Managing and Maintaining a Microsoft Windows Server 2003 Environment
Microsoft Exam 70-290
Windows Server 2003 Networks
Windows Server 2003 supports both Workgroup Networks and Domain-Based Networks.
Workgroup Networks are also referred to as Peer-to-Peer networks and are the simplest type of network. They are ideal for networks of fewer than ten computers and support file and print sharing.
Domain-Based Networks are common to large companies and benefit from centralized administration. This results in the implementation of stronger security models, with users requiring a user account to log on and access network resources.
Creating Network Connections
In Windows Server 2003 you can create a number of network connections. These include local area network (LAN) connections, remote connections, Virtual Private Network (VPN) connections and direct connections. All these connections are created in the NETWORK CONNECTIONS folder.
A Local Area Network is also referred to as an intranet and has client support, such as Client for Microsoft Networks and Client Services for NetWare; services, such as File and Printer Sharing; and user network protocols. A network protocol is a set of rules and conventions that computers use to communicate over a network.
Windows Server 2003 supports TCP/IP; NetBEUI; PPPoE; SOAP; EAP and Protected EAP; AppleTalk; NWLink (IPX/SPX); and DLC.
You can also specify the protocol binding order to optimize network performance by placing the protocol that is used the most at the top of the protocol bindings list. The computer will then attempt to use this protocol first when a user attempts to make a connection to a server.
Automatic IP Addressing
In Windows Server 2003 a client computer can automatically obtain an IP address from a DHCP server or through Automatic Private IP Addressing.
Automatic Private IP Addressing
Windows 2000 supports a new mechanism for automatic address assignment of IP addresses for simple LAN-based network configurations called Automatic Private IP Addressing (APIPA). This mechanism is an extension of dynamic IP addressing and enables the configuration of IP addresses without using static IP address assignment or installing the DHCP Service.
IP Address
An IP address is a logical 32-bit address that identifies a TCP/IP host. Each network adapter card in a computer running TCP/IP must have a unique IP address, which has two parts: a network ID that identifies all hosts on the same physical network, and a host ID that identifies a host on the network. An IP address of 192.168.1.66 indicates that the network ID is 192.168.1, and that the host ID is 66.
Subnet Mask
A subnet mask is used to create subnets, which divide a large network into multiple physical networks connected with routers. A subnet mask blocks out part of the IP address so that TCP/IP can distinguish the network ID from the host ID. When TCP/IP hosts try to communicate, the subnet mask determines whether the destination host is on a local or remote network. To communicate on a network, the computers must have the same subnet mask.
Default Gateway
The default gateway is a device on a local network that stores network IDs of other networks in the enterprise or Internet. To communicate with a host on another network you must configure an IP address for the default gateway. TCP/IP sends packets for remote networks to the default gateway, which forwards the packets to other gateways until the packet is delivered to a gateway connected to the specified destination.
On a computer running Windows 2000 you must configure a network LAN adapter for TCP/IP and click Obtain an IP Address Automatically in the Internet Protocol (TCP/IP) Properties dialog box for the Automatic Private IP Addressing feature to function properly.
APIPA can be used to set up IP configuration to allow network communication on a single subnet and is also used when the client computer cannot contact the DHCP server for IP address configuration. APIPA uses an addressing range from 169.254.0.1 through 169.254.255.254 and a subnet mask of 255.255.0.0.
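The network ID / host ID split, the local-or-remote decision that the subnet mask drives, and the APIPA range, worked through in Python as an added example (not from the study guide); the addresses and the host inventory are constructed sample values.

```python
"""Added example, not from the study guide: how a TCP/IP host splits an address
into network ID and host ID with its subnet mask, how that decides local versus
remote delivery (default gateway), and how to recognise an APIPA self-assigned
address. All addresses below are constructed sample values."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# 169.254.0.1 through 169.254.255.254 with mask 255.255.0.0 is the APIPA range.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def split_address(ip: str, mask: str) -> Tuple[str, int]:
    """Return (network ID, host ID) for an address and dotted-decimal subnet mask.
    For 192.168.1.66 / 255.255.255.0 the network ID is 192.168.1.0, host ID 66."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    network = iface.network
    host_id = int(iface.ip) - int(network.network_address)
    return str(network.network_address), host_id


def next_hop(src_ip: str, mask: str, dst_ip: str, gateway: Optional[str]) -> str:
    """Decide where a packet for dst_ip is sent: 'local' when the destination shares
    the sender's network ID (mask applied to both), otherwise the default gateway.
    A remote destination with no gateway configured is unreachable."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{mask}").network
    if ipaddress.ip_address(dst_ip) in local_net:
        return "local"
    if gateway is None:
        raise ValueError(f"{dst_ip} is remote and no default gateway is configured")
    return gateway


def mask_mismatch(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> bool:
    """True when two hosts disagree about being on the same network because their
    subnet masks differ; this is why hosts on one network must share a mask."""
    a_sees_b_local = next_hop(a_ip, a_mask, b_ip, "gw") == "local"
    b_sees_a_local = next_hop(b_ip, b_mask, a_ip, "gw") == "local"
    return a_sees_b_local != b_sees_a_local


def is_apipa(ip: str) -> bool:
    """True if the address was self-assigned, i.e. the client never heard from a
    DHCP server and can only talk to hosts on its own subnet."""
    return ipaddress.ip_address(ip) in APIPA_NET


def hosts_without_dhcp(inventory: List[Dict[str, str]]) -> List[str]:
    """From an inventory of {'name', 'ip'} records, list the hosts running on
    APIPA addresses; several at once usually points at a DHCP server outage."""
    return [rec["name"] for rec in inventory if is_apipa(rec["ip"])]


if __name__ == "__main__":
    # Constructed inventory: two DHCP clients and one that fell back to APIPA.
    sample = [
        {"name": "WS01", "ip": "192.168.1.66"},
        {"name": "WS02", "ip": "192.168.1.70"},
        {"name": "WS03", "ip": "169.254.37.12"},
    ]
    print(split_address("192.168.1.66", "255.255.255.0"))                  # ('192.168.1.0', 66)
    print(next_hop("192.168.1.66", "255.255.255.0", "10.0.0.5", "192.168.1.1"))  # 192.168.1.1
    print(hosts_without_dhcp(sample))                                        # ['WS03']
```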
DHCP Addressing
If the network has a server running the Dynamic Host Configuration Protocol (DHCP) Service, it can automatically assign TCP/IP configuration information to the client computers if the client computers are configured as DHCP clients. You can then configure any client running Windows Server 2003, Windows 2000, Windows XP Professional, Windows 98, and Windows 95 to obtain TCP/IP configuration information automatically from the DHCP Service. This can simplify administration and ensure correct configuration information.
When you use DHCP to automatically configure TCP/IP information, the DHCP server supplies the necessary configuration information to the DHCP clients and ensures that the clients use the correct configuration information. DHCP then automatically updates client configuration information to reflect changes in network structure and the relocation of users to other physical networks, without manually reconfiguring client IP addresses.
Name Resolution
Windows Server 2003 supports the use of user-friendly domain names to represent the IP address of a host or a client. This, however, requires name resolution so that the computer can identify the IP address that the user-friendly name refers to. Windows Server 2003 supports two types of name resolution: NetBIOS name resolution and host name resolution.
NetBIOS Name Resolution
Although Microsoft has phased out NetBIOS name resolution, it remains in Windows Server 2003 for compatibility purposes. Two of the mechanisms implemented for NetBIOS name resolution are Windows Internet Naming Service (WINS), which is a NetBIOS name server that stores NetBIOS names and their IP addresses; and the LMHOSTS file, which is a static text file that contains a list of NetBIOS names and their corresponding IP addresses and is stored on the local computer. Clients using earlier versions of Windows, such as Windows 98 or Windows NT Workstation 4.0, which use NetBIOS names for network communication, require Windows Internet Name Service (WINS) to register NetBIOS computer names and resolve them to IP addresses.
Host Name Resolution
Host name resolution is supported by Domain Name Services (DNS). DNS is a distributed database that is used in TCP/IP networks to translate computer names to IP addresses. It is most commonly associated with the Internet but is also used extensively in private networks. DNS provides the following benefits:
- DNS names are user-friendly; they are easier to remember than IP addresses;
- DNS names remain constant even when IP addresses change; and
- DNS allows users to connect to local servers by using the same naming convention as the Internet.
Domain Name Space
The DNS database uses a hierarchical naming scheme called a domain name space. Each node in the name space hierarchy represents a partition of the DNS database. These nodes are referred to as domains, each of which must have a name, as the DNS database is indexed by name. When you add domains to the hierarchy, the name of the parent domain is appended to the domain, which becomes a child domain or a subdomain. Consequently, a domain’s name identifies its position in the hierarchy. Thus, the corp.acme.com domain name identifies the corp domain as a subdomain of the acme.com domain and acme as a subdomain of the com domain.
Note:
The term domain, in the context of DNS, is not related to domain as used in the Microsoft Windows Server 2003 directory services. A Windows Server 2003 domain is a grouping of computers and devices that are administered as a unit.
The hierarchical structure of the domain name space consists of a root domain, top-level domains, second-level domains, any sub-domains, and host names.
• The Root Domain is at the top of the hierarchy and is represented as a period (.).
• Top-Level Domains are two or three-character name codes. Top-level domains are organized by organization type or geographic location. Top-level domains can contain second-level domains and host names.
• Second-Level Domains are registered to individuals and organizations for use on the Internet. A second-level name has two name parts: a top-level name and a unique second-level name. An example is acme.com.
• Sub-domains are created when organizations extend their DNS tree to represent departments, divisions, or other geographic locations. Sub-domains have three name parts: a top-level name, a unique second-level name, and a unique name representing the department or location. An example is corp.acme.com.
• Host names are the names of specific computers on the Internet or in a private network. A host name is the leftmost portion of a fully qualified domain name (FQDN), which describes the exact position of a host within the domain hierarchy. Computer1.corp.acme.com. is an FQDN and includes the end period. DNS uses a host’s FQDN to resolve a name to an IP address. The host name does not have to be the same as the computer name.
DNS Zones
A zone is a contiguous portion of the domain namespace for which a DNS server has authority to resolve DNS queries. You can divide the DNS namespace into zones, which store name information about one or more DNS domains or portions of a DNS domain. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain. To limit the number of DNS servers on your network, you can configure a single DNS server to support, or host, multiple zones. You can also configure multiple servers to host one or more zones to provide fault tolerance and distribute the name resolution and administrative workloads. Multiple zones in a domain name space are used to distribute administrative tasks to different groups. However, a zone must encompass a contiguous domain name space.
For example, you cannot create a zone that consists of only the corp.acme.com and research.acme.com domains, because these two domains are not contiguous – the corp and the research sub-domains are independent of each other and can only be combined into a single DNS zone if the acme.com domain is also included in the zone.
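The name space hierarchy and the zone contiguity rule above, as an added Python example that is not part of the study guide; the domain and zone names are constructed, extending the acme.com examples in the text.

```python
"""Added example, not from the study guide: decompose an FQDN into the levels of
the domain name space described above, find which configured zone is
authoritative for a name, and check the rule that a zone must cover a
contiguous part of the name space. Zone lists below are constructed samples."""
from typing import Dict, Iterable, List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, dropping the trailing root period."""
    return [part for part in name.rstrip(".").lower().split(".") if part]


def describe_fqdn(fqdn: str) -> Dict[str, str]:
    """Place Computer1.corp.acme.com. in the hierarchy: root, top-level,
    second-level, sub-domain (everything between host and second level) and host."""
    parts = labels(fqdn)
    if len(parts) < 3:
        raise ValueError("need at least host.second-level.top-level")
    host, *subs, second, top = parts
    return {
        "root": ".",
        "top_level": top,
        "second_level": f"{second}.{top}",
        "subdomain": ".".join(subs + [second, top]) if subs else "",
        "host": host,
        "fqdn": ".".join(parts) + ".",  # canonical form keeps the end period
    }


def parent(domain: str) -> str:
    """acme.com for corp.acme.com; com for acme.com; '' for a top-level domain."""
    return ".".join(labels(domain)[1:])


def is_contiguous(domains: Iterable[str]) -> bool:
    """A set of domains can form one zone only if it has a single topmost domain
    and every other member's parent is also in the set (no gaps in the tree).
    corp.acme.com + research.acme.com fails; adding acme.com makes it pass."""
    names = {".".join(labels(d)) for d in domains}
    tops = [d for d in names if parent(d) not in names]
    return len(tops) == 1


def authoritative_zone(zones: Iterable[str], name: str) -> Optional[str]:
    """Return the zone that is authoritative for name: the configured zone whose
    labels form the longest label-aligned suffix of the name, or None."""
    parts = labels(name)
    best: Optional[str] = None
    for zone in zones:
        zl = labels(zone)
        if len(zl) <= len(parts) and parts[len(parts) - len(zl):] == zl:
            if best is None or len(zl) > len(labels(best)):
                best = zone
    return best


if __name__ == "__main__":
    print(describe_fqdn("Computer1.corp.acme.com."))
    print(is_contiguous({"corp.acme.com", "research.acme.com"}))             # False
    print(is_contiguous({"corp.acme.com", "research.acme.com", "acme.com"}))  # True
    print(authoritative_zone(["acme.com", "corp.acme.com"], "Computer1.corp.acme.com."))  # corp.acme.com
```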
Zone Types
Windows Server 2003 supports three types of zones.
• Standard Primary: Contains a read/write version of the zone file that is stored in a standard text file.
• Standard Secondary: Contains a read-only version of the zone file that is stored in a standard text file.
• Active Directory Integrated: Stores the zone information in Active Directory, rather than a text file.
Active Directory
In a network environment, a directory service is a network service that identifies all resources on a network and makes them accessible to network users and applications. Active Directory is an integral part of a Windows Server 2003 network and the directory service in a Windows Server 2003 network. It stores information about network resources and makes the resources accessible to users and applications by uniquely identifying resources on a network. It also provides you with mechanisms to name, describe, locate, access, manage, and secure network resources.
It also allows for the central management of the Windows Server 2003 network, and for the delegation of administrative control over Active Directory objects, which are resources such as user data, printers, servers, databases, groups, computers, and security policies that are stored in the directory. This allows administrators to assign specific administrative permissions for objects to other users and administrators. The Active Directory directory service provides the structure and functions for organizing, managing, and controlling network resources.
Active Directory Support for Client Computers
Windows 2000, Windows XP and Windows Server 2003 computers can take full advantage of all the features provided by Active Directory. However, you must enable client extensions for computers running Windows 95, Windows 98, and Windows NT 4.0 Workstation to take advantage of some of these features.
Note:
The Active Directory Client Extensions for Windows 95 and Windows 98 can be located on the Windows 2000 Server installation disk, while the Active Directory Client Extensions for Windows NT 4.0 Workstation must be downloaded from the Microsoft Web site.
Active Directory features that are supported by the Active Directory Client Extensions include:
• Site Awareness, which allows users to log on to domain controllers on the same site and thereby reduces bandwidth usage across wide area network (WAN) links.
• Active Directory Services Interface (ADSI), which enables scripting to Active Directory and other directory services.
• Distributed File System (DFS) Fault Tolerance Client, which enables access to the fault-tolerant file shares that are specified in Active Directory.
• Active Directory Windows Address Book Property Pages, which enable users who have the required permissions to change properties on user objects.
• NTLM Version 2 Authentication, which is an improvement on the NTLM authentication feature of Windows NT 4.0.
The Active Directory Client Extensions do not support:
• Kerberos Authentication Protocol, which is the default authentication protocol for communication between Windows 2000 computers.
• Group Policy Support, which allows you to configure security permissions that apply to the domain or a computer rather than to users.
• Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec), which is a set of protocols used to secure transmissions on a Virtual Private Network.
• Service Principal Name (SPN) or mutual authentication.
Domains
A domain comprises computer systems and network resources that share a logical security boundary. Although a domain can cross physical locations, all domains maintain their own security policies and security relationships with other domains. They can be created to define functional boundaries such as those between administrative units, or to group resources or servers that use a common domain namespace.
The first domain that is created in a Windows Server 2003 network is called the forest root domain. When other domains are created on the network, they are added to the root domain to form the tree structure or the forest structure, depending on the domain name requirements.
A tree is a hierarchical arrangement of Windows Server 2003 domains that share a contiguous namespace. In such an arrangement the root domain name is attached as a suffix to the new domain names. The new domain is called a child domain of an existing parent domain and has a two-way, transitive trust relationship with its parent domain.
A forest can either consist of a single tree or a number of trees that do not share a contiguous namespace but do share a common schema and global catalog. In this arrangement, every tree root domain has a transitive trust relationship with the root domain. A single tree that is not related to any other tree constitutes a forest of one tree. The root domain contains the configuration and schema data for all trees in the forest.
Both a tree and a forest are namespaces. A namespace is a bounded area in which a name can be resolved. Using a common namespace allows you to unify and manage multiple hardware and software environments in your network. There are two types of namespaces:
• Contiguous namespace. The name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace because the name of any child object in a tree always contains the name of the parent tree.
• Disjointed namespace. The names of a parent object and of a child of the same parent object are not directly related to one another. A forest is a disjointed namespace because all trees in a forest do not share a common naming structure.
Domain Controllers
A domain controller is a server that contains a copy of Active Directory. All domain controllers are peers and maintain replicated versions of Active Directory for their domains. The domain controller plays an important role in both the logical and physical structures of Active Directory as it organizes all of the domain’s object data in a logical and hierarchical data store. It also authenticates users, provides responses to queries about network objects, and replicates directory services.
Domain Functional Levels
The Windows Server 2003 Active Directory supports three domain functional levels. Each level provides varying compatibility with pre-Windows Server 2003 domains. The three functional levels are:
• Windows 2000 mixed domain functional level, which is the default functional level in Windows Server 2003 domains and provides compatibility with Windows NT 4.0 domain controllers as well as Windows 2000 domain controllers;
• Windows 2000 native domain functional level, which provides compatibility only with Windows 2000 domain controllers; and
• Windows Server 2003 domain functional level, which does not provide compatibility with any pre-Windows Server 2003 domain controllers.
Note:
You can raise a domain functional level but you cannot lower it. Thus, once a domain is raised to the Windows 2000 native domain functional level, you cannot return it to the Windows 2000 mixed domain functional level, and once a domain is raised to the Windows Server 2003 domain functional level, you cannot return it to the Windows 2000 native domain functional level.
You can use the Active Directory Users and Computers console to raise a domain’s domain functional level by right-clicking the top of the tree and selecting RAISE DOMAIN FUNCTIONAL LEVEL from the pop-up menu.
Controlling Access to Active Directory Objects
Windows Server 2003 uses an object-based security model, similar to the one used to implement NTFS security, to implement access control to all Active Directory objects. Each Active Directory object has a security descriptor that defines the permissions to the object and the type of access that is allowed. Windows Server 2003 uses these security descriptors to control access to the Active Directory objects. An administrator or the object owner must assign permissions to the object before users can gain access to the object. Windows Server 2003 stores a list of these assigned user access permissions for every Active Directory object in the access control list (ACL). This allows you to assign permissions or administrative privileges to a specific user or group for an organizational unit (OU), a hierarchy of OUs, or a single object, without assigning administrative permissions for controlling other Active Directory objects.
Delegating Administrative Control
Active Directory allows you to assign permissions and grant user rights in specific ways. You can assign permissions and grant user rights so as to delegate administrative privileges for certain objects to appropriate individuals in an organization. You can delegate:
• Permissions for specific organizational units to different administrators.
• The permissions to modify specific attributes of an object in a single organizational unit.
• The permissions to perform particular tasks in all organizational units of a domain.
Publishing Resources
Publishing resources is the process of creating objects in Active Directory that either directly contain the information that you want to make available, or provide a reference to that information. This makes it easier for users to locate network resources. Resources should be published in Active Directory when the information contained in them is useful to a user or when it must be highly accessible. However, you do not need to publish resources, such as user accounts, that already exist in Active Directory. You must publish resources that do not exist in Active Directory, such as printers on a pre-Windows 2000 computer, and shared folders.
Note:
You should only publish information that is relatively static and does not change frequently in Active Directory. This will prevent excessive replication traffic across a network.
The object that is published in the directory is completely separate from the shared resource that it represents. The published object contains a reference to the location of the shared resource. When a user accesses the published object, Windows Server 2003 redirects the user to the shared resource. Therefore, by publishing resources in Active Directory you can allow users to locate resources even if the physical location of the resources changes. Furthermore, because a shared resource and the published object that refers to the shared resource are two different objects, each of these objects has its own discretionary access control list (DACL), which is used to control access to that shared resource. A user requires Read permission on the DACL of a published object to view the published object in the results list when searching for a published resource but may not be able to access the shared resource, depending on the DACL on the shared resource.
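The two DACLs described above (one on the published object, one on the shared resource it refers to), modelled in Python as an added example that is not from the study guide; the access bits, users, groups and share names are constructed, and the evaluation is a simplified form of the Windows rule that a matching deny entry stops the check.

```python
"""Added example, not from the study guide: a small model of the two separate
DACLs described above, one on the published object in Active Directory (decides
who sees it in search results) and one on the shared folder it refers to (decides
who can open it). Access bits, users, groups and ACEs are constructed; the
evaluation order follows the Windows rule that a matching deny stops the check."""
from dataclasses import dataclass, field
from typing import List, Set

READ, WRITE = 1, 2  # simplified access mask bits


@dataclass(frozen=True)
class ACE:
    trustee: str   # user or group the entry applies to
    mask: int      # access bits granted or denied
    allow: bool    # False for a deny entry


@dataclass
class DACL:
    aces: List[ACE] = field(default_factory=list)

    def grants(self, user: str, groups: Set[str], wanted: int) -> bool:
        """Walk the ACEs in order (a canonical DACL lists explicit denies first).
        A deny covering any still-wanted bit refuses the request; allows clear
        the bits they cover; access is granted only once every bit is cleared.
        An empty DACL therefore denies everyone."""
        trustees = {user} | groups
        remaining = wanted
        for ace in self.aces:
            if ace.trustee not in trustees:
                continue
            if not ace.allow and ace.mask & remaining:
                return False
            if ace.allow:
                remaining &= ~ace.mask
            if remaining == 0:
                return True
        return False


@dataclass
class PublishedShare:
    name: str
    unc_path: str         # the shared resource the object points at
    object_dacl: DACL     # DACL on the AD object (the published reference)
    resource_dacl: DACL   # DACL on the shared folder itself


def visible_shares(catalog: List[PublishedShare], user: str, groups: Set[str]) -> List[str]:
    """Objects a search returns: Read on the published object's own DACL is enough."""
    return [s.name for s in catalog if s.object_dacl.grants(user, groups, READ)]


def can_open(share: PublishedShare, user: str, groups: Set[str]) -> bool:
    """Opening the UNC path is decided only by the resource's DACL."""
    return share.resource_dacl.grants(user, groups, READ)


def sample_catalog() -> List[PublishedShare]:
    # Constructed: everyone can find Payroll in a search, but contractors are
    # explicitly denied on the folder and only HR is allowed to open it.
    everyone_reads = DACL([ACE("Authenticated Users", READ, True)])
    return [
        PublishedShare("Payroll", r"\\fileserver1\payroll", everyone_reads,
                       DACL([ACE("Contractors", READ | WRITE, False),
                             ACE("HR", READ | WRITE, True)])),
        PublishedShare("Public", r"\\fileserver1\public", everyone_reads, everyone_reads),
    ]


if __name__ == "__main__":
    catalog = sample_catalog()
    bob_groups = {"Authenticated Users", "Contractors"}
    print(visible_shares(catalog, "bob", bob_groups))   # ['Payroll', 'Public']: found in search
    print(can_open(catalog[0], "bob", bob_groups))      # False: denied on the folder itself
```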
Setting Up and Managing Published Printers
All printers shared on Windows 2000 or Windows Server 2003–based print servers that are either members of a domain or domain controllers are automatically published in Active Directory. However, you must publish printers that run on pre-Windows 2000 computers by using Active Directory Users and Computers. When you publish a printer, it is the print queue that is published, and the object in Active Directory is called a printQueue. You only need to manage printers if you change the default behavior of the printer.
Note:
When you publish a printer, the printer object is placed in the print server’s computer object in Active Directory. You can view printer objects in Active Directory. To view printer objects, you enable the option in Active Directory Users and Computers to view objects as containers.
By default:
• Any printer shared on a Windows 2000 or Windows Server 2003 print server that has an account in an Active Directory domain is published in Active Directory.
• When a print server is removed from the network, its published printers are automatically removed from Active Directory.
• When you configure or modify a printer’s properties, Windows Server 2003 automatically updates the appropriate published printer object’s attributes in Active Directory.
Note:
To prevent users from viewing or using a particular printer, you must prevent the automatic publishing of printers in Active Directory. You can control the automatic publishing of a printer by using the List in the Directory check box on the printer’s Sharing tab. The List in the Directory check box is selected by default; therefore, the printers that are added by using the Add Printer Wizard are automatically published. You can use Group Policy to control the default behavior of published printers. You configure the Automatically publish new printers in Active Directory Group Policy setting in Computer Configuration\Administrative Templates\Printers in Group Policy to disable or enable automatic publishing of printers.
Managing printers includes tasks such as moving printers, connecting to printers on the network, and modifying properties of the print queue objects. After you publish printers in Active Directory, user and organization printing needs may change. This change may require you to configure printer settings so that your printing resources better fit these needs.
To organize published printers, you can move related published printers that are installed on multiple computers into a single organizational unit. By moving printers into a single organizational unit, you can perform administrative functions on all of the printers in the organizational unit.
Installing Printer Drivers
To use a print device, the operating system on each computer that must connect to the print server requires a different version of the printer driver that is written for that operating system. Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP Professional and Windows Server 2003 client computers will automatically download the appropriate printer driver if a copy of the driver is on the print server.
For clients running Windows 3.11 or non-Microsoft operating systems, such as Macintosh or UNIX, you must manually install a printer driver on the client computers. You must also install a print service on the print server for these clients.
Setting Up and Managing Published Shared Folders
You can publish any shared folder that can be accessed by using a UNC name in Active Directory. A computer running Windows 2000 or Windows Server 2003 can use Active Directory to locate and connect to the shared folder. You can also define keywords and a description for the shared folders in Active Directory, and you can move shared folders to related organizational units. You publish shared folders by using Active Directory Users and Computers, but you must first share the folder and then publish the shared folder in Active Directory. To publish a shared folder:
After you publish a shared folder, you can add a description, which can provide more information about the shared folder, and keywords, which are a list of words that you can define for the shared folder object, to make it easier for users to locate the folder. To add a description and keywords to the shared folder objects:
Once a shared folder has been published, you can move the published folder to another container or organizational unit by moving the shared folder object, which contains information about or a reference to the shared folder, in Active Directory. The physical location of the shared folder does not change.
Auditing Access to Active Directory Objects
The procedure for enabling auditing consists of two steps: enabling the appropriate auditing policy and specifying the events to audit. Auditing access to Active Directory objects relates to operations performed on the domain controller. Therefore, the most appropriate place to enable auditing is the Default Domain Controllers Policy or a GPO linked to the Domain Controllers OU.