Configure and Troubleshoot Hardware Devices and Drivers

Miscellaneous

• Windows 2000 now fully supports Plug and Play. (KB# Q133159)

• Use the "System Information" snap-in to view configuration information about your computer (or create a custom console focused on another computer - powerful tool!!). This snap-in consists of these categories: System Summary, Hardware Resources, Components, Software Environment and IE5.

• "Hardware Resources" under System Information allows you to view Conflicts/Sharing, DMAs, IRQs, Forced Hardware, I/O, IRQs and Memory.

• Hardware is added and removed using the "Add/Remove Hardware" applet in the Control Panel (can also be accessed from Control Panel > System > Hardware > Hardware Wizard).

• All currently installed hardware is managed through the "Device Manager" snap-in.

• To troubleshoot a device using Device Manager, click the "Troubleshoot" button on the General tab.

Disk devices

• Managed through "Computer Management" under Control Panel > Administrative tools or by creating a custom console and adding the "Disk Management" snap-in. Choosing the "Computer Management" snap-in for your custom console gives you the following tools: Disk Management, Disk Defragmenter, Logical Drives and Removable Storage. There is a separate snap-in for each of these tools except for Logical Drives.

• Using Disk Management, you can create, delete, and format partitions as FAT, FAT32 and NTFS. Can also be used to change volume labels, reassign drive letters, check drives for errors and backup drives.

• Defragment drives by using "Disk Defragmenter" under "Computer Management" or add the "Disk Defragmenter" snap-in to your own custom console. (KB# Q227463)

• Removable media are managed through the "Removable Media" snap-in.

Display devices

• Desktop display properties (software settings) are managed through the Display applet in Control Panel.

• Display adapters are installed, removed and have their drivers updated through "Display Adapters" under the Device Manager.

• Monitors are installed, removed, and have their drivers updated through "Monitors" under the Device Manager.

Input and output (I/O) devices

• Keyboards are installed under "Keyboards" in Device Manager.

• Mice, graphics tablets and other pointing devices are installed under "Mice and other pointing devices" in Device Manager.

• Troubleshoot I/O resource conflicts using the "System Information" snap-in. Look under Hardware Resources > I/O for a list of memory ranges in use.

Managing/configuring multiple CPUs

• Adding a processor to your system to improve performance is called scaling. Typically done for CPU intensive applications such as CAD and graphics rendering.

• Windows 2000 Server supports a maximum of four CPUs. If you need more consider using Windows 2000 Advanced Server (up to 8 CPUs) or Datacenter Server (maximum of 32 CPUs).

• Windows 2000 supports Symmetric Multiprocessing (SMP). Processor affinity is also supported. Asymetric Multiprocessing (ASMP) is not supported.

• Upgrading to multiple CPUs might increase the load on other system resources.

• Update your Windows driver to convert your system from a single to multiple CPUs. This is done through Device Manager > Computer > Update Driver. (KB# Q234558)

Install and manage network adapters

• Adapters are installed using the Add/Remove Hardware applet in Control Panel

• Change the binding order of protocols and the Provider order using Advanced Settings under the Advanced menu of the Network and Dial-up Connections window (accessed by right-clicking on My Network Places icon)

• Each network adapter has an icon in Network and Dial-up connection. Right click on the icon to set its properties, install protocols, change addresses, etc.

Updating drivers

• Drivers are updated using Device Manager. Highlight the device, right-click and choose Properties. A properties dialog appears. Choose the Drivers tab and then the Update Driver... button.

• Microsoft recommends using Microsoft digitally signed drivers whenever possible. (KB# Q244617)

• The Driver.cab cabinet file on the Windows 2000 CD contains all of the drivers the OS ships with. Whenever a driver is updated, W2K looks here first (e.g., c:\winnt\Driver Cache\i386\Driver.cab). The location of this file is stored in a registry key and can be changed: HKLM\Microsoft\Software\Windows\CurrentVersion\Setup\DriverCachePath  (KB# Q230644)

• The Driver Verifier is used to troubleshoot and isolate driver problems. It must be enabled through changing a Registry setting. The Driver Verifier Manager, verifier.exe, provides a command-line interface for working with Driver Verifier. (KB# Q244617)

Driver signing (KB# Q224404)

Configuring Driver Signing (KB# Q236029)

• Open System applet in Control Panel and click Hardware tab. Then in the Device Manager box, click Driver Signing to display options:

• Ignore - Install all files, regardless of file signature

• Warn- Display a message before installing an unsigned file

• Block- Prevent installation of unsigned files

• The Apply Setting As System Default checkbox is only accessible to Administrators

Using System File Checker (sfc.exe) (KB# Q222471)

