Tutoriale Online

Tutoriale Online: learn online how it is done and how to do it correctly.


Tutoriale Online Windows Server 2003 Structural Modes, Subsystem, And Managers

Posted by ascultradio on October 6, 2009

STRUCTURAL MODES, SUBSYSTEMS, AND MANAGERS:

A surface view of the Windows Server 2003 structure reveals an elegantly simple arrangement of functions that separates system-related events from user-related events. As you move deeper into the components of Windows Server 2003, you will see that Microsoft has designed a very compartmentalized operating system. In this section we will review:

  • The structural layers of the kernel mode, the Hardware Abstraction Layer (HAL), and the user mode
  • The role of the Windows Server 2003 executive mode and its managers
  • The role of the Windows Server 2003 user mode and its subsystems

Structural Layer Modes

Windows Server 2003 functions in two primary modes: the privileged kernel, or executive, mode and the open, nonprivileged user mode. Low-level operating system services, system data, and interfaces to hardware are controlled by the kernel mode.

[Figure: user and kernel modes]

The user mode handles everything else that is subject to user interface or intervention, including the default Win32 subsystem, optional subsystems, and applications. User-mode code never touches system data or hardware directly; it reaches kernel services only through the system call interface exposed by the Executive, which is what keeps an application fault or a compromised process from corrupting the kernel.

The Windows Server 2003 Executive Mode

The Windows Server 2003 Executive is also known as the kernel mode and the privileged executive mode. Windows Server 2003 breaks its operations into five segments that run in the kernel or privileged mode:

  • Hardware abstraction layer (HAL)
  • Microkernel
  • Device drivers
  • Executive managers
  • Executive services buffer

[Figure: executive kernel mode]

Collectively, these elements handle the system responsibilities that are hidden from the user. In Windows Server 2003, the Executive controls essential operating system functions. Other functions are pushed into the nonprivileged area or into protected subsystems, as discussed in the next section. The elements of the Executive are discretely independent and exchange data through defined interfaces. In theory, any component can be deleted and replaced with a technologically updated version. Assuming adherence to the interface APIs, the operating system should function without difficulty after swapping Executive components.

Each element of the Executive exposes two kinds of interface. The system services are callable from user mode (through system calls) as well as from kernel mode. By contrast, the internal routines are used only to communicate with other managers or components within the Executive itself.

THE HARDWARE ABSTRACTION LAYER

At the base of the Windows Server 2003 Executive is the Hardware Abstraction Layer. Microsoft originally placed hardware-related interfaces in a discrete segment of code to ensure portability across platforms: early Windows NT was designed as a cross-platform operating system (it shipped for MIPS, Alpha and PowerPC as well as x86), and HAL provided the layer of code that accounted for system differences. That design criterion has since been dropped. Windows Server 2003 runs only on Intel-compatible platforms (32-bit x86 and 64-bit Itanium, with x64 editions following in Service Pack 1), so HAL now deals with chipset-, bus-, interrupt-controller- and multiprocessor-specific details rather than with differences between instruction sets.

Concentrating on a single architecture makes the writing of device drivers considerably more straightforward. With a published API, driver developers can write instructions for a device that are optimized for Windows Server 2003. Whenever possible, system administrators should use such enhanced device drivers.

In multiprocessor systems, HAL serves an additional function: it abstracts the interrupt controller and the interprocessor interrupts that the kernel uses to run threads on the next available CPU. The scheduling decision itself is made by the kernel, not by HAL. Thread priorities range from the real-time class (highest priority) down to the variable, or dynamic, class (lower priority), as discussed in a subsequent section.

THE MICROKERNEL

In operating systems such as Windows Server 2003 and UNIX, the base-level functions of operating system operation are managed by a kernel. In Windows Server 2003 this component takes the form of a nonconfigurable and nonpageable microkernel. By nonconfigurable, we mean that the microkernel is never modified and never recompiled; by nonpageable we mean that the 4-KB memory pages holding the microkernel are locked in physical memory and are never written out to pagefile.sys, where pageable memory is kept.

The microkernel dispatches and controls threads. (Where multiprocessors are involved, it also synchronizes that workload.) Dispatcher objects implement and synchronize events, semaphores, timers, threads, and mutants (the kernel object behind a mutex, which provides mutually exclusive access to a resource). Control objects regulate processes (as virtual address spaces), system interrupts, kernel profiles, and asynchronous procedure calls.

DEVICE DRIVERS

A device driver is a set of instructions that coordinates the operating system with hardware such as printers, storage units, modems, network equipment, fax machines, scanners, and digital cameras. The Windows Driver Model (WDM) theoretically allows a common set of device drivers across Windows versions. In theory, WDM should greatly reduce the system administrator’s burden of maintaining multiple device driver versions. With the release of Windows Server 2003 and Windows XP, this objective has been largely achieved for the first time.

In the case of streaming media software, the WDM has shifted the processing from the user mode to WDM Kernel Streaming. The objective was to improve overall speed and performance. An application must be specifically written for WDM to take advantage of this architecture. The same principle applies to the new WDM Still Image Architecture for specific support of digital cameras and scanners.

The virtual address space available for device drivers and for the system as a whole has grown significantly. In Windows 2000, device drivers were limited to 220 MB of system space; Windows Server 2003 allows up to 960 MB. Windows 2000 had a total system virtual address space of 660 MB on 32-bit systems, compared with 128 GB on the 64-bit editions of Windows Server 2003.

EXECUTIVE MANAGERS

The fourth segment of the Executive is a collection of tightly coupled components. Known collectively as the Executive managers, they allow the subsystems and user applications to access system resources. Perhaps the most visible change since Windows 2000 is the reworking of the Cache Manager and of the Configuration Manager (which implements the Registry): registry hives are now mapped through the cache rather than held in paged pool. The Executive managers are the following:

  • The Object Manager. This manager is responsible for the creation, deletion, and interim management of object resources: files, directories, threads, processes, ports, semaphores, events, symbolic links, and shared memory.
  • The Virtual Memory Manager (VMM). The VMM manages each process's 32-bit or 64-bit linear (virtual) address space. On 32-bit systems the 4-GB space is split by default into 2 GB for the system and 2 GB for the application. (The /3GB boot option, supported on the Enterprise and Datacenter Editions, shifts the split to 3 GB for applications; a process benefits only if its executable is linked as large-address-aware. Physical memory beyond 4 GB is reached through PAE and the Address Windowing Extensions (AWE) APIs, for which applications must be specifically coded.) As required, the VMM moves pages between physical memory and disk; this demand paging uses the physical hard drive to effectively expand total memory availability.
  • The Process Manager. Windows Server support for program processes is controlled by threading. A thread is a logical sequence of instructions that is executed to completion or until a higher-priority thread temporarily preempts it. The Process Manager specifically monitors thread and related process objects. Later discussion will clarify the roles of threads and processes.
  • The Interprocess Communication Manager. This Executive manager provides both local procedure calls (LPCs) and remote procedure calls (RPCs). The Local Procedure Call facility carries messages between processes on the same computer, for instance between an application and the Win32 subsystem process or the security subsystem, and between user-mode components and their kernel-mode server counterparts. The Remote Procedure Call facility manages client/server communication across different computers.
  • Security Reference Monitor (SRM). Every attempt to create or open an object passes through the Security Reference Monitor. The SRM itself runs in kernel mode; its user-mode counterpart is the Local Security Authority subsystem (LSASS), which handles logon, audit policy and the security database. As discussed later, each securable Windows Server object carries a security descriptor that names an owner and holds a discretionary access control list (DACL), plus a system ACL for auditing. Each user or group with rights on the object has an access control entry (ACE) in the DACL that pairs its security ID (SID) with an access mask and an allow-or-deny type. At logon each user is issued an access token listing the user's SID, group SIDs and privileges; the token operates as a passkey, and the SRM compares it with the object's DACL, in ACE order, to decide whether the requested access is granted. For greater detail, refer to “Permissions Security, Folder Sharing, and Dfs.”

[Figure: reference monitoring]

  • I/O Manager. All input and output functions are controlled by the I/O Manager. These activities are broken into several components that regulate the input and output of the system cache, file system, network drivers, and specified devices.

[Figure: I/O Manager]

  • Window Manager and Graphics Device Drivers. The Window Manager and the graphics device drivers (GDI and the display drivers) were moved from user mode, where they lived in Windows NT 3.51 and earlier, into kernel mode in Windows NT 4.0, and they remain there in Windows Server 2003. Applications call the Win32 API and the work is carried out by win32k.sys; the display driver talks to the hardware through HAL. The security consequence is worth keeping in mind: a defect in win32k.sys or in a third-party display driver is a defect in kernel mode, so display drivers deserve the same scrutiny as any other kernel-mode code.
  • Plug and Play Manager. The new Plug and Play Manager reduces the mundane system administration burden of identifying and configuring devices on the network. It activates devices and adds devices via automatic discovery or with the assistance of the Hardware Wizard.
  • Cache Manager. The Cache Manager keeps recently used file data in memory so that reads and writes can be satisfied without going to disk; the operating system faults code and data into memory from disk in 4-KB pages as they are touched. Windows XP and Windows Server 2003 add a logical prefetcher on top of this: it records which pages an application touches during its first seconds of startup (roughly 10 seconds), stores that trace, and on the next launch asks the Memory Manager to read those pages in one pass before they are demanded. The Task Scheduler takes part by signalling a named event at idle time so that the collected traces can be processed.
  • Configuration Manager. The Configuration Manager implements the Registry inside the kernel-mode Executive. It was rewritten so that registry hives are mapped through the Cache Manager instead of being held entirely in paged pool, which removes the former hard ceiling (about 376 MB) on total registry size; this improves performance and supports the larger registries of Terminal Server systems. The Configuration Manager also plays a security role: it keeps its own cache of security descriptors, so a descriptor shared by many keys is stored once, and every key open is still checked by the Security Reference Monitor against that descriptor.
  • Power Manager. This manager regulates the power states of the computer and its devices. On systems with power-management support, Windows Server 2003 can automatically and remotely order a system to boot, shut down, or go into hibernation.
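The Security Reference Monitor's comparison of an access token with an object's DACL, described above, is easiest to understand by running it. The following is an added example, not code from the original page: a compact model of the documented Windows access-check algorithm (walk the ACEs in order, stop at the first deny that intersects the bits still wanted, accumulate allows until nothing is left wanted). The ACE/SecurityDescriptor/Token classes, the access-mask bits and the SIDs are constructed for illustration; the real SRM also grants the owner READ_CONTROL and WRITE_DAC implicitly and handles MAXIMUM_ALLOWED, which this model omits. The misordered descriptor shows why canonical ACE order matters: a deny placed after an allow for the same bits is never reached.

```python
"""Model of Security Reference Monitor DACL evaluation (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed generic access bits (real masks are 32-bit and also carry
# standard rights such as READ_CONTROL and WRITE_DAC in the high bits).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | EXECUTE | DELETE


@dataclass
class ACE:
    kind: str              # "allow" or "deny"
    sid: str               # trustee SID string, e.g. "S-1-5-21-...-1001"
    mask: int              # access bits this ACE allows or denies
    inherited: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    # None models a NULL DACL (no protection: everyone gets everything);
    # an empty list models an empty DACL (nobody gets anything).
    dacl: Optional[List[ACE]] = None


@dataclass
class Token:
    user: str
    groups: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user} | self.groups


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> Tuple[bool, int]:
    """Return (granted?, mask actually granted) for the requested bits."""
    if sd.dacl is None:
        return True, desired           # NULL DACL: unprotected object
    held = token.sids()
    granted, remaining = 0, desired
    for ace in sd.dacl:
        if remaining == 0:
            break                      # everything wanted is already granted
        if ace.sid not in held:
            continue                   # ACE names someone not in the token
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False, granted  # first matching deny wins
        elif ace.kind == "allow":
            newly = ace.mask & remaining
            granted |= newly
            remaining &= ~newly
    return remaining == 0, granted     # leftover wanted bits => denied


def is_canonical(dacl: List[ACE]) -> bool:
    """Canonical order: explicit denies, explicit allows, then inherited
    ACEs (again deny before allow). A deny that sits after an allow for the
    same bits may never be evaluated, which is why order is a security issue."""
    def rank(a: ACE) -> int:
        return (2 if a.inherited else 0) + (0 if a.kind == "deny" else 1)
    ranks = [rank(a) for a in dacl]
    return ranks == sorted(ranks)


# Constructed SIDs and descriptors for the demonstration.
ALICE = "S-1-5-21-1000"        # a user
STAFF = "S-1-5-21-513"         # a group Alice belongs to
EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-32-544"        # owner of the sample objects
ALICE_TOKEN = Token(user=ALICE, groups={STAFF, EVERYONE})

# Intended policy: Staff may read and write, but Alice personally may not write.
CANONICAL = SecurityDescriptor(owner=ADMINS, dacl=[
    ACE("deny", ALICE, WRITE),
    ACE("allow", STAFF, READ | WRITE),
])
# Same ACEs, wrong order: the allow satisfies WRITE before the deny is reached.
MISORDERED = SecurityDescriptor(owner=ADMINS, dacl=list(reversed(CANONICAL.dacl)))
EMPTY_DACL = SecurityDescriptor(owner=ADMINS, dacl=[])
NULL_DACL = SecurityDescriptor(owner=ADMINS, dacl=None)

if __name__ == "__main__":
    for name, sd in [("canonical", CANONICAL), ("misordered", MISORDERED),
                     ("empty", EMPTY_DACL), ("null", NULL_DACL)]:
        ok, mask = access_check(sd, ALICE_TOKEN, WRITE)
        print(f"{name:10s} WRITE -> {'granted' if ok else 'denied '} mask={mask:#x}")
```

Two details of the model carry over directly to administration: a NULL DACL and an empty DACL look similar but mean opposite things (no protection versus no access), and the GUI ACL editors warn about non-canonical DACLs precisely because, as MISORDERED shows, an out-of-place deny ACE is silently ineffective.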

THE EXECUTIVE SERVICES BUFFER

The Executive Services buffer is a relatively thin layer of code that sits on top of the other Executive components. It is the boundary between user mode and kernel mode: every system call from user mode is dispatched through it, and it validates the call's arguments before routing the request to the manager that services it.

The Windows Server 2003 User Mode

The user mode comprises components that work together to facilitate user and application integrity. It has two parts:

  • Protected environmental subsystems. Windows Server 2003 supports user-mode subsystems that maintain specific requirements for native Windows (16- and 32-bit Windows and legacy MS-DOS) applications as well as user-related system calls; the POSIX and OS/2 subsystems of earlier versions are no longer present. An examination of protected subsystems follows.
  • Dynamic integral user intervention. This part oversees the unprotected actions of individual users. We discuss the impact of this dynamic intervention when we deal with the processes later in this chapter.

THE PROTECTED USER MODE SYSTEM

The subsystem structure can be viewed as a buffer between user applications and the kernel-mode services structure. The term protected refers to these subsystems because they are not directly changed or modified by the administrator or the user but merely pass and manage API calls. They are configurable only through APIs and built-in utilities.

Windows Server 2003 supports two protected subsystems:

  • The integral subsystem performs underlying operating system tasks—for example, security management.
  • The environmental subsystem establishes the foundation for applications and user interfaces.

Integral Subsystems

The integral subsystems overlay and interact with the environmental subsystems. For example, the API that provides access to the network is either the Workstation Services or the Server Services subsystem, depending on the version of Windows Server installed. As another example, the integral Security subsystem acknowledges logon requests, authenticates logons, monitors the use of resources by a user, and manages user rights and permissions.

Environmental Subsystems

The user mode supports three environmental subsystems, as shown in the figure. The intent behind this was to provide support for applications originally written for other operating systems or to make porting of applications easier. Depending on the environmental subsystem, this “support” ranges from executing shrink-wrapped applications to merely providing programming APIs. With Windows Server 2003, this multiple-environment subsystem support has been reduced.

[Figure: subsystem relationship]

Environmental subsystems may be thought of as operating system “multiple personalities.” The Win32 subsystem provides native support for applications written to support Microsoft’s 16- and 32-bit APIs. The other subsystems are a set of APIs that emulate other operating system calls.

  • Win32 subsystem. Win32 is the mother of all subsystems. It supports standard Windows Server input and display output; specifically, it controls the graphical user interface. All Win32 applications run directly inside this subsystem. Win32 also keeps an arm’s-length relationship with the other subsystems, switching personalities when necessary.

    MS-DOS and 16-bit applications use both the Virtual DOS Machine (VDM) and the Win32 subsystem. The VDM is created automatically when these programs are launched. The application process technically runs as a VDM process, but its display handling is offloaded to Win32. Because API “stubs” support the old graphical drivers and dynamic-link libraries (DLLs), Win16 applications generally operate without affecting other operating system activities. It should be remembered that Windows Server 2003 is a preemptively multitasking operating system that supports numerous processes simultaneously. In the case of Win16 applications, WOW, or Windows on Windows, defines the interplay between the VDM and Win32.

  • OS/2 subsystem. The OS/2 subsystem was available in Windows NT and Windows 2000 but is not supported on Windows Server 2003.
  • POSIX subsystem. The Portable Operating System Interface computing environment subsystem was available in Windows NT and Windows 2000 but is not supported on Windows Server 2003.

For those interested in POSIX and UNIX interoperability, Microsoft offers Services for UNIX 3.0 as an optional package. It provides an assortment of UNIX applications and utilities, including Korn and C shell support and NFS, so that many scripts written in a UNIX environment can be moved directly across to Windows Server 2003. The Interix code replaces Microsoft’s POSIX subsystem and overlays a complete UNIX 95 environment within Windows; in this configuration true operating system interoperability is achieved, and existing UNIX applications can be migrated to Windows Server 2003 with comparative ease. Among the common UNIX features that Interix provides are the following:

  • More than 300 UNIX commands and utilities
  • Shell support for the Korn shell, Bourne shell, and C shell
  • Scripting languages—awk, Perl, sed, Tcl/Tk—with full shell job control
  • POSIX.1, POSIX.2, and ANSI C interfaces
  • BSD sockets implemented with Winsock
  • SVID IPC (message queues, semaphores)
  • Shared memory, memory-mapped files
  • ODBC and OpenGL application library support
  • X11R5 Windowing System clients and libraries
  • The X11R6.3 Windowing System display server
  • X11R6 fonts and font management
  • The OSF/Motif® 1.2.4 Window Manager and libraries
  • Execution of Win32 applications from Microsoft Services for UNIX
  • Full tty semantics mapped to console windows and pseudoterminal support
  • Full integration with the Windows NT security model, administration, file systems, networking, and printers
  • Telnetd and rlogind services (multiuser logon support)
  • Berkeley r-utilities (servers and clients)

MKS and its DataFocus division’s NutCRACKER development product also provide POSIX utilities and application porting directly to the Win32 API. One caution applies to either package: telnetd, rlogind and the Berkeley r-utilities send credentials and session data in cleartext and rely on host-based trust, so they should stay disabled on a server unless they are genuinely needed.



Tutoriale Online Windows Server 2003 Postscript

Posted by ascultradio on October 6, 2009

POSTSCRIPT:

Windows Server 2003 is a powerful enterprise operating system, particularly in its management tools and security features. The consolidation of many system administrator activities under the Microsoft Management Console streamlines the administrative burden, and the Web-based interface provides the consistency that was missing in earlier versions of Windows NT. Moreover, the addition of scripting should make life more controllable for system administrators grounded in other operating systems such as UNIX. The addition of tools makes management of Microsoft Windows Server 2003 both easier and more complex. Such is the reality of modern enterprise system administration.


Tutoriale Online Windows Server 2003 Features And Administrative Implication

Posted by ascultradio on October 6, 2009

Windows Server 2003 Features And Administrative Implications:

Windows Server 2003 enhances Windows NT and Windows 2000 features and adds many functions, each of which has a direct impact on system administration. Rather than merely outline the major new features and enhancements, we will look at them from the administrator’s perspective.

.NET Framework

The greatest single implication of the .NET Framework for administrators is the requirement to look at the network as a global entity. The enterprise is no longer just a group of users that must get access to clients and servers. Traditional views of static applications must give way to the concept of computing services. This global view forces the administrator’s job to expand greatly in scope and complexity. Therefore, in order for an operating system like Windows Server 2003 to be successful, it must enhance the flexibility and power of the system administrators.

Make no mistake about this brave new world: for every functional advancement there will be additional challenges. Whenever productivity depends on exchanging communication outside the enterprise, security takes center stage, and each new opportunity to perform management functions remotely is also an opportunity for unwanted intrusion.

Despite these issues, the system administrator's role should be greatly augmented by Windows Server 2003. Mundane responsibilities such as applying an endless number of software patches should shrink, and the user experience can be improved at the same time. By giving users access to real-time services that the system administrator manages safely, the universe of computing is greatly enhanced. As you begin to understand and use Windows Server 2003 and the .NET Enterprise Server applications, move cautiously but deliberately toward an Internet services paradigm.

The Active Directory

In Windows Server 2003, everything is treated as an object, including users, computers, files, and network elements. A core innovation of Windows 2000 and Windows Server 2003 is the Active Directory, which manages all domain objects in a hierarchical and replicated structure, thus allowing a significant difference in the way an administrator can conduct business. From a central location, administrators with appropriate permissions can add, delete, modify, and view objects and services anywhere in the domain, domain tree, or forest.

Some highlights of the Active Directory, detailed in later chapters, are:

  • Advanced data query functions. The Active Directory’s Global Catalog of objects on the network makes it easy for the system administrator and authorized users to drill down to the object attribute level.
  • Directory replication. The Windows NT structure of a primary and a backup domain controller is replaced by a multimaster arrangement in which directory replication occurs across peer domain controllers. This provides greater redundancy and higher data availability.
  • Adherence to standards. System name resolution in the Active Directory depends on the Domain Name System (DNS) over TCP/IP. System administrators with network knowledge of TCP/IP and DNS will have an advantage when managing the directory.
  • Extensible schema. The Active Directory can be dynamically altered to include new objects and even to modify attributes of existing objects. This means that the administrator can dynamically change the object definitions and associated attributes to meet enterprise requirements. Windows Server 2003 specifically improves the manageability of the schema by permitting the deactivation of attributes and classes.
  • Interoperability. Working with different operating systems and directory services is a constant challenge. The goal of the Active Directory is greater interoperability. Consequently, the directory exposes the Lightweight Directory Access Protocol (LDAP v3), so objects can be resolved by Windows Server 2003 clients and by heterogeneous environments alike; Windows Server 2003 adds fast concurrent LDAP binds. Note that a simple LDAP bind sends the password in the clear, so LDAP signing or LDAP over SSL/TLS should be required on any directory reachable from untrusted networks. The Name Service Provider Interface (NSPI) provides directory services interplay with Microsoft’s Exchange Server. The Windows Server 2003 enhancement that lifts the RDN restrictions that were not X.500-compliant should also enhance interoperability.
  • Greater flexibility. Windows Server 2003 specifically expands the flexibility of Active Directory in many directions including an expanded ability to handle objects and reconfigure trees and domains.

The Interface

The interface to the operating system involves much more than how windows are displayed and how the pull-down menus function. Yes, a clean and familiar user interface makes user training and support easier. With regard to system management, it also dictates how easily administrative tasks can be accomplished locally, through a network, or over the Internet. Equally important is the flexibility of the interface to accommodate both standard tools and custom scripts. Another chapter focuses on the administrative and user interface improvements provided in Windows XP and Windows Server 2003.

THE USER INTERFACE

The default user interface of Windows XP and Windows Server 2003 is newly enhanced to reduce clutter and improve accessibility. However, if a user prefers the familiar Windows 98 look and feel, the “classic view” can be applied.

Easy navigation through the operating system is basic to overall usability. The Adaptive Start function, for example, tracks the most used features and promotes them on the menu, and hides other items until they are required. This reduces the clutter of older menus. Even so, system administrators can count on receiving calls from users about “missing” functions until the users become familiar with the Adaptive Start feature.

The enhanced search and help features should lighten the system administrator’s load. On the client side, users can now seek support online from fellow workers. Working with the Active Directory, users can locate objects anywhere in the domain. All persons and resources are treated as objects with specific attributes. Searches can be conducted based on the name of the object (or a part thereof) or its attributes. In the case of a document, one attribute would be its contents.

Personal settings established by users can be mirrored in a central store that permits easy retrieval. Thus, users can log on to any computer on the network and have their personal preferences reflected in that environment. A comfortable user is generally a happy user.

In global enterprises, internationalization becomes an important end-user support issue for the administrator. The multilingual support of Windows Server 2003 makes it possible to edit in any supported language or combination of languages.

THE ADMINISTRATOR INTERFACE AND TOOLS

Most system administrators seek simplicity but demand power in their interface. For that reason, administrative tools, in particular those that hide the background process like Windows wizards, must be rock solid, stable, and reliable. Many administrators coming from character-based environments such as UNIX distrust automated tools they cannot directly control at every stage; they should revise this view, because much of Windows Server 2003 administration is based on wizards. Fortunately, our testing shows that the stability and reliability of wizards have largely been achieved. For greater interoperability, Microsoft also offers the optional Services for UNIX 3.0 suite, which provides a complete POSIX environment and hundreds of UNIX commands within Windows Server 2003.

System administrators also rely on facilities that support character-based command-line interfaces and a wide variety of scripts. The Windows Script Host provides a direct interface to the VBScript and JScript engines; the user can write and execute scripts for these engines in the same way a UNIX user might write a Perl or Korn shell script. Because such scripts run with the full privileges of the user who launches them, and are a favourite vehicle for e-mailed malware, access to the script engines should be restricted by policy on machines that do not need them.

Underlying the management of Windows Server 2003 is Microsoft’s Zero Administration Windows (ZAW) initiative. While the term “zero administration” is at best an oxymoron because all operating systems require some level of management, Microsoft’s goal was to provide a more intelligent approach to system management. Many of the tools under the ZAW umbrella go a long way toward it. ZAW is divided into several initiative areas that deserve mention here:

  • Central policy administration. User and group policies can be effectively managed by a centralized system administration function. These policies can be applied by a site, a domain, or an organizational unit. The most common types of centralized policy administration involve security, file use, software publishing/distribution, and scripting.
  • Web-Based Enterprise Management (WBEM). Windows Server 2003 embraces Web-Based Enterprise Management, using the industry-standard Common Information Model (CIM) adopted by the Distributed Management Task Force (DMTF, formerly the Desktop Management Task Force) for application and system management. WBEM resulted from the efforts of Microsoft, BMC Software, Cisco Systems, Compaq Computer, Intel, and many other DMTF member companies to establish management infrastructure standards; it provides a standard way to access information about hardware and software components and so gives consistency across operations and configuration management. Windows Management Instrumentation (WMI) is Microsoft's implementation of WBEM: a management infrastructure through which administrators monitor and control managed objects on the network. Its Component Object Model (COM) API can be driven from scripts through the Windows Script Host to query enterprise systems, and it is extensible by system administrators and third-party software and hardware vendors alike.
  • System management tools. As discussed throughout this book, administrators are provided a wide range of graphical tools for administration of both local systems and domains. For example, with the Computer Management tool a local user can assume an administrative role (provided Administrator rights are granted) to fine-tune the performance of a local machine. For the system administrator, this tool also supports troubleshooting for remote systems on the same network or virtually anywhere. The Task Scheduler allows the user and the system administrator to establish specific parameters for the execution of programs and events at the desired time. Windows Server 2003 system backup is now integrated with the Task Scheduler, giving automatic system backup without direct human intervention to hard drives, tape, recordable CD-ROM, robotic tape changers, and the like. The Removable Storage Manager can administer tape or disk mounting at the scheduled time. However, file shares, system sessions, and connections are more effectively managed with the Files Service Manager. The foregoing represents only a small portion of the tools available to the system administrator.
  • Software management. The software management infrastructure permits the assignment of applications to specific users and computers. Applications can also be “published” to a server and then added, upgraded, or removed as the user requires. The concept of publishing applications to the enterprise reduces traditional system administrator support of common applications installation. Users who must roam among systems can get access to those applications in which they have assignment through the IntelliMirror technology. Finally, as systems are replaced, the need for individualized application installation is greatly reduced.
  • Microsoft Management Console (MMC). A common frustration in computer management is attempting to learn and manage a variety of disjointed tools. To alleviate it, Windows Server 2003 permits the consolidation of tools into one or more Microsoft Management Consoles, illustrated in the figure. Because the MMC is extensible, “snap-in” application tools can be included as Windows Server 2003 evolves and as third-party management software becomes available. Microsoft publishes an API to facilitate the development of management tools with a common look and feel. Thus, administrators can now go to a single point and use tools that have the same interface. The MMC can be shared with other administrators and used to delegate selected tasks.

[Figure: Microsoft Management Console]

Networking and Communications

Network connectivity and other forms of communication are another area of concern to system administrators. Given the central role of Web services for Windows Server 2003, this may be the most significant focus for administrators. Windows Server 2003 has a number of wizards that facilitate connectivity and reduce some of the more mundane system administrator activities. Its tools and support for protocols aid in the management of Internets and intranets.

Windows Server 2003 supports a Network Connections Wizard that walks the end user and system administrator through network, dial-up, virtual private network (VPN), and serial connections. This facility controls configuration setup and management, allowing protocols and services to be set for each connection. From a user’s perspective, offline browsing that permits review of a Web page after disconnection and subscription support for automatic Web page updates is a valuable addition.

In addition to the more standard forms of connectivity, Windows Server 2003 provides administrator tools to support advanced communications, for example the creation, viewing, and management of VPNs. Windows Server 2003 supports both the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP) secured with Internet Protocol Security (IPSec); IPSec can also be employed on its own. VPNs permit a sales office to connect “virtually” through the Internet to corporate headquarters in a secure tunnel. Of the two tunnelling protocols, L2TP/IPSec should be preferred: PPTP's MS-CHAP v2 authentication and MPPE encryption have known weaknesses, so PPTP is best reserved for clients that can use nothing else.

The Windows Server 2003 family has added many enhancements in the communications and networking arena. They include:

  • Enhanced support for the TCP/IP suite, including a Telnet server and SMTP native support
  • Reliance on dynamic Domain Name Services (dynamic DNS)
  • Multiple protocol routing through the Routing and Remote Access Service (RRAS) that enables IP, IPX, and AppleTalk routing
  • The PPTP and L2TP
  • The Routing Information Protocol (RIPv2)
  • Asynchronous Transfer Mode (ATM) support
  • Fibre Channel 1-GB-per-second bus data transfer

Hardware Support

Hardware management can be a nightmare. However, Windows Server 2003 is based solely on Intel-compatible systems, so the requirement to support dozens of proprietary architectures is reduced. Even so, hardware support will continue to be an important administrative task. To confirm hardware compatibility, it is recommended that you refer to the regularly updated Hardware Compatibility List on the Microsoft Web site.

The Win32 Driver Model (WDM) theoretically establishes binary driver compatibility and I/O services with earlier Windows environments and Windows .NET. Windows NT system administrators frequently complained about the lack of support for certain devices supported by Windows 95/98. Windows Server 2003 is working to overcome this limitation, which should greatly reduce administrative headaches caused by hardware incompatibility. However, given the thousands of devices available, the updating process will surely continue for many years.

Windows Server 2003 provides a more robust Plug and Play facility with a significantly larger set of device drivers. Support for the universal serial bus (USB) permits the operating system to dynamically detect connected hardware and then install the device driver automatically. Printer device improvements are particularly significant. Users can send documents (including those using the Image Color Management 2.0 API) to printers connected to an intranet or the Internet. The Advanced Configuration and Power Interface (ACPI) streamlines both Plug and Play and power management. Also supported is fibre channel technology for the transmission of data at 1 GB per second. Smart cards (e.g., for secure transmission of online banking) and flash memory can also be used in connection with Windows Server 2003. Finally, Windows Server 2003 supports such graphics and multimedia standards as DirectX 8.0, Direct3D, and DirectSound acceleration technology.

Windows provides an assortment of utilities that make life easier on the desktop. The Hardware Wizard attempts to find and configure attached devices, although we found this to be a mixed blessing because it is difficult to turn off. The Device Manager, however, is a handy application designed to configure devices and resources interactively. Also useful is the Windows Installer service, which manages application installation, and the OnNow applet, which places the system in hibernation when not in use, thereby reducing battery use on portable systems.

File and Storage Systems

Disk management and storage and backup cause many headaches for system administrators. A number of automated tools in Windows Server 2003 greatly reduce these manual burdens while enhancing utilization. They include:

  • Windows 95/98 and Windows NT file system compatibility. Windows Server 2003 maintains base-level compatibility with earlier Windows environments. Its native file system is NTFS 5, enhancements to which include file encryption using public keys and tracking of distributed links. With respect to Windows 98, Windows Server 2003 fully supports the FAT32 file system; disk defragmentation is supported for FAT, FAT32, and NTFS volumes.
  • Disk quota utility. Windows Server 2003 supports disk quotas to limit user storage and to monitor the status of such limits.
  • Universal Disk Format. This format permits the exchange of data with DVD and compact disk media.
  • Removable Storage Management. RSM supports tape and disk libraries through a common interface.
  • Remote Storage Service. RSS intelligently monitors frequently used files and periodically sends the most used items to backup. In conjunction with RSM, RSS sends infrequently used files to the library, where they can be filed until retrieved as needed. All directory information on the files is retained so that retrieval becomes seamless. RSS greatly reduces the need to add local hard disk capacity.
  • Distributed File System (DFS). With this distributed model, a single directory tree can be created and maintained across several file systems, file servers, or even the entire enterprise. This permits a more global view of resources and data across the network.

Security and Authentication

Windows Server 2003 comes of age as a greatly enhanced security-aware enterprise operating system. As discussed in detail in  through , it fully embraces a wide variety of technologies to protect the enterprise. For example, the Kerberos security standard is used by the Active Directory for single-point enterprise logons. Public key certification is based on the X.509 standard and is integrated with the Active Directory. To facilitate administration, the Security Configuration Editor permits fine-tuning of security-sensitive registries, files, and system services.

Microsoft has adopted the IPSec model in its IP Security management tools. The Encrypted File System extends the NTFS with the ability to provide public key encryption of disk-based files. Finally, a smart card infrastructure permits secured transmission of sensitive data between systems and in mobile situations.

The enhanced support of new security technologies by Windows Server 2003 represents a real opportunity for system administrators. Through the proper development and deployment of security policies, better protection from unwanted breaches can be achieved. For example, the administrator can monitor potential attacks and close possible security leaks before damage is done. In essence, the administrator becomes a proactive agent for security rather than a reactive defender of the realm.


Tutoriale Online Windows 2003 Server Administrative Roles

Posted by ascultradio on October 6, 2009

Windows 2003 Server Administrative Roles :

Windows Server 2003 defines a universe of system administration responsibilities. Yet only a few system administrators have the broad enterprise-level view. Instead, they have specialized responsibility for planning and deployment of such things as domain controller servers, domain models, the Active Directory, sites, security policies, and network infrastructures.

Because the majority of administrators perform these more specialized functions, Windows Server 2003 allows the assignment and delegation of both broad and function-specific roles. An administrator could have all or a portion of these management responsibilities:

  • Operating system maintenance— the health of the operating system’s processes and services. The monitoring and logging tools help tune individual computers, domain controllers, and specialized server performance. In this work, many administrators find both standard tools and custom scripts handy.
  • User and group management— adding, modifying, and deleting user accounts and group policies. Windows Server 2003 security groups are used to establish the rights and privileges of individuals and groups of users. Underlying group policies are the establishment and enforcement of security and user behavior. The Active Directory services manage the distribution of group policies. This includes such activities as logon and password management, and granting or restricting permissions and access.
  • Hardware and device management— the health of the physical network devices, computers, and peripherals. Microsoft provides a Hardware Compatibility List (HCL) to assess the viability of a given item of hardware in a Windows environment. This also permits the system administrator to ensure that the most recent device drivers for the hardware components are being used. This involves not only traditional network hardwired connections but also such items as wireless devices and assessment of Internet and intranet bandwidth.

System Administrative Roles

Scope of Responsibility

Windows Server 2003 provides for levels of administrative authority, for which there exists a relative hierarchy. An administrator gains authority by becoming a member of one or more built-in or default security groups, inheriting the rights, privileges, and restrictions associated with each. In we explore group policies in depth. However, for the sake of this discussion of administrative roles, we note that responsibilities are assigned through the accumulation of group memberships.

Levels of Administrative Responsibility

Another important concept is specialized function versus broad responsibility. Members of different groups have broad-based authority to manage domain activities. These include Administrators, Domain Admins, and Enterprise Admins. The scope of authority can be granted to other users with specialized functions—for example, printer support or backup operations. The specialized security groups are Account Operators, Backup Operators, Printer Operators, Replicators, and System Operators. Membership in these groups can be assigned individually or in any combination.

The final major concept is granularity. The organizational unit (OU) is a structural mechanism (also viewed as a container object) by which domains can be divided into smaller elements such as a sales department. In turn, this OU can be divided into other units that involve users, devices such as printers, and network components. Each parent and child OU can then be assigned specific system administrators to manage the allotted functions.


Tutoriale Online Windows 2003 Understanding The .Net Framework

Posted by ascultradio on October 6, 2009

Windows 2003 Understanding The .Net Framework :

The .NET Framework attempts to transform applications to online services that can be used over the Internet or in intranet environments. The underlying goal is to provide customized and comprehensive solutions to users regardless of a user’s location or computer system. To achieve this goal, the server-centric approach to computing that currently defines the Internet must change. Another challenge is to break away from the concept of localized client-based applications. Looking into the future, a user should be able to log on to any system and get access to its data, applications, and even familiar settings. To realize this ability requires looking at applications and systems not as standalone entities but as services that are called on demand by the user. These application services could replace packaged software and be rented or leased over the Internet. Packaged software will probably not disappear, but Microsoft officials believe that this new model will radically affect the way businesses and consumers obtain up-to-date products and conduct business. Individual and corporate users conceptually will be able to get applications on demand through either a subscription or a rental arrangement. A prime example of how this could work is the automatic operating system update facilities provided by Windows XP and Windows Server 2003. When patches need to be applied, updates over the Internet can be applied automatically or interactively.

Foundation Technologies

The concepts underlying .NET are industry-standard technologies that should enhance its acceptance and interoperability. Microsoft believes that this approach is founded on the basic principles of common description, connection, communication, and discovery.

The eXtensible Markup Language (XML) is the centerpiece of the .NET strategy. This open standard is managed by the World Wide Web Consortium (W3C). Stated simply, XML changes the way in which applications talk to one another. It is designed to enable the development of applications that permit the easy exchange of data between any enabled computing devices. XML separates the underlying data from how the data is displayed. This schema effectively “unlocks” the data so that it can be reorganized, edited, and exchanged with any Web site, device, or enabled application.

In addition to XML, the .NET Framework utilizes other rapidly emerging standards:

  • The Simple Object Access Protocol (SOAP) was developed by Microsoft but turned over to the W3C for open standards management. SOAP enables communications and makes service requests.
  • The Web Service Description Language (WSDL) is a standard format that publishes function names, required parameters, and returned results from an XML Web service.
  • Discovery services are provided by the Universal Description, Discovery, and Integration (UDDI) standard. In theory, it makes it easy to locate XML services and facilitates. UDDI is the “yellow pages” of XML Web services.

Components of .NET and Product Layers

The .NET Framework consists of three primary layers. The universal run-time engine handles the lowest level of services, which includes thread management. Conceptually similar to Sun Microsystems’s Java Virtual Machine, this engine manages environmental matters. A common class library rests on the universal run-time engine. The code objects can communicate with applications written in any programming language. This facility makes it possible to use large amounts of legacy code for .NET-enabled environments. Active Server Pages Plus is the highest layer and serves to separate scripts from Web-based code.

The .NET initiative was initially a vision exposed by Microsoft Chairman and Chief Software Architect Bill Gates. Unlike so many industry “visions” of the future, the concepts were soon transformed into a Framework with a wide range of Windows 2000-centric products. Products such as Microsoft Exchange 2000 and Microsoft SQL Server 2000 are the first component products to be released with .NET-enabling technology. As the following list shows, the complete suite of .NET products provides an impressive solution set. In addition to server back-end products, flagship customer products like Microsoft Office are emerging as .NET-enabled.

BACK-END APPLICATIONS AND TOOLS

  • BizTalk Server 2000/2002. This product uses XML to integrate Web services with business application logic and data.
  • Host Integration Server 2000. This product is designed to communicate with legacy networks, applications, and data.
  • SQL Server 2000. This advanced database provides more analytical support and data warehousing capacity than previous versions.
  • Visual Studio.NET and C#. This is the next iteration of the Visual Studio suite and it encompasses the C# language, XML support, and other features. Probably more than any other offering by Microsoft, the Visual Studio .NET suite should ensure the viability of the .NET Framework and the success of the Windows Server 2003 family.

MID-TIER SUITES

  • Application Center 2000. This server product provides the management, scaling, and deployment of applications.
  • Commerce Server 2000/2002. This server is designed for greater Web site design including enhanced user tracking.
  • Content Management Server 2001. As the name implies, this manages Internet-based content delivery.
  • SharePoint Portal Server. This server is used to find, share, and publish information easily by employing a flexible portal solution model.
  • Exchange Server 2000. This version expands its integration with Active Directory and provides more Web-enabled collaborative work and messaging.
  • Mobile Information Server. Mobile Information Server enables secure access to data on Exchange and Enterprise servers for mobile users.

FRONT-END TIER

  • Internet Security and Acceleration Server 2000. This server provides caching of Web data together with firewall protection.

The development of applications that take full advantage of .NET is critical to its ultimate success. Microsoft released Visual Studio.NET in early 2002.

The release of new versions of .NET Servers together with completely new products is anticipated to continue at a feverish pace. Don’t be surprised if the names of the products just mentioned undergo change. As more .NET components are added, the ability of these products to take full advantage of underlying Windows Server 2003 functionality should be enhanced.

NOTE

At the time of this book’s publication, Microsoft was making considerable noise about .NET My Services (formerly code named “hailstorm”). This is a rapidly evolving technology that should be commercially available soon.

.NET My Services is a family of user-centric Web services. The purpose of the technology is to enable businesses to build deeper customer relationships and improve operational efficiency. Another stated objective is to make applications and devices easier for consumers to use. One portion of the technology is .NET Alerts, which includes communication tools that permit direct interaction between businesses and clients.

Use of .NET My Services is optional; it is activated and controlled by the user. For example, a .NET Alerts provider can send an XML message to the .NET Alerts service. The service routes the message to a user’s desktop, cellular phone, mobile device, or e-mail address. The user determines where the message is delivered. As an administrator, you should keep an eye on how this technology evolves.

BackOffice Suite Moves Forward as Renamed .NET Products

The much ballyhooed BackOffice suite that supplemented Windows NT and Windows 2000 has quietly slipped to the very back of the office. Although the BackOffice bundle is no longer marketed, the individual components are available. Several of these products have been renamed, as have other server products, including:

  • The Commercial Internet System is now Commerce Server.
  • The Exchange Server retains its name but with a new extension.
  • The Proxy Server is now the vastly enhanced Internet Security and Acceleration Server 2000.
  • The Site Server can still be used as an intranet deployment tool primarily but is largely replaced by Commerce Server 2000.
  • The System Management Server, version 2.0, is still one of the primary management tools and is widely used for software administration.
  • The SNA Server is now Host Integration Server.
  • The SQL Server retains its name but with new extensions and vastly expanded functions.

Microsoft Operations Manager

Microsoft provides three options in server products designed to assist administrators: (1) Application Center, (2) System Management Server (SMS), and (3) the new Microsoft Operations Manager (MOM). We provide an overview of these three optional administrative server products in . Here we offer an overview of MOM to underscore the potential importance of this tool set for administration. Stated simply, MOM extends the management tool set of Microsoft operating system servers and .NET Enterprise Server products. Through third-party extensions from vendors like NetIQ, other platforms can also be consistently managed. The following are some major features of MOM:

  • Event management. MOM provides event management for Windows 2000 Server, Active Directory, Internet Information Services (IIS), some .NET Enterprise Servers and Windows NT Server 4.0. This includes an enterprise event log that collects and reports on problems and information.
  • Proactive monitoring and alert messaging. MOM’s distributed capabilities track and monitor information. Based on levels of urgency, the MOM will issue alerts to pagers, through e-mail, or by other external means.
  • Reporting and trend analysis. MOM provides reporting and trend analysis features that examine problems across time and generate detailed reports.
  • Specialized management packs. In order to focus domain-specific operations better, detailed management packs for different Microsoft technologies and products are available. Packs are available for Windows NT Server 4.0, Windows 2000 Server, Active Directory, IIS, Terminal Services, Microsoft Distributed Transaction Coordinator (MDTC), Windows Internet Naming Service (WINS), Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), Routing and Remote Access Service, Microsoft Transaction Service (MTS), Microsoft Message Queuing (MSMQ), Exchange Server, Microsoft SQL Server, Proxy Server, Systems Management Server, Commerce Server, and Host Integration Server.
  • Scalable management. MOM provides a sophisticated, load-balancing, multitier architecture designed to manage IT environments with thousands of Windows-based servers and applications.
  • An agile solution to meet the changing needs of business. MOM 2000 provides business flexibility via management rules. It is shipped with default rules that allow you to benefit quickly from the product. The rules can be customized to meet the changing needs.
  • Interoperation with other management systems. MOM 2000 integrates with other enterprise management systems by using Simple Network Management Protocol (SNMP) and Windows Management Instrumentation (WMI), which is based on the Common Information Model (CIM) supported by the Desktop Management Taskforce (DMTF).


Tutoriale Online Windows Server 2003 Family

Posted by ascultradio on October 6, 2009

THE WINDOWS SERVER 2003 FAMILY: WHAT’S IN A NAME ? :

What’s in a name? Apparently Microsoft believes there is much to be gained from shifting the name of its flagship operating system from Windows NT to Windows 2000 and then to Windows Server 2003. Since NT stood for “new technology,” the 2000 moniker seemed to herald a new millennium of computing. Windows Server 2003 is designed to take on the brave new world of Internet services. In development, the client and server versions were code named Whistler. By the time of release and despite common architectural structure, Microsoft decided to launch the client and server product lines with different names. The client versions inherited the Windows XP name to underscore what Microsoft hoped would equate to a new user eXPerience. The Windows Server 2003 line’s designation underscores its Internet readiness. In renaming Windows XP and Windows .NET, the company has created a family of OS products that addresses the entire market from desktop to the largest enterprise.  Compares the Windows NT and Windows Server 2003 product lines.

Windows XP Home and Professional Editions

Until the release of Windows XP, Microsoft’s client software was divided into two radically different architectures. Windows 3.x and Windows 9x operating systems were based on MS-DOS with a graphical front end. The last iteration of the MS-DOS operating system was the marginally successful Windows Millennium Edition. While Windows ME had a short shelf life, a few new design features, such as expanded device support, found their way into Windows XP. With Windows XP, support for MS-DOS ends. By contrast, Windows NT and Windows 2000 Professional were the first client operating systems based on the Windows NT kernel. Windows XP exploits Windows 2000 Professional with two editions…one designed for home use and one for business and small workgroup environments. Microsoft’s promotion of Windows XP has centered on the cleaner user interface, which reduces clutter and expands usability. In addition, Windows XP makes significant leaps in interconnectivity, multimedia support, security, general system stability, and Help functions. Although this book focuses on the server versions, Windows XP’s enhanced features are noted as they relate to administration. For a list of Windows XP’s specific features, see Microsoft’s Web site.

Table 1.1. Comparison of Windows NT and Windows Server 2003 Products

| Windows Server 2003 | Windows 2000 | Windows NT Equivalent |
|---|---|---|
| Windows XP | Windows 2000 Professional | Windows NT Workstation |
| Windows Server 2003, Web Edition | No equivalent | No equivalent |
| Windows Server 2003, Standard Edition | Windows 2000 Server | Windows NT Server |
| Windows Server 2003, Enterprise Edition | Windows 2000 Advanced Server | Windows NT Server EE |
| Windows Server 2003, Datacenter Edition | Windows 2000 Datacenter Server | No equivalent |

Windows Server 2003, Web Edition

The new addition to the Windows operating system server family is Windows Server 2003, Web Edition. Given Microsoft’s commitment to Internet readiness, this is a functionally focused Web server, as the name implies. It does not include many of the common features, like Active Directory, that other Windows Server 2003 servers provide. However, it is specifically optimized as a platform for Web services and hosting. With .NET Framework components like the innovative ASP.NET feature, the sharing of application services in a Web environment becomes possible. The Windows Server 2003, Web Edition facilitates the development and deployment of XML-based services and applications.

Windows Server 2003, Standard Edition

Windows Server 2003, Standard Edition refocuses the previous Windows 2000 Server version to address everyday organizational needs such as sharing files and printers and secured Internet connectivity. Like its predecessor, this version is designed for smaller client/server environments, but can manage a moderately complex organization. In system administrator terms, this server is best for an extended LAN and small WAN infrastructure, such as an enterprise that comprises a central office of modest size and several remote branch offices. Windows Server 2003, Standard Edition supports two-way symmetric multiprocessing (SMP) and up to 4 GB of memory.

Windows Server 2003, Enterprise Edition

Windows Server 2003, Enterprise Edition expands the core of networking and Internet functionality for medium and large enterprises. It is the default general business server operating system. Specifically designed for multidepartment use, it is equally well suited as an applications server and for e-commerce transactions. Windows Server 2003, Enterprise Edition supports up to 32 GB of main memory—a significant advance over the 8-GB limitation of Windows 2000. It also supports eight-way SMP and four-node clustering with enhanced load-balancing applications. Windows Server 2003, Enterprise Edition ships in either 32-bit or 64-bit versions.

Windows Server 2003, Datacenter Edition

Windows 2000 Datacenter was Microsoft’s first entry designed to seriously compete in the heavy iron marketplace of the enterprise. Windows Server 2003, Datacenter Edition provides yet greater availability, especially for mission-critical solutions. The crown jewel of Microsoft’s server line, it supports 32 SMP and eight-node clustering. This product is also available in 32-bit and 64-bit versions.  offers a comparison of features available with Windows Server 2003.

provides a quick reference for system requirements for each of the Windows Server 2003 platforms. In practical terms, the minimum requirements are woefully inadequate. The recommended levels should be regarded as a practical target.

Table 1.2. Comparison of Windows Server 2003 Features

| Feature | Web Edition | Standard Edition | Enterprise Edition | Datacenter Edition |
|---|---|---|---|---|
| .NET Framework | Yes | Yes | Yes | Yes |
| Internet Information Services (IIS) 6.0 | Yes | Yes | Yes | Yes |
| ASP .NET | Yes | Yes | Yes | Yes |
| UDDI Services | No | Yes | Yes | Yes |
| Clustering Load Balancing | Yes | Yes | Yes | Yes |
| Cluster Services | No | No | Yes | Yes |
| VPN Support | Partial | Yes | Yes | Yes |
| Session Initiation Protocol Service (SIP) | No | Yes | Yes | Yes |
| IAS Internet Authentication Service | No | Yes | Yes | Yes |
| Network Bridge | No | Yes | Yes | No |
| Internet Connection Share | No | Yes | Yes | No |
| Active Directory | No | Yes | Yes | Yes |
| Metadirectory Services | No | No | Yes | No |
| Distributed File System | Yes | Yes | Yes | Yes |
| Shadow Copy Restore | No | Yes | Yes | Yes |
| SharePoint Team Services | No | Yes | Yes | Yes |
| Removable/Remote Storage | No | Yes | Yes | Yes |
| Fax Services | No | Yes | Yes | Yes |
| Services for Macintosh | No | No | Yes | Yes |
| IntelliMirror | No | Yes | Yes | Yes |
| Resultant Set Policy | No | Yes | Yes | Yes |
| WMI Command Line | No | Yes | Yes | Yes |
| Remote OS | No | Yes | Yes | Yes |
| Remote Install Services | No | Yes | Yes | Yes |
| Internet Connection Firewall | No | Yes | Yes | No |
| PKI Services & Smart Card Services | No | Yes | Yes | Yes |
| Remote Desktop Administration | Yes | Yes | Yes | Yes |
| Terminal Server | No | Yes | Yes | Yes |
| Terminal Server Session Directory | No | No | Yes | Yes |
| 64-Bit Itanium Support | No | No | Yes | Yes |
| Hot Add Memory | No | No | Yes | Yes |
| Non-uniform Memory Access (NUMA) | No | No | Yes | Yes |

Table 1.3. Comparison of Server System Requirements

| Requirement | Web Edition | Standard Edition | Enterprise Edition | Datacenter Edition |
|---|---|---|---|---|
| Minimum CPU Speed | 133 MHz | 133 MHz | 133 MHz x86; 733 MHz 64-bit | 133 MHz x86; 733 MHz 64-bit |
| Recommended CPU | 550 MHz | 550 MHz | 733 MHz | 733 MHz |
| Minimum RAM | 128 MB | 128 MB | 128 MB | 512 MB |
| Recommended Minimum RAM | 256 MB | 256 MB | 256 MB | 1 GB |
| Maximum RAM | 2 GB | 4 GB | 32 GB x86; 64 GB 64-bit | 64 GB x86; 128 GB 64-bit |
| Multiprocessor Support | 1 or 2 | 1 or 2 | Up to 8 | Minimum 8; Maximum 32 |
| Disk Space for Setup | 1.5 GB | 1.5 GB | 1.5 GB x86; 2.0 GB 64-bit | 1.5 GB x86; 2.0 GB 64-bit |


Tutoriale Windows 2003 WINDOWS A HISTORICAL PERSPECTIVE

Posted by ascultradio on October 6, 2009

WINDOWS SERVER 2003: A HISTORICAL PERSPECTIVE :


The fundamental difference between Windows Server 2003 and its predecessor Windows 2000 resides in its embrace of the Microsoft .NET framework. While .NET is explored later, it can be safely stated that this framework helps propel the Windows environment into a transparent Internet services–based operating system. Yes, Windows Server 2003 includes hundreds of other operating system enrichments…but it is the .NET Framework enhancements that shift the paradigm from a classic client/server environment to an Internet services orientation. Microsoft has carefully crafted a computing environment that borrows heavily from earlier operating systems while adding an enhanced front-end, advanced features, and numerous administrative tools. The operating system incorporates some of the best functional elements of UNIX, NetWare, VMS, DOS, and OS/2 while providing a uniquely Microsoft interface. To a very large extent, Microsoft has succeeded in producing a robust environment that captures the best of older technologies while leveraging the new way of Internet services.

The history of Windows Server 2003 is short, but its lineage can be traced back over two decades. Windows Server 2003 is built on Windows NT technology and its formal history began in 1993. At that time, Microsoft had recently parted company with IBM on OS/2 and decided to change directions. The first released version of Windows NT was widely viewed as a curious little network operating system (NOS) designed as an alternative to IBM’s OS/2 LAN Manager. However, Microsoft had bigger plans than what was perceived by early industry naysayers. The first upgrade came a year later as version 3.5 and offered many significant improvements in performance and functionality. Microsoft then upstaged itself with the release of Windows 95, and Windows NT was relegated to the back burner. The 1995 release of Windows NT 3.51 added to the networking functionality and offered a greatly enhanced suite of server products known as BackOffice. With this release, Microsoft became a serious threat to NOS vendors like Novell.

Since its release in late 1996, Windows NT 4.0 has experienced significant market acceptance. The most important advancement made with the release of Windows NT 4.0 is the incorporation of the Windows 95 user interface (UI). In fact, Microsoft internally referred to NT 4.0 as the Shell Update Release (SUR), referring to the Windows 95 front end. (By contrast, Windows Server 2003 might be considered the Internet services update to Windows 2000.) In addition to a UI, Windows NT 4.0 added the Distributed Common Object Model (DCOM) and enhanced Domain Name Server (DNS) support for its TCP/IP transport. Moreover, a great number of components—in particular, the Exchange Server—were added to the optional BackOffice suite.

Despite its many enhancements and solid sales, Windows NT 4.0 was criticized for a number of real and perceived shortfalls, especially within larger enterprise environments. Windows 2000 was designed to overcome these shortfalls with a product family to meet the needs of environments ranging from workgroups to the largest enterprises. Windows Server 2003 expands on this targeted market.

Windows 2000 was more than a renaming of the next version of Windows NT. Significant changes revolved around the new server domain architecture, inclusion of Active Directory, and vastly enhanced networking and security features. Windows 2000 was originally slated to be released as Windows NT 5.0 to mark a significant OS upgrade, and it still carries the internal version number 5.0; Windows XP (version 5.1) and Windows Server 2003 (version 5.2) might be regarded as something closer to a Windows NT 5.5 than to a new generation. Although many enhancements and new features are available in Windows Server 2003, it remains faithful to the basic Windows 2000 design and architecture. Windows 2000 system administrators will find adopting Windows Server 2003 relatively easy.

Figure: The history of and influences on Windows Server 2003 (evolution and influences).

Posted in A HISTORICAL PERSPECTIVE, Tutoriale Windows 2003

Online Tutorial: Configure DNS Server in Windows

Posted by ascultradio on September 18, 2009

How to Configure the DNS Server in Windows

To configure DNS by using the DNS snap-in in Microsoft Management Console (MMC), follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Right-click Forward Lookup Zones, and then click New Zone.
3. When the New Zone Wizard starts, click Next.

You are prompted for a zone type. The zone types include:

Primary zone: Creates a copy of a zone that can be updated directly on this server. This zone information is stored in a .dns text file.
Secondary zone: A standard secondary zone copies all of the information from its master DNS server. The master can be any server that hosts an Active Directory-integrated, primary, or secondary copy of the zone and that is configured to allow zone transfers. Note that you cannot modify the zone data on a secondary DNS server; all of its data is copied from its master DNS server.
Stub zone: A stub zone contains only those resource records that are necessary to identify the authoritative DNS servers for that zone: the Name Server (NS) and Start of Authority (SOA) records, and possibly the glue Host (A) records for the name servers.

There is also an option to store the zone in Active Directory. This option is only available if the DNS server is a domain controller, and an Active Directory-integrated zone is the only zone type that can accept secure dynamic updates (updates from authenticated computers only); a file-backed primary zone can only accept nonsecure updates or none at all.

4. The new forward lookup zone must be a primary or an Active Directory-integrated zone so that it can accept dynamic updates. Click Primary, and then click Next.
5. The new zone contains the locator records for this Active Directory-based domain. The name of the zone must be the same as the name of the Active Directory-based domain, or be a logical DNS container (a parent zone) for that name. For example, if the Active Directory-based domain is named “support.microsoft.com”, valid zone names are “support.microsoft.com” or a parent zone such as “microsoft.com” that contains it.

Accept the default name for the new zone file. Click Next.

NOTE: Experienced DNS administrators may want to create a reverse lookup zone, and are encouraged to explore this branch of the wizard. A DNS server can resolve two basic requests: a forward lookup and a reverse lookup. A forward lookup is more common. A forward lookup resolves a host name to an IP address with an “A” or Host Resource record. A reverse lookup resolves an IP address to a host name with a PTR or Pointer Resource record. If you have your reverse DNS zones configured, you can automatically create associated reverse records when you create your original forward record.
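The same zones can be created from a command prompt with dnscmd.exe, which ships with Windows Server 2003. The following PowerShell script is an added example for this tutorial (not part of the original Microsoft article). It assumes a domain controller named NA-DC-01, the support.microsoft.com domain used above, the 172.16.11.0/24 subnet and a secondary server at 172.16.11.225; all of these are invented for the example. It also tightens two settings the wizard leaves at their defaults: dynamic updates are restricted to secure updates, and zone transfers are limited to a named list of secondaries.

```powershell
# Added example: create and lock down the zones from the tutorial with dnscmd.exe.
# All names and addresses below are assumptions made for the example.
$dns         = "NA-DC-01"                 # assumed DNS server (a domain controller)
$zone        = "support.microsoft.com"    # AD domain name used in the tutorial
$revZone     = "11.16.172.in-addr.arpa"   # reverse zone for 172.16.11.0/24 (assumed subnet)
$secondaries = @("172.16.11.225")         # assumed secondary allowed to pull the zone

function Invoke-DnsCmd {
    # Runs "dnscmd <server> <arguments>" and stops the script if it fails.
    # dnscmd exits non-zero on error and prints the error text to the console.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $dns $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    return $output
}

# 1. Forward zone. The wizard's file-backed "Primary zone" would be
#    /Primary /file "<zone>.dns"; such a zone can only accept *nonsecure* dynamic
#    updates, which let any host on the network overwrite any record. On a domain
#    controller, create an AD-integrated zone instead and allow secure updates only.
#    /AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
Invoke-DnsCmd @("/ZoneAdd", $zone, "/DsPrimary")
Invoke-DnsCmd @("/Config", $zone, "/AllowUpdate", "2")

# 2. Zone transfers: make the list of servers allowed to AXFR the zone explicit
#    rather than relying on the default (/NoXfr turns transfers off entirely).
Invoke-DnsCmd (@("/ZoneResetSecondaries", $zone, "/SecureList") + $secondaries)

# 3. Reverse zone (the wizard branch the NOTE above recommends), same settings.
Invoke-DnsCmd @("/ZoneAdd", $revZone, "/DsPrimary")
Invoke-DnsCmd @("/Config", $revZone, "/AllowUpdate", "2")
Invoke-DnsCmd (@("/ZoneResetSecondaries", $revZone, "/SecureList") + $secondaries)

# 4. A host record and its matching PTR (the HR intranet server used later on this page).
Invoke-DnsCmd @("/RecordAdd", $zone, "hr", "A", "172.16.11.221")
Invoke-DnsCmd @("/RecordAdd", $revZone, "221", "PTR", "hr.${zone}.")

# 5. Read the result back: the zone list and each zone's properties (update mode,
#    allowed secondaries), so the change can be checked without opening the MMC.
Invoke-DnsCmd @("/EnumZones")
Invoke-DnsCmd @("/ZoneInfo", $zone)
Invoke-DnsCmd @("/ZoneInfo", $revZone)
```

Run it from an account that is a member of DnsAdmins on the target server. If the zone must stay file-backed (for example on a member server that is not a domain controller), keep /AllowUpdate at 0 and add records with /RecordAdd, because allowing nonsecure updates on a file-backed zone hands control of every name in it to anyone who can reach UDP port 53.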

Posted in Configure DNS Server, Tutoriale Windows 2003

Online Tutorial: Configure Root Hints

Posted by ascultradio on September 18, 2009

How to Configure Root Hints

Windows can use root hints. The root hints resource records can be stored either in Active Directory or in a text file (%SystemRoot%\System32\DNS\Cache.dns). Windows ships with the standard InterNIC list of root servers. Also, when a server running Windows Server 2003 queries a root server, it updates itself with the most recent list of root servers.

1. Click Start, point to Administrative Tools, and then click DNS.
2. Right-click ServerName, where ServerName is the name of the server, and then click Properties.
3. Click the Root Hints tab. The DNS server’s root servers are listed in the Name servers list.

This article has been referenced from http://www.microsoft.com

Posted in Configure Root Hints, Tutoriale Windows 2003

Online Tutorial: Remove DNS Zone

Posted by ascultradio on September 18, 2009

How to Remove the Root DNS Zone

A DNS server running Windows Server 2003 follows specific steps in its name-resolution process. A DNS server first checks its cache, then checks its zone records, then sends requests to forwarders, and finally tries resolution by using root servers.

By default, a Microsoft DNS server uses root hints to resolve Internet names. When you use the Dcpromo tool to promote a server to a domain controller, the domain controller requires DNS. If you install DNS during the promotion process, a root zone (named “.”) is created. This root zone indicates to your DNS server that it is an Internet root server. Therefore, your DNS server does not use forwarders or root hints in the name-resolution process, and every name it is not authoritative for fails to resolve.

1. Click Start, point to Administrative Tools, and then click DNS.
2. Expand ServerName, where ServerName is the name of the server, and then expand Forward Lookup Zones.
3. Right-click the “.” zone, and then click Delete.

How to Configure Forwarders

Windows Server 2003 can take advantage of DNS forwarders. This feature forwards DNS requests to external servers. If a DNS server cannot find a resource record in its zones, it can send the request to another DNS server for additional attempts at resolution. A common scenario might be to configure forwarders to your ISP’s DNS servers.

1. Click Start, point to Administrative Tools, and then click DNS.
2. Right-click ServerName, where ServerName is the name of the server, click Properties, and then click the Forwarders tab.
3. Click a DNS domain in the DNS domain list (All other DNS domains sets the forwarders used for every query that no specific entry matches), or click New, type the name of the DNS domain for which you want to forward queries in the DNS domain box, and then click OK.
4. In the Selected domain’s forwarder IP address box, type the IP address of the first DNS server to which you want to forward, and then click Add.
5. Repeat step 4 to add the DNS servers to which you want to forward.
6. Click OK.
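Both procedures above can be scripted with dnscmd.exe. The script below is an added example (not part of the original Microsoft article). It assumes dnscmd runs against the local server and uses the documentation addresses 198.51.100.1 and 198.51.100.2 in place of your ISP's resolvers. It first checks whether a real “.” zone exists before deleting anything, because the root hints cache also shows up as “.” in the zone list.

```powershell
# Added example: remove a stray "." root zone and configure forwarders with dnscmd.exe.
# Addresses are assumptions (RFC 5737 documentation ranges), not real resolvers.
$forwarders = @("198.51.100.1", "198.51.100.2")   # ISP resolvers (assumed)

function Get-DnsZoneTable {
    # Parses the table printed by "dnscmd /EnumZones" into zonename -> type/storage.
    # Data rows look like: " support.microsoft.com   Primary   AD-Domain   Secure"
    param([string[]]$EnumOutput)
    $table = @{}
    foreach ($line in $EnumOutput) {
        if ($line -match '^\s+(\S+)\s+(Primary|Secondary|Stub|Forwarder|Cache)\s+(\S+)') {
            $table[$matches[1]] = @{ Type = $matches[2]; Storage = $matches[3] }
        }
    }
    return $table
}

$zones = Get-DnsZoneTable (& dnscmd.exe /EnumZones 2>&1)

# The root hints also appear as "." with type Cache, so test the type: only a real
# "." zone (listed as Primary, whether file-backed or AD-integrated) makes the server
# believe it is an Internet root and ignore forwarders and root hints.
if ($zones.ContainsKey(".") -and $zones["."].Type -eq "Primary") {
    $delArgs = @("/ZoneDelete", ".", "/f")                          # /f: do not prompt
    if ($zones["."].Storage -like "AD-*") { $delArgs += "/DsDel" }  # also remove it from AD
    & dnscmd.exe $delArgs
    if ($LASTEXITCODE -ne 0) { throw "could not delete the root zone" }
    Write-Output "Removed the '.' zone"
}

# Forward everything this server is not authoritative for to the ISP resolvers.
# /Slave: do not fall back to root hints when the forwarders fail to answer, so the
# only path to the Internet is through the forwarders (the GUI check box
# "Do not use recursion for this domain"). /TimeOut is the seconds to wait per forwarder.
& dnscmd.exe /ResetForwarders $forwarders /TimeOut 5 /Slave
if ($LASTEXITCODE -ne 0) { throw "setting forwarders failed" }

# A conditional forwarder for one partner domain (the "New" button on the Forwarders
# tab): queries for that domain go to the partner's server, everything else to the ISP.
# The domain and address are assumptions for the example.
& dnscmd.exe /ZoneAdd partner.example /Forwarder 203.0.113.53

# Print the server settings so the forwarder list and the slave flag can be verified.
& dnscmd.exe /Info
```

After the root zone is gone, a query such as nslookup www.microsoft.com against this server should now be answered through the forwarders; while the “.” zone existed it would have returned a non-existent domain answer for every external name.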

Posted in Remove DNS Zone, Tutoriale Windows 2003


Online Tutorial: Configure Sites in Windows Server 2003

Posted by ascultradio on September 18, 2009

Creating and Configuring Web Sites in Windows Server 2003

In this article we’ll walk you through the steps of creating web sites in Windows Server 2003 using both Internet Services Manager and scripts. The tutorial will also walk you through the steps for hosting content both locally and remotely using virtual directories, and will explain how to perform common administration tasks involving web servers.

Internet Information Services 6 (IIS 6) is a powerful platform for hosting web sites on both the public Internet and on private intranets. Creating and configuring web sites and virtual directories are bread-and-butter tasks for IIS administrators, and in this article we’ll walk through the process of doing this using both the GUI (IIS Manager) and using various scripts included with Windows Server 2003. The seven specific tasks we’ll walk through will include:

— Creating a Web Site
— Creating a Local Virtual Directory
— Creating a Remote Virtual Directory
— Controlling Access to a Web Site
— Configuring Web Site Logging
— Configuring Web Site Redirection
— Stopping and Starting Web Sites

For sake of interest, we’ll explain these tasks in the context of a fictitious company called TestCorp as it deploys IIS for its corporate intranet.
Preliminary Steps
Unlike earlier versions of Microsoft Windows, IIS is not installed by default on Windows Server 2003. To install IIS, open Manage Your Server from the Start menu and add the Application Server role:
windows server 2003

Note that for simple security reasons IIS should only be installed on member servers, not domain controllers. The reason is that if you install IIS on a domain controller and your web server becomes compromised, the attacker is already running code on the machine that holds your accounts database (Active Directory) and can wreak havoc with your network.
Creating a Web Site
The simplest approach is to use a separate IP address to identify each web site on your machine. Let’s say our server has five IP addresses assigned to it from the range 172.16.11.220 through 172.16.11.224. Before we create a new Human Resources web site, let’s first examine the identity of the Default Web Site. Open IIS Manager in Administrative Tools, select Web Sites in the console tree, and right-click on Default Web Site and open its properties:

windows server 2003

The IP address for the Default Web Site is All Unassigned. This means any IP address not specifically assigned to another web site on the machine opens the Default Web Site instead. A typical use for the Default Web Site is to edit its default document to display general information like a company logo and how to contact the Support Desk.
Let’s use IP address 172.16.11.221 for the Human Resources site and make D:\HR the folder where the home page for this site is stored. To create the HR site, right-click on the Web Sites node and select New –> Web Site. This starts the Web Site Creation Wizard. Click Next and type a description for the site:

windows server 2003 2

Click Next again and specify 172.16.11.221 as the IP address for the site:

windows server 2003

Click Next and specify D:\HR as the home folder for the site. We’ve cleared the checkbox to deny anonymous access to the site because this is an internal intranet, so only authenticated users should be able to access it (public web sites generally allow anonymous access):

server 2003

Click Next and leave only Read access enabled since the Human Resources site will initially only be used to inform employees of company policies:

server 2003

Click Next and then Finish to create the new web site:

server 2003

Now let’s create another intranet site, this time for Help Desk, which will use IP address 172.16.11.222 and home folder D:\Help. We’ll create this one using a script instead of the GUI:

server 2003

And here’s the result:

server 2003

The script we used here is Iisweb.vbs, one of several IIS administration scripts available when you install IIS on Windows Server 2003. The basic syntax of this script is easy to figure out from the previous screenshot, and the full syntax is in the IIS 6 documentation. Note that unlike the Web Site Creation Wizard used previously, you can’t use this script to create a web site with anonymous access disabled. So if you want to disable anonymous access you should do it by opening the properties sheet for the Help Desk site, selecting the Directory Security tab, and clicking the Edit button under Authentication and Access Control. This opens the Authentication Methods box where you can clear the checkbox to disable Anonymous Access and leave Integrated Windows Authentication as the only authentication method available for clients on your network:

server 2003

Creating a Local Virtual Directory
Let’s say Human Resources keeps their policies in a folder called D:\HR Policies on your web server and you would like users to be able to use the URL http://172.16.11.221/policies when they need to access these policies. To do this we need to create a virtual directory that associates the /policies portion of the URL, called the alias for the virtual directory, with the physical directory D:\HR Policies where these documents are actually located.
Let’s do this now. Right-click on the Human Resources site and select New –> Virtual Directory to start the Virtual Directory Creation Wizard. Click Next and type the alias for the virtual directory:

server 2003

Click Next and specify the physical folder on the local server to map to this alias:

server 2003

Click Next and specify permissions (again we’ll just leave Read enabled) and finish the wizard. Here’s the result:

server 2003

Let’s do something similar using another IIS script named Iisvdir.vbs, only we’ll create a /procedures virtual directory instead:

server 2003

Open IIS Manager to display the new virtual directory:

server 2003

Note the difference in the icons for the two virtual directories. That’s because when the script creates a virtual directory it also creates an application starting point for that directory, while the wizard does not. This doesn’t matter though, since for now we’re only hosting static content in these directories. The full syntax of Iisvdir.vbs is in the IIS 6 documentation.
Creating a Remote Virtual Directory
Help Desk likes to do things differently than Human Resources does, and their user manual is stored in HTML form in the share \\srv230\helpdesk on a network file server. Let’s create a remote virtual directory within the Help Desk site that associates the alias /usermanual with this share. Right-click on the Help Desk site and select New –> Virtual Directory to start the Virtual Directory Creation Wizard again, specify usermanual as the alias for the directory, and type \\srv230\helpdesk as the UNC path to the share:

server 2003

Click Next and a new screen appears prompting you to either specify credentials for accessing the share or use the authenticated user’s credentials for this purpose (we’ll use the latter). Note that passing the user’s own credentials on to srv230 is the classic double-hop case: an NTLM logon token from Integrated Windows authentication cannot be forwarded to a second server, so this works only when the web server is trusted for Kerberos delegation; otherwise specify fixed credentials for the share:

server 2003

Click Next and finish the wizard. Let’s look at the result:

server 2003

The Iisvdir.vbs script can similarly be used for creating remote virtual directories.
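Everything this article has done so far in the GUI and with Iisweb.vbs and Iisvdir.vbs can be put in one script. The following PowerShell script is an added example by the editor, not code from the article or from Microsoft. It assumes IIS 6 on the local server and reuses the article’s names (Help Desk, 172.16.11.222, D:\Help) plus an assumed D:\Procedures folder for the /procedures directory. It performs the step the article does by hand, turning off anonymous access after Iisweb.vbs has created the site, through the IIS ADSI provider, and removes the application starting point Iisvdir.vbs creates, since static content does not need one.

```powershell
# Added example: create the Help Desk site and its /procedures vdir with the IIS 6
# scripts, then fix what the scripts cannot: anonymous access off, Integrated auth only.
# Names, IP and folders are taken from the article or assumed (D:\Procedures).
$siteName = "Help Desk"
$siteIP   = "172.16.11.222"
$homeDir  = "D:\Help"
$vdirName = "procedures"
$vdirPath = "D:\Procedures"                               # assumed folder
$iisweb   = Join-Path $env:SystemRoot "system32\iisweb.vbs"
$iisvdir  = Join-Path $env:SystemRoot "system32\iisvdir.vbs"

# AuthFlags bit values in the IIS 6 metabase
$AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4; $AuthDigest = 16; $AuthPassport = 64

function Get-IisSitePath {
    # Returns the ADSI path ("IIS://localhost/W3SVC/<id>") of the site whose description
    # (ServerComment) matches, or $null. Site ids are the child names under W3SVC.
    param([string]$Comment)
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    foreach ($child in $w3svc.Children) {
        if ($child.SchemaClassName -eq "IIsWebServer" -and
            $child.Properties["ServerComment"].Value -eq $Comment) {
            return "IIS://localhost/W3SVC/" + $child.Name
        }
    }
    return $null
}

# 1. Create the site: iisweb /create <home directory> <description> /i <ip address>
& cscript.exe //nologo $iisweb /create $homeDir $siteName /i $siteIP
if ($LASTEXITCODE -ne 0) { throw "iisweb.vbs failed" }

# 2. Create the virtual directory: iisvdir /create <site> <alias> <physical path>
& cscript.exe //nologo $iisvdir /create $siteName $vdirName $vdirPath
if ($LASTEXITCODE -ne 0) { throw "iisvdir.vbs failed" }

$sitePath = Get-IisSitePath $siteName
if ($sitePath -eq $null) { throw "site '$siteName' was not found in the metabase" }

# 3. Intranet only: anonymous off, Integrated Windows authentication on. With anonymous
#    enabled IIS never challenges the browser, every request runs as IUSR_<machine>,
#    and the per-user NTFS permissions on D:\Help are never consulted.
$root = [ADSI]($sitePath + "/Root")
$root.Put("AuthFlags", $AuthNTLM)
$root.SetInfo()

# 4. iisvdir.vbs also marks the new directory as an application starting point (the
#    different icon the article points out). Static content does not need one, so
#    remove it; the directory then cannot run ASP or ISAPI code of its own.
$vdir = [ADSI]($sitePath + "/Root/" + $vdirName)
$vdir.Invoke("AppDelete")

# 5. Read back what was written.
$root.RefreshCache()
Write-Output ("{0}: AuthFlags = {1} (4 = Integrated Windows only)" -f $siteName, $root.Properties["AuthFlags"].Value)
```

The same AuthFlags change can be made with the script IIS installs under C:\Inetpub\AdminScripts: cscript adsutil.vbs SET W3SVC/<id>/Root/AuthFlags 4, where <id> is the site number shown in IIS Manager’s Identifier column.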
Controlling Access to a Web Site

Now that we have a couple of web sites and virtual directories created, let’s look at a few administration tasks. This will be only a brief overview; you can find a much more detailed treatment of the subject in my book IIS 6 Administration (Osborne/McGraw-Hill).
First let’s look at how we can control access to our web sites. There are basically four ways you can do this: NTFS permissions, web permissions, IP address restrictions, and authentication method. NTFS permissions are your front line of defense, but they are a general subject that we can’t cover in detail here. Web permissions are specified on the Home Directory tab of your web site’s properties:

server 2003

By default only Read permission is enabled, but you can also allow Write access so users can upload or modify files on your site, Script source access so users can view the code in your scripts (generally not a good idea), or Directory browsing so users can view a list of files in your site (also not a good idea). Web permissions apply equally to all users trying to access your site, and they are applied before NTFS permissions are applied. So if Read web permission is denied but NTFS Read permission is allowed, users are denied access to the site.
IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, have an IP address within a range of addresses, or have a specific DNS domain name. To configure this, select the Directory Security tab and click the Edit button under IP Address and Domain Name Restrictions. This opens the following dialog, which by default does not restrict access to your site:

server 2003

The main thing to watch for here is that denying access based on domain name involves a reverse DNS lookup each time a client tries to connect to your web site, which can significantly impact the performance of your site; the result is also only as trustworthy as the PTR record published by whoever controls the client’s reverse zone.
The final way of controlling access to your sites is to use the Authentication Methods dialog box we looked at previously:

server 2003

In summary, the five authentication options displayed here are:
• Anonymous access. Used mainly for web sites on public (Internet) web servers.
• Integrated Windows authentication. Used mainly for web sites on a private intranet.
• Digest authentication. Challenge/response authentication scheme that requires the web server to be a member of an Active Directory domain and only works with clients running Internet Explorer 5.0 or later.
• Basic authentication. Older authentication scheme that transmits passwords over the network in clear text (Base64-encoded, not encrypted), so use this only in conjunction with SSL.
• .NET Passport authentication. Allows users to use their .NET Passport for authentication.
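Rather than checking each site’s property sheets by hand, the settings this section describes can be audited in one pass. The script below is an added example (not from the article). It reads the metabase of the local IIS 6 server (assumed) through the ADSI provider and reports the combinations the text warns about: Basic authentication without SSL, Write or Script source access, directory browsing, and Write together with Execute.

```powershell
# Added example: audit every web site's /Root for the weak settings this section describes.
# Runs against the local IIS 6 metabase through the ADSI provider (assumed local server).

# Metabase bit values (IIS 6)
$AccessRead = 1; $AccessWrite = 2; $AccessExecute = 4; $AccessSource = 16; $AccessScript = 512
$AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4; $AuthDigest = 16; $AuthPassport = 64
$AccessSSL = 8          # bit in AccessSSLFlags: "Require secure channel (SSL)"

function Test-IisSiteRoot {
    # Evaluates one site's settings and returns one object per finding. Takes the raw
    # values so the rules can be run against any source (live metabase or a backup).
    param([string]$Name, [int]$AccessFlags, [int]$AuthFlags, [int]$SslFlags, [bool]$DirBrowsing)
    $findings = @()
    if (($AuthFlags -band $AuthBasic) -and -not ($SslFlags -band $AccessSSL)) {
        $findings += "Basic authentication without SSL: passwords cross the network as Base64 clear text"
    }
    if ($AccessFlags -band $AccessWrite) {
        if ($AuthFlags -band $AuthAnonymous) { $who = "anonymous users" } else { $who = "authenticated users" }
        $findings += "Write web permission is on ($who can upload or modify content)"
    }
    if (($AccessFlags -band $AccessWrite) -and ($AccessFlags -band $AccessExecute)) {
        $findings += "Write and Execute on the same directory: an uploaded file can be run on the server"
    }
    if ($AccessFlags -band $AccessSource) { $findings += "Script source access lets clients read script code" }
    if ($DirBrowsing) { $findings += "Directory browsing lists the files in the site" }
    if (($AuthFlags -band $AuthAnonymous) -and ($AuthFlags -band $AuthNTLM)) {
        $findings += "Anonymous and Integrated both enabled: IIS tries anonymous first and only challenges when NTFS denies IUSR"
    }
    foreach ($f in $findings) { New-Object PSObject -Property @{ Site = $Name; Finding = $f } }
}

function Get-IisWeakSettings {
    # Walks W3SVC and audits the /Root of every web site on the server.
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    foreach ($site in $w3svc.Children) {
        if ($site.SchemaClassName -ne "IIsWebServer") { continue }
        $root = [ADSI]("IIS://localhost/W3SVC/" + $site.Name + "/Root")
        Test-IisSiteRoot -Name ([string]$site.Properties["ServerComment"].Value) `
                         -AccessFlags ([int]$root.Properties["AccessFlags"].Value) `
                         -AuthFlags   ([int]$root.Properties["AuthFlags"].Value) `
                         -SslFlags    ([int]$root.Properties["AccessSSLFlags"].Value) `
                         -DirBrowsing ([bool]$root.Properties["EnableDirBrowsing"].Value)
    }
}

Get-IisWeakSettings | Format-Table Site, Finding -AutoSize
```

The check covers the web permissions and authentication settings only; IP address restrictions (the IPSecurity metabase property) and the NTFS ACLs on each home directory still have to be reviewed separately, and a virtual directory can override any of these values set on /Root.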
Configuring Web Site Logging
Since web sites are prime targets for attackers, you probably want to log hits to your site to see who’s visiting it. By default IIS 6 logs traffic to all content, as can be seen at the bottom of the General tab of the properties for a web site or virtual directory:

server 2003

The default logging format is the W3C Extended Log File Format, and clicking Properties indicates new log files are created daily in the indicated directory. It’s a good idea to specify that local time be used for logging traffic as this makes it easier to interpret the logs:

server 2003

The key of course is to review log files regularly to look for suspicious activity. IIS doesn’t include anything for this purpose, but the IIS 6.0 Resource Kit Tools include version 2.1 of Microsoft Log Parser, which can be used for analyzing IIS logs. The Resource Kit Tools are a free download from Microsoft.
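Log Parser is the right tool for large log sets, but the patterns a reviewer looks for first are simple enough to show directly. The script below is an added example (not from the article or the Resource Kit). It parses W3C extended log lines using the #Fields directive and reports clients that produce a burst of 404s, repeated failed logons, or non-GET methods against a read-only site. The log lines embedded in it are constructed for the example.

```powershell
# Added example: flag suspicious clients in IIS 6 W3C extended logs.
# The log text below is constructed for the example (addresses from the article's
# 172.16.11.0/24 intranet; user agents and names are invented).
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-09-18 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-09-18 08:00:01 172.16.11.221 GET /policies/handbook.htm - 80 TESTCORP\jsmith 172.16.11.50 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-09-18 08:00:03 172.16.11.221 GET /admin/ - 80 - 172.16.11.99 Mozilla/5.0+(scanner) 404 0 0
2009-09-18 08:00:03 172.16.11.221 GET /scripts/ - 80 - 172.16.11.99 Mozilla/5.0+(scanner) 404 0 0
2009-09-18 08:00:03 172.16.11.221 GET /_vti_bin/ - 80 - 172.16.11.99 Mozilla/5.0+(scanner) 404 0 0
2009-09-18 08:00:04 172.16.11.221 GET /cgi-bin/ - 80 - 172.16.11.99 Mozilla/5.0+(scanner) 404 0 0
2009-09-18 08:00:04 172.16.11.221 GET /backup.zip - 80 - 172.16.11.99 Mozilla/5.0+(scanner) 404 0 0
2009-09-18 08:00:04 172.16.11.221 GET /web.config - 80 - 172.16.11.99 Mozilla/5.0+(scanner) 404 0 0
2009-09-18 08:00:10 172.16.11.221 GET /policies/ - 80 - 172.16.11.77 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 0
2009-09-18 08:00:11 172.16.11.221 GET /policies/ - 80 - 172.16.11.77 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2009-09-18 08:00:12 172.16.11.221 GET /policies/ - 80 - 172.16.11.77 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2009-09-18 08:00:13 172.16.11.221 GET /policies/ - 80 - 172.16.11.77 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2009-09-18 08:00:20 172.16.11.221 PUT /policies/new.htm - 80 - 172.16.11.88 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 0
2009-09-18 08:00:21 172.16.11.221 GET /policies/handbook.htm - 80 - 172.16.11.51 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 0
2009-09-18 08:00:21 172.16.11.221 GET /policies/handbook.htm - 80 TESTCORP\mlee 172.16.11.51 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
'@

function ConvertFrom-W3CLog {
    # Parses W3C extended log text into one hashtable per request, keyed by the names in
    # the #Fields directive, so the selection made on the site's logging properties (not a
    # fixed layout) decides what each column means. IIS writes spaces inside a field
    # (for example the User-Agent) as '+', so splitting on whitespace is safe.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1].Trim() -split '\s+'; continue }
        if ($null -eq $fields -or $line.Trim() -eq '' -or $line.StartsWith('#')) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }      # skip truncated or partial lines
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        $entry
    }
}

function Find-SuspiciousClients {
    # Summarises requests per client IP and returns the clients over the thresholds.
    # Only 401 with sub-status 1 (logon failed) counts as a failed logon: the 401.2 that
    # precedes every Integrated Windows logon is the normal challenge, not a failure.
    param($Entries, [int]$NotFoundThreshold = 10, [int]$LogonFailThreshold = 5)
    $byIp = @{}
    foreach ($e in $Entries) {
        $ip = $e['c-ip']
        if (-not $byIp.ContainsKey($ip)) { $byIp[$ip] = @{ Total = 0; NotFound = 0; LogonFailed = 0; NonRead = 0 } }
        $c = $byIp[$ip]
        $c['Total'] += 1
        if ($e['sc-status'] -eq '404') { $c['NotFound'] += 1 }
        if ($e['sc-status'] -eq '401' -and $e['sc-substatus'] -eq '1') { $c['LogonFailed'] += 1 }
        if ($e['cs-method'] -notmatch '^(GET|HEAD)$') { $c['NonRead'] += 1 }
    }
    foreach ($ip in $byIp.Keys) {
        $c = $byIp[$ip]; $reasons = @()
        if ($c['NotFound'] -ge $NotFoundThreshold)     { $reasons += "$($c['NotFound']) x 404 (probing for files)" }
        if ($c['LogonFailed'] -ge $LogonFailThreshold) { $reasons += "$($c['LogonFailed']) x 401.1 (password guessing)" }
        if ($c['NonRead'] -gt 0)                       { $reasons += "$($c['NonRead']) non-GET requests (PUT/WebDAV) on a read-only site" }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{ ClientIP = $ip; Requests = $c['Total']; Reasons = ($reasons -join '; ') }
        }
    }
}

# For real logs: $entries = ConvertFrom-W3CLog (Get-Content "$env:SystemRoot\system32\LogFiles\W3SVC1\ex090918.log")
$entries = ConvertFrom-W3CLog ($sampleLog -split "`r?`n")
Find-SuspiciousClients $entries -NotFoundThreshold 5 -LogonFailThreshold 3 | Format-Table ClientIP, Requests, Reasons -AutoSize
```

On the constructed input, 172.16.11.99 is reported for its six 404s, 172.16.11.77 for three 401.1 logon failures, and 172.16.11.88 for the PUT; 172.16.11.51, whose single 401.2 is just the Integrated Windows challenge before a 200, is not. The thresholds are per file, so lower them for an intranet site with little traffic and raise them for a busy public one.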
Configuring Web Site Redirection
Sometimes you need to take your web site down for maintenance, and in such cases it’s a good idea to redirect all client traffic directed to your site to an alternate site or page informing users what’s going on. IIS lets you redirect a web site to a different file or folder on the same or another web site, or even to a URL on the Internet. To configure redirection you use the Home Directory tab and choose the redirection option you want to use:

server 2003

Stopping and Starting Web Sites
Finally, if sites become unavailable you may need to restart IIS to get them working again. Restarting IIS is a last resort, as any users currently connected will be disconnected and any data stored in memory by IIS applications will be lost. You can restart IIS using IIS Manager by right-clicking on the server node:

server 2003

You can also do the same from the command-line using the Iisreset command:

server 2003

Type iisreset /? for the full syntax of this command. You can also start and stop individual web sites using IIS Manager or the Iisweb.vbs script. And you can stop or start individual IIS services using the net commands; for example, net stop w3svc will stop the World Wide Web Publishing Service only.
Summary
In this article I’ve explained how to create and configure web sites and virtual directories on IIS 6. Most of what we’ve covered also applies to IIS 5 on Windows 2000 as well. In the next article I’ll delve into creating and configuring FTP sites and implementing FTP User Isolation, a new feature of Windows Server 2003. For a deeper look at IIS 6 see my book IIS 6 Administration (Osborne/McGraw-Hill).
About Mitch Tulloch

Posted in Download Windows Server 2003 (32-bit x86), Download Windows Server 2003 x64 Editions, Tutoriale Windows 2003

Online Tutorial: How to upgrade Windows 2000 domain controllers to Windows Server 2003

Posted by ascultradio on September 3, 2009

How to upgrade Windows 2000 domain controllers to Windows Server 2003

This article discusses how to upgrade Microsoft Windows 2000 domain controllers to Microsoft Windows Server 2003 and how to add new Windows Server 2003 domain controllers to Windows 2000 domains.

Domain and forest inventory

Before you upgrade Windows 2000 domain controllers to Windows Server 2003 or before you add new Windows Server 2003 domain controllers to a Windows 2000 domain, follow these steps:

  1. Inventory the clients that access resources in the domain that hosts Windows Server 2003 domain controllers for compatibility with SMB signing.

    Each Windows Server 2003 domain controller requires SMB signing through its local security policy (the “Digitally sign communications (always)” setting is enabled by default in the Default Domain Controllers Policy). Make sure that all network clients that use the SMB/CIFS protocol to access shared files and printers in domains that host Windows Server 2003 domain controllers can be configured or upgraded to support SMB signing. If they cannot, temporarily disable SMB signing until updates can be installed or until the clients can be upgraded to newer operating systems that support SMB signing. For information about how to disable SMB signing, see the “To disable SMB signing” section at the end of this step.

    Action plans

    The following list shows the action plans for popular SMB clients:

    • Microsoft Windows Server 2003, Microsoft Windows XP Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, and Microsoft Windows 98: No action is required.
    • Microsoft Windows NT 4.0: Install Service Pack 3 or later (Service Pack 6a is recommended) on all Windows NT 4.0-based computers that access domains that contain Windows Server 2003-based computers. Alternatively, temporarily disable SMB signing on Windows Server 2003 domain controllers. For information about how to disable SMB signing, see the “To disable SMB signing” section at the end of this step.
    • Microsoft Windows 95: Install the Windows 9x directory service client on the Windows 95-based computers, or temporarily disable SMB signing on Windows Server 2003 domain controllers. The original Win9x directory service client is available on the Windows 2000 Server CD-ROM. However, that client add-on has been replaced by an improved Win9x directory service client. For information about how to disable SMB signing, see the “To disable SMB signing” section at the end of this step.
    • Microsoft Network Client for MS-DOS and Microsoft LAN Manager clients: The Microsoft Network Client for MS-DOS and the Microsoft LAN Manager 2.x network client may be used to provide access to network resources, or they may be combined with a bootable floppy disk to copy operating system files and other files from a shared directory on a file server as part of a software installation routine. These clients do not support SMB signing. Use an alternative installation method, or disable SMB signing. For information about how to disable SMB signing, see the “To disable SMB signing” section at the end of this step.
    • Macintosh clients: Some Macintosh clients are not SMB signing compatible and will receive the following error message when they try to connect to a network resource:
      – Error -36 I/O

      Install updated software if it is available. Otherwise, disable SMB signing on Windows Server 2003 domain controllers. For information about how to disable SMB signing, see the “To disable SMB signing” section at the end of this step.

    • Other third-party SMB clients: Some third-party SMB clients do not support SMB signing. Consult your SMB provider to see if an updated version exists. Otherwise, disable SMB signing on Windows Server 2003 domain controllers.

    To disable SMB signing

    If software updates cannot be installed on affected clients that are running Windows 95, Windows NT 4.0, or other operating systems that were released before Windows Server 2003, temporarily disable the SMB service signing requirement in Group Policy until you can deploy updated client software.

    You can disable SMB service signing in the following node of Default Domain Controllers policy on the domain controllers organizational unit:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)

    If domain controllers are not located in the domain controller’s organizational unit, you must link the default domain controller’s Group Policy object (GPO) to all organizational units that host Windows 2000 or Windows Server 2003 domain controllers. Or, you can configure SMB service signing in a GPO that is linked to those organizational units.
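Before and after changing that policy it is worth confirming what each domain controller actually enforces, since the GPO only takes effect after the next policy refresh. The following PowerShell script is an added example (not part of the Microsoft article). It reads the two registry values that back the SMB signing settings over the remote registry service and assumes the domain controller names NA-DC-01 and NA-DC-02 used later in the article. While signing is disabled, SMB sessions to those domain controllers can be tampered with or relayed by anyone on the network path, so keep that window as short as the client updates allow.

```powershell
# Added example: read the SMB signing values that back the "Digitally sign communications"
# policies on each domain controller. The DC names are assumptions for the example.
$dcs = @("NA-DC-01", "NA-DC-02")

function Get-SmbSigningState {
    # Reads the server-side (LanmanServer) values over the remote registry service.
    #   RequireSecuritySignature = "Digitally sign communications (always)"
    #   EnableSecuritySignature  = "Digitally sign communications (if client agrees)"
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $Computer)
    try {
        $key = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters")
        $require = [int]$key.GetValue("RequireSecuritySignature", 0)
        $enable  = [int]$key.GetValue("EnableSecuritySignature", 0)
        $key.Close()
    } finally { $hklm.Close() }
    New-Object PSObject -Property @{
        Computer = $Computer
        Required = ($require -eq 1)      # clients that cannot sign are refused
        Enabled  = ($enable -eq 1)       # signing negotiated when the client supports it
    }
}

# A policy change reaches a DC at its next refresh (every 5 minutes on domain
# controllers) or immediately after: gpupdate /target:computer /force
$dcs | ForEach-Object { Get-SmbSigningState $_ } | Format-Table Computer, Required, Enabled -AutoSize
```

Run it once with the default policy to record the baseline (Required = True on every 2003 DC), again after the temporary change to confirm the clients' problem is gone, and a third time after re-enabling the setting so the exception does not quietly become permanent.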

  2. Inventory the domain controllers that are in the domain and in the forest:
    1. Make sure that all the Windows 2000 domain controllers in the forest have installed all the appropriate hotfixes and service packs. Microsoft recommends that all the Windows 2000 domain controllers run Windows 2000 Service Pack 4 (SP4) or later. If you cannot fully deploy Windows 2000 SP4 or later, all the Windows 2000 domain controllers must have an Ntdsa.dll file whose date stamp is later than June 4, 2001 and whose version is later than 5.0.2195.3673. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      331161 (http://support.microsoft.com/kb/331161/ ) Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers

      By default, Active Directory administrative tools on Windows 2000 SP4, Windows XP, and Windows Server 2003 client computers use Lightweight Directory Access Protocol (LDAP) signing. If such computers use (or fall back to) NTLM authentication when they remotely administer Windows 2000 domain controllers, the connection will not work. To resolve this behavior, remotely administered domain controllers should have a minimum of Windows 2000 SP3 installed. Otherwise you should turn off LDAP signing on the clients that run the administration tools. For more information about LDAP, click the following article numbers to view the articles in the Microsoft Knowledge Base:

      325465 (http://support.microsoft.com/kb/325465/ ) Windows 2000 domain controllers require Service Pack 3 or later when using Windows Server 2003 administration tools

      The following scenarios use NTLM authentication:

      • You administer Windows 2000 domain controllers that are located in an external forest connected by an NTLM (non-Kerberos) trust.
      • You focus Microsoft Management Console (MMC) snap-ins against a specific domain controller that is referenced by its IP address. For example, you click Start, click Run, and then type the following command:
        dsa.msc /server=ipaddress

      To determine the operating system and the service pack revision level of Active Directory domain controllers in an Active Directory domain, install the Windows Server 2003 version of Repadmin.exe on a Windows XP Professional or Windows Server 2003 member computer in the forest, and then run the following repadmin command against a domain controller in each domain in the forest:

      >repadmin /showattr <name of the domain controller that is in the target domain> ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

      DN: CN=NA-DC-01,OU=Domain Controllers,DC=company,DC=com
      1> operatingSystem: Windows Server 2003
      1> operatingSystemVersion: 5.2 (3718)
      DN: CN=NA-DC-02,OU=Domain Controllers,DC=company,DC=com
      1> operatingSystem: Windows 2000 Server
      1> operatingSystemVersion: 5.0 (2195)
      1> operatingSystemServicePack: Service Pack 1

      Note: The domain controller’s attributes do not track the installation of individual hotfixes.

    2. Verify the end-to-end Active Directory replication throughout the forest. Verify that each domain controller in the upgraded forest replicates all its locally held naming contexts with its partners consistently with the schedule that site links or connection objects define. Use the Windows Server 2003 version of Repadmin.exe on a Windows XP- or Windows Server 2003-based member computer in the forest with the following arguments:
      REPADMIN /REPLSUM /BYSRC /BYDEST /SORT:DELTA              <-output formatted to fit on page

      DestDC    largest delta    fails/total  %  error

      NA-DC-01 13d.21h:10m:10s    97 / 143  67  (8240) There is no such object...
      NA-DC-02 13d.04h:11m:07s   180 / 763  23  (8524) The DSA operation...
      NA-DC-03 12d.03h:54m:41s     5 /   5 100  (8524) The DSA operation...

      All the domain controllers in the forest must replicate Active Directory without error, and the values in the “Largest Delta” column of the repadmin output should not be significantly greater than the replication frequency on the corresponding site links or connection objects that are used by a given destination domain controller.

      Resolve all replication errors between domain controllers that have failed to inbound replicate in less than Tombstone Lifetime (TSL) number of days (by default, 60 days). If replication cannot be made to function, you may have to forcibly demote the domain controllers and remove them from the forest by using the Ntdsutil metadata cleanup command, and then promote them back into the forest. You can use a forceful demotion to save both the operating system installation and the programs that are on an orphaned domain controller. For more information about how to remove orphaned Windows 2000 domain controllers from their domain, click the following article number to view the article in the Microsoft Knowledge Base:

      216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in Active Directory after an unsuccessful domain controller demotion

      Take this action only as a last resort to recover the installation of the operating system and the installed programs. You will lose unreplicated objects and attributes on orphaned domain controllers including users, computers, trust relationships, their passwords, groups and group memberships.

      Be careful when you try to resolve replication errors on domain controllers that have not replicated inbound changes for a particular Active Directory partition for greater than tombstonelifetime number of days. When you do so, you may reanimate objects that were deleted on one domain controller but for which direct or transitive replication partners never received the deletion in the previous 60 days.

      Consider removing any lingering objects that reside on domain controllers that have not performed inbound replication in the last 60 days. Alternatively, you can forcefully demote domain controllers that have not performed any inbound replication on a given partition in tombstone lifetime number of days and remove their remaining metadata from the Active Directory forest by using Ntdsutil and other utilities. Contact your support provider or Microsoft PSS for additional help.

    3. Verify that the contents of the Sysvol share are consistent. Verify that the file system portion of group policy is consistent. You can use Gpotool.exe from the Resource Kit to determine whether there are inconsistencies in policies across a domain. Use Healthcheck from the Windows Server 2003 support tools to determine whether the Sysvol share replica sets function correctly in each domain. If the contents of the Sysvol share are inconsistent, resolve all the inconsistencies.
    4. Use Dcdiag.exe from the support tools to verify that all the domain controllers have shared Netlogon and Sysvol shares. To do so, type the following command at a command prompt:
      DCDIAG.EXE /e /test:frssysvol
    5. Inventory the operations roles. The schema and infrastructure operations masters are used to introduce the forest-wide and domain-wide schema changes that the Windows Server 2003 adprep utility makes to the forest and its domains. Verify that the schema role and the infrastructure role for each domain in the forest reside on live domain controllers and that each role owner has performed inbound replication over all partitions since it was last restarted. The DCDIAG /test:FSMOCHECK command can be used to view forest-wide and domain-wide operations roles. Operations master roles that reside on non-existent domain controllers should be seized to a healthy domain controller by using NTDSUTIL. Roles that reside on unhealthy domain controllers should be transferred if possible. Otherwise, they should be seized. The NETDOM QUERY FSMO command does not identify FSMO roles that reside on deleted domain controllers.

      Verify that the schema master and each infrastructure master has performed inbound replication of Active Directory since last booted. Inbound replication can be verified by using the REPADMIN /SHOWREPS DCNAME command, where DCNAME is the NetBIOS computer name or the fully qualified computer name of a domain controller. For more information about operations masters and their placement, click the following article numbers to view the articles in the Microsoft Knowledge Base:

      197132 (http://support.microsoft.com/kb/197132/ ) Windows 2000 Active Directory FSMO roles
      223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Active Directory domain controllers
    6. Event log review. Examine the event logs on all the domain controllers for problematic events. The event logs must not contain serious event messages that indicate a problem with any of the following processes and components:
      • physical connectivity
      • network connectivity
      • name registration
      • name resolution
      • authentication
      • Group Policy
      • security policy
      • disk subsystem
      • schema
      • topology
      • replication engine
    7. Disk space inventory. The volume that hosts the Active Directory database file, Ntds.dit, must have free space equal to at least 15-20% of the Ntds.dit file size. The volume that hosts the Active Directory log file must also have free space equal to at least 15-20% of the Ntds.dit file size. For additional information about how to free up additional disk space, see the “Domain Controllers Without Sufficient Disk Space” section of this article.
    8. DNS scavenging (optional). Enable DNS scavenging at 7-day intervals for all DNS servers in the forest. For best results, perform this operation 61 or more days before you upgrade the operating system. This provides the DNS scavenging daemon sufficient time to garbage-collect the aged DNS objects when an offline defragmentation is performed on the Ntds.dit file.
    9. Disable the DLT Server service (optional). The DLT Server service is disabled on new and upgraded installations of Windows Server 2003 domain controllers. If distributed link tracking is not used, you can disable the DLT Server service on your Windows 2000 domain controllers and begin deleting DLT objects from each domain in the forest. For additional information, see the “Microsoft Recommendations for distributed link tracking” section of the following article in the Microsoft Knowledge Base:
      312403 (http://support.microsoft.com/kb/312403/ ) Distributed Link Tracking on Windows-based domain controllers
    10. System state backup. Make a system state backup of at least two domain controllers in every domain in the forest. You can use the backup to recover all the domains in the forest if the upgrade does not work.
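The replication check in step 2 above can be automated over the saved output of the repadmin /replsum command. The following script is an added example, not part of the original article or of the Support Tools; the site-link frequency, the slack multiplier and the two extra sample rows are assumptions made for the demonstration.

```python
"""Check a ``repadmin /replsum /bysrc /bydest /sort:delta`` summary against
the rules in step 2 of the forest inventory.

Added example; it is not part of the article or of the Support Tools.
LINK_FREQUENCY and SLACK are assumed values you would set for your own
topology. The sample table is constructed: the first three rows are the
article's own excerpt, the last two were added here.
"""
import re
from datetime import timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)   # Windows 2000 default TSL
LINK_FREQUENCY = timedelta(hours=3)       # assumed site-link schedule
SLACK = 3                                 # assumed: flag deltas > 3x the schedule

# Constructed sample output. NA-DC-04 is a healthy partner and NA-DC-05 has
# not replicated inbound for longer than the tombstone lifetime.
SAMPLE_REPLSUM = """\
DestDC    largest delta    fails/total  %%  error

NA-DC-01 13d.21h:10m:10s    97 / 143  67  (8240) There is no such object...
NA-DC-02 13d.04h:11m:07s   180 / 763  23  (8524) The DSA operation...
NA-DC-03 12d.03h:54m:41s     5 /   5 100  (8524) The DSA operation...
NA-DC-04     00h:14m:59s     0 /  12   0
NA-DC-05 63d.02h:00m:05s   144 / 144 100  (8524) The DSA operation...
"""

DELTA_RE = re.compile(r"(?:(\d+)d\.)?(\d+)h:(\d+)m:(\d+)s")
ROW_RE = re.compile(
    r"^(?P<dc>\S+)\s+(?P<delta>(?:\d+d\.)?\d+h:\d+m:\d+s)\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)"
    r"(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*?))?\s*$"
)


def parse_delta(text):
    """'13d.21h:10m:10s' or '00h:14m:59s' -> timedelta."""
    m = DELTA_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised largest-delta value: {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_replsum(output):
    """Turn the per-destination table into a list of dicts; headers are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        rows.append({
            "dc": m["dc"],
            "delta": parse_delta(m["delta"]),
            "fails": int(m["fails"]),
            "total": int(m["total"]),
            "error": int(m["code"]) if m["code"] else None,
            "message": (m["msg"] or "").strip(),
        })
    return rows


def classify(row, link_frequency=LINK_FREQUENCY, slack=SLACK):
    """Return the findings for one destination DC, most serious first."""
    findings = []
    if row["delta"] >= TOMBSTONE_LIFETIME:
        # The article's caution: do not simply repair replication here, because
        # deletions older than the TSL may come back as lingering objects.
        findings.append("BEYOND_TOMBSTONE_LIFETIME")
    if row["fails"]:
        findings.append("INBOUND_FAILURES")
    if row["delta"] > link_frequency * slack:
        findings.append("DELTA_EXCEEDS_LINK_SCHEDULE")
    return findings


def assess(output, link_frequency=LINK_FREQUENCY, slack=SLACK):
    """Map each unhealthy destination DC to its findings; healthy DCs are omitted."""
    report = {}
    for row in parse_replsum(output):
        findings = classify(row, link_frequency, slack)
        if findings:
            report[row["dc"]] = findings
    return report


if __name__ == "__main__":
    for dc, findings in sorted(assess(SAMPLE_REPLSUM).items()):
        print(f"{dc}: {', '.join(findings)}")
```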

Microsoft Exchange 2000 in Windows 2000 forests

Notes

  • If Exchange 2000 Server is installed, or will be installed, in a Windows 2000 forest, read this section before you run the Windows Server 2003 adprep /forestprep command.
  • If Microsoft Exchange Server 2003 schema changes will be installed, go to the “Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003” section before you run the Windows Server 2003 adprep commands.

The Exchange 2000 schema defines three inetOrgPerson attributes with non-Request for Comment (RFC)-compliant LDAPDisplayNames: houseIdentifier, secretary, and labeledURI.

The Windows 2000 inetOrgPerson Kit and the Windows Server 2003 adprep command define RFC-compliant versions of the same three attributes with identical LDAPDisplayNames as the non-RFC-compliant versions.

When the Windows Server 2003 adprep /forestprep command is run without corrective scripts in a forest that contains Windows 2000 and Exchange 2000 schema changes, the LDAPDisplayNames for the houseIdentifier, labeledURI, and secretary attributes become mangled. An attribute becomes “mangled” if “Dup” or other unique characters are added to the beginning of the conflicted attribute name so that objects and attributes in the directory have unique names.

Active Directory forests are not vulnerable to mangled LDAPDisplayNames for these attributes in the following cases:

  • If you run the Windows Server 2003 adprep /forestprep command in a forest that contains the Windows 2000 schema before you add the Exchange 2000 schema.
  • If you install the Exchange 2000 schema in a forest that was created where a Windows Server 2003 domain controller was the first domain controller in the forest.
  • If you add Windows 2000 inetOrgPerson Kit to a forest that contains the Windows 2000 schema, and then you install Exchange 2000 schema changes, and then you run the Windows Server 2003 adprep /forestprep command.
  • If you add Exchange 2000 schema to an existing Windows 2000 forest, then run Exchange 2003 /forestprep before you run the Windows Server 2003 adprep /forestprep command.

Mangled attributes will occur in Windows 2000 in the following cases:

  • If you add the Exchange 2000 versions of the labeledURI, the houseIdentifier, and the secretary attributes to a Windows 2000 forest before you install the Windows 2000 inetOrgPerson Kit.
  • If you add the Exchange 2000 versions of the labeledURI, the houseIdentifier, and the secretary attributes to a Windows 2000 forest before you run the Windows Server 2003 adprep /forestprep command without first running the cleanup scripts.

Action plans for each scenario follow:

Scenario 1: Exchange 2000 schema changes are added after you run the Windows Server 2003 adprep /forestprep command

If Exchange 2000 schema changes will be introduced to your Windows 2000 forest after the Windows Server 2003 adprep /forestprep command is run, no cleanup is required. Go to the “Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003” section.

Scenario 2: Exchange 2000 schema changes will be installed before the Windows Server 2003 adprep /forestprep command

If Exchange 2000 schema changes have already been installed but you have NOT run the Windows Server 2003 adprep /forestprep command, consider the following action plan:

  1. Log on to the console of the schema operations master by using an account that is a member of the Schema Admins security group.
  2. Click Start, click Run, type notepad.exe in the Open box, and then click OK.
  3. Copy the following text including the trailing hyphen after “schemaUpdateNow: 1” to Notepad.
    dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: LDAPDisplayName
    LDAPDisplayName: msExchAssistantName
    -

    dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: LDAPDisplayName
    LDAPDisplayName: msExchLabeledURI
    -

    dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: LDAPDisplayName
    LDAPDisplayName: msExchHouseIdentifier
    -

    dn:
    changetype: Modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -

  4. Confirm that there is no space at the end of each line.
  5. On the File menu, click Save. In the Save As dialog box, follow these steps:
    1. In the File name box, type the following:
      %userprofile%\InetOrgPersonPrevent.ldf
    2. In the Save as type box, click All Files.
    3. In the Encoding box, click Unicode.
    4. Click Save.
    5. Quit Notepad.
  6. Run the InetOrgPersonPrevent.ldf script.
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At a command prompt, type the following, and then press ENTER:
      cd %userprofile%
    3. Type the following command
      c:\documents and settings\%username%>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "domain name path for forest root domain"

      Syntax notes:

      • DC=X is a case-sensitive constant.
      • The domain name path for the root domain must be enclosed in quotation marks.

      For example, the command syntax for an Active Directory forest whose forest root domain is TAILSPINTOYS.COM would be:

      c:\documents and settings\administrator>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dc=tailspintoys,dc=com"

      Note: You may need to change the Schema Update Allowed registry subkey if you receive the following error message:

      Schema update is not allowed on this DC because the registry key is not set or the DC is not the schema FSMO Role Owner.

      For more information about how to change this registry subkey, click the following article number to view the article in the Microsoft Knowledge Base:

      285172 (http://support.microsoft.com/kb/285172/ ) Schema update require Write access to schema in Active Directory
  7. Verify that the LDAPDisplayNames for the CN=ms-Exch-Assistant-Name, CN=ms-Exch-LabeledURI, and CN=ms-Exch-House-Identifier attributes in the schema naming context now appear as msExchAssistantName, msExchLabeledURI, and msExchHouseIdentifier before you run the Windows Server 2003 adprep /forestprep commands.
  8. Go to the “Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003 ” section to run the adprep /forestprep and /domainprep commands.

Scenario 3: The Windows Server 2003 forestprep command was run without first running inetOrgPersonFix

If you run the Windows Server 2003 adprep /forestprep command in a Windows 2000 forest that contains the Exchange 2000 schema changes, the LDAPDisplayName attributes for houseIdentifier, secretary, and labeledURI will become mangled. To identify mangled names, use Ldp.exe to locate the affected attributes:

  1. Install Ldp.exe from the Support\Tools folder of the Microsoft Windows 2000 or Windows Server 2003 media.
  2. Start Ldp.exe from a domain controller or member computer in the forest.
    1. On the Connection menu, click Connect, leave the Server box empty, type 389 in the Port box, and then click OK.
    2. On the Connection menu, click Bind, leave all the boxes empty, and then click OK.
  3. Record the distinguished name path for the SchemaNamingContext attribute. For example, for a domain controller in the CORP.ADATUM.COM forest, the distinguished name path might be CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com.
  4. On the Browse menu, click Search.
  5. Use the following settings to configure the Search dialog box:
    • Base DN: The distinguished name path for the schema naming context that is identified in step 3.
    • Filter: (ldapdisplayname=dup*)
    • Scope: Subtree
  6. Mangled houseIdentifier, secretary, and labeledURI attributes have LDAPDisplayName attributes that are similar to the following format:
    LDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d
    LDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f
    LDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef
  7. If the LDAPDisplayNames for labeledURI, secretary, and houseIdentifier were mangled in step 6, run the Windows Server 2003 InetOrgPersonFix.ldf script to recover, and then go to the “Upgrading Windows 2000 domain controllers with Winnt32.exe” section.
    1. Create a folder named %Systemdrive%\IOP, and then extract the InetOrgPersonFix.ldf file to this folder.
    2. At a command prompt, type cd %systemdrive%\iop.
    3. Extract the InetOrgPersonFix.ldf file from the Support.cab file that is located in the Support\Tools folder of the Windows Server 2003 installation media.
    4. From the console of the schema operations master, load the InetOrgPersonFix.ldf file by using Ldifde.exe to correct the LdapDisplayName attribute of the houseIdentifier, secretary, and labeledURI attributes. To do so, type the following command, where <X> is a case-sensitive constant and <dn path for forest root domain> is the domain name path for the root domain of the forest:
      C:\IOP>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "domain name path for forest root domain"

      Syntax notes:

      • DC=X is a case-sensitive constant.
      • The domain name path for the forest root domain must be enclosed in quotation marks.
  8. Verify that the houseIdentifier, secretary, and labeledURI attributes in the schema naming context are not “mangled” before you install Exchange 2000.
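The Ldp search in Scenario 3 (steps 4 to 6) and the verification in Scenario 2, step 7, can both be run offline over an LDIF export of the schema naming context. The following script is an added example, not part of the article, of Ldp.exe or of the InetOrgPersonFix.ldf script; it assumes an export taken with ldifde -f schema.ldf -d "<schema NC distinguished name>" -l lDAPDisplayName, and its sample LDIF is constructed (the GUIDs are the ones the article shows).

```python
"""Locate mangled lDAPDisplayName values in an LDIF export of the schema
naming context and verify the Scenario 2 renames.

Added example; not part of the article, of Ldp.exe or of the
InetOrgPersonFix.ldf script. It does offline what the Ldp search
(ldapdisplayname=dup*) does online. The LDIF below is constructed; the
GUIDs are the ones the article shows, the forest name is made up.
"""
import base64
import re

# Scenario 2, step 7: the names the three ms-Exch-* attributes must carry.
EXPECTED_EXCHANGE_NAMES = {
    "ms-Exch-Assistant-Name": "msExchAssistantName",
    "ms-Exch-LabeledURI": "msExchLabeledURI",
    "ms-Exch-House-Identifier": "msExchHouseIdentifier",
}

# The inetOrgPerson attributes whose names conflict between Exchange 2000 and adprep.
CONFLICTING_ATTRIBUTES = {"houseidentifier", "secretary", "labeleduri"}

# A mangled name has the form "DUP-<original name>-<GUID>".
MANGLED_RE = re.compile(
    r"^DUP-(?P<base>.+)-(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$",
    re.IGNORECASE,
)

# Constructed export: two mangled attributes, one already renamed, one
# adprep-defined attribute, and one DN folded over two lines as ldifde does.
SAMPLE_LDIF = """\
dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com
changetype: add
lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d

dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=c
 om
changetype: add
lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com
changetype: add
lDAPDisplayName: msExchHouseIdentifier

dn: CN=Labeled-URI,CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com
changetype: add
lDAPDisplayName: labeledURI
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF entry."""
    entries, current = [], {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():            # a blank line ends the entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):  # comment lines are skipped
            name, _, value = line.partition(":")
            if value.startswith(":"):   # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def rdn_value(dn):
    """'CN=ms-Exch-LabeledURI,CN=Schema,...' -> 'ms-Exch-LabeledURI'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_mangled(entries):
    """Offline equivalent of the Ldp search (ldapdisplayname=dup*) in Scenario 3."""
    found = []
    for entry in entries:
        for name in entry.get("ldapdisplayname", []):
            m = MANGLED_RE.match(name)
            if m:
                found.append({
                    "dn": entry["dn"][0],
                    "display_name": name,
                    "base": m["base"],
                    "guid": m["guid"].lower(),
                    # True for the three names the Exchange 2000 conflict produces
                    "exchange_conflict": m["base"].lower() in CONFLICTING_ATTRIBUTES,
                })
    return found


def check_exchange_renames(entries):
    """Scenario 2, step 7: True per ms-Exch-* attribute that carries its msExch* name."""
    actual = {rdn_value(e["dn"][0]): e.get("ldapdisplayname", [""])[0] for e in entries}
    return {cn: actual.get(cn) == want for cn, want in EXPECTED_EXCHANGE_NAMES.items()}


if __name__ == "__main__":
    schema = parse_ldif(SAMPLE_LDIF)
    for hit in find_mangled(schema):
        print(f"{hit['dn']}: {hit['display_name']} (was {hit['base']})")
    print(check_exchange_renames(schema))
```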

For more information about a related schema conflict with Services for UNIX version 2.0, click the following article number to view the article in the Microsoft Knowledge Base:

293783 (http://support.microsoft.com/kb/293783/ ) Cannot upgrade Windows 2000 server to Windows Server 2003 with Windows Services for UNIX 2.0 installed

Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003

The Windows Server 2003 adprep command that you run from the \I386 folder of the Windows Server 2003 media prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers. The Windows Server 2003 adprep /forestprep command adds the following features:

  • Improved default security descriptors for object classes
  • New user and group attributes
  • New Schema objects and attributes like inetOrgPerson

The adprep utility supports two command-line arguments:

adprep /forestprep: Runs forest upgrade operations.
adprep /domainprep: Runs domain upgrade operations.

The adprep /forestprep command is a one-time operation performed on the schema operation master (FSMO) of the forest. The forestprep operation must complete and replicate to the infrastructure master of each domain before you can run adprep /domainprep in that domain.

The adprep /domainprep command is a one-time operation that you run on the infrastructure operations master domain controller of each domain in the forest that will host new or upgraded Windows Server 2003 domain controllers. The adprep /domainprep command verifies that the changes from forestprep have replicated in the domain partition and then makes its own changes to the domain partition and group policies in the Sysvol share.

You cannot perform either of the following actions unless the /forestprep and the /domainprep operations have completed and replicated to all the domain controllers in that domain:

  • Upgrade the Windows 2000 domain controllers to Windows Server 2003 domain controllers by using Winnt32.exe. Note: You can upgrade the Windows 2000 member servers and computers to Windows Server 2003 member computers whenever you want.
  • Promote new Windows Server 2003 domain controllers into the domain by using Dcpromo.exe.

The domain that hosts the schema operations master is the only domain where you must run both adprep /forestprep and adprep /domainprep. In all other domains, you only have to run adprep /domainprep.

The adprep /forestprep and the adprep /domainprep commands do not add attributes to the global catalog partial attribute set or cause a full synchronization of the global catalog. The RTM version of adprep /domainprep does cause a full sync of the \Policies folder in the Sysvol tree. Even if you run forestprep and domainprep several times, completed operations are performed only one time.

After the changes from adprep /forestprep and adprep /domainprep completely replicate, you can upgrade the Windows 2000 domain controllers to Windows Server 2003 by running Winnt32.exe from the \I386 folder of the Windows Server 2003 media. Also, you can add new Windows Server 2003 domain controllers to the domain by using Dcpromo.exe.

Upgrading the forest with the adprep /forestprep command

To prepare a Windows 2000 forest and domains to accept Windows Server 2003 domain controllers, follow these steps first in a lab environment, then in a production environment:

  1. Make sure that you have completed all the operations in the “Forest Inventory” phase with special attention to the following items:
    1. You have created system state backups.
    2. All the Windows 2000 domain controllers in the forest have installed all the appropriate hotfixes and service packs.
    3. End-to-end replication of Active Directory is occurring throughout the forest.
    4. FRS replicates the file system policy correctly throughout each domain.
  2. Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group.
  3. Verify that the schema FSMO has performed inbound replication of the schema partition by typing the following at a Windows NT command prompt:
    repadmin /showreps

    (Repadmin.exe is installed from the Support\Tools folder of the installation media.)

  4. Early Microsoft documentation recommends that you isolate the schema operations master on a private network before you run adprep /forestprep. Real-world experience suggests that this step is not necessary and may cause a schema operations master to reject schema changes when it is restarted on a private network. If you want to isolate schema additions that were made by adprep, Microsoft recommends that you temporarily disable outbound replication of Active Directory with the repadmin command-line utility. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. Type the following, and then press ENTER:
      repadmin /options +DISABLE_OUTBOUND_REPL
  5. Run adprep on the schema operations master. To do so, click Start, click Run, type cmd, and then click OK. On the schema operations master, type the following command
    X:\I386\adprep /forestprep

    where X:\I386\ is the path of the Windows Server 2003 installation media. This command runs the forest-wide schema upgrade.

    Note: Events with event ID 1153 that are logged in the Directory Service event log, such as the sample that follows, can be ignored:

    Event Type: Error
    Event Source: NTDS General
    Event Category: Internal Processing
    Event ID: 1153
    Date: MM/DD/YYYY
    Time: HH:MM:SS AM|PM
    User: Everyone
    Computer: <some DC>
    Description: Class identifier 655562 (class name msWMI-MergeablePolicyTemplate) has an invalid superclass 655560. Inheritance ignored.

  6. Verify that the adprep /forestprep command successfully ran on the schema operations master. To do so, from the console of the schema operations master, verify the following items:
    • The adprep /forestprep command completed without error.
    • The CN=Windows2003Update object is written under CN=ForestUpdates,CN=Configuration,DC=forest_root_domain. Record the value of the Revision attribute.
    • (Optional) The schema version incremented to version 30. To do so, see the ObjectVersion attribute under CN=Schema,CN=Configuration,DC=forest_root_domain.

    If adprep /forestprep does not run, verify the following items:

    • The fully qualified path for Adprep.exe located in the \I386 folder of the installation media was specified when adprep ran. To do so, type the following command:
      x:\i386\adprep /forestprep

      where x is the drive that hosts the installation media.

    • The logged-on user who runs adprep is a member of the Schema Admins security group. To verify this, use the whoami /all command.
    • If adprep still does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log folder.
  7. If you disabled outbound replication on the schema operations master in step 4, enable replication so that the schema changes that were made by adprep /forestprep can propagate. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. Type the following, and then press ENTER:
      repadmin /options -DISABLE_OUTBOUND_REPL
  8. Verify that the adprep /forestprep changes have replicated on all the domain controllers in the forest. It is useful to monitor the following attributes:
    1. Incrementing the schema version
    2. The CN=Windows2003Update, CN=ForestUpdates,CN=Configuration,DC=forest_root_domain or CN=Operations,CN=DomainUpdates,CN=System,DC=forest_root_domain and the operations GUIDs under it have replicated in.
    3. Search for new schema classes, objects, attributes, or other changes that adprep /forestprep adds, such as inetOrgPerson. View the SchXX.ldf files (where XX is a number between 14 and 30) in the %systemroot%\System32 folder to determine what objects and attributes there should be. For example, inetOrgPerson is defined in Sch18.ldf.
  9. Look for mangled LDAPDisplayNames. If Exchange 2000 was installed before you ran the Windows Server 2003 adprep /forestprep command, see the following article in the Microsoft Knowledge Base:
    314649 (http://support.microsoft.com/kb/314649/ ) Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers

    If you find mangled names, go to Scenario 3 of the same article.

  10. Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group of the forest that hosts the schema operations master.

Upgrading the domain with the adprep /domainprep command

Run adprep /domainprep after the /forestprep changes fully replicate to the infrastructure master domain controller in each domain that will host Windows Server 2003 domain controllers. To do so, follow these steps:

  1. Identify the infrastructure master domain controller in the domain you are upgrading, and then log on with an account that is a member of the Domain Admins security group in the domain you are upgrading. Note: The enterprise administrator may not be a member of the Domain Admins security group in child domains of the forest.
  2. Run adprep /domainprep on the Infrastructure master. To do so, click Start, click Run, type cmd, and then on the Infrastructure master type the following command:
    X:\I386\adprep /domainprep

    where X:\I386\ is the path of the Windows Server 2003 installation media. This command runs domain-wide changes in the target domain.

    Note: The adprep /domainprep command modifies file permissions in the Sysvol share. These modifications cause a full synchronization of files in that directory tree.

  3. Verify that domainprep completed successfully. To do so, verify the following items:
    • The adprep /domainprep command completed without error.
    • The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=dn path of domain you are upgrading exists

    If adprep /domainprep does not run, verify the following items:

    • The logged-on user who runs adprep is a member of the Domain Admins security group in the domain you are upgrading. To verify this, use the whoami /all command.
    • The fully qualified path for Adprep.exe located in the \I386 directory of the installation media was specified when you ran adprep. To do so, at a command prompt type the following command:
      x:\i386\adprep /domainprep

      where x is the drive that hosts the installation media.

    • If adprep still does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log folder.
  4. Verify that the adprep /domainprep changes have replicated. To do so, for the remaining domain controllers in the domain, verify the following items:
    • The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=dn path of domain you are upgrading object exists and the value for the Revision attribute matches the value of the same attribute on the infrastructure master of the domain.
    • (Optional) Look for objects, attributes or access control list (ACL) changes that adprep /domainprep added.

    Repeat steps 1-4 on the infrastructure master of the remaining domains in bulk or as you add or upgrade DCs in those domains to Windows Server 2003. Now you can promote new Windows Server 2003 computers into the forest by using DCPROMO. Or, you can upgrade existing Windows 2000 domain controllers to Windows Server 2003 by using WINNT32.EXE.

Upgrading Windows 2000 domain controllers by using Winnt32.exe

After the changes from /forestprep and /domainprep completely replicate and you have made a decision about security interoperability with earlier-version clients, you can upgrade Windows 2000 domain controllers to Windows Server 2003 and add new Windows Server 2003 domain controllers to the domain.

The following computers must be among the first domain controllers that run Windows Server 2003 in the forest in each domain:

  • The domain naming master in the forest so that you can create default DNS program partitions.
  • The primary domain controller of the forest root domain so that the enterprise-wide security principals that Windows Server 2003’s forestprep adds become visible in the ACL editor.
  • The primary domain controller in each non-root domain so that you can create new domain-specific Windows 2003 security principals.

To do so, use WINNT32 to upgrade existing domain controllers that host the operational role you want. Or, transfer the role to a newly-promoted Windows Server 2003 domain controller. Perform the following steps for each Windows 2000 domain controller that you upgrade to Windows Server 2003 with WINNT32 and for each Windows Server 2003 workgroup or member computer that you promote:

  1. Before you use WINNT32 to upgrade Windows 2000 member computers and domain controllers, remove Windows 2000 Administration Tools. To do so, use the Add/Remove Programs tool in Control Panel. (Windows 2000 upgrades only.)
  2. Install any hotfix files or other fixes that either Microsoft or the administrator determines is important.
  3. Check each domain controller for possible upgrade issues. To do so, run the following command from the \I386 folder of the installation media:
    winnt32.exe /checkupgradeonly

    Resolve any issues that the compatibility check identifies.

  4. Run WINNT32.EXE from the \I386 folder of the installation media, and then restart the upgraded Windows Server 2003 domain controller.
  5. Lower the security settings for earlier-version clients as required. If Windows NT 4.0 clients do not have NT 4.0 SP6 or Windows 95 clients do not have the directory service client installed, disable SMB Service signing on the Default Domain Controllers policy on the Domain Controllers organizational unit, and then link this policy to all organizational units that host domain controllers.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)
  6. Verify the health of the upgrade using the following data points:
    • The upgrade completed successfully.
    • The hotfixes that you added to the installation successfully replaced the original binaries.
    • Inbound and outbound replication of Active Directory is occurring for all naming contexts held by the domain controller.
    • The Netlogon and Sysvol shares exist.
    • The event log indicates that the domain controller and its services are healthy. Note: You may receive the following event message after you upgrade:

      Event Type: Error
      Event Source: NTDS Backup
      Event Category: Backup
      Event ID: 1913
      Date: Date
      Time: HH:MM:SSAM|PM
      User: N/A
      Computer: computername
      Description: Internal error: The Active Directory backup and restore operation encountered an unexpected error. Backup or restore will not succeed until this is corrected.

      You can safely ignore this event message.

  7. Install the Windows Server 2003 Administration Tools (Windows 2000 upgrades and Windows Server 2003 non-domain controllers only). Adminpak.msi is in the \I386 folder of the Windows Server 2003 CD-ROM. Windows Server 2003 media contains updated support tools in the Support\Tools\Suptools.msi file. Make sure that you reinstall this file.
  8. Make new backups of at least the first two Windows 2000 domain controllers that you upgraded to Windows Server 2003 in each domain in the forest. Locate the backups of the Windows 2000 computers that you upgraded to Windows Server 2003 in locked storage so you do not accidentally use them to restore a domain controller that now runs Windows Server 2003.
  9. (Optional) Perform an offline defragmentation of the Active Directory database on the domain controllers that you upgraded to Windows Server 2003 after the single instance store (SIS) has completed (Windows 2000 upgrades only). The SIS reviews existing permissions on objects stored in Active Directory, and then applies a more efficient security descriptor to those objects. The SIS starts automatically (identified by event 1953 in the directory service event log) when upgraded domain controllers first start the Windows Server 2003 operating system. You benefit from the improved security descriptor store only after an event ID 1966 event message is logged in the directory service event log:

    Event Type: Information
    Event Source: NTDS SDPROP
    Event Category: Internal Processing
    Event ID: 1966
    Date: MM/DD/YYYY
    Time: HH:MM:SS AM|PM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: <computername>
    Description: The security descriptor propagator has completed a full propagation pass.
    Allocated space (MB): XX
    Free space (MB): XX

    This may have increased free space in the Active Directory database.
    User Action: Consider defragmenting the database offline to reclaim the free space that may be available in the Active Directory database. For more information, see Help and Support Center at http://support.microsoft.com.

    This event message indicates that the single instance store operation has completed and serves as a cue for the administrator to perform an offline defragmentation of the Ntds.dit file using NTDSUTIL.EXE.

    The offline defragmentation can reduce the size of a Windows 2000 Ntds.dit file by up to 40%, improve Active Directory performance, and update the pages in the database for more efficient storage of link-valued attributes. For more information about how to defragment the Active Directory database, click the following article number to view the article in the Microsoft Knowledge Base:

    232122 (http://support.microsoft.com/kb/232122/ ) Performing offline defragmentation of the Active Directory database
  10. Investigate the DLT Server Service. Windows Server 2003 domain controllers disable the DLT Server service on fresh and upgrade installs. If Windows 2000 or Windows XP clients in your organization use the DLT Server service, use Group Policy to enable the DLT Server service on new or upgraded Windows Server 2003 domain controllers. Otherwise, incrementally delete distributed link tracking objects from Active Directory. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    312403 (http://support.microsoft.com/kb/312403/ ) Distributed Link Tracking on Windows-based domain controllers
    315229 (http://support.microsoft.com/kb/315229/ ) Text version of Dltpurge.vbs for Microsoft Knowledge Base article Q312403

    If you bulk delete thousands of DLT objects or other objects, you may block replication because of a lack of version store. Wait tombstonelifetime number of days (by default, 60 days) after you delete the last DLT object and for garbage collection to complete, then use NTDSUTIL.EXE to perform an offline defragmentation of the Ntds.dit file.

  11. Configure the best practice organizational unit structure. Microsoft recommends that administrators actively deploy the best practice organizational unit structure in all the Active Directory domains, and after they upgrade or deploy Windows Server 2003 domain controllers in Windows Domain mode, redirect the default containers that earlier-version APIs use to create users, computers and groups to an organizational unit container that the administrator specifies. For additional information about the best practice organizational unit structure, view the “Creating an Organizational Unit Design” section of the “Best Practice Active Directory Design for Managing Windows Networks” white paper. To view the white paper, visit the following Microsoft Web site:

    For more information about changing the default container where users, computers and groups that earlier-version APIs create are located, click the following article number to view the article in the Microsoft Knowledge Base:

    324949 (http://support.microsoft.com/kb/324949/ ) Redirecting the users and computers containers in Windows Server 2003 domains
  12. Repeat steps 1 through 10 as required for each new or upgraded Windows Server 2003 domain controller in the forest and step 11 (Best Practice organizational unit structure) for each Active Directory domain.

    In Summary:
    • Upgrade Windows 2000 Domain controllers with WINNT32 (from the slipstreamed installation media if used)
    • Verify the hotfixed files have been installed on the upgraded computers
    • Install any required hotfixes not contained on installation media
    • Verify the health on new or upgraded servers ( AD, FRS, Policy etc)
    • Wait 24 hours after OS upgrade then offline defrag (optional)
    • Start the DLT Service if you must; otherwise delete DLT objects using q312403 / q315229 after the forest-wide domainpreps
    • Perform offline defrag 60+ days (tombstone lifetime and garbage collection # of days) after deleting DLT objects
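Step 9 hinges on two Directory Service log entries: event 1953 from source NTDS SDPROP marks the start of the SIS pass and event 1966 its completion, and only the 1966 description carries the allocated and free space figures that justify an offline defragmentation. The PowerShell script below is an added example, not part of the Knowledge Base article; it assumes PowerShell 2.0 with remote event-log (RPC) access to the domain controller, and the host name and the 20% threshold are placeholders chosen here.

```powershell
# Added example (not from the KB article): confirm that the SIS pass described in step 9
# has run to completion on an upgraded domain controller, then read the space figures that
# event 1966 carries so the offline defragmentation decision rests on the logged numbers.
# Assumes PowerShell 2.0 and remote event-log (RPC) access to the domain controller.
param(
    [string]$DomainController = "DC01",   # placeholder host name, not from the article
    [int]$MinFreePercent = 20             # decision threshold chosen here, not a Microsoft value
)

# Source "NTDS SDPROP" writes both events: 1953 when the pass starts, 1966 when it completes.
$sdprop = Get-EventLog -ComputerName $DomainController -LogName "Directory Service" -Source "NTDS SDPROP" -ErrorAction Stop |
          Where-Object { $_.EventID -eq 1953 -or $_.EventID -eq 1966 } |
          Sort-Object TimeGenerated

$started   = $sdprop | Where-Object { $_.EventID -eq 1953 } | Select-Object -Last 1
$completed = $sdprop | Where-Object { $_.EventID -eq 1966 } | Select-Object -Last 1

if (-not $started) {
    "No event 1953 on {0}: the SIS pass has not started yet." -f $DomainController
    return
}
if (-not $completed -or $completed.TimeGenerated -lt $started.TimeGenerated) {
    "SIS pass started {0} but no later event 1966: do not defragment yet." -f $started.TimeGenerated
    return
}

# The 1966 description ends with "Allocated space (MB): XX  Free space (MB): XX".
$m = [regex]::Match($completed.Message, 'Allocated space \(MB\):\s*(\d+)\s+Free space \(MB\):\s*(\d+)')
if (-not $m.Success) {
    "Event 1966 found but its text lacks the space figures; inspect it by hand:"
    $completed.Message
    return
}
$allocatedMB = [int]$m.Groups[1].Value
$freeMB      = [int]$m.Groups[2].Value
$freePct     = if ($allocatedMB -gt 0) { [math]::Round(100 * $freeMB / $allocatedMB, 1) } else { 0 }

"SIS completed {0}: Ntds.dit allocated {1} MB, free {2} MB ({3}%)" -f $completed.TimeGenerated, $allocatedMB, $freeMB, $freePct
if ($freePct -ge $MinFreePercent) {
    "Reclaimable space is significant: schedule an offline defragmentation with NTDSUTIL.EXE."
} else {
    "Little reclaimable space: the optional offline defragmentation can wait."
}
```

Run it against each upgraded domain controller in turn; a controller that shows 1953 without a later 1966 is still inside the SIS pass and should not be taken offline for defragmentation.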

Dry-run upgrades in a lab environment

Before you upgrade Windows domain controllers to a production Windows 2000 domain, validate and refine your upgrade process in the lab. If the upgrade of a lab environment that accurately mirrors the production forest performs smoothly, you can expect similar results in production environments. For complex environments, the lab environment must mirror the production environment in the following areas:

  • Hardware: computer type, memory size, page file placement, disk size, performance and raid configuration, BIOS and firmware revision levels
  • Software: client and server operating system versions, client and server applications, service pack versions, hotfixes, schema changes, security groups, group memberships, permissions, policy settings, object count type and location, version interoperability
  • Network infrastructure: WINS, DHCP, link speeds, available bandwidth
  • Load: Load simulators can simulate password changes, object creation, Active Directory replication, logon authentication and other events. The goal is not to reproduce the scale of the production environment. Instead, the goals are to discover the costs and frequency of common operations and to interpolate their effects (name queries, replication traffic, network bandwidth, and processor consumption) on the production environment based on your current and future requirements.
  • Administration: tasks performed, tools used, operating systems used
  • Operation: capacity, interoperability
  • Disk Space: Note the starting, peak and ending size of the operating system, Ntds.dit and Active Directory log files on global catalog and non-global catalog domain controllers in each domain after each of the following operations:
    1. adprep /forestprep
    2. adprep /domainprep
    3. Upgrading Windows 2000 domain controllers to Windows Server 2003
    4. Performing offline defragmentation after version upgrades

An understanding of the upgrade process and complexity of the environment combined with detailed observation determines the pace and degree of care that you apply to upgrading production environments. Environments with a small number of domain controllers and Active Directory objects connected over high availability wide area network (WAN) links might upgrade in only a few hours. You may have to take more care with enterprise deployments that have hundreds of domain controllers or hundreds of thousands of Active Directory objects. In such cases, you may want to perform the upgrade over the course of several weeks or months.

Use “Dry-run” upgrades in the lab to perform the following tasks:

  • Understand the inner workings of the upgrade process and the associated risks.
  • Expose potential problem areas for the deployment process in your environment.
  • Test and develop fall-back plans in case the upgrade does not succeed.
  • Define the appropriate level of detail to apply to the upgrade process for the production domain.

Domain controllers without sufficient disk space

On domain controllers with insufficient disk space, use the following steps to free up additional disk space on the volume that hosts the Ntds.dit and Log files:

  1. Delete the unused files including *.tmp files or cached files that internet browsers use. To do so, type the following commands (press ENTER after each command):
    cd /d drive\
    del *.tmp /s
  2. Delete any user or memory dump files. To do so, type the following commands (press ENTER after each command):
    cd /d drive\
    del *.dmp /s
  3. Temporarily remove or relocate files that you can access from other servers or easily reinstall. Files that you can remove and easily replace include ADMINPAK, Support Tools, and all the files in the %systemroot%\System32\Dllcache folder.
  4. Delete old or unused user profiles. To do so, click Start, right-click My Computer, click Properties, click the User Profiles tab, and then delete all the profiles that are for old and unused accounts. Do not delete any profiles that may be for service accounts.
  5. Delete the symbols at %systemroot%\Symbols. To do so, type the following command:
    rd /s %systemroot%\symbols

    Depending on whether the servers have a full or small symbol set, this may gain approximately 70 MB to 600 MB.

  6. Perform an offline defragmentation. An offline defragmentation of the Ntds.dit file may free up space but temporarily requires double the space of the current DIT file. Perform the offline defrag by using another local volume if one is available. Or, use space on a best connected network server to perform the offline defragmentation. If the disk space is still not sufficient, incrementally delete unnecessary user accounts, computer accounts, DNS records and DLT objects from Active Directory.

    Note: Active Directory does not delete objects from the database until tombstonelifetime number of days (by default, 60 days) have passed and the garbage collection completes. If you reduce tombstonelifetime to a value lower than end-to-end replication in the forest, you may cause inconsistencies in Active Directory.
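Step 6 carries the real constraint in this procedure: the compacted copy that an offline defragmentation writes needs roughly twice the current Ntds.dit size free on some volume, so it pays to measure before deleting anything from steps 1 to 5. The PowerShell script below is an added example, not part of the Knowledge Base article; it assumes PowerShell 2.0 running locally on the domain controller, reads the DIT path from the standard NTDS Parameters registry value (not named in the article), and only reports sizes, deleting nothing.

```powershell
# Added example (not from the KB article): measure what steps 1-5 could reclaim and whether the
# volume holding Ntds.dit could then hold the temporary copy that an offline defragmentation
# needs (about twice the current DIT size). Reports only; nothing is deleted.
# Assumes PowerShell 2.0 running locally on the domain controller.

# Standard NTDS registry value that records the Ntds.dit path (not quoted in the article).
$ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$ditPath    = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'
$ditMB      = [math]::Round((Get-Item $ditPath).Length / 1MB, 1)
$drive      = Split-Path -Qualifier $ditPath                        # e.g. "C:"
$disk       = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freeMB     = [math]::Round($disk.FreeSpace / 1MB, 1)

# Read-only size of the disposable files named in steps 1, 2, 3 and 5.
function Get-TreeMB([string]$Path, [string]$Filter = "*") {
    if (-not (Test-Path $Path)) { return 0 }
    $measured = Get-ChildItem -Path $Path -Filter $Filter -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object -Property Length -Sum
    return [math]::Round(($measured.Sum / 1MB), 1)
}
$candidates = @(
    @{ Step = "1 (*.tmp)";    MB = Get-TreeMB "$drive\" "*.tmp" },
    @{ Step = "2 (*.dmp)";    MB = Get-TreeMB "$drive\" "*.dmp" },
    @{ Step = "3 (Dllcache)"; MB = Get-TreeMB "$env:SystemRoot\System32\Dllcache" },
    @{ Step = "5 (Symbols)";  MB = Get-TreeMB "$env:SystemRoot\Symbols" }
)

"Ntds.dit: {0} ({1} MB); free on {2}: {3} MB" -f $ditPath, $ditMB, $drive, $freeMB
$reclaimMB = 0
foreach ($c in $candidates) {
    "  step {0,-13} could free {1,8} MB" -f $c.Step, $c.MB
    $reclaimMB += $c.MB
}

# Step 6: the compacted database is written alongside the original, so plan for 2x the DIT size.
$neededMB = 2 * $ditMB
if ($freeMB -ge $neededMB) {
    "Enough space already for an offline defragmentation ({0} MB needed)." -f $neededMB
} elseif (($freeMB + $reclaimMB) -ge $neededMB) {
    "Steps 1-5 would free about {0} MB, enough to reach the {1} MB needed." -f $reclaimMB, $neededMB
} else {
    "Still short by about {0} MB after steps 1-5: use another local volume or a well-connected server." -f ($neededMB - $freeMB - $reclaimMB)
}
```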

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

821076 (http://support.microsoft.com/kb/821076/ ) Windows Server 2003 Help files contain incorrect information about how to update a Windows 2000 Domain

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition

Posted in Tutoriale Windows 2003

Online Tutorial How to obtain the latest service pack for Windows Server 2003

Posted by ascultradio on September 3, 2009

How to obtain the latest service pack for Windows Server 2003

This article describes how to obtain Microsoft Windows Server 2003 Service Pack 2 (SP2) and Microsoft Windows Server 2003 Service Pack 1 (SP1).

Windows Server 2003 updates are distributed in service packs. Service packs help keep Windows Server 2003 current. Additionally, service packs extend and update the functionality of your computer.

Service packs include updates, system administration tools, drivers, and additional components. These components are conveniently bundled for easy downloading. Service packs are cumulative. Each new service pack contains all the fixes that are included in previous service packs and any new fixes. You do not have to install a previous service pack before you install the latest service pack.

Windows Server 2003 SP2

Release date: March 13, 2007

You may download Windows Server 2003 SP2 from the Web. The following three versions of Windows Server 2003 SP2 are available:

  • A 32-bit version
  • A 64-bit (x64-based) version
  • An Itanium-based version

To obtain Windows Server 2003 SP2 from Windows Update

You may download the 32-bit version of Windows Server 2003 SP2 from the following Windows Update site:

To obtain Windows Server 2003 SP2 from the Microsoft Download Center

To download Windows Server 2003 SP2 from the Microsoft Download Center, visit the following Microsoft Web site:

Note If you have installed a prerelease version of Windows Server 2003 SP2, uninstall the prerelease version of the service pack, and then install the final product from the Download Center.

Important information

List of updates

For more information about what is fixed in Windows Server 2003 Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:

914962 (http://support.microsoft.com/kb/914962/ ) List of updates in Windows Server 2003 Service Pack 2

Release notes

For more information about issues with Windows Server 2003 Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:

914961 (http://support.microsoft.com/kb/914961/ ) General information regarding Windows Server 2003 Service Pack 2

Additional resources

For documentation, tools, and resources to help you evaluate, deploy, and manage Windows Server 2003 SP2 on the servers in your organization, visit the following Microsoft Web site:

Windows Server 2003 SP1

Release date: March 30, 2005

You may download Windows Server 2003 SP1 from the Web. Or, you may obtain a CD. The following two versions of Windows Server 2003 SP1 are available:

  • A 32-bit version
  • An Itanium-based version

To obtain Windows Server 2003 SP1 from Windows Update

You may download the 32-bit version of Windows Server 2003 SP1 from the following Windows Update site:

To obtain Windows Server 2003 SP1 from the Microsoft Download Center

To download the 32-bit version of Windows Server 2003 SP1, visit the following Microsoft Web site:

To download the Itanium-based version of Windows Server 2003 SP1, visit the following Microsoft Web site:

Note If you have installed a prerelease version of Windows Server 2003 SP1, uninstall the prerelease version of the service pack, and then install the final product from the Download Center.

Important information

List of updates

For more information about what is fixed in Windows Server 2003 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

824721 (http://support.microsoft.com/kb/824721/ ) Windows Server 2003 Service Pack 1 list of updates

Release notes

For more information about issues with Windows Server 2003 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

889101 (http://support.microsoft.com/kb/889101/ ) Release notes for Windows Server 2003 Service Pack 1

Additional resources

For documentation, tools, and resources to help you evaluate, deploy, and manage Windows Server 2003 SP1 on the servers in your organization, visit the following Microsoft Web site:


APPLIES TO
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

Posted in Tutoriale Windows 2003

Online Tutorial Windows Server 2003 Service Pack 1 Support Tools

Posted by ascultradio on September 3, 2009

Windows Server 2003 Service Pack 1 Support Tools

This article describes updates to the Microsoft Windows Server 2003 Support Tools that are included in Microsoft Windows Server 2003 Service Pack 1 (SP1). If you are a support person or a network administrator, you can use the Windows Support Tools to manage networks and to troubleshoot network problems that you may experience.

Windows Server 2003 SP1 includes updates for the following Support Tools:

  • Acldiag.exe
  • Adsiedit.msc
  • Bitsadmin.exe
  • Dcdiag.exe
  • Dfsutil.exe
  • Dnslint.exe
  • Dsacls.exe
  • Iadstools.dll
  • Ktpass.exe
  • Ldp.exe
  • Netdiag.exe
  • Netdom.exe
  • Ntfrsutl.exe
  • Portqry.exe
  • Repadmin.exe
  • Replmon.exe
  • Setspn.exe

The Windows Support Tools are not automatically installed when you install Windows Server 2003 SP1. To install the Windows Support Tools on a computer that is running Windows Server 2003, run the Suptools.msi program that is in the Support\Tools folder on the Windows Server 2003 SP1 CD.

The Windows Server 2003 Support Tools Help file (Suptools.chm) is located in the Sup_srv.cab file. This Help file includes a description of each tool and its associated syntax. This Help file also includes sample output and notes. See this Help file for specific usage information for these tools.

For additional help, type the following command at the command prompt, and then press ENTER:

tool name /help

Note In this command, the placeholder tool name represents the name of the tool for which you want to obtain help.

For more information about how to obtain Windows Server 2003 SP1, click the following article number to view the article in the Microsoft Knowledge Base:

889100 (http://support.microsoft.com/kb/889100/ ) How to obtain the latest service pack for Windows Server 2003

To download the updated Windows Support Tools, visit the following Microsoft Web site:

Note If you have an earlier version of the Windows Support Tools installed on your computer, you must remove this version before you install the Windows Server 2003 SP1 Support Tools.


APPLIES TO
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

Posted in Tutoriale Windows 2003