server 2003 slides
SkillSolve: Putting Skills Into Place
Ruth Cundy, Sales Manager
Quality training centre in a picturesque location
Purpose-built classrooms in a stunning barn conversion complex
Well-specified hardware
PC for every delegate: hands-on training
Official Curriculum Microsoft courses
Comfortable break-out area
Fully air-conditioned
Easy access from main motorways and railway station
Ample on-site parking
Microsoft education specialist
Focus on excellence in providing Microsoft skills:
Technical professionals
End user desktop training
Microsoft Certified Partner
Microsoft Certified Technical Education Centre
Technical Training
Clustering
Internet
Exchange Server 2003
SQL Server
SMS 2003
Windows 2003
Windows 2000
Microsoft .NET
Cisco
Citrix
Macromedia
Public schedule of Microsoft/Cisco/Citrix/Macromedia technical training courses
Bespoke One Company training courses
Compressed to enable less time out of the workplace
Project-managed training programmes
Total flexibility
VUE testing centre
Delegates can take tests at the training centre in which they learn, making the experience more comfortable
Ian Geercke, Microsoft Certified Trainer & Consultant
Windows Server 2003
Ian Geercke
Agenda
The Windows Server 2003 Family
New Active Directory Features
New Group Policy Features
Accessing Resources
Internet Information Server 6.0
System Security and Backup
New DNS Features
Questions
The Windows Server 2003 Family
Use for Web servers
Use for small businesses and departments as domain controllers and member servers
Use for medium and large organizations as application servers and domain controllers, and for clustering
Use for mission-critical solutions for databases, enterprise resource planning software, high-volume real-time transaction processing, and server consolidation
New Active Directory Features in Windows Server 2003
New Active Directory Features Overview
Members of the Anonymous Logon group are no longer in the Everyone group
Multiple selection of user objects
Drag-and-drop functionality
Saved queries
Ability to add additional domain controllers using backup media
Universal group membership caching
Secure LDAP traffic
Different location option for user and computer accounts
Multiple Active Directory application partitions
Active Directory quotas
New Domain-Wide and Forest-Wide Active Directory Features
Domain controller rename tool
Domain rename
Forest trusts
Forest restructuring
Defunct schema objects
Global catalog replication improvements
Replication enhancements
User access control to resources between domains or forests
Types of Trusts
Forest trust
Shortcut trust
External trust
Realm trust (to a Kerberos realm)
Diagram: the four trust types drawn between domains of Forest 1 and Forest 2.
How Trusts Work Across Forests
Diagram: a forest trust between the forest root domains nwtraders.msft (Forest 1) and contoso.msft (Forest 2), each forest with its own global catalog; the child domains vancouver.nwtraders.msft and seattle.contoso.msft take part in a nine-step cross-forest authentication sequence.
Forest Trust Authentication
Two types of inter-forest authentication:
Forest-wide: traditional trust where the user needs to provide an access token with sufficient rights
Selective: the resource server’s computer account must also have the “Allowed to Authenticate” permission explicitly set for the user or group attempting access across the trust
What Is SID Filtering?
Used with external trusts
Blocks spoofing with the SIDHistory attribute
Prevents attacks from malicious users with domain administrator privileges in the trusted domain
Enabled on all new outgoing external trusts by default
Impacts universal group access between forests
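The following is an added example, not part of the original deck, that models what SID filtering does to the authorization data arriving over an external trust: SIDs that do not belong to the trusted domain (a SIDHistory entry claiming the trusting domain, or a universal group from another domain in the trusted forest) are discarded before any access check. All domain SIDs are constructed, and the filter is a simplified model of the real behaviour.

```python
# Simplified model of SID filtering on an external trust (added example,
# not from the slides). All domain SIDs below are constructed placeholders.

TRUSTING_DOMAIN_SID = "S-1-5-21-1000-1000-1000"      # resource (trusting) domain
TRUSTED_DOMAIN_SID = "S-1-5-21-2000-2000-2000"       # account (trusted) domain
OTHER_FOREST_DOMAIN_SID = "S-1-5-21-3000-3000-3000"  # second domain in the trusted forest
RID_DOMAIN_ADMINS = 512


def domain_part(sid: str) -> str:
    """Domain identifier of an account SID: everything before the final RID."""
    return sid.rpartition("-")[0]


def is_domain_sid(sid: str) -> bool:
    """True for SIDs issued by a domain (S-1-5-21-...), False for well-known SIDs."""
    return sid.startswith("S-1-5-21-")


def apply_sid_filtering(authz_sids: list, trusted_domain_sid: str) -> tuple:
    """Quarantine the incoming authorization data: keep SIDs issued by the trusted
    domain itself plus non-domain (well-known) SIDs, drop everything else. This
    discards SIDHistory entries that claim another domain and, as the slide notes,
    universal groups from other domains in the trusted forest."""
    kept, dropped = [], []
    for sid in authz_sids:
        if not is_domain_sid(sid) or domain_part(sid) == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


def access_granted(allowed_sids: set, authz_sids: list) -> bool:
    """Allow-only ACL check: any matching SID grants access."""
    return any(sid in allowed_sids for sid in authz_sids)


def demo(sid_filtering_enabled: bool) -> bool:
    """Constructed scenario: an account from the trusted domain carries a SIDHistory
    entry equal to the trusting domain's Domain Admins SID (the spoofing case the
    slide says SID filtering blocks) plus a universal group from another domain."""
    token = [
        f"{TRUSTED_DOMAIN_SID}-1105",                  # the user's own SID
        f"{TRUSTED_DOMAIN_SID}-513",                   # Domain Users, trusted domain
        "S-1-5-11",                                    # Authenticated Users (well-known)
        f"{OTHER_FOREST_DOMAIN_SID}-1200",             # universal group, other domain
        f"{TRUSTING_DOMAIN_SID}-{RID_DOMAIN_ADMINS}",  # SIDHistory entry claiming the trusting domain
    ]
    resource_acl = {f"{TRUSTING_DOMAIN_SID}-{RID_DOMAIN_ADMINS}"}  # admins only
    if sid_filtering_enabled:
        token, _dropped = apply_sid_filtering(token, TRUSTED_DOMAIN_SID)
    return access_granted(resource_acl, token)


if __name__ == "__main__":
    print("without SID filtering:", demo(False))  # True: foreign SID honoured
    print("with SID filtering:   ", demo(True))   # False: foreign SID discarded
```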
New Active Directory Replication Features
Universal group membership caching
Partial attribute set replication
Linked value replication
Replica domain controller deployment
New Net Logon service and DNS settings
Inter-Site Topology Generator enhancements
What Is Universal Group Membership Caching?
At first logon, the local domain controller requests universal group membership information from the global catalog server
After the first logon, the local domain controller uses the cached copy of the universal group membership
Diagram: a small site whose domain controller holds the user’s cached universal groups, and a large site holding the global catalog with the universal groups.
LDAP Traffic Signing
Administrative tools running on computers with Windows XP Professional or Windows Server 2003 will sign all LDAP traffic to and from the domain
Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with
System State Data Backup and Restoration
First step for installing a domain controller from backup media
Backup can be placed on tape, CD, DVD or a shared resource
Restore on the computer being promoted to domain controller
Domain Renaming
Renaming domain controllers
Change the Domain Name System (DNS) and NetBIOS names of a DC
Use NetDom.exe
Renaming domains
Change the Domain Name System (DNS) and NetBIOS names of a domain
Forest restructuring
Allows you to move a domain anywhere within the forest in which it resides (except the forest root domain)
Use the domain rename utility (Rendom.exe) to rename or restructure a domain
Active Directory Application Partitions
Location in the directory to store application data
Program installs would normally create partitions
Use NTDSUTIL or VB scripts to create partitions manually
Can be replicated to:
All DCs in the forest
All DCs in a particular domain
Any individual DCs anywhere in the forest
What Is an Application Directory Partition?
Schema: contains definitions and rules for creating and manipulating objects and attributes; replicated forest-wide
Configuration: contains information about the Active Directory structure; replicated forest-wide
<Domain>: contains information about domain-specific objects; replicated domain-wide
<Application>: contains information about applications; configurable replication
Active Directory Quotas Configuration
Active Directory quotas:
Limit the number of objects that a security principal can own in a partition
Help prevent scripts running that create a large number of objects (either accidentally or maliciously)
Are specified and administered for each directory partition separately
Can be assigned to any security principal
If security groups are not assigned a quota, then the default quota on the partition governs the security principal
Group Policy
Resultant Set of Policies
Makes planning, implementation and troubleshooting of Group Policy easier
Group Policy Modelling
Use the Group Policy Management Console
Simulate the policy settings with different scenarios
Group Policy Results
Use the Group Policy Management Console
Check which policies are currently applied to a user or computer
Run from a Windows 2003 Server or Windows XP
Use on Windows 2000 and 2003 domains
Group Policy Management Console
What Are Software Restriction Policies?
You can use software restriction policies to:
Allow all programs to run unless explicitly prohibited
Allow no programs to run unless explicitly enabled
Rule types
Hash rule
Certificate rule (evaluated before the path rule, e.g. to allow only signed scripts to run)
Path rule
Internet zone rule
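As an added example (not from the deck), the evaluator below models how the four rule types are ranked when more than one matches, using the slide’s “allow only signed scripts” scenario: the default level is Disallowed, a certificate rule permits scripts from a constructed corporate publisher, and a hash rule still blocks one specific signed file. File contents, signer names and paths are constructed, and the hash rule is modelled with SHA-256.

```python
# Model of software restriction policy evaluation (added example, not from the
# slides). Rules, signer names, paths and file contents are all constructed.
import hashlib
from dataclasses import dataclass
from typing import List, Optional

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
PRECEDENCE = ["hash", "certificate", "path", "zone"]  # hash rules win over all others


@dataclass
class Rule:
    kind: str    # "hash" | "certificate" | "path" | "zone"
    match: str   # file hash, signer name, path prefix or Internet zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None   # subject of the code-signing certificate, if any
    zone: str = "Local intranet"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "hash":
        return rule.match == sha256_hex(exe.content)
    if rule.kind == "certificate":
        return exe.signer is not None and rule.match == exe.signer
    if rule.kind == "path":
        return exe.path.lower().startswith(rule.match.lower())
    if rule.kind == "zone":
        return rule.match == exe.zone
    raise ValueError(f"unknown rule type {rule.kind}")


def evaluate(rules: List[Rule], exe: Executable, default_level: str) -> str:
    """Most specific rule type wins (hash, then certificate, path, zone); among path
    rules the longest matching path wins; a tie goes to the more restrictive level;
    with no matching rule the default security level applies."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and rule_matches(r, exe)]
        if not hits:
            continue
        if kind == "path":
            longest = max(len(r.match) for r in hits)
            hits = [r for r in hits if len(r.match) == longest]
        return DISALLOWED if any(r.level == DISALLOWED for r in hits) else UNRESTRICTED
    return default_level


def signed_scripts_only_policy() -> List[Rule]:
    """Constructed policy for the slide's example: with the default level set to
    Disallowed, only scripts signed by the corporate publisher run, the Windows
    folder stays unrestricted, and one faulty signed script is blocked by hash."""
    return [
        Rule("certificate", "CN=Contoso Corp Code Signing", UNRESTRICTED),
        Rule("hash", sha256_hex(b"# revoked login script v1"), DISALLOWED),
        Rule("path", "C:\\Windows\\", UNRESTRICTED),
    ]
```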
Terminal Services Computer Management Using Group Policy
Terminal Services User Management Using Group Policy
New Software Distribution Policy Options
Option: Description
WMI filtering: Limits the application of a GPO to computers that meet criteria that you specify in the WMI filter
Install this application at logon: Allows an assigned application to be fully installed at logon
New Group Policy Security Features
Feature: Description
3DES encryption: Allows an administrator to require the use of Triple Data Encryption Standard (3DES) encryption for Encrypting File System (EFS) encryption and for Transport Layer Security (TLS) communications
Autoenrollment of user certificates: Allows an administrator to automate the issuance of user certificates
Wireless network policies: Allows an administrator to use Group Policy to automatically configure the security settings on client computers that connect to the organization’s wireless network
Accessing Resources
Shared Folder Permissions
Permission: Allows the user to
Read (default, applied to the Everyone group): view data in files and attributes; view file names and subfolder names; run program files
Change (includes all Read permissions): add files and subfolders; change data in files; delete subfolders and files
Full Control: includes all Read and Change permissions; enables you to change NTFS file and folder permissions
Changes to the Default Root Directory Permissions
Screenshots: Windows 2000 compared with Windows Server 2003
Special Permissions on NTFS Files and Folders
Screenshots: Windows 2000 compared with Windows Server 2003
Effective Permissions on NTFS Files and Folders
Internet Information Server 6.0
Changes in Internet Information Services 6.0
Change: Description
Metabase: now a pair of plain-text, XML-formatted files, MetaBase.xml and MBSchema.xml
Security: IIS 6.0 is not installed on members of the Windows Server 2003 family by default; when installed, it is set to a highly secure, “locked” mode by default
New mode of operation: IIS 5.0 isolation mode (legacy) and worker process isolation mode (new)
Secure Installation of IIS 6.0
Table: IIS components that are enabled, disabled or not available in a default installation of IIS 4.0, IIS 5.0 and IIS 6.0 (some entries depend on the installation). Components compared: static file support, ASP, ASP.NET, server-side includes, Internet Data Connector, WebDAV, Index Server ISAPI, Internet Printing ISAPI, CGI, FrontPage Server Extensions, Password Change Functionality, FTP, SMTP, NNTP and BITS.
What’s New in IIS 6.0?
Platform: IIS 4.0 on Windows NT 4.0; IIS 5.0 on Windows 2000; IIS 6.0 on Windows Server 2003
Security: IIS 4.0 has Windows authentication and SSL; IIS 5.0 adds Kerberos; IIS 6.0 adds a security wizard and Passport support
Remote administration: IIS 4.0 uses HTMLA; IIS 5.0 uses HTMLA and Terminal Services; IIS 6.0 uses the Remote Administration Tool (HTML) and Remote Desktop
Cluster support: IIS 4.0 in Windows NT 4.0; IIS 5.0 IIS clustering; IIS 6.0 Windows support
Metabase configuration: binary in IIS 4.0 and IIS 5.0; XML in IIS 6.0
Architecture: 32-bit in IIS 4.0 and IIS 5.0; 32-bit and 64-bit in IIS 6.0
Mail support: SMTP in IIS 4.0 and IIS 5.0; SMTP and POP3 in IIS 6.0
IPv6 support: IPv4 in IIS 4.0 and IIS 5.0; IPv4 and IPv6 in IIS 6.0
What’s New in IIS 6.0? (metabase)
Metabase structure: binary in IIS 4.0 and IIS 5.0; XML in IIS 6.0
Editing: MetaEdit.exe and ADSI scripts in IIS 4.0 and IIS 5.0; text editors, ADSI scripts and Metabase Explorer in IIS 6.0
Metabase disaster recovery: not automatic in IIS 4.0 and IIS 5.0; automatic history and simplified backup and restore in IIS 6.0
Updating IIS configuration: reboot the server in IIS 4.0; restart IIS in IIS 5.0; on the fly in IIS 6.0
Copying settings: the metabase is machine-specific in IIS 4.0 and IIS 5.0; in IIS 6.0 all non-machine-specific properties can be copied to any other IIS 6.0 server
Architecture in IIS 6.0
Isolate the core Web server from individual Web applications and applications from each other: HTTP queuing
Diagram: in kernel mode, HTTP.SYS receives and queues requests; in user mode, application pools are served by W3WP.exe worker processes, each hosting W3Core, ISAPI filters and the pool’s applications (ASP.NET applications run inside a .NET application domain in their own pool); INETINFO.exe hosts FTP, SMTP, NNTP and the metabase; SVCHOST.exe hosts W3SVC with the W3 Config Mgr and W3 Process Mgr.
What Are Application Pools?
A grouping of one or more URLs served by a worker process
Allow you to:
Apply configuration settings to groups of applications
Isolate applications by site, customer, level of functionality, or reliability requirements
Diagram: HTTP.SYS in kernel mode passes requests to an application pool in user mode, served by one W3WP.exe worker process hosting W3Core, ISAPI filters and all of the pool’s applications.
What Are Web Gardens?
Web gardens:
Are application pools that use more than one worker process
Enhance performance by providing robust processing of requests and reduced contention for resources
Use multiple worker processes for an application pool, smoothing applications that may get stuck on one process
Diagram: HTTP.SYS in kernel mode feeds a web garden in user mode, where several W3WP.exe worker processes (each with W3Core, ISAPI filters and the applications) serve the same application pool.
System Security and Backup
Microsoft Baseline Security Analyzer
Scanning modes
Software Update Services
Software that downloads all critical updates and security patches to servers and client computers as soon as the updates are posted to the Windows Update Web site
Diagram: the server running Software Update Services downloads from the Windows Update Web site over the Internet; client computers running Automatic Updates, along with a test server and test client computers, receive the updates from it over the LAN.
Software Update Services Process
Server-side processes
1. Start: the Software Update Services server runs its scheduled synch
2. Testing? If yes, test the new packages first; if no, go to step 3
3. Admin approves new packages
Client-side processes
4. Automatic Updates on the client checks the Software Update Services server
5. Is an administrator logged on? If yes, the administrator sees a status balloon and can defer installation; if no, go to step 6
6. Scheduled install job begins
7. Do any packages require a restart? If yes, the system reboots
8. Finish: AU waits for the next scheduled check
Guidelines for Testing Content for a Software Update Services Environment
Set up a test server running Software Update Services
Connect a test client computer that complies with the baseline configuration of your corporate desktops
Install the update, then test all corporate applications
Approve Software Update Services to distribute the update to the client computers
Device Driver Rollback
After updating device drivers, you might encounter problems such as stop errors or startup problems
If a problem occurs, you can revert to the previous version by using a Device Manager feature called Roll Back Driver
You cannot:
Roll back beyond one driver version
Roll back printer drivers
Simultaneously roll back drivers for all functions of a multifunction device
Why use device driver rollback:
If a problem occurs immediately after you update a device driver, you can restore the previous version by using device driver rollback
Automated System Recovery
What is Automated System Recovery?
How to Back Up System Data Using ASR
How to Recover from a Server Failure Using ASR
What Is Automated System Recovery?
A recovery option in the Backup utility that contains two parts: ASR backup and ASR restore
Can back up the operating system
Does not include data files
Creates a floppy disk, which contains information about:
Backup location data
Disk configurations (including basic and dynamic volumes)
How to accomplish a restore procedure
You can choose the All information on this computer option to back up all data including system data
Restoring a Server using Automated System Recovery
Boot the server from the original Windows 2003 CD
During the boot press F2 when asked if this is an ASR recovery
Insert the boot floppy created during the ASR backup when prompted
The OS drive will be reformatted and the OS re-installed
What Are Shadow Copies?
View the read-only contents of network folders as they existed at various points of time
Use shadow copies to:
Recover files that were accidentally deleted
Recover files that were accidentally overwritten
Allow backup of open files
Allow version checking while working on documents
Shadow copies:
Are enabled on a per-volume basis, not on specific shares
Are not a replacement for regular backups
When storage limits are reached, the oldest shadow copy is deleted and cannot be retrieved
To change the storage volume, delete the shadow copies first
Previous Versions Client Software for Shadow Copies
Previous Versions client software for Shadow Copies of Shared Folders is installed on the server in the %systemroot%\system32\clients\twclient\x86 directory
Place the client software on a shared resource and send an e-mail with instructions on how to download and use it
Client view of shadow copies
Use if users work with files that are located in shared folders on your network
Use to access previous versions of files
Shadow Copy Scheduling
Default shadow copy schedule is 7:00 A.M. and noon
Create a shadow copy schedule based on:
Do most workers work in the same time zone?
Does your organization need more than the default of two shadow copies daily?
How often can additional copies be made before additional storage will be needed?
Deploy a schedule and test it on a small group
Restore Files and Folders from Shadow Copies
A shadow copy is restored using previous versions of files and folders
If: Then
Copying a file: file permissions are set to default
Restoring a file: file permissions are not changed
Restoring a previous version of a folder: the shadow copy deletes the current version
The Previous Versions tab does not appear in Properties: shadow copy may not be enabled
No previous versions are listed: the file has not changed since the oldest copy was made
DNS
Understanding New DNS Features
What Is an Application Directory Partition?
Application Directory Partition Replication
Application Directory Partition Creation
DNS Application Directory Partition Management
What Is a Conditional Forwarder?
DNS Zone Types
What Are the Differences Between Conditional Forwarders and Stub Zones?
What Is an Application Directory Partition?
Schema: contains definitions and rules for creating and manipulating objects and attributes; replicated forest-wide
Configuration: contains information about the Active Directory structure; replicated forest-wide
<Domain>: contains information about domain-specific objects; replicated domain-wide
<Application>: contains information about applications; configurable replication
Application Directory Partition Replication
Diagram: domain controllers and DNS servers; the domain topology, the DNS directory application partition and the schema and configuration topology each replicate among a different set of domain controllers (DC and DC / DNS).
Application Directory Partition Creation
Created when the computer is promoted to be a domain controller
Storage zone options:
Standard zone storage
Directory-integrated zone storage
DNS Application Directory Partition Management
Tools: Description
DNS console: Allows you to change zone type and zone replication scope
DNSCmd tool: Allows you to create and manage zones and directory partitions
Ntdsutil command-line tool: Allows you to add or delete an application directory partition, or add or remove a partition replica, by changing replication notification times
Active Directory Service Interfaces (ADSI): COM-based interface that supports multiple directories and multiple languages such as C++, C#, Java, Visual Basic, and Microsoft Visual Basic Scripting Edition (VBScript)
LDAP: Permits low-level access to a directory from applications written in the C and C++ languages
What Is a Conditional Forwarder?
Type: Description
Forwarder: A DNS server that other internal DNS servers designate to forward queries for resolving external or offsite DNS domain names
Conditional forwarder: A DNS server used to forward queries according to domain names; settings on the DNS server consist of the domain names for which the DNS server will forward queries and the IP addresses of the DNS servers for the domain names specified; you cannot use a domain name in a conditional forwarder if the DNS server hosts a primary, secondary, or stub zone for that domain name
DNS Zone Types
Zones: Description
Primary: Read/write copy of a DNS database
Secondary: Read-only copy of a DNS database
Stub: Copy of a zone containing limited records
What Are the Differences Between Conditional Forwarders and Stub Zones?
Item: Description
Stub zone: A stub zone keeps the DNS server hosting a parent zone aware of all the DNS servers authoritative for a child zone
Conditional forwarder: A conditional forwarder setting configures the DNS server to forward a query it receives to a DNS server depending on the DNS name contained in the query
Questions?