• /scannow - scans all protected system files immediately

• /scanonce - scans all protected system files at next startup

• /scanboot- scans all protected system files at every restart

• /cancel- cancels all pending scans

• /quiet - replaces incorrect files without prompting

• /enable - sets Windows File Protection back to defaults

• /purgecache - purges file cache and forces immediate rescan

• /cachesize=x- sets file cache size

Windows Signature Verification (sigverif.exe)

• running sigverif launches File Signature Verification

• checks system files by default, but non-system files can also be checked

• saves search results to c:\winnt\Sigverif.txt

Windows Report Tool (KB# Q188104)

• Used to gather information from your computer to assist support providers in troubleshooting issues. Reports are composed in Windows 98 and Windows 2000 and then uploaded to a server provided by the support provider using HTTP protocol.

• Reports are stored in a compressed .CAB format and include a Microsoft System Information (.NFO) file.

• The report generated by Windows Report Tool (winrep.exe) includes a snapshot of complete system software and hardware settings. Useful for diagnosing software and hardware resource conflicts.

Manage, Monitor, and Optimize System Performance, Reliability and Availability

Monitor and optimize usage of system resources

Performance Console (KB# Q146005)

• Important objects are cache (file system cache used to buffer physical device data), memory (physical and virtual/paged memory on system), physicaldisk (monitors hard disk as a whole), logicaldisk (logical drives, stripe sets and spanned volumes), and processor (monitors CPU load)

• Processor - % Processor Time counter measure's time CPU spends executing a non-idle thread. If it is continually at or above 80%, CPU upgrade is recommended

• Processor -  Processor Queue Length - more than 2 threads in queue indicates CPU is a bottleneck for system performance

• Processor - % CPU DPC Time (deferred procedure call) measures software interrupts.

• Processor - % CPU Interrupts/Sec measures hardware interrupts. If processor time exceeds 90% and interrupts/time exceeds 15%, check for a poorly written driver (bad drivers can generate excessive interrupts) or upgrade CPU.

• Logical disk - Disk Queue Length - If averaging more than 2, drive access is a bottleneck. Upgrade disk, hard drive controller, or implement stripe set

• Physical disk - Disk Queue Length - same as above

• Physical disk - % Disk Time- If above 90%, move data/pagefile to another drive or upgrade drive

• Memory - Pages/sec - more than 20 pages per second is a lot of paging - add more RAM

• Memory - Commited bytes - should be less than amount of RAM in computer

• diskperf command for activating disk counters has been modified in Windows 2000. Physical disk counters are now enabled by default, but you will have to type diskperf -yv at a command prompt to enable logical disk counters for logical drives or storage volumes. (KB# Q253251)

Performance Alerts and Logs (KB# Q244640)

• Alert logs are like trace logs, but they only log an event, send a message or run a program when a user-defined threshold has been exceeded

• Counter logs record data from local/remote systems on hardware usage and system service activity

• Trace logs are event driven and record monitored data such as disk I/O or page faults

• By default, log files are stored in the \Perflogs folder in the system's boot partition

• Save logs in CSV (comma separated value) or TSV (tab separated value) format for import into programs like Excel

• CSV and TSV must be written all at once. They do not support logs that stop and start. Use Binary (.BLG) for logging that is written intermittantly

• Logging is used to create a baseline for future reference

Manage processes

• NT schedules threads to run by using application priorities. Application threads are assigned priorities, and run in order according to their priority level, from highest (31) to lowest (0).

• Starting applications in realtime mode can adversely effect other system processes and may even slow down total system performance. Running in realtime requires administrator or power user rights and is not generally recommended.

• You can change the priority of a running application by running Task Manager > Processes, right clicking the process and selecting "Set Priority."

Optimize disk performance

• Mirrored volumes and spanned volumes slow down system performance.

• Striping a disk set causes greatest performance increase. Striping with parity is fast, but not so fast as without parity.

• Page files are fastest when spread across several disks, but not the boot or system disks. (KB# Q197379)

• Defragmenting your hard disks regularly will improve read performance.

Manage and optimize availability of System State data and user data

System State data (KB# Q240363)

• Is comprised of the registry, COM+ class registration database and system startup files. Can also include Certificate Services database if Certificate Services is installed. If machine is a domain controller, Active Directory directory services and Sysvol directory are included. For machines running Cluster Service, resource registry checkpoints and quorum resource recovery log are included.

• On a domain controller, moving system state data to a separate volume from the system volume can increase performance.

• Can be backed up from the command line by typing:
  ntbackup systemstate /m normal /f d:\sysstate.bkf /j "System State Data Backup"
  Where /m=backup type (can be copy or normal), /f=filename and /j=job name.

