TOGGIT IN SEARCH OF CERTIFICATION
Creating, Configuring, Managing, Securing, and Troubleshooting File, Print, and Web Resources
Publish resources in Active Directory. Types of resources include printers and shared folders
· Publishing a resource refers to the process of creating an object in the directory that either contains the information you want to make available or that provides a pointer to the object.
· General information is automatically published for all network users, while account security information is only available to select administrator groups.
· Printers must be installed before they are added to Active Directory.
· Shared folders are published using the Active Directory Users And Computers snap-in.
· Creating objects in Active Directory that either directly contain the information that you want to make available, or provide a reference to that information, is called publishing.
· You do not need to publish resources that already exist in Active Directory, such as user accounts, only resources that do not exist in Active Directory.
· Resources that do not exist in Active Directory are:
  o Printers on a computer that is not running Windows 2000.
    § Printers are automatically published in Active Directory when you create printers in Windows 2000.
    § Windows 2000 includes a script, called Pubprn.vbs, that you can use to publish printers on computers not running Windows 2000.
  o Shared folders.
    § You can publish shared folders in Active Directory by using the Active Directory Users and Computers snap-in.
Perform a search in Active Directory Users and Computers
· Administrators can search Active Directory via an LDAP query against the global catalog.
· To find objects in Active Directory:
  1. Open Administrative Tools in Control Panel.
  2. Open Active Directory Users And Computers.
  3. Right-click a domain or container in the console tree and select Find.
· Users can access directory objects via:
  1. The Search command in the Start menu.
  2. My Network Places.
  3. The Find command in the Active Directory Users And Computers snap-in.
· Users can search for computers, shared folders, printers, and users.
  o Computer – information on a computer that belongs to the domain.
  o Contact – contact information about a user connected to the organization.
  o Domain Controllers – information on domain controllers.
  o Group – collections of users, groups, or computers used to simplify administration.
  o OU – container used to organize Active Directory objects, including other OUs.
  o Printer – a pointer to a printer.
  o Shared Folder – a pointer to a shared folder on a computer.
Configure a printer object
· Use
Group Policy to configure printer object.
· Two
types of configurations can be set:
o Computer
Configuration.
1. Open
Administrative Tools in Control Panel.
2. Click
Active Directory Users and Computers snap-in.
3. Right-click
the Active Directory container, and then click Properties.
4. Click
New and then expand the Computer Configuration, Administrative
Templates, and Printers folders.
o User
Configuration
1. Open
Administrative Tools in Control Panel.
2. Click
Active Directory Users and Computers snap-in.
3. Right-click
the Active Directory container, and then click Properties.
4. Click
New and then expand the User Configuration, Administrative
Templates, Control Panel, and Printers folders.
Manage data storage. Considerations include file systems, permissions, and quotas.
Implement NTFS and FAT file systems
- Configure file systems by using NTFS, FAT32, or FAT.
- Use FAT when dual-booting with DOS/Windows 3.x and Windows 95.
- Use FAT32 when dual-booting with Windows 95 OSR2.
- Only Windows NT can access NTFS partitions.
- NTFS has support for file and folder security, compression, encryption and quota management. FAT supports none of these.
- When formatting a partition as FAT, disks smaller than 2 GB will be FAT16 and disks larger than 2 GB will be FAT32.
- FAT32 and NTFS both support long file names.
- Use convert.exe to convert FAT/FAT32 to NTFS without data loss.
- Cannot convert NTFS to FAT/FAT32. Must reformat.
- To convert FAT/FAT32 to NTFS:
  1. Click on Run in the Start menu.
  2. Type cmd.
  3. Type convert x: /fs:NTFS (where x: is the drive letter).
Enable and configure quotas
· Use disk quotas to enforce disk space limits per individual user.
· Quotas can only be set at disk level and only on NTFS volumes.
· File and folder ownership is used to measure space on a per-user basis.
· Set a disk space limit and a warning level (MB).
· Logging an event when the limit or warning level is reached is optional and disabled by default.
· Windows 2000 ignores compression when it measures hard disk space usage.
Implement and configure Encrypting File System (EFS)
· EFS provides encryption of files and folders on an NTFS volume.
· To encrypt a file or the contents of a folder, select the option Encrypt Contents To Secure Data, which you can access by clicking the Advanced button on the General tab of the file or folder properties.
· A public key encrypts the files and a private key decrypts the files.
· To decrypt (deselect Encrypt Contents To Secure Data) you must have the appropriate private key (you can decrypt your own encrypted files) or you must be a Recovery Agent.
· By default the domain administrator is the Recovery Agent. If the computer is not a member of a domain, the local administrator is the Recovery Agent.
· Add encrypted data recovery agents by adding their user accounts to the Encrypted File System Public Key policy.
· Cipher.exe is a command-line utility that provides the ability to encrypt and decrypt files and folders.
· Encrypted files cannot be shared.
· Encrypted files cannot be compressed.
· Disable EFS on the computer by applying an empty data recovery policy.
Configure volumes and basic and dynamic disks
- Use the Disk Manager snap-in in the Computer Management console to manage disks.
- Windows 2000 supports two types of storage:
  - Basic storage: can be divided into primary and extended partitions; the latter must be divided into logical drives.
  - Dynamic storage: one partition per disk, divided into volumes.
- All disks use basic storage by default. Right-click a basic disk in Disk Manager and select Upgrade to Dynamic to convert a basic disk to dynamic.
- To revert a dynamic disk back to basic storage, all volumes must be removed and all data will be lost.
- Use Rescan to update the hardware information regarding disks, e.g. when adding disks.
- A simple volume uses space from one physical disk.
- A spanned volume combines multiple disks and fills a disk completely before it starts writing to the next disk in line. Can be extended if the format is NTFS.
- A striped volume combines free space from multiple disks into a single volume and writes data evenly in 64 KB pieces to all disks.
- Spanned and striped volumes can support up to a maximum of 32 disks.
- Windows 2000 Professional does not support fault-tolerant volumes.
- Dynamic volumes can be mounted to an empty folder on a dynamic disk.
Configure file and folder permissions
· File and folder access permissions are only supported when the drive is formatted as NTFS.
· NTFS folder permissions:
  o Read: see files and subfolders and view all attributes and permissions.
  o Write: create files and subfolders, view and change all attributes, view permissions.
  o List Folder Contents: just see files and subfolders.
  o Read & Execute: Read permissions plus the ability to navigate through the folder structure even without the appropriate permissions on subfolders.
  o Modify: Read and Write permissions and Delete (the folder itself).
  o Full Control: all permissions (incl. Change Permissions, Take Ownership).
· NTFS file permissions:
  o Read: read the file, and view all attributes and permissions.
  o Write: change the file and all attributes, and view permissions.
  o Read & Execute: Read permissions and the ability to run applications.
  o Modify: Delete, Modify and the Write and Read & Execute permissions.
  o Full Control: all permissions (incl. Change Permissions, Take Ownership).
· File permissions after copying or moving:
  o Lost when moving to another partition (inherits compression state from the target folder).
  o Lost when copying (inherits compression state from the target folder).
  o Retained when moving within the same partition.
· Deny all access to a user account or group for a folder by denying the Full Control permission.
· Permissions are cumulative, except that a Deny overrides any Allow.
· Clear the 'Inherit permissions from parent object' check box to prevent inheritance of permissions for a specific folder.
· If permissions to a file or folder have changed for a group, members have to log on again before the changes are effective.
Manage a domain-based distributed file system (DFS)
· Dfs organizes shared folders on different computers in a network to provide a logical tree structure for file system resources.
· Computers running Windows 98, Windows NT 4 and Windows 2000 have a Dfs client built in. Computers running Windows 95 will need to download and install a Dfs client to have access to Dfs resources.
· A domain Dfs root must be hosted on either a member server or a domain controller in the domain.
· Changes to a Dfs tree are automatically synchronized through Active Directory.
· Fault tolerance is implemented by assigning replicas to a Dfs link.
Manage file and folder compression
· Compact is the command-line version of the real-time compression functionality used in Windows Explorer. It can be used to display or alter the compression attributes of files or folders on NTFS volumes only.
· Files and folders on NTFS volumes can have their compression attributes set through My Computer or Windows Explorer.
Create shared resources and
configure access rights. Shared resources include printers, shared
folders, and Web folders.
Share folders and enable Web
sharing
· Web
sharing requires IIS to be running on the machine where folders
are to be shared.
· Use
My Computer or Windows Explorer to share folders using Web Sharing
tab.
· Access
permissions are:
o Read.
o Write.
o Script
Source Access.
o Directory
Browsing.
· Application
permissions are:
o None.
o Scripts.
o Execute
(includes scripts).
Configure shared folder permissions
· Use the Permissions button on the Sharing tab to secure shares.
· The following are the available permissions that can be assigned to a share:
  o Full Control
  o Change
  o Read
· When you use NTFS permissions in conjunction with share permissions, the most restrictive permission is the one that applies.
· The default share permission is Full Control for the Everyone group.
· Assign permissions to the Users group instead of the Everyone group so that only users with a user account can connect.
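The two rules stated above (NTFS permissions accumulate across a user's groups except that Deny wins, and over a share the most restrictive of the NTFS result and the share result applies) can be checked with a small calculator. The following is an added example, not code from the original notes: the users, groups and ACLs are constructed sample data, and each permission level is reduced to a small set of named rights, which is an assumption made for illustration.

```python
"""Added example (not from the original notes): the access a user actually gets
when NTFS and share permissions combine. Allow entries accumulate across the
groups in the user's token, an explicit Deny removes its rights, and over a
share the intersection of the NTFS and share results applies. Users, groups,
ACLs and the simplified right sets below are constructed assumptions."""

# Rights granted by each NTFS permission level (simplified model).
NTFS_RIGHTS = {
    "Read": {"read"},
    "Write": {"write"},
    "List Folder Contents": {"list"},
    "Read & Execute": {"read", "list", "execute"},
    "Modify": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "change_permissions", "take_ownership"},
}

# Rights granted by each share permission level (simplified model).
SHARE_RIGHTS = {
    "Read": {"read", "list", "execute"},
    "Change": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "change_permissions", "take_ownership"},
}


def combine(principals, acl, table):
    """Accumulate Allow entries for the given principals; any Deny removes its rights."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue
        if kind == "Allow":
            allowed |= table[level]
        elif kind == "Deny":
            denied |= table[level]
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed - denied   # Deny overrides Allow


def effective_access(principals, ntfs_acl, share_acl=None):
    """Rights a user has locally (NTFS only) or over a share (NTFS AND share)."""
    rights = combine(principals, ntfs_acl, NTFS_RIGHTS)
    if share_acl is not None:
        rights &= combine(principals, share_acl, SHARE_RIGHTS)  # most restrictive wins
    return rights


# Constructed sample data: a token holds the user plus every group it belongs to.
ALICE = {"alice", "Users", "Finance", "Everyone"}
BOB = {"bob", "Users", "Temps", "Everyone"}

REPORTS_NTFS = [
    ("Users", "Allow", "Read & Execute"),
    ("Finance", "Allow", "Modify"),
    ("Temps", "Deny", "Full Control"),   # deny all access to temporary staff
]
DEFAULT_SHARE = [("Everyone", "Allow", "Full Control")]  # the Windows 2000 default share ACL
USERS_SHARE = [("Users", "Allow", "Read")]               # tightened: Users group, read only

if __name__ == "__main__":
    for who, token in (("alice", ALICE), ("bob", BOB)):
        print(who, "local:", sorted(effective_access(token, REPORTS_NTFS)))
        print(who, "via default share:", sorted(effective_access(token, REPORTS_NTFS, DEFAULT_SHARE)))
        print(who, "via read-only share:", sorted(effective_access(token, REPORTS_NTFS, USERS_SHARE)))
```

With these inputs alice gets Modify-level rights locally and over the default share, but only read/list/execute over the tightened share, while bob, a member of the denied Temps group, gets nothing anywhere even though Users and Everyone grant him rights.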
Create and manage shared printers
· A user has to be a member of the Administrators or Server Operators (Power Users) group to create shared folders.
· Append a $ sign to the share name to make it an invisible share.
  o Disks are automatically shared as x$, where x is the drive letter.
  o The winnt folder is shared as admin$.
  o The System32\Spool\Drivers folder is shared as Print$.
· Use the Sharing tab on the properties sheet of the appropriate folder to enable sharing, defining a name, comment and maximum simultaneous user limit.
Configure shared printer
permissions
· Secure printers
by setting (or clearing) one or all of the following permissions:
o Print
(connect, print and control own jobs)
o Manage
Documents (Also control all other jobs)
o Manage
Printers (Adding and removing printers, sharing printers, taking
ownership and changing printer properties or permissions)
Configure and troubleshoot
Internet Information Services (IIS).
· You
can host multiple Web sites on a single server because Windows
2000 and IIS use the Web site identification to distinguish
between multiple sites.
· Each
Web site has a unique, three-part identity: a port number, an IP
address, and a host header name.
· IIS
5.0 is installed by default as a windows component of Windows 2000
Server when you install Windows 2000 Server.
· Use
the Internet Information Services snap-in in Administrative Tools
program group to configure web sites.
Configure virtual directories and
virtual servers
· A
virtual directory is a directory that is not contained in the home
directory but appears to client browsers as though it were.
· It
has an alias name that Web browsers use to access that directory.
Troubleshoot Internet browsing
from client computers
· Check
proxy settings if using a proxy server.
· Error
codes returned from the web server.
Troubleshoot intranet browsing
from client computers
· Configure
the browser to bypass the proxy for Intranet servers.
Configure authentication and SSL for Web sites
· IIS 5.0 offers four levels of authentication:
  o Anonymous
    § Grants anyone access to the public areas of your Web site without requiring a user name or password.
  o Basic Authentication
    § Requires a valid user name and password.
    § Sends passwords in clear text.
    § Use Basic Authentication if you encrypt data through SSL.
  o Integrated Windows Authentication
    § Uses Windows user accounts.
    § Is the best option for a directory on an intranet.
  o Digest Authentication
    § Is the best option when publishing information on a server over the Internet and through firewalls.
· Use SSL to encrypt data that is transmitted over the Internet to ensure the security and confidentiality of the data.
· SSL confirms the authenticity of your Web site and can also confirm the identity of users accessing restricted Web sites.
Configure FTP services
· The FTP service is not installed by default.
· When you install the FTP service, the C:\Inetpub\Ftproot folder is created.
· The Everyone group has Full Control permissions to the C:\Inetpub\Ftproot folder by default.
· Configure FTP options in the FTP service property pages in the Internet Services Manager console.
· Change permissions and enable disk quotas.
· The IIS 5.0 FTP service can use the Windows account database to authenticate user logons.
· All FTP transmissions are in clear text, exposing user names and passwords.
· To eliminate exposed passwords, configure the FTP server to permit anonymous logons only.
· In IIS 5.0, the FTP service is configured for anonymous-only access by default.
Configure access permissions for
intranet Web servers
Monitor and manage network
security. Actions include auditing and detecting security
breaches.
· Use
Security Template Snap-in to:
o Configure
user-account lockout settings.
o Configure
user-account password length, history, age, and complexity.
Configure Group Policy to run
logon scripts
· Logon/logoff
scripts run when a user logs on or off the computer.
· Windows
2000 executes the scripts from top to bottom.
· Default
timeout value for processing scripts is 10 minutes.
· Adjust
the timeout value with a software policy.
Link Group Policy objects
· GPOs
are linked with a container through which GPOs are applied to
individual users and computers.
· GPOs
cannot be tied directly to users or computers.
· A
single GPO can be linked to multiple OUs, or multiple GPOs can be
linked to a single OU.
· Only
Domain Admins and Enterprise Admins have permissions to link GPOs
to domains, OUs, or sites.
· To
link a GPO to an existing domain or OU:
1. Open
Administrative Tools in Control Panel.
2. Click
on Active Directory Users And Computers.
3. Right-click
domain or OU, and choose Properties.
4. On
the Group Policy tab, click Add.
5. Choose
the policy and then click OK.
· To
link a GPO to an existing site:
1. Open
Administrative Tools in Control Panel.
2. Click
on Active Directory Sites And Services.
3. Right-click
domain or OU, and choose Properties.
4. On
the Group Policy tab, click Add.
5. Choose
the policy and then click OK.
Enable and configure auditing
· Use auditing to track events such as logon failures and file access.
· Tracked events are logged as entries in the Security log.
· Track successful and/or failed events.
· To implement auditing, use the Local Security Policy snap-in to enable success or failure auditing of:
  o Account Logon Events: only applicable if the client joined a Windows 2000 domain.
  o Account Management
  o Directory Service Access: also configure auditing on the properties sheet of the Active Directory objects you want to audit.
  o Logon Events: initial logon and network connections.
  o Object Access: configure auditing on the properties sheet of the specific files, folders, or printers you want to audit.
  o Policy Change
  o Privilege Use: a user exercised a right, not a permission.
  o Process Tracking: used by programmers to track program execution.
  o System Events: a user shut down or rebooted the computer.
· When you want to track access to objects such as files, folders and printers, use the Local Security Policy snap-in to create an Object Access audit policy, then use Windows Explorer to access the Audit properties sheet of the objects you want to audit and select the appropriate events.
Monitor security by using the
system security log file
Configuring, Administering, and
Troubleshooting the Network Infrastructure
Troubleshoot routing.
Diagnostic utilities include the tracert command, the ping
command, and the ipconfig command.
Validate local computer configuration by using the ipconfig, arp, and route commands.
· Ipconfig is a command-line tool that displays the current configuration of the installed IP stack on a networked computer.
· It can display a detailed configuration report for all interfaces, including any configured WAN miniports.
· Ipconfig switches:
  o /all - Produces a detailed configuration report for all interfaces.
  o /flushdns - Removes all entries from the DNS name cache.
  o /registerdns - Refreshes all DHCP leases and re-registers the client's DNS names.
  o /displaydns - Displays the contents of the DNS resolver cache.
  o /release <adapter> - Releases the IP address for a specified interface.
  o /renew <adapter> - Renews the IP address for a specified interface.
  o /showclassid <adapter> - Displays all the DHCP class IDs allowed for the adapter specified.
  o /setclassid <adapter> <classID to set> - Changes the DHCP class ID for the adapter specified.
  o /? - Displays a list of ipconfig switches.
· Use the Ipconfig command-line utility to verify, release, or renew the lease of the client with a DHCP server:
  o To verify the current DHCP and TCP/IP configuration, type ipconfig /all.
  o To release a DHCP client lease, type ipconfig /release.
  o To renew a DHCP client lease, type ipconfig /renew.
· ARP obtains a destination's hardware address by consulting the ARP cache or by broadcasting an ARP request for the destination host's IP address.
· If the destination host is on a remote network, ARP obtains the hardware address of a router and the request is routed to the destination host.
Validate network connectivity by
using the tracert, ping, and pathping commands.
Configure and troubleshoot TCP/IP
on servers and client computers. Considerations include subnet
masks, default gateways, network IDs, and broadcast addresses.
Configure client computer TCP/IP
properties.
Validate client computer network
configuration by using the winipcfg, ipconfig, and arp commands.
· Use
winipcfg to validate Win9x computer network configuration
Validate client computer network
connectivity by using the ping command.
Configure, administer, and troubleshoot DHCP on servers and client computers
· DHCP centralizes and manages the allocation of TCP/IP configuration information by assigning IP addresses to client computers configured to use DHCP.
· It uses a four-step process to lease IP addressing information to DHCP clients:
  1. IP lease request - Each time a DHCP client starts, it broadcasts a DHCPDISCOVER message requesting IP addressing information from a DHCP server.
  2. IP lease offer - All DHCP servers that have a valid IP address for the client's network segment respond with a DHCPOFFER message, which includes:
    o The client's hardware address
    o An IP address
    o A subnet mask
    o The length of the lease (default is 8 days)
    o The DHCP server's IP address
  3. IP lease selection - The DHCP client responds to the first offer that it receives by broadcasting a DHCPREQUEST message to accept the offer.
  4. IP lease acknowledgement - The DHCP server issuing the accepted offer broadcasts a DHCPACK message to acknowledge the successful lease.
· If the client does not receive an offer after four IP lease requests, it uses an IP address in the reserved range from 169.254.0.1 to 169.254.255.254 and continues to attempt to find a DHCP server every five minutes.
· A DHCP client automatically attempts to renew its lease when 50 percent of the lease duration has expired by sending a DHCPREQUEST message to the DHCP server from which it obtained the lease. If the DHCP server is available, it renews the lease and sends the client a DHCPACK message with the new lease duration and any updated configuration parameters.
· If a DHCP client cannot renew its lease at the 50% interval, it broadcasts a DHCPDISCOVER message requesting IP addressing from any DHCP server when 87.5% of the current lease duration has expired.
· If a client requests an invalid or duplicate address for the network, a DHCP server can respond with a DHCP denial message (DHCPNAK). This forces the client to release its IP address and obtain a new, valid address.
· You can renew an IP lease manually to update DHCP configuration information by using the ipconfig command with the /renew switch.
Detect unauthorized DHCP servers on a network
· Configure your network so that when the DHCP service starts, it sends out a DHCP informational message (DHCPINFORM) to the local broadcast address (255.255.255.255).
· Other DHCP servers reply with DHCP acknowledgement messages (DHCPACK), which contain information about any Active Directory directory service root domain identified by each DHCP server.
· The server that is attempting to initialize the DHCP service then contacts a domain controller in each of the domains that it identifies.
· It queries Active Directory for a list of DHCP servers that are currently authorized to operate on the network.
· If the DHCP server is not authorized, the DHCP service logs an error in the system log and ignores all client requests.
Configure authorization of DHCP servers
· To prevent unauthorized DHCP servers from offering invalid IP addresses to clients, you must authorize the DHCP server.
  1. Open DHCP from the Administrative Tools menu.
  2. Right-click DHCP, and then click Manage authorized servers.
  3. Click Authorize.
  4. Type the name or IP address of the DHCP server to authorize.
  5. Click OK, and then Yes to confirm the authorization.
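The four-step lease, the 50% and 87.5% renewal timers, the APIPA fallback, DHCPNAK, and the behaviour of a server that fails the Active Directory authorization check, all described in the three sections above, can be exercised together in one simulation. This is an added example written for these notes, not Microsoft's DHCP implementation: the DhcpServer and DhcpClient classes, the addresses and MAC addresses, and the list of servers that stands in for the broadcast domain are all constructed assumptions.

```python
"""Added example (not part of the original notes): a model of the four-step DHCP
lease, the 50% and 87.5% renewal timers, the APIPA fallback, DHCPNAK, and a server
that is not authorized in Active Directory ignoring requests. Addresses, MACs and
the server list standing in for the broadcast domain are constructed data."""
import random
from dataclasses import dataclass, field

LEASE_DEFAULT = 8 * 24 * 3600  # default lease of 8 days, in seconds


@dataclass
class Message:
    kind: str             # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK / DHCPNAK
    client_mac: str       # the client's hardware address
    yiaddr: str = ""      # address offered or acknowledged
    subnet_mask: str = ""
    lease: int = 0        # lease length in seconds
    server_ip: str = ""   # identifies which server's offer is meant


@dataclass
class DhcpServer:
    ip: str
    pool: list                       # free addresses valid for this segment
    authorized: bool = True          # outcome of the Active Directory authorization check
    leases: dict = field(default_factory=dict)   # client MAC -> leased address
    log: list = field(default_factory=list)      # stands in for the system event log

    def handle(self, msg):
        if not self.authorized:
            self.log.append("DHCP server not authorized in Active Directory; ignoring request")
            return None
        if msg.kind == "DHCPDISCOVER":
            ip = self.leases.get(msg.client_mac) or (self.pool[0] if self.pool else None)
            if ip is None:
                return None   # nothing valid for this segment: stay silent
            return Message("DHCPOFFER", msg.client_mac, ip, "255.255.255.0", LEASE_DEFAULT, self.ip)
        if msg.kind == "DHCPREQUEST" and msg.server_ip == self.ip:
            if msg.yiaddr in self.pool or self.leases.get(msg.client_mac) == msg.yiaddr:
                if msg.yiaddr in self.pool:
                    self.pool.remove(msg.yiaddr)
                self.leases[msg.client_mac] = msg.yiaddr
                return Message("DHCPACK", msg.client_mac, msg.yiaddr, "255.255.255.0", LEASE_DEFAULT, self.ip)
            return Message("DHCPNAK", msg.client_mac, server_ip=self.ip)  # invalid or duplicate address
        return None   # a request meant for another server


@dataclass
class DhcpClient:
    mac: str
    servers: list         # every server that hears this client's broadcasts
    ip: str = ""
    server_ip: str = ""
    lease: int = 0
    lease_start: int = 0
    events: list = field(default_factory=list)

    def _install(self, ack, now):
        self.ip, self.server_ip, self.lease, self.lease_start = ack.yiaddr, ack.server_ip, ack.lease, now

    def discover(self, now):
        """Steps 1-4 (DISCOVER, OFFER, REQUEST, ACK); APIPA after four unanswered rounds."""
        for _attempt in range(4):
            offers = [o for o in (s.handle(Message("DHCPDISCOVER", self.mac)) for s in self.servers) if o]
            if not offers:
                continue
            chosen = offers[0]   # the client takes the first offer it receives
            request = Message("DHCPREQUEST", self.mac, chosen.yiaddr, server_ip=chosen.server_ip)
            for server in self.servers:   # REQUEST is broadcast, so the other servers see the choice
                reply = server.handle(request)
                if reply and reply.kind == "DHCPACK":
                    self._install(reply, now)
                    return "DHCPACK"
        # no offer after four requests: self-assign from 169.254.0.1-169.254.255.254 and keep trying
        self.ip = f"169.254.{random.randint(0, 255)}.{random.randint(1, 254)}"
        self.server_ip, self.lease = "", 0
        self.events.append("no offer after four requests; using APIPA, retrying every five minutes")
        return "APIPA"

    def tick(self, now):
        """Renewal: unicast REQUEST to the lease's server at 50%, broadcast DISCOVER at 87.5%."""
        if not self.lease:
            return None
        elapsed = now - self.lease_start
        if elapsed >= self.lease * 0.875:
            self.events.append("87.5%: broadcasting DHCPDISCOVER to any DHCP server")
            return self.discover(now)
        if elapsed >= self.lease * 0.5:
            origin = next((s for s in self.servers if s.ip == self.server_ip), None)
            reply = origin.handle(Message("DHCPREQUEST", self.mac, self.ip, server_ip=self.server_ip)) if origin else None
            if reply and reply.kind == "DHCPACK":
                self._install(reply, now)
                self.events.append("50%: lease renewed with the original server")
                return "DHCPACK"
            if reply and reply.kind == "DHCPNAK":
                self.events.append("DHCPNAK: address no longer valid, releasing it and starting over")
                self.ip, self.server_ip, self.lease = "", "", 0
                return self.discover(now)
            self.events.append("50%: original server did not answer; will broadcast at 87.5%")
        return None
```

Three cases are worth stepping through: a client that hears one authorized and one unauthorized server leases from the authorized one while the rogue only writes "not authorized" entries to its log; a client that hears only the rogue ends up on a 169.254.x.x address with no lease; and a client whose 50% renewal request carries an address the server no longer holds for it receives DHCPNAK, drops the address and goes back through DISCOVER.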
Configure client computers to use
dynamic IP addressing
Configure DHCP server properties
· DHCP
Scopes or pool of IP addresses define a logical Subnetwork for
which DHCP services are to be offered.
· Allow
the server to identify configuration parameters that are given to
all DHCP clients on the Subnetwork.
· A
scope must be defined before DHCP clients can use the DHCP server
for dynamic TCP/IP configuration.
· Once
a DHCP scope is defined and exclusion ranges are applied.
· Reservations
allow permanent address lease assignment by the DHCP server.
· Superscopes
are a number of distinct scopes, which are grouped together into a
single administrative entity.
Create and configure a DHCP scope
· Configure
a scope or range of valid IP addresses for a DHCP to lease to DHCP
clients on a particular subnet.
· Configure
Global scope and client scope options for a particular DHCP
client.
· Use
the New Scope Wizard from the Administrative Tools menu to:
o Configure
scope parameters
o Change
the default lease duration
o Activate
a scope
· Scope
Options Supported by DHCP Include:
o IP
Address of a Router
o IP
Address of a DNS Server
o DNS
Domain Name
o IP
Address of a WINS Server
o Type
of NetBIOS over TCP/IP Name Resolution
· You can configure scope options at four levels:
  1. Server level options apply to all DHCP clients that lease an IP address from a particular DHCP server.
  2. Scope level options apply only to clients that lease an address from a scope.
  3. Class level options apply only to clients that belong to a particular class, such as mobile computers.
  4. Reserved client level options apply to specific clients to reserve a specific IP address for use by a DHCP client so that it always has the same address.
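How the four option levels override each other, as an added example that is not from the original notes: the option store, the option names, the sample scopes, the "mobile" class and the reserved client's MAC address are constructed assumptions. The class ID a client presents is the value set with ipconfig /setclassid.

```python
"""Added example (not from the original notes): the four DHCP option levels
layered so that the most specific level wins. Option names, scope IDs, the
'mobile' class and the MAC address are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class DhcpOptionStore:
    server: dict = field(default_factory=dict)    # level 1: every client of this server
    scopes: dict = field(default_factory=dict)    # level 2: scope ID -> options
    classes: dict = field(default_factory=dict)   # level 3: class ID -> options
    reserved: dict = field(default_factory=dict)  # level 4: client MAC -> options

    def effective_options(self, scope_id, class_id=None, mac=None):
        """Merge general to specific: server < scope < class < reserved client."""
        if scope_id not in self.scopes:
            # a scope must be defined before any client on that subnet can be served
            raise KeyError(f"no scope defined for {scope_id}")
        merged = dict(self.server)
        merged.update(self.scopes[scope_id])
        if class_id:
            merged.update(self.classes.get(class_id, {}))   # only clients in that class
        if mac:
            merged.update(self.reserved.get(mac, {}))       # only that reserved client
        return merged


def sample_store():
    """Constructed configuration for one server serving two subnets."""
    return DhcpOptionStore(
        server={"dns_servers": ["10.0.0.53"], "domain_name": "example.test",
                "lease_seconds": 8 * 24 * 3600},
        scopes={"10.0.1.0": {"router": "10.0.1.1"},
                "10.0.2.0": {"router": "10.0.2.1", "wins_servers": ["10.0.2.44"]}},
        classes={"mobile": {"lease_seconds": 4 * 3600}},   # short leases for laptops
        reserved={"00-11-22-33-44-55": {"dns_servers": ["10.0.1.53"]}},  # per-client override
    )


if __name__ == "__main__":
    store = sample_store()
    print("desktop:", store.effective_options("10.0.1.0"))
    print("laptop: ", store.effective_options("10.0.1.0", class_id="mobile"))
    print("reserved:", store.effective_options("10.0.1.0", "mobile", "00-11-22-33-44-55"))
```

A desktop on 10.0.1.0 inherits the server-wide DNS, domain and eight-day lease plus the scope's router; a laptop in the "mobile" class keeps all of that but gets the four-hour lease; the reserved client additionally has its DNS server replaced, and asking for an undefined scope fails rather than silently handing out server-level options.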
· A superscope is a group of two or more scopes that are combined and managed as a single unit.
· Superscopes are useful when:
  o You need to add more hosts on a subnet.
  o You replace existing address ranges with new address ranges.
  o The IP addresses that your organization owns are not in a contiguous range.
· Configuring a superscope eliminates the need to delete and recreate the existing scopes.
· To create a superscope:
  1. Open DHCP from the Administrative Tools menu.
  2. Right-click the name of the DHCP server, and then click New Superscope.
  3. Type the superscope name, and specify the existing scopes to include.
· A multicast scope is used to issue a multicast address for deploying information from a single point to multiple selected computers on a network at one time.
· You can configure several computers with the same multicast address in addition to each computer's individual IP address. All computers configured with the same multicast address receive IP packets that are sent to that address.
Configure, administer, and
troubleshoot DNS
Configure DNS server properties
· Configure
a root name server if:
o Your
intranet is not connected to the Internet.
o Your
organization is connected to the Internet through a proxy server.
· Use
the New Zone wizard to create a root zone that is represented by a
period (.).
Manage DNS database records such as CNAME, A, and PTR
· Resource records contain data that is used to configure a DNS server or to provide the information that DNS servers use when resolving queries from hosts and other servers.
· Types of resource record:
  o A (address): contains name-to-IP address mapping information.
  o NS (name server): defines the servers that are authoritative for a certain zone or contain the zone file for that domain.
  o CNAME (canonical name): allows you to provide additional names to a server that already has a name in an A record.
  o MX (mail exchanger): specifies the server to which e-mail applications can deliver mail.
  o SOA (start of authority): indicates the original point of authority for information stored in a zone.
  o PTR (pointer): used in a reverse lookup zone.
  o SRV (service): registered by services so that clients can use DNS to locate a service.
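A parser for a small zone in the standard text format (the form a standard primary or secondary zone file takes), with a lookup that follows CNAME chains the way a resolver does, as an added example rather than anything from the original notes or from the Windows 2000 DNS service. The forward and reverse zone contents, names and addresses are constructed; the parser handles the multi-line parenthesised SOA, ';' comments, relative names qualified against $ORIGIN, and the A, NS, CNAME, MX, SOA, PTR and SRV types listed above.

```python
"""Added example (not from the original notes): parse a zone file in the
standard text format and answer queries from it. Zone contents are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Record:
    name: str     # fully qualified owner name
    rtype: str    # A, NS, CNAME, MX, SOA, PTR, SRV
    rdata: list   # rdata fields as strings, with domain names fully qualified


# rdata positions that hold domain names and must be qualified against $ORIGIN
NAME_FIELDS = {"CNAME": (0,), "NS": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,), "SOA": (0, 1)}

SAMPLE_ZONE = """\
$ORIGIN example.test.
@        IN SOA  ns1.example.test. hostmaster.example.test. (
                 2000010101 ; serial, bumped on every change so secondaries pull IXFR
                 3600       ; refresh
                 600        ; retry
                 86400      ; expire
                 3600 )     ; minimum TTL
@        IN NS   ns1.example.test.
ns1      IN A    10.0.0.53
web1     IN A    10.0.0.80
www      IN CNAME web1
@        IN MX   10 mail.example.test.
mail     IN A    10.0.0.25
_ldap._tcp IN SRV 0 100 389 dc1.example.test.
dc1      IN A    10.0.0.10
"""

REVERSE_ZONE = """\
$ORIGIN 0.0.10.in-addr.arpa.
@   IN SOA ns1.example.test. hostmaster.example.test. 2000010101 3600 600 86400 3600
@   IN NS  ns1.example.test.
80  IN PTR web1.example.test.
25  IN PTR mail.example.test.
"""


def qualify(name, origin):
    """'@' means the origin; names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    origin, owner, records = ".", None, []
    # drop ';' comments, then fold records that continue inside parentheses
    folded, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue
        folded.append(buf)
        buf = ""
    for line in folded:
        if not line.strip():
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if not line[0].isspace():   # a blank owner field repeats the previous owner
            owner = tokens.pop(0)
        if tokens[0].isdigit():     # optional TTL
            tokens.pop(0)
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        records.append(Record(qualify(owner, origin), rtype, rdata))
    return records


def lookup(records, name, rtype, _depth=0):
    """Answer a query from the parsed records, following CNAME chains as a resolver does."""
    fqdn = name if name.endswith(".") else f"{name}."
    answers = [r.rdata for r in records if r.name == fqdn and r.rtype == rtype]
    if answers or _depth >= 8:   # depth cap guards against a CNAME loop
        return answers
    for r in records:
        if r.name == fqdn and r.rtype == "CNAME":
            return lookup(records, r.rdata[0], rtype, _depth + 1)
    return []


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE) + parse_zone(REVERSE_ZONE)
    for q in (("www.example.test", "A"), ("example.test", "MX"), ("80.0.0.10.in-addr.arpa", "PTR")):
        print(q, "->", lookup(recs, *q))
```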
Create and configure DNS zones
· The DNS namespace can be divided into zones, which store name information about one or more DNS domains or portions of a DNS domain. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain.
· A single DNS server can host multiple zones.
· Multiple servers can host one or more zones to provide fault tolerance and distribute the name resolution and administrative workloads.
· The zone lookup type determines the tasks that a DNS server will perform.
  o Forward lookup maps a name to an IP address.
  o Reverse lookup maps an IP address to a name.
· Three types of zones:
  o Standard primary zone: contains a read/write version of the zone file. Any changes to the zone are recorded in that file. Create a standard primary zone for each new zone.
  o Standard secondary zone: contains a read-only version of the zone file that is stored in a standard text file. Any changes to the zone are recorded in the primary zone file and replicated to the secondary zone file. When adding a standard secondary zone, designate a master DNS server from which to obtain the zone information.
  o Active Directory integrated zone: stores the zone information in Active Directory. Updates to the zone occur automatically during Active Directory replication.
· Zone transfer is the process of replicating a zone file to another DNS server.
· Occurs when names and IP address mappings change within your domain.
· Windows 2000 uses incremental zone transfer (IXFR), which only replicates changes to the zone file.
· The SOA resource record specifies the domains for which the zone is authoritative, and how zone transfers occur.
· Three options for specifying servers that are authorized to receive zone transfers:
  o To any server
  o Only to servers listed on the Name Servers tab
  o Only to the following servers
Troubleshoot name resolution on
client computers. Considerations include WINS, DNS, NetBIOS, the
Hosts file, and the Lmhosts file.
Configure client computer name resolution properties
· Configure WINS clients by configuring the TCP/IP properties on each client or by configuring DHCP scope options.
· Use the Internet Protocol (TCP/IP) Properties dialog box in Network Settings.
· To configure a client to use a DNS server for name resolution, open the Internet Protocol (TCP/IP) Properties dialog box:
  o If you want DNS server addresses to be provided by a DHCP server, click Obtain DNS server address automatically.
  o If you want to manually configure an IP address for a DNS server, click Use the following DNS server addresses.
Troubleshoot name resolution
problems by using the nbtstat, ipconfig, nslookup, and netdiag
commands.
Create and configure a Hosts file for troubleshooting name resolution problems
· A Hosts file is a text file that contains static mappings of host names to IP addresses.
· You must update the Hosts file manually, because the mappings in the Hosts file are not dynamic.
· Use a text editor to edit the Hosts file, which is located in the \systemroot\system32\drivers\etc folder.
Create and configure an Lmhosts file for troubleshooting name resolution problems
· An Lmhosts file is a local text file that contains NetBIOS name-to-IP address mapping information.
· The Lmhosts file is similar in functionality to the Hosts file in DNS, except that the Hosts file is used for mapping IP addresses to host names in the DNS namespace, rather than NetBIOS names.
· Avoid using an Lmhosts file for regular name resolution because you must manually maintain a separate Lmhosts file on each computer.
· Create an Lmhosts file and save it in the systemroot\System32\Drivers\Etc folder.
· Use the sample Lmhosts file (Lmhosts.sam) as a template.
· You can use a text editor to create an Lmhosts file. Save the file with the file name Lmhosts, and without a file extension.
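Parsers for the two file formats discussed in the last two sections, as an added example not taken from the original notes: the file contents, names and addresses are constructed, and the parsers follow the rules of each format (Hosts: address, host name, optional aliases, '#' starts a comment; Lmhosts: address, NetBIOS name, then the #PRE and #DOM: keywords, which are not comments even though they begin with '#'). Invalid lines are reported rather than silently mapped, which is what you want when the file is being edited by hand for troubleshooting.

```python
"""Added example (not from the original notes): parsers for the Hosts and Lmhosts
formats. Contents below are constructed samples; the real files live in
%SystemRoot%\\System32\\Drivers\\Etc."""
import ipaddress
from dataclasses import dataclass

SAMPLE_HOSTS = """\
# Hosts file: IP address, host name, optional aliases; '#' starts a comment
127.0.0.1       localhost
10.0.0.80       web1.example.test   www     # intranet web server
10.0.0.25       mail.example.test
300.1.1.1       broken.example.test         # invalid address, must be rejected
"""

SAMPLE_LMHOSTS = """\
# Lmhosts: IP address, NetBIOS name, then keywords. #PRE preloads the entry
# into the name cache; #DOM:<domain> marks a domain controller for <domain>.
10.0.0.10   DC1        #PRE  #DOM:CORP
10.0.0.80   WEB1       #PRE
10.0.0.99   OLDSERVER              # plain entry, consulted only after the cache and WINS
"""


def parse_hosts(text):
    """Return (mappings, errors): name -> IP for every name and alias, case-folded."""
    mappings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # everything after '#' is a comment
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            errors.append(f"line {lineno}: invalid IP address {fields[0]!r}")
            continue
        for name in fields[1:]:
            mappings.setdefault(name.lower(), ip)   # first mapping for a name wins
    return mappings, errors


@dataclass
class LmhostsEntry:
    name: str             # NetBIOS name (at most 15 characters), upper-cased
    ip: str
    preload: bool = False  # #PRE
    domain: str = ""       # #DOM:<domain>


def parse_lmhosts(text):
    """Return (entries, errors). '#PRE' and '#DOM:' are keywords, not comments."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        ip, name = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if not name or len(name) > 15:
            errors.append(f"line {lineno}: missing or overlong NetBIOS name")
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {lineno}: invalid IP address {ip!r}")
            continue
        entry = LmhostsEntry(name.upper(), ip)
        for tok in tokens[2:]:
            upper = tok.upper()
            if upper == "#PRE":
                entry.preload = True
            elif upper.startswith("#DOM:"):
                entry.domain = tok[5:].upper()
            elif tok.startswith("#"):
                break   # any other '#' starts a comment
        entries.append(entry)
    return entries, errors


def resolve_netbios(entries, name):
    """Look a NetBIOS name up the way an Lmhosts lookup does: case-insensitive."""
    for entry in entries:
        if entry.name == name.upper():
            return entry.ip
    return None


if __name__ == "__main__":
    print(parse_hosts(SAMPLE_HOSTS))
    entries, errors = parse_lmhosts(SAMPLE_LMHOSTS)
    print([e for e in entries if e.preload], errors)
```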
Managing, Securing, and Troubleshooting
Servers and Client Computers
Install and configure server
and client computer hardware.
Verify hardware compatibility by
using the qualifier tools
· Verify
that hardware is on the Hardware Compatibility List
Configure driver signing options
· Three
driver signing options:
o Ignore
- Install all files, regardless of file signature
o Warn
- Display a message before installing an unsigned file
o Block
- Prevent installation of unsigned files
Verify digital signatures on
existing driver files
· Use
the System File Checker (sfc.exe) utility to scan all protected
files and check the Digital Signatures, also can be used to
schedule scanning of protected files on boot.
· Use
the File Signature Verification utility (sigverif.exe) to verify
signatures of files.
Configure operating system support
for legacy hardware devices
Troubleshoot starting servers and
client computers. Tools and methodologies include Safe Mode,
Recovery Console, and parallel installations.
· Advanced
Startup Options (press F8 when the boot menu appears)
o Enable
Boot Logging – Logs all of the drivers and services that are loaded at startup to %SystemRoot%\Ntbtlog.txt (Windows 95 and Windows 98 write \Bootlog.txt instead)
o Safe
Mode – Uses only the basic drivers and files needed to start the computer
o Step-by-step
confirmation (Windows 95 or Windows 98) – Allows you to select each driver that loads as the system starts
o Command
prompt only (Windows 95 or Windows 98) – Starts the operating system with startup files and registry, displaying only the command prompt
o Enable
VGA Mode – Same as a normal startup, but Windows uses the basic VGA driver rather than any other video driver
o Last
Known Good Configuration (Windows NT-based) – Starts the computer with the registry control set that was saved the last time a user logged on successfully, undoing driver and service configuration changes made since then
o Debugging
Mode (Windows NT-based) – Sends debugging information through a serial cable to another computer
o Safe
Mode with Command Prompt – Same as Safe Mode, but the command prompt is displayed instead of the Windows desktop, Start menu, and Taskbar
o Safe
Mode with Networking – Same as Safe Mode, but also provides network connectivity
Repair an operating system by
using various startup options
Repair an operating system by
using the Recovery Console
· Use
the Recovery Console to start the computer if Safe mode and other
startup options do not work.
· Use
the Recovery Console to:
o Start
and stop services.
o Reconfigure
services that are preventing the computer from starting properly.
o Format
drives on a hard disk.
o Read
and write data on a local drive formatted with the FAT (file
allocation table), FAT32, or NTFS file systems.
o Repair
the system by copying a file from a floppy disk or a compact disc.
Recover data from a hard disk in
the event that the operating system will not start.
Restore an operating system and
data from a backup.
Monitor and troubleshoot server
health and performance. Tools include System Monitor, Event
Viewer, and Task Manager.
Monitor and interpret real-time
performance by using System Monitor and Task Manager.
· System
Monitor is an MMC snap-in (part of the Performance console) that charts performance counter data from the local or a remote Windows 2000 system in real time.
· Use
data from System Monitor to:
o Target
processes and components that need to be optimized
o Monitor
the results of tuning and configuration efforts
o Observe
trends in workloads and their effect on resource usage
o Plan
for upgrades.
· System
Monitor uses three types of items to monitor:
o Object
§ A
collection of counters associated with a resource or service that
generates data.
§ Frequently
used objects are:
▫ Browser
– Monitors the Browser service.
▫ Cache
– Monitors disk cache usage.
▫ Memory
– Monitors memory performance.
▫ Objects
– Monitors the number of events, mutexes, processes,
sections, semaphores, and threads on the computer at the time of
data collection.
▫ Paging
File – Monitors pagefile usage.
▫ Physical
Disk – Monitors hard disks with one or more partitions.
▫ Process
– Monitors all processes running on a machine.
▫ Processor
– Monitors each processor on the system.
▫ Server
– Monitors bytes, sessions, certain system errors, pool
nonpaged usage, and pool paged usage.
▫ System
– Monitors the counters that affect all of the hardware and
software running on the system.
▫ Thread
– Monitors all threads running in the system.
o Counter
§ A
component within an object that represents data for a specific
aspect of the system or service.
o Instance
§ One
of several occurrences of the same object type, for example each processor under the Processor object or each running process under the Process object.
§ Track
the statistics for each instance by adding a counter for each.
§ You
can also add a counter to track all instances at once.
Configure and manage System
Monitor alerts and logging
· Performance
Logs and Alerts expands the monitoring capabilities of System
Monitor to include features for logging counter and trace data and
for generating performance alerts.
· Logged
counter data information can be exported to spreadsheets or
databases for analysis and report generation.
· The
data can be stored in these formats:
o Comma-separated
text format (.csv)
o Tab-separated
text format (.tsv)
o Binary
log-file format (.blg), either sequential or circular; a circular file wraps around and overwrites the oldest samples when it reaches its size limit.
· To
create a counter log or a trace log:
1. Open
the Performance console (Administrative Tools), and double-click Performance Logs And Alerts.
2. Choose
Counter Logs to create a counter log, or choose Trace Logs to
create a trace log.
3. Right-click
in a blank area of the details pane and choose New Log Settings.
4. In
the Name text box, enter the name of the counter or trace log you
are creating and click OK.
5. Configure
the counter or trace log to monitor your local or remote machine
by choosing the proper counters for the resources to be monitored,
selecting log file properties, and choosing the desired scheduling
options.
· The
sample data interval for counter logs is set on the General tab of
the Properties window for the log.
· To
create an alert:
1. Open
the Performance console (Administrative Tools), and double-click Performance Logs And Alerts.
2. Click
Alerts.
3. Right-click
in a blank area of the details pane, and choose New Alert
Settings.
4. In
the Name text box, enter the name of the alert you are creating,
and click the OK button.
· Set
thresholds to trigger an alert when the value of the counter rises above (Over) or falls below (Under) a limit derived from your baseline.
· Specify
actions that should occur when a threshold is exceeded. Options
are:
o Log
An Entry In The Application Event Log – Causes the alert to
log an entry that is visible to you in Event Viewer.
o Send
A Network Message To – Triggers the Messenger service to
send an alert message to a specified computer.
o Start
Performance Data Log – Runs an existing counter log.
o Run
This Program – Specifies a command file and command-line
arguments to run when an alert occurs.
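The logging and alerting features above work on the same counter data. The following added example (not part of the original notes) parses a counter log saved in the comma-separated (PDH-CSV) format and applies Over/Under thresholds to it offline, the way the Alerts feature does on live samples. The server name SRV01, the counter values and the threshold limits are constructed for illustration.

```python
import csv
import io
from typing import Dict, List, Optional, Tuple

# Constructed sample in the comma-separated layout written by Performance Logs
# and Alerts: the first header cell identifies the format and time zone, every
# other header cell is a full counter path. SRV01 and all values are made up.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\SRV01\Processor(_Total)\% Processor Time","\\SRV01\Memory\Available MBytes","\\SRV01\PhysicalDisk(_Total)\Avg. Disk Queue Length"
"02/14/2002 09:00:00.000","12.504321","310","0.500000"
"02/14/2002 09:05:00.000","97.810000","41","3.250000"
"02/14/2002 09:10:00.000"," ","38","2.750000"
'''

# Thresholds in the shape of the Alerts dialog: counter, "over"/"under", limit.
# Paths omit the \\MACHINE prefix so one rule set covers any monitored host.
Threshold = Tuple[str, str, float]
THRESHOLDS: List[Threshold] = [
    (r"\Processor(_Total)\% Processor Time", "over", 90.0),
    (r"\Memory\Available MBytes", "under", 64.0),
    (r"\PhysicalDisk(_Total)\Avg. Disk Queue Length", "over", 2.0),
]

Sample = Dict[str, Optional[float]]


def parse_pdh_csv(text: str) -> Tuple[List[str], List[Tuple[str, Sample]]]:
    """Return (counter paths, [(timestamp, {path: value})]) from a PDH-CSV counter log."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header, data = rows[0], rows[1:]
    if not header[0].startswith("(PDH-CSV"):
        raise ValueError("not a PDH-CSV counter log")
    counters = []
    for path in header[1:]:
        # "\\SRV01\Object(instance)\Counter" -> "\Object(instance)\Counter"
        _machine, rest = path[2:].split("\\", 1)
        counters.append("\\" + rest)
    samples = []
    for row in data:
        values: Sample = {}
        for name, raw in zip(counters, row[1:]):
            raw = raw.strip()
            values[name] = float(raw) if raw else None  # PDH writes " " for a missing sample
        samples.append((row[0], values))
    return counters, samples


def evaluate_alerts(samples: List[Tuple[str, Sample]],
                    thresholds: List[Threshold]) -> List[Tuple[str, str, float, float]]:
    """Apply every threshold to every sample; missing samples never fire."""
    alerts = []
    for timestamp, values in samples:
        for path, direction, limit in thresholds:
            value = values.get(path)
            if value is None:
                continue
            if (direction == "over" and value > limit) or (direction == "under" and value < limit):
                alerts.append((timestamp, path, value, limit))
    return alerts


def run() -> List[Tuple[str, str, float, float]]:
    _counters, samples = parse_pdh_csv(SAMPLE_LOG)
    return evaluate_alerts(samples, THRESHOLDS)


if __name__ == "__main__":
    for ts, path, value, limit in run():
        print(f"{ts}  {path} = {value} (limit {limit})")
```

The same parser works on logs exported from any server because the machine prefix is stripped from the counter paths; when you compare hosts, keep the prefix instead and include it in the rule.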
Diagnose server health problems by
using Event Viewer
· Event
Viewer is a utility designed to track events recorded in the
application, security, and system logs.
· It
enables you to gather information about software, hardware, and
system problems and track Windows 2000 security events.
· Windows
2000 records events in three kinds of logs:
o Application
log
§ Contains
events logged by programs or applications.
§ All
users can view this log.
o Security
log
§ Records
security events such as invalid and valid logon attempts and
events related to resource use, such as creating, opening, or
deleting files.
§ Nothing
is recorded in the security log until an audit policy is enabled; no auditing is turned on by default.
§ The
administrator turns on auditing by enabling the Audit Policy categories (and, for object access, adding auditing entries to the files, folders, printers or registry keys concerned) in Local Security Policy or through Group Policy.
§ Only
administrators can view this log.
o System
log
§ Contains
events logged by the Windows 2000 system components.
§ The
event types logged here are predetermined by Windows 2000.
§ All
users can view this log.
· You
can archive an event log by right-clicking the log name in Event
Viewer and choosing Save Log File As.
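Once a security log has been saved from Event Viewer, the audited logon events can be scanned for patterns rather than read one by one. The following added example (not part of the original notes) parses a constructed CSV export and flags a burst of failed logons from one workstation followed by a success from the same workstation, the signature of a password-guessing attack. The event IDs are the Windows 2000 ones (528 successful logon, 529 unknown user name or bad password); the column layout, account names and host names are assumed for illustration.

```python
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of a security log saved as CSV. Column order is assumed;
# failed logons (529) are recorded under NT AUTHORITY\SYSTEM, so the account
# and workstation have to be pulled out of the Description field.
SAMPLE_EXPORT = r"""Date,Time,Type,User,Computer,Source,Category,Event,Description
2/14/2002,8:59:10 AM,Success Audit,CORP\jdoe,SRV01,Security,Logon/Logoff,528,Successful Logon: User Name: jdoe Domain: CORP Logon Type: 3 Workstation Name: WKS07
2/14/2002,9:00:01 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:00:09 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:00:17 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:00:25 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:00:33 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:00:41 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:01:30 AM,Success Audit,CORP\administrator,SRV01,Security,Logon/Logoff,528,Successful Logon: User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS-ATTACK
2/14/2002,9:05:00 AM,Failure Audit,NT AUTHORITY\SYSTEM,SRV01,Security,Logon/Logoff,529,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CORP Logon Type: 2 Workstation Name: WKS07
"""

# The labelled fields Windows 2000 writes into a logon event description.
FIELD_RE = re.compile(r"(User Name|Domain|Logon Type|Workstation Name):\s*(\S+)")


def parse_export(text: str) -> List[Dict[str, object]]:
    """Turn the CSV rows into events with a real timestamp and the description fields split out."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        event: Dict[str, object] = {"time": when, "id": int(row["Event"]), "computer": row["Computer"]}
        event.update(FIELD_RE.findall(row["Description"]))
        events.append(event)
    return events


def detect_password_guessing(events: List[Dict[str, object]], threshold: int = 5,
                             window: timedelta = timedelta(minutes=2)) -> List[Tuple]:
    """Flag `threshold` or more 529s from one workstation inside `window`, and any 528 from it afterwards."""
    findings: List[Tuple] = []
    recent: Dict[str, deque] = defaultdict(deque)   # workstation -> timestamps of recent failures
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["time"]):
        source = str(e.get("Workstation Name", "?"))
        if e["id"] == 529:
            q = recent[source]
            q.append(e["time"])
            while e["time"] - q[0] > window:          # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and source not in flagged:
                flagged.add(source)
                findings.append(("burst", source, e["User Name"], e["time"]))
        elif e["id"] == 528 and source in flagged:
            findings.append(("success-after-burst", source, e["User Name"], e["time"]))
    return findings


def run() -> List[Tuple]:
    return detect_password_guessing(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for kind, source, account, when in run():
        print(f"{when:%H:%M:%S}  {kind:<20} {source} -> {account}")
```

The single failed logon from WKS07 is a user mistyping a password and is not reported; only the workstation that crossed the threshold is flagged, and its later success is what makes the finding urgent. Without an Audit Policy that records both successful and failed logon events, neither half of this pattern exists in the log.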
Identify and disable unnecessary
operating system services
Install and manage Windows 2000
updates. Updates include service packs, hot fixes, and security
hot fixes.
Update an installation source by
using slipstreaming
· Slipstreaming
is the integration of a service pack into the Windows 2000 installation files.
· This
lets you keep a single, up-to-date distribution folder (installation image) of the operating system.
· When
Windows 2000 is installed from this image, the updated files from the service pack are installed at the same time, so the service pack does not have to be applied afterwards.
· To
slipstream a service pack, run the service pack's Update.exe with the -s switch followed by the path to your distribution folder (update.exe -s:<path to the distribution folder>).
Apply and reapply service packs
and hot fixes.
· A
hotfix applies to a specific component of the software and repairs
a single known issue.
· A
list of hotfixes can be found at the Microsoft web site.
· Periodically,
hotfixes are consolidated into a single major software update
called a Service Pack.
Verify service pack and hot fix
installation
Configuring, Managing, Securing, and
Troubleshooting Active Directory Organizational Units and Group
Policy
Create, manage, and
troubleshoot User and Group objects in Active Directory
Create and configure user and
computer accounts for new and existing users
· Two
types of accounts:
o Local
§ Use
the Local Users and Groups node of the Computer Management snap-in to create local user and group accounts; these exist only in that computer's local SAM database and cannot be created on a domain controller.
o Domain
§ Use
Active Directory Users and Computers to create user and computer
accounts.
Troubleshoot groups.
Considerations include nesting, scope, and type
Configure a user account by using
Active Directory Users and Computers. Settings include passwords
and assigning groups
Use templates to create user
accounts
· A
user account template is a standard user account that you can
create to contain the properties that apply to users with common
needs.
Reset an existing computer account
· To
reset a computer account:
1. Open
Active Directory Users and Computers.
2. Locate
the computer’s account.
3. Right-click
the affected computer’s account, and then click Reset Account.
Manage object and container
permissions.
Use the Delegation of Control
wizard to configure inherited and explicit permissions
Configure and troubleshoot object
permissions by using object access control lists (ACLs).
Diagnose Active Directory
replication problems.
Diagnose problems related to WAN
link connectivity.
Diagnose problems involving
replication latency. Problems include duplicate objects and the
LostAndFound container.
· Replication
latency is the time that is required for a change made on one
domain controller to be received by another domain controller.
· Because
of latency, two administrators can create an object with the same name on different domain controllers; on replication one copy is renamed with a CNF: suffix. An object created in a container that another domain controller deleted at the same time is placed in the LostAndFound container when the two changes meet.
Deploy software by using Group
Policy. Types of software include user applications, antivirus
software, line-of-business applications, and software updates
Use Windows Installer to deploy
Windows Installer packages
· Group
Policy integrates software installation in a feature known as
Software Installation and Maintenance.
· Automate
the installing, upgrading, managing, and removing software from
systems on the network.
· Windows
Installer packages have a .msi file extension.
· Non-msi
programs are described by .zap text files that point at the program's own setup program. .zap applications can only be published, not assigned; because they run the native setup with the user's own privileges, they cannot be installed with elevated rights, do not self-repair and cannot be rolled back.
· Software
packages and their source files are placed on a Windows 2000 Server in a software distribution point (a shared folder that the target users can read).
· The
package is added to the GPO under Software Settings, Software Installation, in either User Configuration or Computer Configuration.
· When
an upgrade is deployed, Group Policy can either uninstall the existing application first and then install the upgrade, or install the upgrade over the existing application.
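An added example of a .zap file for a program that has no Windows Installer package, not part of the original notes; the program name, the share path and the version are constructed:

```ini
; Added example .zap file (not from the original notes); name, share and version are made up.
; Placed in the software distribution point next to the program's own setup files.
[Application]
; FriendlyName and SetupCommand are the two required entries
FriendlyName = "Contoso Ledger 4.2"
; Quote the path if it contains spaces; setup arguments follow outside the quotes
SetupCommand = "\\FILESRV01\apps\ledger\setup.exe" /quiet
DisplayVersion = 4.2
Publisher = Contoso
URL = http://intranet.contoso.example/ledger

[Ext]
; File extensions that install the program by document invocation
LDG=
```

Because the SetupCommand runs as the logged-on user, a .zap deployment only works for users who are already permitted to install software on their computers; packaging the program as an .msi is what makes assignment and elevated installation possible.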
Deploy updates to installed
software including antivirus updates
· When
deploying upgrades:
o Upgrades
of software deployed to users can be optional (the user chooses when to upgrade) or mandatory.
o Upgrades
are always mandatory when the software is assigned to computers.
· When
an application is no longer supported, it can be removed from the Software Installation node.
o With
optional removal, users who already have the software can continue using it, but no one will be able to install it through the Start menu, Add/Remove Programs, or by document invocation.
Configure Group Policy to assign
and publish applications
· Software
packages can be assigned or published.
o Software
can be assigned to a user or a computer.
§ Software
assigned to a user is advertised (Start menu shortcuts and file associations appear) when the user logs on, but is not installed until the user starts the application or opens one of its documents.
§ Software
assigned to a computer is installed automatically.
▫ Only
a local administrator can remove software when it is assigned to a
computer.
▫ Users
can repair software assigned to computers, but not remove it.
o Software
can only be published to users.
§ Published
software can be installed from Add/Remove programs in the Control
Panel or through invocation.
§ Published
applications are not advertised.
§ Published
applications do not self-repair or re-install if deleted.
· The
removal of applications can be enforced by an administrator.
o Software
assigned to the user is automatically removed the next time that
user logs on.
o When
software is assigned to a computer, it is automatically removed at
start up.
o Users
cannot re-install the software.
o Selecting
the “Uninstall this application when it falls out of the scope
of management” option forces the removal of the software when a
GPO no longer applies.
Troubleshoot end-user Group
Policy.
Troubleshoot Group Policy problems
involving precedence, inheritance, filtering, and the No Override
option.
· If
it appears that Group Policy settings are not being applied, the
problem may be due to inheritance conflicts.
· Check
the order of the GPOs linked to each site, domain, and OU that may
affect the user or computer that is not receiving Group Policy
settings.
· Check
for conflicts between computer and user settings.
· Check
GPO links for No Override and check domains and OUs for Block
Inheritance.
· Limit
the use of Block Inheritance, No Override, and filtering of GPOs,
especially across domains. Each one of these introduces a further
level of complexity. When you must use one of these methods, try
to use only one at a time.
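The checks above come down to one question: in what order were the GPOs applied, and which links were blocked, forced or filtered. The following added example (not part of the original notes) models that evaluation for a constructed site, domain and OU so the effect of Block Policy Inheritance, No Override and security filtering on a single user can be worked through. The containers, GPO names and registry-style setting names are invented; the local GPO, which is processed before the site, is left out of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    # Security filtering: groups granted Read and Apply Group Policy on the GPO.
    # None models the default Authenticated Users entry (applies to everyone).
    apply_to: Optional[Set[str]] = None


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False      # "No Override" set on this link


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)   # first entry = highest priority (applied last)
    block_inheritance: bool = False                    # "Block Policy Inheritance" on this container


def resolve(chain: List[Container], groups: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Effective settings for a principal in `groups`; `chain` is ordered site, domain, OU, child OU."""
    effective: Dict[str, Tuple[str, str]] = {}   # setting -> (value, GPO that set it)
    locked: Set[str] = set()                     # settings fixed by a No Override link higher up
    # Block Policy Inheritance on the lowest container that sets it discards every
    # link above that container, except links marked No Override, which cannot be blocked.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    for level, container in enumerate(chain):
        newly_locked: Set[str] = set()
        for link in reversed(container.links):   # lowest priority first, so the top link wins
            if level < block_at and not link.no_override:
                continue                           # blocked by a lower container
            gpo = link.gpo
            if gpo.apply_to is not None and not (gpo.apply_to & groups):
                continue                           # filtered: principal lacks Apply Group Policy
            for setting, value in gpo.settings.items():
                if setting not in locked:          # a higher No Override already fixed this one
                    effective[setting] = (value, gpo.name)
            if link.no_override:
                newly_locked.update(gpo.settings)
        locked |= newly_locked   # lock only after the container, so its own link order still applies
    return effective


def build_chain() -> List[Container]:
    """Constructed hierarchy: site HQ -> domain CORP -> OU Finance (blocks inheritance)."""
    site_proxy = GPO("Site Proxy", {"ProxyServer": "proxy.hq.example:8080"})
    default_domain = GPO("Default Domain Policy", {"DisableRegistryTools": "1"})
    corp_desktop = GPO("Corp Desktop", {"ScreenSaverTimeout": "900",
                                        "Wallpaper": r"\\FILESRV01\public\corp.bmp"})
    finance_lockdown = GPO("Finance Lockdown", {"DisableRegistryTools": "0", "ScreenSaverTimeout": "300"})
    admin_tools = GPO("Finance Admin Tools", {"DisableCMD": "0"}, apply_to={"Finance Admins"})
    return [
        Container("Site HQ", [Link(site_proxy)]),
        Container("Domain CORP", [Link(default_domain, no_override=True), Link(corp_desktop)]),
        Container("OU Finance", [Link(finance_lockdown), Link(admin_tools)], block_inheritance=True),
    ]


def example() -> Dict[str, Tuple[str, str]]:
    """An ordinary Finance user: Domain Users and Finance Users, not Finance Admins."""
    return resolve(build_chain(), groups={"Domain Users", "Finance Users"})


if __name__ == "__main__":
    for setting, (value, source) in sorted(example().items()):
        print(f"{setting:<22} = {value:<28} from {source}")
```

Run against the constructed hierarchy, the Finance user keeps DisableRegistryTools from the Default Domain Policy even though the OU both blocks inheritance and tries to set the opposite value, because No Override beats both; the screen saver timeout comes from the OU because Corp Desktop was blocked; the proxy and wallpaper settings never arrive; and the Finance Admin Tools GPO is skipped by security filtering. That is exactly the combination the troubleshooting list above tells you to check.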
Manually refresh Group Policy
· By
default, Group Policy is refreshed in the background every 90 minutes (plus a random offset of up to 30 minutes) on workstations and member servers, and every 5 minutes on domain controllers.
· You
can change the default refresh values by modifying the administrative template settings (Administrative Templates, System, Group Policy) for the user or computer configuration.
· Group
Policy refreshing cannot be scheduled to occur at a specific time of day.
· Changes
to a Group Policy object are not applied immediately, but at the next foreground processing (computer startup or user logon) or at the next background refresh.
· Use
the SECEDIT command-line tool to apply Group Policy settings immediately: secedit /refreshpolicy machine_policy for computer settings and secedit /refreshpolicy user_policy for user settings; add /enforce to reapply settings even when the GPOs have not changed.
Implement and manage security
policies by using Group Policy.
Use security templates to
implement security policies
· Security
Templates provide a centralized method of defining security in
Windows 2000.
· During
installation of Windows 2000 a security policy template is used to
configure the security settings of the system.
· This
includes:
o Enforcing
password and account lockout policies
o Configuring
auditing
o Enforcing
appropriate permissions on certain Registry items
o Setting
up correct access control lists (ACL) for relevant areas of the
file system
o Enabling
or disabling services.
· The
enforced security policy can be viewed and customized using the
Security Templates snap-in.
· Windows
2000 has a number of pre-configured security templates (.inf files) located in the %SystemRoot%\Security\Templates folder.
· Four
main levels of template are:
o Basic
(basicwk.inf, basicsv.inf, basicdc.inf)
§ Lowest
level of security.
§ Reapplies
the default installation security settings (except user rights) for a workstation, server or domain controller respectively.
o Secure
(securews.inf, securedc.inf)
§ Tightens
account policy, auditing and selected registry values without affecting application compatibility.
o Hisec
(hisecws.inf, hisecdc.inf)
§ Highest
level of security; requires signed and encrypted network communication, so only Windows 2000 computers can communicate with a computer configured this way.
o Compat
(compatws.inf)
§ Relaxes
the default file system and registry permissions for the Users group so that legacy applications run without making users members of Power Users.
Analyze the security configuration
of a computer by using the secedit command and Security
Configuration and Analysis.
· Use
SECEDIT to analyze the current security settings against a baseline template, for example secedit /analyze /db secanalysis.sdb /cfg hisecws.inf /log secanalysis.log (the database and log file names are your choice); the Security Configuration and Analysis snap-in performs the same analysis interactively and shows each mismatch, and secedit /configure applies a template. Analyze:
o To
identify security holes that may exist in a current configuration.
o To
identify the changes that a security policy would make before you deploy it.
o To
identify deviations from a policy that is currently imposed on a computer.
Modify domain security policy to
comply with corporate standards
Configuring, Securing, and Troubleshooting
Remote Access
· Allows
users to connect to the network from a remote location over a dial-up or VPN link, using a remote access protocol to carry the connection.
· Remote
Access (dial-up) Protocols
o PPP
– the standard; all the Windows 2000 authentication and encryption options described below run over PPP
o SLIP
– older, clear-text, IP only; Windows 2000 supports it as a dial-out client only
o Microsoft
RAS (AsyBEUI) – used by older Windows and LAN Manager NetBEUI clients
o AppleTalk
Remote Access Protocol (ARAP) – used by Macintosh clients
· VPN
tunneling protocols (they tunnel PPP frames across an IP network)
o PPTP
o L2TP
(combined with IPSec for encryption)
· The
remote access server authenticates users and authorizes the connection against remote access policy.
· Two
types of remote access:
o Dial-up
Connections
o Virtual
Private Network Connections
Configure and troubleshoot remote
access and virtual private network (VPN) connections.
Configure and troubleshoot
client-to-server PPTP and L2TP connections
· Use
Routing and Remote Access to configure inbound connections
· Enable
a port for VPN connections, modem connections, and direct cable
connections through which a client can connect to the server.
Manage existing server-to-server
PPTP and L2TP connections.
Configure and verify the security
of a VPN connection.
Configure client computer remote
access properties.
Configure remote access name
resolution and IP address allocation.
· The
remote access server assigns client IP addresses either from a static address pool that you configure or by obtaining them from a DHCP server (Routing and Remote Access leases addresses from DHCP in blocks of 10); clients are also given the DNS and WINS server addresses configured on the remote access server for name resolution.
Troubleshoot a remote access
policy.
Diagnose problems with remote
access policy priority.
Diagnose remote access policy
problems caused by user account group membership and nested
groups.
Create and configure remote access
policies and profiles
· Create
remote access policies to control the level of remote access.
· Remote
access policy consists of:
o Conditions
are a list of parameters that are matched to the parameters of
the client that is connecting to the server.
o Permissions
works with the user’s dial-in permissions in Active
Directory.
o Profile
includes settings that are applied to the connection.
· Policies
are evaluated in the order listed; the first policy whose conditions all match the connection attempt is used, and if no policy matches, the attempt is rejected.
· The
remote access profile specifies what kind of access the user will be given if the conditions match.
· Access
will be granted only if the connection attempt does not conflict with the settings of the user account or the profile.
Select appropriate encryption and
authentication protocols
· Routing
and Remote Access uses these protocols to perform authentication (listed from weakest to strongest):
o PAP
sends the password in clear text; use it only for clients that support nothing else.
o SPAP
(Shiva Password Authentication Protocol) uses a two-way, reversible encryption mechanism employed by Shiva clients.
o CHAP
is an MD5 challenge-response protocol; the password never crosses the link, but the server must hold it in reversibly encrypted form to compute the expected response.
o MS-CHAP
is a one-way, encrypted challenge-response protocol built on the NT password hash, so the server needs no reversibly encrypted passwords.
o MS-CHAP
v2 is a newer version of MS-CHAP that adds mutual authentication and stronger encryption key derivation.
o EAP
allows for customized authentication to remote access servers by using:
§ MD5-CHAP
§ TLS
(certificate-based; required for smart card logon)
§ Third-party
authentication methods
· Data
encryption provides security for data sent between a remote access
client and a remote access server.
· Only
available if you use MS-CHAP, MS-CHAP v2 or TLS as the
authentication protocol.
· Enable
encryption protocols on the Encryption tab in the Edit Profile
dialog box for the remote access policy.
· Two
methods of encryption:
o MPPE
(used for dial-up PPP and PPTP connections) has three levels of encryption:
§ basic
(40-bit)
§ strong
(56-bit)
§ strongest
(128-bit; requires the High Encryption Pack or Service Pack 2 and later)
o IPSec
(used for L2TP connections, with DES or 3DES). Use IPSec policies to configure IPSec security.
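The difference between PAP and the challenge-response protocols above is easiest to see on the wire. The following added example (not part of the original notes) builds the PAP request and a CHAP exchange (RFC 1994, the same MD5 digest EAP carries as MD5-CHAP) for a constructed account, then shows what an eavesdropper captures in each case and why a captured CHAP response cannot be replayed. MS-CHAP is not implemented here; it replaces the MD5-over-password digest with DES operations keyed from the NT hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass
class Frame:
    """A PPP authentication frame as someone sniffing the link would see it."""
    kind: str
    identifier: int
    payload: bytes


def pap_request(username: str, password: str) -> Frame:
    # PAP (RFC 1334): the Authenticate-Request carries the password in clear text.
    return Frame("PAP Authenticate-Request", 1, username.encode() + b"\x00" + password.encode())


def chap_challenge(identifier: int, size: int = 16) -> Frame:
    # Server -> client: a fresh random challenge; the identifier ties the response to it.
    return Frame("CHAP Challenge", identifier, os.urandom(size))


def chap_response(challenge: Frame, secret: bytes, name: str) -> Frame:
    # Client -> server (RFC 1994): MD5(identifier || secret || challenge), then the name.
    digest = hashlib.md5(bytes([challenge.identifier]) + secret + challenge.payload).digest()
    return Frame("CHAP Response", challenge.identifier, digest + name.encode())


def chap_verify(challenge: Frame, response: Frame, secrets: Dict[str, bytes]) -> bool:
    # The server recomputes the digest, which is why it needs the secret itself
    # (in Windows 2000: "Store password using reversible encryption").
    if response.identifier != challenge.identifier:
        return False                     # response does not belong to this challenge
    name = response.payload[16:].decode()
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = hashlib.md5(bytes([challenge.identifier]) + secret + challenge.payload).digest()
    return hmac.compare_digest(expected, response.payload[:16])


def demo() -> Dict[str, bool]:
    secrets = {"jdoe": b"correct horse battery"}        # constructed account and secret
    results: Dict[str, bool] = {}
    # PAP: the password itself crosses the link.
    pap = pap_request("jdoe", "correct horse battery")
    results["pap_leaks_password"] = secrets["jdoe"] in pap.payload
    # CHAP: only a digest crosses the link, yet the server can still verify it.
    ch1 = chap_challenge(identifier=7)
    resp1 = chap_response(ch1, secrets["jdoe"], "jdoe")
    results["chap_accepts_good_secret"] = chap_verify(ch1, resp1, secrets)
    results["chap_leaks_password"] = secrets["jdoe"] in resp1.payload
    # Replaying the captured response against the next challenge fails.
    ch2 = chap_challenge(identifier=8)
    results["chap_accepts_replay"] = chap_verify(ch2, resp1, secrets)
    # A wrong secret fails even against the original challenge.
    bad = chap_response(ch1, b"wrong", "jdoe")
    results["chap_accepts_bad_secret"] = chap_verify(ch1, bad, secrets)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:<26} {outcome}")
```

A captured CHAP response is still useful to an attacker for an offline dictionary attack against the secret, which is why the notes above rank it below MS-CHAP v2 and EAP-TLS and why MPPE data encryption is only offered on top of the MS-CHAP family and TLS.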
Implement and troubleshoot
Terminal Services for remote access
Configure Terminal Services for
remote administration or application server mode
· Terminal
Services allows client computers to access Windows 2000 and the latest Windows-based applications, even if the client computers cannot run the Windows 2000 operating system.
· Terminal
Services also allows system administrators to remotely administer network clients, servers and resources.
· Terminal
Services can be configured for:
o Application
Server mode allows you to deploy and manage applications from
a central location.
o Remote
Administration mode allows you to remotely access, manage, and
troubleshoot clients and administer Windows 2000 servers over any
TCP/IP connection, including remote access, Ethernet, the
Internet, wireless, WAN, or VPN.
· Terminal
Services will permit a maximum of two concurrent Remote
Administration connections without requiring a license for them.
Configure Terminal Services for
local resource mapping
Configure Terminal Services user
properties
· Terminal
Services Configuration is a Microsoft Management Console (MMC) snap-in that runs locally on each terminal server and is used to modify that server's Terminal Services configuration. Its connection settings include Encryption Level; Logon Settings; Session Override Settings; Environment Settings; Remote Control Settings; Client Settings; Network Adapter Settings and Permissions.
· Per-user
settings (Terminal Services Profile, Sessions, Environment and Remote Control tabs) are set on the user account in Active Directory Users and Computers or Local Users and Groups; a connection configured to override them takes precedence.
Configure and troubleshoot Network
Address Translation (NAT) and Internet Connection Sharing
· Hosts
that use private IP addresses (for example 192.168.0.0/16) cannot exchange packets with Internet sites directly; their traffic must pass through a NAT device that owns a public address.
· NAT
translates the private source IP addresses (and, where needed, the port numbers) of outgoing packets to the external, public IP address of its Internet interface, and reverses the translation for the replies.
· Internet
Connection Sharing enables multiple computers on a small network to share a single connection to the Internet.
· Internet
Connection Sharing configures NAT with fixed, preconfigured settings (the internal interface becomes 192.168.0.1 and a built-in DHCP allocator hands out 192.168.0.x addresses), whereas the Routing and Remote Access NAT component lets you change the address range and other options.
Configure Routing and Remote
Access to perform NAT
· Configure
NAT properties by using Routing and Remote Access admin tool.
Troubleshoot Internet Connection
Sharing problems by using the ipconfig and ping commands.