be on the same network, it is sent to the default gateway.
This is usually a router. An incorrect default gateway will
produce errors when trying to communicate outside of your network.
A TCP/IP client must at least have an IP address and a subnet mask
for communications to work.
A TCP/IP client must have a minimum of IP address, Subnet mask and
default gateway for TCP/IP to work through a router.
Hosts communicate by Media Access Control (MAC) address. If a
MAC address is not known then an ARP broadcast is sent out.
The destination hardware will respond with its MAC address and its
IP address and these are stored in the ARP cache. The ARP
cache is always checked before doing an ARP broadcast.
IP Addresses dissected.
The 32-bit IP address is broken down into 4 8-bit fields called
octets, separated by periods. Each octet represents a number
between 0 and 255.
To understand the addresses you must look at them in binary form.
| Bit                   |   1 |  1 |  1 |  1 | 1 | 1 | 1 | 1 |
| Decimal (powers of 2) | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
Lets look at IP address 24.128.102.7
In binary form this would translate to:
24=00011000(the bits at 16 + 8 are turned on)
128=10000000(the bit at 128 is turned on)
102=01100110(the bits at 64+32+4+2 are turned on)
7=00000111(the bits at 4+2+1 are turned on)
00011000 . 10000000 . 01100110 . 00000111
The Network portion of the IP is on the left side. The host
portion of the ID is on the right side.
Which part is the Network and which is the Host?
In the early days things were simple and IP addresses fell into
classes, with the first few bits of the first octet determining the
class. Let's start with the default classful IP addresses: Class A
or /8 (pronounced "slash 8") network, Class B or /16 network, Class
C or /24 network. The /n notation gives the number of network bits.
Today routing is classless and the class only supplies a default;
the subnet mask actually configured decides the split.
Class A or /8 network.
The first 8 bits to the left (the first octet) are the network ID
and the next 24 bits (3 octets) are the host ID. The first bit in a
class A address is always set to 0, which actually leaves 7 bits to
toggle for the network ID.
This leaves our first octet as 00000001 to 01111111, or 1 to 127.
Network 127 is reserved for loopback addresses (127.0.0.1 is the
usual one), leaving 1 to 126.
Class B or /16 network.
The first 16 bits (2 octets) to the left are the network ID and the
next 16 bits (2 octets) are the host ID. The first two bits in a
class B address are always set to 1-0, which actually leaves 14 bits
to toggle for the network ID.
This leaves our first octet as 10000000 to 10111111, or 128 to 191.
Class C or /24 network.
The first 24 bits (3 octets) to the left are the network ID and the
next 8 bits (1 octet) are the host ID. The first three bits in a
class C address are always set to 1-1-0, which actually leaves 21
bits to toggle for the network ID.
This leaves our first octet as 11000000 to 11011111, or 192 to 223.
Class D network. Class D addresses are reserved for multicasting.
The first four bits in a class D address are always set to 1-1-1-0.
This leaves our first octet as 11100000 to 11101111, or 224 to 239.
Class E network. Class E addresses are reserved for future and
experimental use. The first four bits in a class E address are
always set to 1-1-1-1.
This leaves our first octet as 11110000 to 11111111, or 240 to 255.
| IP Address Class | Decimal Range | # Networks available 2^x-2 (1) | # Hosts available 2^y-2 (2) |
| Class A (/8)     | 1 to 126      | 126                            | 16777214                    |
| Class B (/16)    | 128 to 191    | 16382                          | 65534                       |
| Class C (/24)    | 192 to 223    | 2097150                        | 254                         |
| Class D          | 224 to 239    | n/a                            | n/a                         |
| Class E          | 240 to 255    | n/a                            | n/a                         |
(1) - Number of available networks is determined by using powers of
2. There are 2 possible values for a bit, on (1) and off (0).
Keeping in mind that the first bit is always set to 0, we have 7
bits left to toggle, so there are 2^7 possible Class A network IDs.
By rule (because some older routers can't route them) the all-0s
and all-1s networks are not used, which leaves 2^7-2 networks
available for Class A. Using this same 2^x-2 formula we can
determine the number of networks for Class B and Class C. Remember
that in Class B the first two bits are always set to 1-0, giving 14
bits to toggle, for a formula of 2^14-2. Remember that in Class C
the first three bits are always set to 1-1-0, giving 21 bits to
toggle, for a formula of 2^21-2.
(2) - Number of hosts is derived using the same formula as the
number of networks. A Class A network uses 8 bits for the network
ID, leaving 24 bits for the host ID. Using our formula 2^24-2, we
get 16777214. The two addresses subtracted are the all-0s host ID
(the network address itself) and the all-1s host ID (the broadcast
address); neither can be assigned to a host. We can calculate the
hosts for Class B and Class C the same way.
I have two IP Addresses. Are they on the same network?
To decide whether or not two IP addresses are on the same network,
we use a subnet mask. This is used to mask off the network portion
of the IP address. Every bit of the network portion has a 1 in the
corresponding bit of the subnet mask; every bit of the host portion
has a 0 in the corresponding bit of the subnet mask. A mask is
therefore always a run of 1s followed by a run of 0s. Let's look at
the subnet mask in binary form.
Class A addressing.
01110111 . 00100010 . 00010100 . 00010101 = 119.34.20.21
11111111 . 00000000 . 00000000 . 00000000 = 255.0.0.0 - This is the
default subnet mask for Class A networks.
01110111 . 00111000 . 00101011 . 01000000 = 119.56.43.64
In the above example, 119 is the network ID because it corresponds
with the bits turned on in the subnet mask. ANDing each address with
the mask gives 119.0.0.0 both times, so both of the above IPs are on
the same network.
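The class and same-network rules above, carried out in code. This is an added example, not part of the study guide: it parses dotted-decimal addresses, classifies them by their leading bits, derives the classful default mask, rejects a non-contiguous ("improper") mask, and ANDs addresses with a mask the way a host does before deciding between ARP and the default gateway. Function names are my own; the addresses used are the ones from the text.

```python
# Added example (not from the study guide): classful address parsing and
# the same-network test the guide describes, with the bit operations
# spelled out. Standard library only; no network I/O.

DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

def parse_ip(addr):
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"{addr!r}: expected four octets")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"{addr!r}: octet {octet} out of range")
        value = (value << 8) | n
    return value

def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(addr):
    """Render an address the way the guide does: 00011000 . 10000000 . ..."""
    value = parse_ip(addr)
    return " . ".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def address_class(addr):
    """Classify by the leading bits of the first octet: 0, 10, 110, 1110, 1111.
    127.x.x.x comes out as class A by this rule but is reserved for loopback."""
    first = parse_ip(addr) >> 24
    if first & 0b10000000 == 0:
        return "A"
    if first & 0b11000000 == 0b10000000:
        return "B"
    if first & 0b11100000 == 0b11000000:
        return "C"
    if first & 0b11110000 == 0b11100000:
        return "D"
    return "E"

def default_mask(addr):
    cls = address_class(addr)
    if cls not in DEFAULT_MASKS:
        raise ValueError(f"class {cls} addresses are not assigned to hosts")
    return DEFAULT_MASKS[cls]

def is_valid_mask(mask):
    """A mask must be a run of 1 bits followed by a run of 0 bits; something
    like 255.0.255.0 is the 'improper subnet mask' that breaks connectivity."""
    inverted = (~parse_ip(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def network_id(addr, mask):
    return to_dotted(parse_ip(addr) & parse_ip(mask))

def host_id(addr, mask):
    return to_dotted(parse_ip(addr) & ~parse_ip(mask) & 0xFFFFFFFF)

def same_network(a, b, mask):
    """True when both addresses share a network ID under the mask, which is
    the test a host makes before choosing ARP or the default gateway."""
    if not is_valid_mask(mask):
        raise ValueError(f"{mask!r} is not a contiguous subnet mask")
    m = parse_ip(mask)
    return (parse_ip(a) & m) == (parse_ip(b) & m)

def usable_hosts(mask):
    """2^y - 2: the all-0s (network) and all-1s (broadcast) host IDs are excluded."""
    host_bits = 32 - bin(parse_ip(mask)).count("1")
    return (1 << host_bits) - 2 if host_bits >= 2 else 0

if __name__ == "__main__":
    print(to_binary("24.128.102.7"))
    for ip in ("24.128.102.7", "119.34.20.21", "192.168.1.10", "224.0.0.9"):
        print(ip, "is class", address_class(ip))
    print(same_network("119.34.20.21", "119.56.43.64", "255.0.0.0"))    # True
    print(same_network("119.34.20.21", "119.56.43.64", "255.255.0.0"))  # False
```

Running it with the two class A addresses from the text shows them on the same network under 255.0.0.0 and on different networks under 255.255.0.0, which is why a wrong mask on one host produces one-way connectivity failures.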
Dynamic Host Configuration Protocol (DHCP)
- automatically assigns TCP/IP addresses and configuration to client
computers. The client broadcasts a request for an IP address at
startup. The DHCP server chooses an IP address from a pool and
offers it to the client, along with the subnet mask, default
gateway, and many other optional items. If the client accepts the
offer, the IP address is leased for a specified period of time, and
the client must renew the lease before it expires. A DHCP server
must have a static IP address. Windows 2000 introduces authorized
DHCP servers: a Windows 2000 DHCP server in an Active Directory
domain checks whether an administrator (a member of Enterprise
Admins) has authorized it in Active Directory, and if not it shuts
down its DHCP service. This prevents someone from setting up a
Windows 2000 DHCP server and handing out addresses that you don't
want. Note that the check is made by the server itself; it does not
stop a non-Windows 2000 rogue DHCP server on the segment, so watch
for unexpected offers. A scope is a range of valid IP addresses
that a DHCP server can assign. If you have multiple DHCP servers,
they must each hand out a unique part of the range to avoid
assigning duplicate IP addresses. You can have multiple scopes on a
DHCP server, one for each subnet it serves.
For redundancy, you should share part of your scope with another
DHCP server.
Ex. You have the subnet 222.222.222.x. You can give a scope of
222.222.222.1 to 222.222.222.200 to your primary DHCP server and a
scope of 222.222.222.201 to 222.222.222.254 to a secondary server.
This allows clients to obtain a lease if the primary DHCP server is
down but avoids leasing duplicate IPs. Microsoft's recommendation is
to have 80% of the addresses in the primary and 20% in the
secondary. Exclude the addresses of routers, servers and any other
statically configured hosts from the scope so they are never
leased. DHCP can also hand out many other pieces of information,
including routers, DNS servers and WINS servers. These options can
be configured at the global (server) level, scope level or client
(reservation) level.
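The lease exchange and the 80/20 split described above, modelled in code. This is an added example, not code from the study guide or from Windows 2000: two servers share the 222.222.222.x subnet, static addresses are excluded from both scopes, an unauthorized server refuses to offer anything, and a client takes the first offer it receives. The DhcpServer class, the MAC addresses and the simulated clock are my own assumptions; nothing touches the network.

```python
# Added example (not from the study guide): an in-memory model of the DHCP
# exchange (discover, offer, request, acknowledge), two servers sharing
# one subnet on the 80/20 split, exclusions for statically addressed
# hosts, and the Windows 2000 rule that an unauthorized server hands out
# nothing. No sockets or real packets; class names, MACs and the clock
# are assumptions for illustration.

from dataclasses import dataclass, field
import ipaddress

@dataclass
class Lease:
    ip: str
    mac: str
    expires_at: int            # simulated clock, seconds

@dataclass
class DhcpServer:
    name: str
    server_ip: str             # a DHCP server itself needs a static address
    scope_start: str
    scope_end: str
    authorized: bool           # Windows 2000: set in Active Directory by an Enterprise Admin
    lease_seconds: int = 8 * 24 * 3600       # Windows 2000 default lease is 8 days
    options: dict = field(default_factory=dict)    # subnet mask, router, DNS, WINS ...
    exclusions: set = field(default_factory=set)   # never leased: routers, servers ...
    leases: dict = field(default_factory=dict)     # ip -> Lease

    def _pool(self):
        start = int(ipaddress.IPv4Address(self.scope_start))
        end = int(ipaddress.IPv4Address(self.scope_end))
        for n in range(start, end + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip not in self.exclusions:
                yield ip

    def offer(self, mac, now):
        """DHCPOFFER: the address this client already leases, else the first
        free (or expired) one in the scope, else None when exhausted."""
        if not self.authorized:
            return None        # rogue-server detection: the service is stopped
        for lease in self.leases.values():
            if lease.mac == mac and lease.expires_at > now:
                return lease.ip
        for ip in self._pool():
            lease = self.leases.get(ip)
            if lease is None or lease.expires_at <= now:
                return ip
        return None

    def ack(self, mac, ip, now):
        """DHCPACK: commit the lease the client requested and return its
        configuration, or None (DHCPNAK) if another client got there first."""
        lease = self.leases.get(ip)
        if lease is not None and lease.mac != mac and lease.expires_at > now:
            return None
        self.leases[ip] = Lease(ip, mac, now + self.lease_seconds)
        return {"ip": ip, "lease_expires": now + self.lease_seconds, **self.options}

def obtain_lease(mac, servers, now):
    """Client side: broadcast DHCPDISCOVER, take the first DHCPOFFER that
    comes back, DHCPREQUEST it, and return the DHCPACK configuration.
    None means no server answered (a Windows 2000 client would fall back
    to APIPA at this point)."""
    for server in servers:
        ip = server.offer(mac, now)
        if ip is not None:
            config = server.ack(mac, ip, now)
            if config is not None:
                return config
    return None

def split_80_20(network):
    """The 80/20 rule: roughly 80% of the usable hosts to the primary,
    the rest to the secondary, with no overlap between the two scopes."""
    hosts = list(ipaddress.IPv4Network(network).hosts())
    cut = int(len(hosts) * 0.8)
    return (str(hosts[0]), str(hosts[cut - 1])), (str(hosts[cut]), str(hosts[-1]))

def demo(now=0):
    common = {"subnet_mask": "255.255.255.0", "router": "222.222.222.1",
              "dns": ["222.222.222.2"]}
    static = {"222.222.222.1", "222.222.222.2", "222.222.222.3"}   # router, both servers
    primary = DhcpServer("primary", "222.222.222.2", "222.222.222.1", "222.222.222.200",
                         authorized=True, options=common, exclusions=static)
    secondary = DhcpServer("secondary", "222.222.222.3", "222.222.222.201", "222.222.222.254",
                           authorized=True, options=common, exclusions=static)
    rogue = DhcpServer("rogue", "222.222.222.99", "10.0.0.1", "10.0.0.50",
                       authorized=False, options={"router": "10.0.0.1"})
    results = {}
    results["first"] = obtain_lease("00:aa:00:00:00:01", [rogue, primary, secondary], now)
    results["renew"] = obtain_lease("00:aa:00:00:00:01", [primary, secondary], now + 3600)
    results["second"] = obtain_lease("00:aa:00:00:00:02", [primary, secondary], now)
    results["failover"] = obtain_lease("00:aa:00:00:00:03", [secondary], now)   # primary down
    return results

if __name__ == "__main__":
    for step, config in demo().items():
        print(step, config)
```

The rogue server is listed first yet never answers, the first client gets .4 (the router and both servers are excluded), the same client is re-offered its own address on renewal, and the third client is served by the secondary alone. split_80_20 computes the textbook split; the text's .200/.201 boundary is a rounded version of the same idea.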
Automatic Private IP Addressing (APIPA) - This is a feature that
Windows 2000 offers that is similar to a mini DHCP server. If a
computer is set up to use DHCP and a DHCP server is not available,
Windows 2000 assigns itself an IP address from the range
169.254.0.1 - 169.254.255.254 with a subnet mask of 255.255.0.0,
checking with ARP that the address is not already in use. This can
be quite useful in a home office or small company, as there is no
need to set up a DHCP server. It is quite limited, though, in that
you don't get a default gateway, so it is useless in a routed
environment. Another downside is that in a network in which the DHCP
server is unavailable a client will log on and won't get any error
messages, so it might make troubleshooting a bit more difficult when
they can't access network resources. A client sitting on a
169.254.x.x address (check with ipconfig) is the tell-tale sign that
no DHCP server answered.
Windows Internet Name Service (WINS) -
WINS is responsible for resolving NetBIOS names to IP addresses.
When a WINS client boots up it registers its name with the WINS
server. The WINS server stores the name and IP address of the client
in its database to hand out on future requests. This enables you to
connect to a server named Appserver by name instead of having to
remember Appserver's IP address. The WINS database is dynamic.
DNS (Domain Name System)
DNS is used to resolve fully qualified domain names (FQDNs) to IP
addresses, i.e. CERTguide.com resolves to 24.128.102.7. Windows 2000
uses DNS as its primary means of name resolution, including locating
domain controllers (through SRV records), so a broken DNS
configuration breaks domain logons.
Query Types
Iterative Query - If the DNS server does not have the answer, it
returns the best referral it has (typically the name servers for the
next level down) and leaves it to the requester to ask them. This is
how DNS servers normally talk to each other.
Recursive Query - If the DNS server does not have the answer, it
goes to other DNS servers itself until it has a definitive answer or
an error, and returns that to the requester. This is what clients
normally ask of their configured DNS server.
Lookup Zone Files
Forward Lookup Zone - resolves host name to IP address (A records).
Reverse Lookup Zone - resolves IP address to host name (PTR records
under in-addr.arpa; 24.128.102.7 is looked up as
7.102.128.24.in-addr.arpa).
Hosts File - manually updated text file that contains IP address to
host name combinations. This is how it was done before DNS, and it
is still consulted before DNS is queried.
Zone Types
DNS is divided into zones so you can be responsible only for your
section or zone.
Standard Primary - contains the read/write copy of the zone, stored
in a text file.
Standard Secondary - contains a read-only copy of the zone, stored
in a text file. Changes are made on the primary and replicated to
the secondary by zone transfer.
Active Directory Integrated - stores zone info in Active Directory.
Changes replicate with Active Directory replication automatically,
every domain controller running DNS holds a writable copy, and the
zone can be set to accept only secure dynamic updates from
authenticated computers.
Record Types
A record - host name to IP address. You must add these manually if
your clients do not update dynamically. Also referred to as a host
record.
MX record (Mail Exchanger) - Specifies which server mail for the
domain is delivered to; the lowest preference value is tried first.
CNAME (canonical name) record - allows you to give additional names
to an A record. If the server patriots.CERTguide.com hosts the
website for www.CERTguide.com, create a CNAME to map www to
patriots. Also referred to as an alias record.
Start of Authority (SOA record) - names the primary server for the
zone and carries the serial number and the refresh, retry and expire
timers that control how often secondaries check for and pull
changes.
Zone Transfer - This is the process of replicating zone data from
one DNS server to another. Restrict which servers may request a zone
transfer, since a full transfer hands out your complete host list.
Windows 2000 introduces incremental zone transfer (IXFR), which only
transfers changes to the zone instead of the entire zone.
Subdomain - also known as a child domain, located below the domain.
tips.CERTguide.com is a subdomain of CERTguide.com.
DDNS (Dynamic DNS) - Windows 2000 includes DNS that is dynamically
updated to prevent having to manually keep the DNS database current.
When a Windows 2000 client boots up, it sends its information
straight to the DNS server to be added. Windows 9.x and NT clients
cannot pass their information directly to the DNS server, so the
DHCP server forwards their information along to allow them to take
advantage of Dynamic DNS. Dynamic updates are configured at the zone
level, so you can choose to update one or more zones manually if you
prefer.
Caching-only servers - look up queries for clients and cache the
answers so repeated queries are served locally instead of going back
out to other DNS servers. They are not authoritative for any zone.
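The record types and zone ideas above, exercised against a small in-memory zone. This is an added example, not code from the study guide or from the Windows 2000 DNS service: it follows a CNAME alias to its A record (with loop protection, since a bad zone can alias in a circle), picks the MX with the lowest preference, builds the in-addr.arpa name used by a reverse lookup zone, and decides whether a server holding this zone is authoritative for a name. Only CERTguide.com, patriots.CERTguide.com, tips.CERTguide.com and 24.128.102.7 come from the text; every other name, address and SOA value is constructed.

```python
# Added example (not from the study guide): a tiny in-memory zone for
# CERTguide.com using the record types the guide lists, plus the lookups
# a resolver performs on them. Zone contents are constructed; only the
# CERTguide.com names and 24.128.102.7 are from the text.

ZONE = {
    # zone name (lowercase, no trailing dot) -> list of (type, data)
    "certguide.com": [
        ("SOA", {"primary": "patriots.certguide.com", "serial": 2001010101,
                 "refresh": 900, "retry": 600, "expire": 86400, "minimum": 3600}),
        ("A", "24.128.102.7"),
        ("MX", (10, "mail.certguide.com")),      # preferred: lowest value wins
        ("MX", (20, "mail2.certguide.com")),
    ],
    "patriots.certguide.com": [("A", "24.128.102.7")],
    "www.certguide.com": [("CNAME", "patriots.certguide.com")],   # alias record
    "mail.certguide.com": [("A", "24.128.102.8")],
    "mail2.certguide.com": [("A", "24.128.102.10")],
    "tips.certguide.com": [("A", "24.128.102.9")],                # host in the subdomain
}

def _canonical(name):
    return name.lower().rstrip(".")

def records(name, rtype):
    """All records of one type at a name, or [] if the name does not exist."""
    return [data for t, data in ZONE.get(_canonical(name), []) if t == rtype]

def resolve_a(name, max_cname=8):
    """A records for name, following CNAME aliases like a resolver does.
    Bounded so a CNAME loop in a broken zone cannot hang the lookup."""
    current = _canonical(name)
    seen = []
    for _ in range(max_cname):
        addrs = records(current, "A")
        if addrs:
            return addrs
        aliases = records(current, "CNAME")
        if not aliases:
            return []                  # no such name, or no A record for it
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.append(current)
        current = _canonical(aliases[0])
    raise ValueError(f"CNAME chain for {name} longer than {max_cname}")

def mail_server(domain):
    """Where mail for the domain goes: the MX with the lowest preference."""
    mx = records(domain, "MX")
    return min(mx)[1] if mx else None

def reverse_name(ip):
    """24.128.102.7 -> 7.102.128.24.in-addr.arpa, the PTR name looked up
    in a reverse lookup zone."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def is_authoritative(name):
    """A server is authoritative for a name only if it holds the SOA of
    the zone the name falls under; a caching-only server holds none."""
    labels = _canonical(name).split(".")
    return any(records(".".join(labels[i:]), "SOA") for i in range(len(labels)))

if __name__ == "__main__":
    print("www.CERTguide.com ->", resolve_a("www.CERTguide.com"))
    print("mail for certguide.com ->", mail_server("certguide.com"))
    print("reverse name ->", reverse_name("24.128.102.7"))
    print("authoritative for tips.certguide.com:", is_authoritative("tips.certguide.com"))
```

Lookups are case-insensitive and tolerate a trailing dot, as real DNS does. The loop guard matters in practice: a CNAME pointing back at itself through another alias is a classic zone mistake.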
RAS (Remote Access Service)
Windows 2000 supports several remote access protocols including:
PPP (Point to Point Protocol) - most common remote access protocol.
Allows for multivendor environments.
SLIP (Serial Line Internet Protocol) - not supported on the server,
only the client. Mostly used for telnet. Carries no authentication
or encryption of its own.
Microsoft RAS - Clients must use NetBEUI. The server acts as a
gateway to connect to NetBEUI, TCP/IP or IPX/SPX networks.
ARAP (AppleTalk Remote Access Protocol) - A Windows 2000 server
running ARAP can accept connections from Macintosh clients.
Windows 2000 RAS supports several LAN protocols including:
TCP/IP
NetBEUI
NWLink
AppleTalk
Permissions can be set to allow access, deny access or control
access through Remote Access Policy (control through RAS policy is
only available in native mode).
Caller ID can be enabled to check for a specific number before
accepting a connection (only available in native mode).
RAS can be configured to call the user back at a specific number to
complete the connection. With the callback number fixed by the
administrator, a stolen password alone is not enough to dial in from
somewhere else.
RAS can be set to assign a static IP address if a client requires a
specific IP.
Windows 2000 RAS supports Multilink, in which several connections
can be combined to increase bandwidth. Both client and server need
to have Multilink enabled.
BAP (Bandwidth Allocation Protocol) - works with Multilink to
provide bandwidth on demand by adding or dropping links as needed.
Remote Access Authentication Protocols:
PAP (Password Authentication Protocol) - sends passwords in clear
text. Provides little security; anyone sniffing the link gets the
password.
SPAP (Shiva Password Authentication Protocol) - more secure than
PAP, using a reversible encryption scheme. Used to connect Shiva
LANRover clients to Windows 2000, or Windows 2000 clients to a Shiva
server. Medium security.
CHAP (Challenge Handshake Authentication Protocol) - the server
sends a random challenge and the client answers with an MD5 one-way
hash of the challenge and the password, so the password itself never
crosses the link. Industry standard, so it works with non-Microsoft
clients. The server must hold the clear-text password to verify the
hash, which on Windows 2000 means enabling "Store password using
reversible encryption" for those accounts. Highly secure.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) -
Microsoft's variant of CHAP; the response is computed from the
one-way hashed password already stored in the account database, so
reversible encryption is not needed. This is enabled by default on a
Windows 2000 server running RAS. Highly secure.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol
v2) - adds mutual authentication (the client verifies the server
too) and stronger session keys. Windows 2000 clients use this by
default for dial-up. Windows 2000, NT4 and Win98 clients use this by
default for VPN. Highly secure.
EAP (Extensible Authentication Protocol) - Client and server
negotiate the authentication method, which can include MD5-CHAP
username and password, smart cards, token cards, retina or
fingerprint scanners and other third-party authentication
technologies.
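The PAP and CHAP exchanges above, with both peers in one process so the difference is visible on a simulated link. This is an added example, not code from the study guide or from Windows 2000 RAS: CHAP is implemented as RFC 1994 specifies (Response = MD5(Identifier || Secret || Challenge)), PAP simply ships the password, and two helper checks show whether the password was readable on the wire and whether a captured response can be replayed. The account store, user name, secret and message list are constructed for illustration.

```python
# Added example (not from the study guide): the PAP and CHAP exchanges
# with both peers in one process. CHAP follows RFC 1994: the server sends
# a random challenge, the client replies with
# MD5(identifier || secret || challenge), and the secret never crosses
# the link. The user database, the secret and the "wire" list are
# constructed for illustration.

import hashlib
import hmac
import secrets

# Server-side account store. CHAP verification needs the clear-text secret,
# which is why Windows 2000 requires "store password using reversible
# encryption" for accounts that authenticate with plain CHAP.
USERS = {"john": "S3cret-pass"}

def pap_authenticate(username, password, wire):
    """PAP: the client sends the password itself in the Authenticate-Request."""
    wire.append(("Authenticate-Request", username, password))          # client -> server
    ok = hmac.compare_digest(USERS.get(username, ""), password)
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak",))   # server -> client
    return ok

def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2.2: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def chap_verify(username, identifier, challenge, response):
    """Server side: recompute the expected response from the stored secret."""
    expected = chap_response(identifier, USERS.get(username, ""), challenge)
    return hmac.compare_digest(response, expected)

def chap_authenticate(username, client_secret, wire, challenge=None):
    """One CHAP round. The challenge is random per attempt; a fixed one can
    be passed in only to make the exchange reproducible for checking."""
    identifier = 1
    challenge = challenge if challenge is not None else secrets.token_bytes(16)
    wire.append(("Challenge", identifier, challenge.hex()))             # server -> client
    response = chap_response(identifier, client_secret, challenge)      # client computes
    wire.append(("Response", identifier, response.hex(), username))     # client -> server
    ok = chap_verify(username, identifier, challenge, response)
    wire.append(("Success" if ok else "Failure", identifier))           # server -> client
    return ok

def secret_on_wire(wire, secret):
    """Could a sniffer read the password straight off the link?"""
    return any(secret in str(item) for message in wire for item in message)

def replay_works(username, captured_response, captured_identifier):
    """An attacker who sniffed a Response replays it against a fresh
    challenge. With a random challenge per attempt this must fail."""
    fresh_challenge = secrets.token_bytes(16)
    return chap_verify(username, captured_identifier, fresh_challenge, captured_response)

if __name__ == "__main__":
    link = []
    print("PAP ok:", pap_authenticate("john", "S3cret-pass", link),
          "password visible:", secret_on_wire(link, "S3cret-pass"))
    link = []
    print("CHAP ok:", chap_authenticate("john", "S3cret-pass", link),
          "password visible:", secret_on_wire(link, "S3cret-pass"))
```

The constant-time comparison (hmac.compare_digest) is deliberate on the server side; a plain == would leak timing information about the expected digest. Note what CHAP does not give you: the server still stores the clear-text secret, and MD5 offers no protection if the challenge is predictable.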
Remote Access Data Encryption Protocols:
MPPE (Microsoft Point to Point Encryption) - Encrypts the PPP
payload on dial-up and PPTP VPN connections. Can use 128-bit, 56-bit
or 40-bit keys. The keys are derived during MS-CHAP, MS-CHAP v2 or
EAP-TLS authentication, so MPPE is only available with those
methods.
IPSec (Internet Protocol Security) -
IPSec encrypts data traveling across the network. The systems
communicating via IPSec use keys to decipher data that has been
encrypted using agreed algorithms. The key can be generated by a
key-exchange algorithm run on the communicating systems, so that the
key itself does not have to travel across the network. Key lengths
can be varied depending on how secure the data needs to be. Keys can
also be changed dynamically during a session, so that if one key is
captured and deciphered the rest of the data is still protected by a
different key. IPSec can be forced on computers by using policies
(IPSec policies are assigned through Group Policy). IPSec
communication can be assigned on a group-to-group basis.
IP Addressing - RAS can hand out IP addresses using 3 methods:
- Static IP address - IP address is configured on the client. Not
recommended because of the administration.
- IP address range - assign a range of addresses to the RAS server
to give out.
- DHCP addressing - RAS obtains addresses for its clients from a
DHCP server. Highly recommended, as there is only one pool of IP
addresses to maintain.
Remote Access Policies - RAS policies consist of conditions,
permissions and a profile.
Conditions - Conditions include things like time of day, user
groups, IP addresses and caller IDs that must all be matched for the
policy to apply. Policies are checked in order and the first one
whose conditions match is used; if none matches, the connection is
refused.
Permissions - RAS policy permissions work in conjunction with a
user's dial-in permission in Active Directory. A user set to Allow
or Deny overrides the matching policy's permission; only "Control
access through Remote Access Policy" lets the policy decide. i.e.
The sales group is granted remote access through a policy from 9:00
to 5:00. John, a member of the sales group, is given 24-hour access
in Active Directory. John will have 24-hour access.
Profiles - This contains settings such as time limits,
authentication and encryption protocols that are applied to the
connection once it has been allowed.
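The policy evaluation described above, as an added example that is not part of the study guide and not Microsoft's code: first matching policy by conditions, the user's Active Directory dial-in setting overriding that policy's permission unless it is "control through policy", and the profile applied only to an allowed connection. The sales policy follows the text; the default policy mirrors the one Windows 2000 creates ("Allow access if dial-in permission is enabled", any time, permission Deny). The users, caller IDs, clock values and profile contents are constructed.

```python
# Added example (not from the study guide): a model of how a Windows 2000
# remote access policy is evaluated. Policy names, users and times are
# constructed for illustration; the rules are the ones the guide states.

from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Policy:
    name: str
    permission: str                                 # "allow" or "deny"
    groups: set = field(default_factory=set)        # empty: any group
    hours: tuple = (0, 24)                          # half-open [start, end) in hours
    caller_ids: set = field(default_factory=set)    # empty: any calling number
    profile: dict = field(default_factory=dict)     # timeouts, auth, encryption

@dataclass
class User:
    name: str
    groups: set
    dialin: str        # AD setting: "allow", "deny" or "policy" (control through RAS policy)

def conditions_match(policy, user, when, caller_id=None):
    """Every condition on the policy must hold for it to apply."""
    if policy.groups and not (policy.groups & user.groups):
        return False
    start, end = policy.hours
    if not start <= when.hour < end:
        return False
    if policy.caller_ids and caller_id not in policy.caller_ids:
        return False
    return True

def evaluate(user, policies, when, caller_id=None):
    """Returns (decision, policy_name, profile). The first policy whose
    conditions match decides; the user's dial-in setting overrides its
    permission unless set to control through policy."""
    for policy in policies:
        if not conditions_match(policy, user, when, caller_id):
            continue
        if user.dialin == "allow":
            decision = "allow"
        elif user.dialin == "deny":
            decision = "deny"
        else:
            decision = policy.permission
        profile = policy.profile if decision == "allow" else {}
        return decision, policy.name, profile
    return "deny", None, {}           # no policy matched: connection refused

POLICIES = [
    Policy("Sales daytime", "allow", groups={"sales"}, hours=(9, 17),
           profile={"session_timeout_min": 480, "auth": ["MS-CHAP v2"],
                    "encryption": "required"}),
    # The default policy Windows 2000 creates: matches any time, permission Deny,
    # so only users whose AD dial-in setting is Allow get through it.
    Policy("Allow access if dial-in permission is enabled", "deny",
           profile={"auth": ["MS-CHAP v2", "MS-CHAP"], "encryption": "required"}),
]

JOHN = User("john", {"sales"}, "allow")      # the guide's example: 24-hour access in AD
MARY = User("mary", {"sales"}, "policy")     # let the policy decide
PAT = User("pat", {"engineering"}, "policy")

if __name__ == "__main__":
    evening = datetime(2001, 3, 5, 20, 0)
    morning = datetime(2001, 3, 5, 10, 0)
    for user, when in ((JOHN, evening), (MARY, evening), (MARY, morning), (PAT, morning)):
        print(user.name, when.strftime("%H:%M"), evaluate(user, POLICIES, when)[:2])
```

John at 20:00 misses the sales policy, matches the default policy, and is allowed because his AD setting overrides the policy's Deny, which is the guide's example. Mary, left to the policy, is refused at 20:00 and allowed at 10:00; Pat is never in the sales group and falls through to the default Deny.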
IAS (Internet Authentication Service) - IAS in conjunction with
Routing and Remote Access Service provides support for RADIUS
(Remote Authentication Dial-in User Service). RADIUS lets remote
access servers, including third-party or ISP equipment, forward the
authentication of dial-in users to a central server, so the accounts
are kept in one place. IAS also allows for tracking of connections,
for things like usage for billing purposes and auditing for security
purposes.
VPN (Virtual Private Networks)
A VPN is a tunnel between two systems. The data that passes between
the systems is encrypted. This allows for secure communication
across a public network such as the Internet.
VPNs use either PPTP or L2TP as the tunneling protocol; the
encryption comes from MPPE or IPSec respectively.
PPTP (Point to Point Tunneling Protocol) - only works over an IP
network. Uses the PPP authentication and MPPE encryption described
above.
L2TP (Layer 2 Tunneling Protocol) - works over IP, Frame Relay, X.25
or ATM. Uses IPSec for encryption (L2TP itself does not encrypt),
which means both ends need machine certificates for the IPSec
negotiation.
Web Services - Windows 2000 includes Internet Information Server
(IIS), which is a full web hosting package that allows you to host
either an Intranet or Internet website. IIS also includes services
for SMTP (e-mail) and NNTP (news).
Hosting multiple domains on one server.
- Use a unique IP address for each domain.
- Use one IP address and a unique host header for each domain (the
browser sends the name it asked for in the HTTP Host header and IIS
routes on it).
- Use one IP address and assign a different port to each domain.
Virtual directories - A web site can point at any directory on any
physical hard drive on the IIS computer, or on another computer in
the same domain via a UNC path. It appears to the surfer that that
directory sits under the www root. Since the anonymous IIS account
is what accesses those directories, their NTFS permissions decide
what the public can reach.
Terminal Services
- Remote Administration Mode - allows remote administration of the
server from a remote PC (limited to two concurrent connections, no
extra licensing).
- Application Server mode - Clients connect to the server to run
applications that are installed on the server. All processing is
done on the server and only screen updates, keystrokes and mouse
movements pass between server and client. This ensures that all
clients are using the same versions of software. It also makes for
easier upgrades, as you only need to upgrade the software on the
server. Older systems that couldn't support modern applications are
able to use them, as they don't have to do any of the processing.
- Security - Logon attempts can be limited to prevent unauthorized
access. Terminal Server also supports encryption of the session
traffic at low, medium and high levels.
Account Policies
Account policies (password, lockout and Kerberos settings) are set
at the domain level. If multiple account policies are needed,
multiple domains must be formed.
Auditing
- Discretionary Access Control List (DACL) - Attached to each object
is a list of groups or users that have permissions to use that
object and the level of permissions that they have.
- System Access Control List (SACL) - Also attached to each object
is the SACL, a list of groups and users whose access is to be
audited and which events (success, failure or both) to audit for
them.
- Files and folders can be audited to see who took actions on them,
such as modifying files, changing permissions, viewing attributes,
etc. A SACL produces entries only if the "Audit object access"
policy is turned on as well.
- If you set auditing at the folder level, the audit settings can be
inherited by all files in the folder if you choose.
- In addition to folder and file access, events like logons, account
management and directory service access can also be audited.
- Whenever one of these audited events occurs, an entry is made in
the security log in Event Viewer. Size the security log for the
volume you expect and decide whether it overwrites old entries or
stops logging when it fills.