• On a domain controller, an Authoritative Restore may need to be performed to force restored system state data to replicate to other domain controllers throughout Active Directory. (KB# Q241594 & Q216243)

Establishing Fault-tolerance (KB# Q113932)

• Disk mirroring requires a second drive to make a duplicate copy of the first drive. When both drives are on separate controllers, it is referred to as disk duplexing. (RAID level one).

• Disk mirroring can be used on system and boot partitions but it degrades server performance somewhat. (KB# Q141702)

• When a basic disk that is part of a mirror set is disconnected or fails, the status of the mirror set becomes Failed Redundancy. You will need another basic disk of the same size to repair the mirror set - you cannot use a dynamic disk. When you repair the set, Disk Management creates a new mirror on a separate basic disk and resynchronizes the new mirror set.

• To break a mirror set, right-click on the mirror set you wish to break and choose Break Mirror.

• Disk striping with parity provides fault-tolerance as there is a parity stripe block for each row across a hard disk. The parity and data information are always arranged so that they are on separate hard disks. Works with a minimum of three drives and a maximum of thirty-two. (RAID level five)

• Disk striping with parity cannot be used on the boot and system partitions unless it is provided separately from Windows by a specialized hardware controller.

• The Disk Management tool will allow you to continue using any Stripe sets on basic disks that existed on your system from NT4 prior to an upgrade to W2K, but it will not allow you to create any new ones, unless they are on dynamic volumes.

Recover System State data and user data using

Emergency Repair Disk

• Windows NT 4 users - the RDISK utility is gone, ERDs are now made exclusively with the backup utility. It has been changed from a repair disk to a boot disk which lets you run repair tools on the CD (KB# Q216337)

• To make an ERD, run ntbackup, choose Emergency Repair Disk and insert a blank formatted floppy into the A: drive. You will also have the option to copy registry files to the repair directory - it is a good idea to do so (%systemroot%\repair\regback). Also use backup to copy these registry files to a tape or Zip disk. (KB# Q231777)

• ERD contains the following files: autoexec.nt, config.nt and setup.log

Windows Backup

• Windows 2000 Backup is launched through Start > Accessories > System Tools > Backup or by running ntbackup from the Start menu (KB# Q241007)

• Users can back up their own files and files they have read, execute, modify, or full control permission for

• Users can restore files they have write, modify or full control permission for

• Administrators and Backup Operators can backup and restore all files regardless of permissions

• To restore System State data,  start Backup, click the Restore tab and check the box next to System State to restore it along with any other data you have selected. If you do not specify a location for it, it will overwrite your current System State data.

Running NTBackup from the command line

Safe Mode

Files used in the Windows 2000 boot process (KB# Q114841)

* Optional - only if system partition is on SCSI disk with BIOS disabled

BOOT.INI switches (KB# Q239780)

• /basevideo - boots using standard VGA driver

• /fastdetect=[comx,y,z] - disables serial mouse detection or all COM ports if port not specified. Included by default

• /maxmem:n - specifies amount of RAM used - use when a memory chip may be bad

• /noguiboot - boots Windows without displaying graphical startup screen

• /sos - displays device driver names as they load

• /bootlog - enable boot logging

• /safeboot:minimal - boot in safe mode

• /safeboot:minimal(alternateshell) - safe mode with command prompt

• /safeboot:network - safe mode with networking support (KB# Q236346)

Booting in Safe Mode (KB# Q202485)

• Enter safe mode by pressing F8 during operating system selection phase

• Safe mode loads basic files/drivers, VGA monitor, keyboard, mouse, mass storage and default system services. Networking is not started in safe mode. (KB# Q199175)

• Enable Boot Logging - logs loading of drivers and services to ntbtlog.txt in the windir folder

• Enable VGA Mode - boots Windows with VGA driver

• Last Known Good Configuration - uses registry info from previous boot. Used to recover from botched driver installs and registry changes.

• Recovery Console - only appears if it was installed using winnt32 /cmdcons or specified in the unattended setup file.

• Directory Services Restore Mode - only in Server, not applicable to Win2000 Professional.

• Debugging Mode - again, only in Server

• Boot Normally - lets you boot, uh, normally. ;-)

Windows 2000 Control Sets (KB# Q142033)

• Found under HKEY_LOCAL_MACHINE\System\Select - has four entries

• Current- CurrentControlSet. Any changes made to the registry modify information in CurrentControlSet

• Default - control set to be used next time Windows 2000 starts. Default and current contain the same control set number

• Failed - control set marked as failed when the computer was last started using the LastKnownGood control set

• LastKnownGood - after a successful logon, the Clone control set is copied here

Recovery Console

• Insert Windows 2000 CD into drive, change to i386 folder and run winnt32 /cmdcons (KB# Q216417)

• After it is installed, it can be selected from the "Please Select Operating System to Start" menu

• When starting Recovery Console, you must log on as Administrator. (KB# Q239803)

• Can also be run from Windows 2000 Setup, repair option.

