Managing and Maintaining a Microsoft Windows Server 2003 Environment
Microsoft Exam 70-290
Managing Windows Server 2003
Control Panel can be used to configure hardware settings, manage user-specific settings, and manage computer-specific settings.
Installing New Hardware
Installing a new device to a Windows Server 2003 computer typically involves physically connecting the device to the computer; loading the appropriate device drivers; and configuring the device properties and settings if required.
Note: To be able to install a device you must be logged on as an administrator or as a member of the Administrators group.
When you install a Plug and Play device, Windows Server 2003 automatically configures the device so that it works properly with the other devices that are already installed on the computer. This includes assigning the appropriate system resources, such as Interrupt Request (IRQ) line numbers, Direct Memory Access (DMA) channels, Input/Output (I/O) port addresses and memory address ranges, to the device. Each device must be assigned a unique system resource or the device will not function properly. When you install a non-Plug and Play, or legacy, device, you must use the Add/Remove Hardware Wizard. If Windows 2000 does not detect the device you must configure the system resources for the device manually. You can assign system resources to the device in Device Manager.
Note: Some old legacy ISA devices require the use of a specific IRQ number that Windows Server 2003 may have assigned to a Plug and Play device. In this event you should reserve the IRQ that is required by the device in your system BIOS. Windows Server 2003 will then assign another IRQ to the Plug and Play device that was using the IRQ that you have reserved.
Note: When you install Windows Server 2003 on a new computer that does not have a standard Hardware Abstraction Layer (HAL), or that has a RAID device that is not detected by the Windows Setup program, you must install the drivers for these devices during the text portion of the Windows Server 2003 Setup program.
Using Driver Signing
Some device drivers and some applications overwrite existing operating system files as part of their installation process. These files can cause system errors that are difficult to troubleshoot. Microsoft has simplified the tracking and troubleshooting of altered files by digitally signing the original operating system files and allowing you to verify these signatures.
Configuring Driver Signing
You can configure how the computer responds to unsigned files on the HARDWARE tab of SYSTEM. Here you can configure one of three responses:
Ignore allows any file to be installed regardless of whether it has a digital signature or not.
Warn displays a warning message before allowing the installation of an unsigned file. This is the default option.
Block prevents the installation of unsigned files.
When you change the default Driver Signing option, you must select the Apply setting as system default check box in the Driver Signing Options dialog box. This will make the new settings the default system setting. If you do not select the Apply setting as system default check box, the settings will revert to the old setting when the computer is next rebooted.
You will want to become familiar with the Driver Signing Options dialog box.
The File Signature Verification Utility
Windows Server 2003 also provides a File Signature Verification utility, sigverif, that allows you to view the file's name, its location, its modification date, its type, and its version number.
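sigverif is a graphical check. As an added example, not part of the study guide or of Microsoft's own tooling, the batch file below performs the same kind of signing check from a command prompt with driverquery /SI, which adds an IsSigned column to its output, so the check can be scheduled or run over many servers. The report path and the exit-code convention are assumptions.

```batch
@echo off
REM Added example (not from the study guide): report drivers on this server
REM whose files are not digitally signed. driverquery /SI adds an IsSigned
REM column (TRUE/FALSE) to its output; CSV format keeps it parseable.
REM The report path is an assumption.
setlocal
set REPORT=%TEMP%\unsigned-drivers.csv

REM Keep only the rows whose IsSigned field is FALSE.
driverquery /SI /FO CSV | findstr /I /C:"\"FALSE\"" > "%REPORT%"

REM Count the rows that were kept; find /C /V "" counts every line.
set UNSIGNED=0
for /F %%N in ('type "%REPORT%" ^| find /C /V ""') do set UNSIGNED=%%N

echo Unsigned drivers found: %UNSIGNED%
if %UNSIGNED% GTR 0 (
  echo Review each entry in %REPORT% and compare it with the sigverif log.
  exit /B 1
)
echo All reported drivers are signed.
exit /B 0
```

driverquery /SI only reports drivers that were installed through an INF file, so an empty report confirms the Plug and Play drivers, not every kernel module; a FALSE entry is a prompt to find out who installed the file, not proof of tampering.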
Adding Hardware
Adding Additional CPUs
When you install Windows Server 2003 on a multiprocessor computer with only one central processing unit (CPU), the Windows Server 2003 Setup program will install a uniprocessor kernel on the computer. You can add a second CPU to the computer by inserting the CPU in the motherboard, according to the manufacturer's instructions, and restarting the computer. On reboot, the system will detect the additional CPU and will replace the uniprocessor system drivers with the multiprocessor equivalents.
You can verify that the system sees the second CPU by opening the Performance window in Task Manager. The Performance window should show graphs for each CPU. If the Performance window does not display a graph for the second CPU, make sure it is fully seated and that no changes are required in CMOS. Also, make sure the voltage regulators or other motherboard devices are in place and firmly seated.
Adding Removable Media Drives
Windows Server 2003 supports a new service called the Removable Storage Manager (RSM). The RSM service simplifies managing removable media if you have large CD-ROM jukeboxes or a robotic tape library. In previous versions of Windows, each disk in a jukebox or disc changer is assigned a separate drive letter, which could be problematic when configuring large CD libraries because there are not enough drive letters to accommodate a 25-disc library. RSM solves this problem by assigning a single drive letter to the device itself and manipulating the CDs in the background.
However, each disk must be mounted by name using the RSM Mount command. This requires that you know the logical media ID assigned to the CD by RSM. This information is available in the RSM snap-in within the Computer Management console.
Configuring Hard Disks
Disk Storage Types
Windows Server 2003 provides support for two types of disk storage: basic storage, which uses basic disks and is the standard storage type; and dynamic storage, which uses dynamic disks. Basic disks can be divided into up to four partitions that can be either primary partitions or extended partitions. You can have multiple primary partitions but only one extended partition. Creating multiple primary partitions enables you to dual boot between Windows Server 2003 and other operating systems such as Windows XP Professional and Windows 98. One of the primary partitions must be set in fdisk as the active partition, as the boot files required to start the operating systems must be located on the active partition.
Note: If you plan to dual boot between Windows Server 2003 and Windows 95, Windows 95 OSR2, or Windows 98, the primary partition must be formatted with the FAT or FAT32 file system.
Basic disks can be converted to dynamic disks from which dynamic volumes can be created. Windows Server 2003 supports five types of dynamic volumes: simple volumes; spanned volumes; striped volumes; mirrored volumes; and striped volumes with parity.
Converting to Dynamic Disk Status
By default, all disks in Windows Server 2003 are configured as basic disks but you can convert them to dynamic disks. No data loss is incurred when converting to dynamic disks; however, if you convert a disk that is currently being accessed, such as the boot or system disk, you must reboot the computer in order to perform the conversion.
Once you have converted to dynamic disks, you cannot convert them back to basic disks without incurring data loss. Thus, to convert back to basic disks, you must back up your data, and then delete the dynamic volumes. You can then convert the disk back to basic using the Disk Management MMC or the diskpart utility.
Simple Volumes
Simple volumes are the default volume type on a dynamic disk. A simple volume is created from the free space on a single physical disk and is not fault tolerant.
Spanned Volumes
Spanned volumes contain disk space from up to 32 physical disks. This enables you to group different disks of the same or different sizes and access them as if they were one disk. However, only one disk in the volume is written to at a time. Spanned volumes provide 100 percent drive utilization but are not fault tolerant.
Striped Volumes
Like spanned volumes, striped volumes allow you to combine the free space from two to 32 physical disks into one logical volume. Unlike spanned volumes, the amount of unallocated space on each of the disks that is part of the volume must be of the same size. Striped volumes increase both read and write performance when accessing the volume by utilizing all the disks at one time. Striped volumes cannot be extended.
Mirrored Volumes
Mirrored volumes require exactly two disks that are of the same size. When information is written to a mirrored volume, the same information is written to each disk. This provides fault tolerance and complete redundancy for your data. Should one disk fail, you can use the mirrored copy. Because the same information is written to two disks, mirrored volumes provide only 50% disk utilization. Mirrored volumes also cannot be extended.
Striped Volumes with Parity (RAID-5 Volumes)
Striped volumes with parity are also called RAID-5 volumes and can be created using three to 32 disks. They provide fault tolerance by calculating parity information, which can be used to recreate the data on the other disks, and writing it to a block on one disk as part of the striping operation. Data is striped across all the disks in the volume, while parity information is written to one disk in each stripe. The parity information can be used to regenerate the missing data should one disk fail. If you lose more than one disk, however, all your data will be lost.
As with mirrored volumes, RAID-5 volumes cannot be extended. However, RAID-5 volumes offer more efficient disk utilization than mirrored volumes. You lose the storage space of one disk in the RAID-5 volume because it is used for parity information.
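As an added example, not part of the study guide, the batch file below scripts the two fault-tolerant volume types just described with the diskpart utility the guide mentions: it converts the disks to dynamic, builds a two-disk mirror and a three-disk RAID-5 volume, and formats both with NTFS. Disk numbers 1 to 5, the 20000 MB size per disk and the drive letters are assumptions; check the output of "list disk" on the real server before running it. Diskpart on Windows Server 2003 has no format command, so format.com is called afterwards.

```batch
@echo off
REM Added example (not from the study guide): create a mirrored volume and a
REM RAID-5 volume with a diskpart script. Disk numbers, sizes and drive
REM letters are assumptions; verify them with "list disk" first.
setlocal
set SCRIPT=%TEMP%\dynamic-volumes.txt

REM Write the diskpart script. Basic disks must be dynamic before any dynamic
REM volume can be created on them; the conversion keeps existing data.
> "%SCRIPT%" (
  echo list disk
  echo select disk 1
  echo convert dynamic
  echo select disk 2
  echo convert dynamic
  echo select disk 3
  echo convert dynamic
  echo select disk 4
  echo convert dynamic
  echo select disk 5
  echo convert dynamic
  echo rem Mirrored volume: exactly two disks, 50 percent utilisation.
  echo create volume mirror size=20000 disk=1,2
  echo assign letter=M
  echo rem RAID-5 volume: three to 32 disks, one disk of space used for parity.
  echo create volume raid size=20000 disk=3,4,5
  echo assign letter=R
  echo list volume
)

diskpart /s "%SCRIPT%"
if errorlevel 1 (
  echo diskpart reported an error; review its output before formatting.
  exit /B 1
)

REM Diskpart on Windows Server 2003 cannot format, so use format.com.
REM format asks "Proceed with Format" for fixed disks; echo Y answers it.
echo Y| format M: /FS:NTFS /V:Mirror /Q
echo Y| format R: /FS:NTFS /V:Raid5 /Q
```

The size= value in a diskpart create volume command is the space taken from each disk, so the RAID-5 volume above presents 40000 MB of usable space from three 20000 MB contributions, matching the guide's statement that one disk's worth of capacity goes to parity.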
Configuring File Systems
Windows Server 2003 supports the FAT, FAT32 and NTFS file systems. A computer can contain a combination of file systems but each file system must be located on a separate partition or volume.
Note: MS-DOS, Windows 95, Windows 98 and Windows Millennium Edition cannot access data on NTFS formatted disks.
The NTFS file system used by Windows 2000 and Windows Server 2003 is version 5. This version of NTFS has features that were not available in NTFS version 4 used by Windows NT 4.0. Windows NT 4.0 cannot therefore fully support all the features of NTFS version 5. NTFS version 5 offers a number of benefits that include:
Note: You can convert a disk from the FAT or FAT32 file system to NTFS at any time without data loss by using the convert command from a command prompt with the /fs:ntfs switch. When you format a disk, the data on it is lost.
Encrypting File System (EFS)
Windows Server 2003 supports Encrypting File System (EFS), which allows users to encrypt their files and folders. In Windows Server 2003, users can encrypt files and folders on the local computer and across the network. In addition, users can also encrypt offline files. However, EFS is only supported on NTFS volumes. When a user encrypts a file, only that user will be able to use the file. They can use the encrypted file without having to decrypt the file first. EFS can be implemented from Windows Explorer or from the command prompt using the cipher command.
- EFS is only supported on NTFS version 5 (Windows 2000 or 2003)
- Compressed files cannot be encrypted using EFS
- System files cannot be encrypted
- Encrypted files cannot be shared
- Encrypted files or folders that are moved or copied to partitions or volumes that are not formatted with the NTFS file system will become decrypted
- Files and folders on network computers can be encrypted if you have the necessary access permissions to the network computer's NTFS volume and if file encryption is enabled on the network computer.
See: 230520 - HOW TO Encrypt Data Using EFS in Windows 2000
Windows 2003 also supports encryption of offline files. This enables users to use offline file storage while retaining the ability to protect their files with encryption.
Encrypting Files Across the Network
File encryption and decryption requires the presence of EFS keys on the local computer where the files reside. When a user encrypts a file on a local desktop or laptop, EFS works with the Microsoft Crypto Provider to create EFS keys and to place those keys in the user's local profile. If the user attempts to encrypt a file across the network, EFS running at the server looks for the user's local profile at the server. EFS cannot access keys at a user's desktop because it does not have a security context anywhere except at the machine where it's running. This means that the server must have a local profile for the user that contains both the EFS public key to encrypt the file and the EFS private key to open the encrypted file. To build the local private key, the Protected Storage service at the server must have a copy of the user's password hash so it can encrypt the Master key that protects the user's private key. It obtains this information by "user impersonation". This requires obtaining a Kerberos session ticket on behalf of the user to present when requesting the user's security credentials from a domain controller. A server has two ways of obtaining this session ticket:
It can ask the Kerberos client at the user's desktop to obtain the session ticket and pass it over to the server. Such a ticket would be marked as forwardable; or
The server can ask the Kerberos client for a ticket-granting ticket (TGT) that it can use to obtain its own session tickets as if the server were the user. The TGT would be flagged as proxiable.
However, before a server can submit forwardable and proxiable Kerberos tickets and TGTs to create encrypted files for network users, it must be Trusted For Delegation. This option is configured in the server's Computer object in Active Directory.
Encrypted File Recovery
If a user leaves the company or goes on vacation, the administrator can access the user's encrypted files by resetting the user's password in Active Directory and then logging on as the user. Windows Server 2003 will build a new encryption key with the new password hash to re-encrypt the private keys. Alternatively, you can open the user's encrypted files using the credentials of the Data Recovery Agent (DRA). The default DRA is the domain Administrator account.
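The batch file below is an added example, not taken from the study guide or from the KB article it cites, and covers both the EFS section and the recovery section above: it uncompresses a folder tree first (compressed files cannot be encrypted), encrypts it with the cipher command, lists the resulting E/U flags, and generates a Data Recovery Agent key pair with cipher /R for use in the domain's EFS recovery policy. D:\Finance and the recovery file name are assumptions; the folder must be on an NTFS volume.

```batch
@echo off
REM Added example (not from the study guide): encrypt a folder tree with EFS
REM from the command line, check the result, and create a recovery agent
REM certificate. D:\Finance and the recovery file name are assumptions.
setlocal
set TARGET=D:\Finance

REM Compression and encryption are mutually exclusive on NTFS, so remove
REM compression from the tree first (/U uncompress, /S: recurse, /I ignore
REM errors, /Q quiet).
compact /U /S:"%TARGET%" /I /Q

REM /E encrypts; /S: applies it to the folder and everything beneath it.
REM New files created in the folder afterwards are encrypted automatically.
cipher /E /S:"%TARGET%"

REM Listing a pattern shows E for encrypted and U for unencrypted entries.
cipher "%TARGET%\*"

REM Generate a Data Recovery Agent key pair. cipher prompts for a password
REM and writes recovery.cer (import into the EFS recovery policy in Group
REM Policy) and recovery.pfx (the private key, to be kept offline; it can
REM open any file encrypted after the policy takes effect).
cipher /R:"%USERPROFILE%\recovery"
```

The .pfx file is the part to protect: whoever holds it and its password can decrypt every file encrypted under that recovery policy, which is why the guide's default of the domain Administrator account as DRA is usually replaced with a dedicated agent whose key is stored off the server.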
Volume Mounting
The Disk Management snap-in can be used to mount local drives to an empty folder on an NTFS volume. This empty folder becomes the mount point. When a physical disk is mounted to a folder, it is assigned a drive path rather than a drive letter. The Administrator can identify and manage volume mount points by using the mountvol.exe command-line tool.
File Compression
Windows Server 2003 supports file and folder level compression. Compressed files can be read and written to by any Windows-based or MS-DOS-based application without first having to be uncompressed by another program. When you access a file via a Windows-based or MS-DOS-based application, NTFS automatically uncompresses the file. When you save or close the file again, NTFS compresses it again. Note that NTFS allocates disk space based on the uncompressed file size and not on the compressed file size.
Copying and Moving Compressed Files and Folders
When copying a file within an NTFS volume, the file inherits the compression state of the target folder.
When moving a file or folder within an NTFS volume, the file or folder retains its original compression state.
When copying a file or folder to another NTFS volume, the file or folder inherits the compression state of the target folder.
When moving a file or folder to another NTFS volume, the file or folder inherits the compression state of the target folder. Because Windows Server 2003 treats a move as a copy and then a delete, the files inherit the compression state of the target folder.
When moving or copying a file or folder to a FAT volume, Windows Server 2003 automatically uncompresses the file or folder. This is because Windows Server 2003 only supports file and folder compression on NTFS volumes.
When moving or copying a compressed file or folder to a floppy disk, Windows Server 2003 automatically uncompresses the file or folder, as floppy disks are formatted with the FAT file system. Floppy disks cannot support the NTFS file system.
Defragmenting Volumes and Partitions
Defragmenting the disks on all your servers can ensure optimal performance of your disks. Defragmentation is the process of reorganizing your disk so that the clusters that make up each file are stored together, instead of being spread around the disk. Windows Server 2003 provides two tools that work with both basic and dynamic disks that are formatted with the FAT, FAT32, or NTFS file systems for performing defragmentation. These tools are the Disk Defragmenter and the defrag command-line utility.
Backing Up and Restoring Data
Performing regular backups of the data on hard disks prevents data loss due to disk drive failures, power outages, virus infections, and other such incidents. If data loss occurs, and you have performed regular backup jobs, you can restore the lost data.
Windows Server 2003 provides Backup and Recovery Tools. This includes the Backup Wizard, which you can use to easily back up and restore data. You can use Backup to back up data manually or you can schedule regular unattended backup jobs. You can back up data to a file or to a tape. Files can be stored on hard disks, removable disks, and recordable compact discs and optical drives.
To successfully back up and restore data on a Windows Server 2003 computer, you must have the appropriate permissions and user rights. All users can back up their own files and folders, and files for which they have the Read, Read & Execute, Modify, or Full Control permission. All users can restore files and folders for which they have the Write, Modify, or Full Control permission. By default, members of the Administrators and Backup Operators groups have the Backup Files and Directories and the Restore Files and Directories user rights and can therefore back up and restore all files regardless of the assigned permissions.
Backup Types
Backup Wizard provides five types of backup that define which data is backed up. Some backup types use backup markers, also known as archive bits, which mark a file as having changed. When a file changes, an attribute is set on the file that indicates that the file has changed since the last backup. When you back up the file, this clears or resets the attribute.
Normal - backs up all selected files and folders and does not rely on markers to determine which files to back up. During a normal backup, any existing markers are cleared and each file is marked as having been backed up. Normal backups speed up the restore process because the backed-up files are the most current, so you do not need to restore multiple backup jobs.
Copy - backs up all selected files and folders without looking for or clearing markers.
Incremental - only backs up selected files and folders that have a marker and then clears the markers. Thus, if you did two incremental backups in a row on a file and nothing changed in the file, the file would not be backed up the second time.
Differential - only backs up selected files and folders that have a marker but does not clear markers. Thus, if you did two differential backups in a row on a file and nothing changed in the file, the entire file would be backed up each time.
Daily - backs up all selected files and folders that have changed during the day and does not look for or clear markers.
Backing Up System State Data
You can use the Backup utility to back up the system state data. The system state data includes: the Registry; Component Services Class Registration database; System startup files; Certificate Services database; Active Directory directory services; and the Sysvol folder.
To back up the system state data on a local computer, do one of the following:
- In the Backup wizard, on the What To Back Up page, click Only Back Up The System State Data.
- In the Backup wizard, on the Items To Back Up page, expand My Computer, and then select the check box to the left of System State.
- In the Backup utility, on the Backup tab, expand My Computer, and then select the System State check box.
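As an added example, not part of the study guide, the batch file below puts the backup types and the System State option together in one scheduled job using the command-line form of the Backup utility, ntbackup.exe. The selection file, destination folder, job names and the Sunday/weekday split are assumptions, as is the %DATE% check, which relies on a short date format that begins with the day name.

```batch
@echo off
REM Added example (not from the study guide): a scheduled backup script for
REM ntbackup.exe. Paths, job names and the weekly schedule are assumptions.
REM Run it from Task Scheduler under an account that holds the Backup Files
REM and Directories right, for example a member of Backup Operators.
setlocal
set DEST=E:\Backups
set SETS=C:\Backup\data.bks
if not exist "%DEST%" mkdir "%DEST%"

REM data.bks is a selection file (one path per line, saved as Unicode) that
REM lists what to back up; it is assumed to have been saved from the Backup
REM GUI rather than written by this script.

REM Locale assumption: %DATE% starts with the day name, e.g. "Sun 01/04/2004".
set DAY=%DATE:~0,3%
if /I "%DAY%"=="Sun" goto normal

REM Mon to Sat: differential. Backs up files whose marker is set and leaves
REM the marker set, so a restore needs only the last normal backup plus the
REM latest differential file.
ntbackup backup "@%SETS%" /J "Daily differential" /F "%DEST%\data-diff.bkf" /M differential /V:yes /L:s
goto systemstate

:normal
REM Sunday: normal backup of everything in the selection file. It clears the
REM marker on every file so the following week's differentials start here.
ntbackup backup "@%SETS%" /J "Weekly normal" /F "%DEST%\data-full.bkf" /M normal /V:yes /L:s

:systemstate
REM System State (Registry, COM+ class registration database, startup files
REM and, on a domain controller, Active Directory and SYSVOL) goes into its
REM own file every day. It is always taken as a complete set.
ntbackup backup systemstate /J "System State" /F "%DEST%\systemstate.bkf" /M normal /V:yes /L:s
```

Writing the differential to the same file name each day keeps only the latest differential, which is all a restore needs; if you want a history of differentials, put the date in the file name instead. Restoring is still done from the Backup GUI or the Restore wizard, since ntbackup has no command-line restore.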
Restoring Files and Folders
You can use the Backup utility in Windows Server 2003 to restore files and folders. The Backup utility includes a Restore wizard that steps you through the entire restore process. However, you can also restore files and folders without using the wizard. To restore files and folders without using the wizard, open the Backup utility, and specify the folders or files to restore; a restore location; and the Restore options, such as whether to replace existing files with backup files.
Note: To avoid data loss and to preserve file and folder features, such as encryption and permissions, you should restore data that is archived from a Windows 2000 or Windows Server 2003 NTFS volume to another Windows 2000 or Windows Server 2003 NTFS volume. Restoring the data to a FAT volume or to a Windows NT 4.0 NTFS volume might result in the loss of access permissions, Encrypting File System (EFS) settings, disk quota information, mounted drive information, or Remote Storage information.
Restoring Active Directory Directory Services
You can use the Backup utility to restore Active Directory directory services during the process of replacing a failed domain controller, to repair a damaged Active Directory database, or to recover one or more objects that are accidentally deleted from Active Directory directory services.
Failed Domain Controllers
If a domain controller fails completely, you must first restart the computer and make sure Windows Server 2003 is running. Then you can use the Backup utility to restore the latest version of the system state data, which includes Active Directory directory services. After you have restored Active Directory directory services, Windows Server 2003 automatically performs a consistency check on the Active Directory database and re-indexes it. Windows Server 2003 then updates Active Directory directory services and the File Replication Service with data from their replication partners.
Damaged Active Directory Databases
If the operating system on a domain controller is functioning normally, but the Active Directory database is damaged, you must restart the computer, select the Directory Services Restore Mode advanced startup option, and then use the Backup utility to restore the system state data. After you have restored the Active Directory database, restart the computer, and Windows Server 2003 will automatically re-index the Active Directory database and update Active Directory directory services and the File Replication Service.
Authoritative Restores
If you restore the most recent copy of the Active Directory database that contains the deleted objects, those objects will be deleted when replication occurs because the objects are marked for deletion in the replicas of the database. To prevent this from occurring, you can perform an authoritative restore. When you restore an object authoritatively, it persists after replication even though it is marked for deletion in the replicas of the database.
See: 241594 - HOW TO Perform an Authoritative Restore to a Domain Controller
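As an added example, not part of the study guide or of the KB article above, the batch file below shows the step that turns the nonauthoritative System State restore just described into an authoritative one. It is run in Directory Services Restore Mode, after the Backup utility has restored System State and before the normal reboot. The distinguished name is an assumption; the ntdsutil commands follow the Windows Server 2003 syntax that KB 241594 documents.

```batch
@echo off
REM Added example (not from the study guide): after restoring System State in
REM Directory Services Restore Mode, and before rebooting normally, mark a
REM deleted OU as authoritative so that replication re-creates it on the
REM other domain controllers instead of deleting it again.
REM The distinguished name is an assumption; use the DN of the object lost.
setlocal
set DN=OU=Sales,DC=example,DC=com
set LOG=%TEMP%\authrestore.log

REM ntdsutil runs the commands given on its command line in order.
REM "restore subtree" marks the object and everything beneath it.
REM "restore database" would mark the entire directory, which is rarely
REM what you want, since it would also roll back every change made on the
REM other domain controllers since the backup was taken.
REM ntdsutil still asks for confirmation in a dialog box before marking.
ntdsutil "authoritative restore" "restore subtree %DN%" quit quit > "%LOG%" 2>&1

REM Keep the log: it records how many objects were marked and their raised
REM version numbers, which is what you compare against when verifying that
REM replication has propagated the restored objects.
type "%LOG%"
echo Reboot normally to let the restored objects replicate.
```

Marking works by raising the version number of each restored object by a large amount, so that during replication the restored copy wins over the tombstones held by the other domain controllers; that is why the restored objects persist even though the replicas still carry them as deleted.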
2.7 Automated System Recovery
Every time you successfully change your system's configuration, you should back the configuration up so that you can return to it if a later change goes wrong. This backup disk is called the Automated System Recovery (ASR) disk. The ASR disk is not a boot disk but contains pointers to the system state backup. You can create an ASR disk in Windows Backup.
To use ASR to repair a damaged Windows Server 2003 installation, you boot from the Windows Server 2003 installation CD, not the ASR disk. In Windows Server 2003 Setup, you choose to repair an existing installation and provide the ASR disk, which contains the recovery information. The recovery process uses the CD-ROM to recover system files.
Note: ASR performs a nonauthoritative restore of System State data. Thus, if you are restoring a domain controller you must use Ntdsutil.exe to make the restore authoritative for the domain.