• Allows you to boot to a "DOS Prompt" when your file system is formatted with NTFS

• Looks like DOS, but is very limited. By default, you can copy from removable media to hard disk, but not vice versa - console can't be used to copy files to other media (KB# Q240831). As well, by default, the wildcards in the copy command don't work (KB# Q235364). You can't read or list files on any partition except for system partition.

• There are four set variables: allowwildcards, allowallpaths, allowremovablemedia and nocopyprompt

• Can be used to disable services that prevent Windows from booting properly (KB# Q244905)
  

Startup and Recovery Settings

• Accessed through Control Panel > System applet > Advanced tab > Startup and Recovery

• Memory dumps are always saved with the filename memory.dmp (KB# Q192463)

• Small memory dump needs 64K of space. Found in %systemroot%\minidump

• In order to perform a recovery, the paging file must be on the system partition and the pagefile itself must be at least 1 MB larger than the amount of RAM installed for Write debugging information option to work

• Use dumpchk.exe to examine contents of memory.dmp (KB# Q156280)

Manage, Configure, and Troubleshoot Storage Use

Monitor, configure, and troubleshoot disks and volumes

Windows 2000 supports both Basic and Dynamic storage. In basic storage you divide a hard disk into partitions. Windows 2000 recognizes primary and extended partitions. A disk initialized for  basic storage is called a Basic disk. It can contain primary partitions, extended partitions and logical drives. Basic volumes cannot be created on dynamic disks. Basic volumes should be used when dual-booting between Windows 2000 and DOS, Windows 3.x, Windows 95/98 and all version of Windows NT. (KB# Q175761)

Dynamic storage (Windows 2000 only) allows you to create a single partition that includes the entire hard disk. A disk initialized for dynamic storage is called a Dynamic disk. Dynamic disks are divided into volumes which can include portions of one, or many, disks. These can be resized without needing to restart the operating system. (KB# Q225551)

There are three volume types

• Simple volume - contains space from a single disk

• Spanned volume - contains space from multiple disks (maximum of 32). First fills one volume before going to the next. If a volume in a spanned set fails, all data in the spanned volume set is lost. Performance is degraded as disks in spanned volume set are read sequentially.

• Striped set- contains free space from multiple disks (maximum of 32) in one logical drive. Increases performance by reading/writing data from all disks at the same rate. If a disk in a stripe set fails, all data is lost.

Dynamic Volume States

Dynamic Volume Limitations

• Cannot be directly accessed by DOS, Win95/98 or any versions of Windows NT if you are dual-booting as they do not use the traditional disk organization scheme of partitions and logical volumes. MBR on dynamic disks contains a pointer to disk configuration data stored in the last 1 MB of space at the end of the disk. (KB# Q197738)

• Dynamic volumes which were upgraded from basic disk partitons cannot be extended, especially the system volume which holds hardware-specific files required to start Windows 2000 and the boot volume. Volumes created after the disk was upgraded to dynamic can be extended. (KB# Q222188)

• When installing Windows 2000, if a dynamic volume is created from unallocated space on a dynamic disk, Windows 2000 cannot be installed on that volume. (KB# Q216341)

• Not supported on portable computers or removable media. (KB# Q232463)

• A boot disk that has been converted from basic to dynamic cannot be converted back to basic. (KB# Q217226)

Translation of terms between Basic and Dynamic Disks

To manage disks on a remote computer you must create a custom console focused on another computer. Choose Start > Run and type mmc. Press Enter. On console menu click Add/Remove Snap-in. Click Add. Click Disk Management then click Add. When Choose Computer dialog box appears choose the remote system.

Disk information is now stored on the physical disk itself, facilitating moving hard drives between systems. As managing disk numbering can become quite complex, the dmtool.exe utility has been provided. (KB# Q222470)

When using the Disk Management Snap-in Tool

• Whenever you add a new disk in a computer it is added as Basic Storage

• Every time you remove or add a new disk to your computer you must choose Rescan Disks

• Disks that have been removed from another computer will appear labeled as Foreign. Choose "Import Foreign Disk" and a wizard appears to provide instructions.

• For multiple disks removed from another computer, they will appear as a group. Right-click on any of the disks and choose "Add Disk".

• Disks can be upgraded from Basic to Dynamic storage at any time but must contain at least 1 MB of unallocated space for the upgrade to work.

Configure data compression

• Files and folders on NTFS volumes can have their compression attributes set through My Computer or Windows Explorer.

• Compact is the command-line version of the real-time compression functionality used in Windows Explorer. It can be used to display or alter the compression attributes of files or folders on NTFS volumes (does NOT work on FAT or FAT32 volumes). Its switches are

Monitor and configure disk quotas

• Windows 2000 now supports disk-based quotas. Quotas can be set on NTFS volumes, but not on FAT or FAT32 volumes.

• Quotas cannot be set on individual folders within a NTFS volume, but must instead be set on the entire volume. A physical disk can be divided into multiple logical volumes with different quotas set for each. (KB# Q183322)

• By default, quotas are not enabled. Right-click the volume that you want to protect, click the Quota tab and select "Enable quota management"

• Users exceeding their quota will still be able to write to the volume unless "Deny disk space to users exceeding quota limit" is selected. (Do not enforce quotas on a system partition as W2K writes a fair amount of data to the disk while booting and you may render your system unbootable - save this for data partitions only).

• Quotas can only be set on an individual basis, they cannot be assigned to groups. To select multiple users CTRL+click on the names you want to asign quotas to. You can choose to issue users a warning before they reach their disk usage limit. (Hopefully MS will fix this so quotas can be assigned to groups in the future).

Recover from disk failures

ARC paths in BOOT.INI (KB# Q113977 & Q119467)

The Advanced Risc Computing (ARC) path is located in the BOOT.INI and is used by NTLDR to determine which disk contains the operating system. (KB# Q102873)

multi(0)disk(0)rdisk(0)partition(1). These are the lowest numbers that an ARC path can have.

Remote Storage (KB# Q234776 & Q234692)

• Not installed by default. Added through Control Panel > Add/Remove Programs > Windows Components > Remote Storage.

• Remote storage moves eligible files from your local hard disk volumes to a remote storage location. When the space on your local, or managed, volume falls below the threshold you specify, remote storage automatically removes the content from the original file and sends it to the remote storage location. The file still appears on your local drive, but the file size is zero since the file actually resides in a remote location.

• When the file is needed again, remote storage recalls the file and caches it locally so it can be accessed.

• Response time is slower than if the file were stored on your local volume.

• You specify the files or the parameters for the files that should be stored remotely so that your most commonly used files remain on your local volume.

Removable Storage (KB# Q250468)

• Removable storage allows you to store data on removable disks such as Zip disks and CD-ROMs.

• Removable storage can use jukeboxes or individual media drives, which can be grouped together in media pools.

• Removable storage works by configuring libraries to keep track of the location where data is stored (e.g., a Zip disk is removed and put in another location, the library remembers that disk and the data on it.)

Configure and Troubleshoot Windows 2000 Network Connections:

Internet Connection Sharing (ICS) (KB# Q237254)

• Enabled through Control Panel > Network and Dial-up Connections. Right-click the connection you want to share and choose Properties. On the Shared Access tab, select "Enabled shared access for this connection".

• If you want the connection to dial automatically whenever it is accessed, select the "Enable on-demand dialing" box.

• This feature should not be used in a network with other Windows 2000 Domain Controllers, DNS servers, DCHP servers, gateways or computers configured for static IP addresses.

• The machine with ICS enabled will have its LAN adapter's address set to 192.168.0.1. It becomes a DHCP server assigning addresses in the 192.168.0.x range to other machine's on the network that are configured as DHCP clients. It assigns them 192.168.0.1 as their gateway and uses Network Address Translation (NAT) to route information between the machines on the intranet and its valid connection to the Internet.

• This technology is intended for home use and use in small offices in peer-to-peer network environments. Corporate users should consider a more robust product such as MS Proxy Server 2.0.

Virtual Private Networks (VPNs)

• PPTP - Point to Point Tunneling Protocol. Creates an encrypted tunnel through an untrusted network. Supported by Windows 95, Windows 98 and Windows NT 4.0.

• L2TP - Layer Two Tunneling Protocol. Works like PPTP as it creates a tunnel, but it does not provide data encryption. Security is provided by using an encryption technology like IPSec. Only supported on Windows 2000 at this time.

Network Protocols

TCP/IP protocol

Miscellaneous

• Is an industry-standard suite of protocols

• It is routable and works over most network topologies

• It is the protocol that forms the foundation of the Internet

• Installed by default in Windows 2000

• Can be used to connect dissimilar systems

• Uses Microsoft Windows Sockets interface (Winsock)

• IP addresses can be entered manually or provided automatically by a DHCP server

• DNS is used to resolve computer hostnames to IP addresses

• WINS is used to resolve a NetBIOS name to an IP address

• Subnet mask - A value that is used to distinguish the network ID portion of the IP address from the host ID

• Default gateway - A TCP/IP address for the host (typically a router) which you would send packets for routing elsewhere on the network

Automatic Private IP Addressing

Windows 98 and Windows 2000 support this new feature. When "Obtain An IP Address Automatically" is enabled, but the client cannot obtain an IP address, Automatic Private IP addressing takes over:

• IP address is generated in the form of 169.254.x.y (where x.y is the computer's identifier) and a 16-bit subnet mask (255.255.0.0)

• The computer broadcasts this address to its local subnet

• If no other computer responds to the address, the first system assigns this address to itself

• When using the Auto Private IP, it can only communicate with other computers on the same subnet that also use the 169.254.x.y range with a 16-bit mask.

• The 169.254.0.0 - 169.254.255.255 range has been set aside for this purpose by the Internet Assigned Numbers Authority

Troubleshooting (KB# Q102908)

• Ipconfig and Ipconfig /all - displays current TCP/IP configuration (KB# Q223413)

• Nbtstat - displays statistics for connections using NetBIOS over TCP/IP

• Netstat - displays statistics and connections for TCP/IP protocol

• Ping - tests connections and verifies configurations

• Tracert - check a route to a remote system

• Common TCP/IP problems are caused by incorrect subnet masks and gateways

• If an IP address works but a hostname won't check DNS settings

Authentication protocols

• EAP - Extensible Authentication Protocol. A set of APIs in Windows for developing new security protocols as needed to accomodate new technologies. MD5-CHAP and EAP-TLS are two examples of EAP

• EAP-TLS - Transport Level Security. Primarily used for digital certificates and smart cards

• MD5-CHAP - Message Digest 5 Challenge Handshake Authentication Protocol. Encrypts usernames and passwords with an MD5 algorithm

• RADIUS - Remote Authentication Dial-in User Service. Specification for vendor-independant remote user authentication. Windows 2000 Server can act as a RADIUS client or server.

• MS-CHAP (v1 and 2) - Microsoft Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and password. v2 is supported in Windows 2000 and NT4 and Win 95/98 (with DUN 1.3 upgrade) for VPN connections. MS-CHAP cannot be used with non-Microsoft clients

• SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data

• CHAP - Challenge Handshake Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft clients

• PAP - Password Authentication Protocol. Sends username and password in clear text

Other protocols

• DLC is a special-purpose, non-routable protocol used by Windows 2000 to talk with IBM mainframes, AS400s and Hewlett Packard printers.

• Appletalk must be installed to allow Windows 2000 Professional to communicate with Apple printers. Do not confuse this with File and Print Services for Macintosh which allow Apple clients to use resources on a Microsoft network (only available on Server).

• NWLink is Microsoft's implementation of Novell's IPX/SPX protocol. It is adequate for small to medium sized networks and requires less administrative overhead than TCP/IP. It is routable.

• NetBEUI is used soley by Microsoft operating systems and is non-routable (it is broadcast-based)

Install and configure network services

Domain Name Service (DNS) (KB# Q217769)

• Resolves hostnames to IP addreses.

• Active Directory cannot run without it.

• A records are also called forward lookups or host records. An A record maps a domain name to an IP address.

• Start Of Authority (SOA) records names the primary DNS server for a domain, provides an e-mail address for the admin (note: "." used instead of "@" in e-mail address), and specifies how long its okay to cache its data. Keeps track of data changes through serial numbers. (KB# Q163971)

• NS records designate which servers are Name Servers in the domain.

• CNAME (Canonical Name) Records or Aliases used to provide an alias for the hostname of the server. For example, a Web server at brainbuzz.com may have the hostname "jaxx", but its CNAME alias allows it to respond to "www.brainbuzz.com". (KB# Q168322)

• MX (Mail Exchange) records allow an admin to designate which machines receive mail in a domain by order of preference (a lower number equals higher preference).

• PTR (Pointer) records are also called reverse records or reverse lookups. Allow an IP address to be resolved to a host name. Creates ".in-addr.arpa" entries. (KB# Q164213)

• SRV records allow DNS to identify server types. (KB# Q232025 & Q178169)

• A Standard Primary zone stores a master copy of the zone in a text file. It's used to exchange DNS data with other servers that use text-based storage methods.

• A Standard Secondary zone creates a copy of an existing zone - used for load balancing and fault-tolerance.

• An Active Directory Integrated zone stores its data in Active Directory rather than on the local machine. Provides greater fault-tolerance and secure updates.

• Zones can be configured for Dynamic Updates. Resource records will then be updated by the DHCP clients and or server without administrator intervention. (KB# Q228803 & Q222463)

• There are two zone transfer types, full zone transfer (AXFR) and incremental zone transfer (IXFR)
  

  1. AXFR - supported by most DNS implementations. When the refresh interval expires on a secondary server it queries its primary using an AXFR query. If serial numbers have changed since the last copy, a new copy of the entire zone database is transferred to the secondary. (KB# Q164017)

  2. IXFR - Also uses serial numbers, but only transfers information that has changed rather than the entire database. The server will only transfer the full database if the sum of the changes is larger than the entire zone, the client serial number is lower than the serial number of the olds version of the zone on the server or the server responding to the IXFR request doesn't recognize that type of query.
     

• A caching DNS server simply resolves requests and caches data from resolved requests until its TTL exprires. (KB# Q167234)

• Use nslookup to troubleshoot problems with DNS. (KB# Q200525)

Dynamic Host Configuration Protocol (DHCP) (KB# Q169289)

New features NT4 Admins should be aware of

• Automatic Private IP Addressing - When a DHCP server is unavailable, W2K can assign itself a temporary IP address in the 169.254.x.y range.

• DHCP Relay Agent - is only available as part of Windows 2000 Server family now - it is not part of Windows 2000 Professional.

• DNS Integration - DHCP can now register the addresses it assigns with the Windows 2000 DNS servers that support dynamic update (KB# Q191290)

• Enhanced Monitoring - The new DHCP MMC console snap-in provides a graphical display of statistical data.

• Expanded Scope Support - Superscope and multicast scopes are now supported. (KB# Q186341 & Q161571)

• Option Class Support - Used to separate different types of clients each having similar or special configuration needs. There are vendor-defined and user-defined option classes. (KB# Q240247)

• Resource Record Re-registration - DHCP clients automatically re-register in DNS upon renewal of their lease.

• Rogue DHCP Server Detection - Prevents unauthorized DHCP servers from creating address assignment conflicts.

Process for DHCP address assignment

1. Client broadcasts DHCPDISCOVER to all nearby DHCP servers.

2. Server(s) respond with DHCPOFFER message containing IP address and release time.

3. Client chooses offer it likes best and broadcasts back a DHCPREQUEST to confirm the IP address.

4. Server finalizes process by returning a DHCPACK to acknowledge the request.

Supporting DHCP

• DHCP server can provide default gateway, DNS, WINS, proxy and browser auto-config info (IE5 and higher) in addition to IP address and subnet mask.

• DHCP servers must be authorized to assign addresses. Whenever it first comes online, it sends out a DHCPINFORM message. Other servers will respond with a DHCPACK message providing the name of the directory domain they belong to. If the first DHCP server (as part of a workgroup) detects another DHCP server that is a member of a domain, the first server assumes it is unauthorized and cannot service requests for addresses.

• DHCP in W2K is configured to enable dynamic update of dynamic DNS servers by default. Here are the available options (KB# Q228803)
  

  1. Update DNS only if client requests (default option) - updates forward and reverse lookup zones based on type of request DHCP client makes during the lease process. W2K clients will propose that they update the A record while the DHCP server updates the PTR record (KB# Q251370)

  2. Always Update DNS - updates forward and reverse lookup zones when a client acquires a lease, regardless of the type of lease request

  3. Discard forward lookups when lease expires - removes A record entries when the lease expires (even if client is offline or unavailable)

  4. Enable updates for DNS clients that do not support dynamic update - DHCP server registers A and PTR records on behalf of older Windows clients and non-Windows clients that do not support dynamic updates.
     

• To create a superscope, open DHCP Manager and right-click the name of the server you want to create a superscope for, and choose New Superscope. A wizard will appear - choose the scopes you want to create a superscope from.

• Multicast scopes are created as with above except you would choose New Multicast Scope. Multicast is used by conferencing and collaborative applications to send information to several computers at once by using a single directed message.

• W2K supports two types of option classes
  

  1. Vendor-defined - assigned to classes that are identified by vendor type (e.g., a specific brand of computer).

  2. User-defined - assigned to clients that require a common configuration that is not based on vendor type (e.g., one group whose Internet access is being monitored could be directed to a proxy server while other groups are not)
     

• DHCP relies on broadcast traffic which cannot cross routers unless they have been specifically configured to pass BOOTP or as DHCP relay agents. W2K Server includes a DHCP Relay Agent (installs as a service) to help DHCP broadcasts through routers. (KB# Q120932)

Windows Internet Name Service (WINS) (KB# Q185786)

• WINS resolves NetBIOS names to IP addresses. They do not need to be authorized.

• Is used to reduce the number of B-node broadcasts on a network.

• It is only needed in mixed-mode networks for NT4 compatibility. Its functionality has been superceded by enhanced DNS functionality in W2K

• The Computer Browser service from previous versions of NT has been superceded by Active Directory. Computer Browser service is only maintained for backwards compatibility. (KB# Q188001)

• For WINS clients in a W2K network it is now possible to specify up to 12 WINS servers for increased fault-tolerance.

• WINS is managed using the WINS snap-in for MMC.

• WINS stores all entries in a database. The Owner of a record is the WINS server that originated it. When database verification is enabled (every 24 hours by default), entries should be verified against the owner server rather than randomly selected partners.

• Static entries can be made in the WINS database for computers that cannot register dynamically in WINS.

• Use jetpack.exe utility to compact WINS databases, found in the %systemroot%\system32\wins directory (KB# Q145881)

• The database is replicated between push/pull partners. A push partner lets its pull partner know that enough changes have occurred in the database that it should request updates to its database.

• Enabling WINS lookup in DNS allows the DNS server to query the WINS database when it is unable to resolve a hostname to an IP address. (KB# Q173161)

• Setting up a WINS proxy agent on a subnet allows B-node broadcasts to be relayed through routers and reach the WINS server. (KB# Q121004)

Configure, monitor, and troubleshoot Remote Access (KB# Q160699)

Inbound connections

Multilink Support (KB# Q235610)

• Multilinking allows you to combine two or more modems or ISDN adapters into one logical link with increased bandwidth. (KB# Q233171)

• BAP (Bandwidth Allocation Protocol) and BACP (Bandwidth Allocation Control Protocol) enhance multilinking by dynamically adding or dropping links on demand. Settings are configured through RAS policies. (KB# Q244071)

• Enabled from the PPP tab of a RAS server's Properties dialog box. (KB# Q233151)

Setting Callback Security

• Using callback allows you to have the bill charged to your phone number instead of the number of the user calling in. Also used to increase security

• For roving users like a sales force, choose "Allow Caller to Set The Callback Number" (less secure)

Remote Access Policies

• Remote Access policies are stored on the server, not in Active Directory.

• Default remote access policy denies all connection attempts unless user account is set to Allow. In Native mode, every account is set to Control access through Remote Access Policy. If this is changed to Grant remote access permission all connections are accepted.

• Control access through Remote Access Policy is not available on domain controllers in mixed-mode. While connections are intially accepted, they must still meet policy requirements or be disconnected. (KB# Q193897)

• On a stand-alone server, policies are configured through Local Users and Groups > Dial-in > Properties. On an AD-based server, they are configured through Active Directory Users and Computers > Dial-in > Properties.

• Caller ID verification requires specialized answering equipment and a driver that passes Caller ID info to RRAS. If Caller ID is configured for a user but you do not have the proper equipment/drivers installed, the user is denied access.

• Callback options let you specify, no callback, set by caller, and alway callback to. The last option provides the greatest level of security. Letting the user specify the callback number provides little in the way of security but allows users such as a travelling sales force with laptops to avoid long-distance charges by having the RRAS server call them back.

• A static IP can be assigned to a user when their connection is made.

• Applying static routes allows an admin to define a series of static IP routes that are added to the routing table of the RRAS server (used for demand-dial routing between RRAS servers).

• Order of policy resolution is
  

  1. User initiates connection with RRAS

  2. RRAS checks for policy that matches

  3. If policy matches, RRAS checks user account for dial-in permissions. If no policy match found, connection is denied.

  4. If permission is set to allow access, user is granted access and profile for the policy is applied. If permission set to Control access through Remote Access Policy, policies permission settings determine access.

  5. While user is connected, RRAS matches the connection to settings of user account and policy profile.  As long as they match the connection stays alive (e.g., profile settings allow one hour maximum connection time. When user goes over an hour, the policy no longer matches and the user is disconnected).
     

• The three components of a remote access policy are its conditions, permissions and profile
  

  1. Conditions - a list of parameters such as the time of day, user groups, IP addresses or Caller IDs that are matched to the parameters of the client connecting to the server. The first policy that matches the parameters of the inbound connection is processed for access permissions and configuration.

  2. Permissions - connections are allowed based on a combination of the dial-in properties of a user's account and remote access policies. The permission setting on the remote access policy works in partnership with the user's dial-in permissions in Active Directory providing a wide range of flexibility when assigning remote access permissions.

  3. Profile - settings such as authentication and encryption protocols which are applied to the connection. If connection settings do not match user's dial-in settings, the connection is denied.

Remote Access Profiles

• Dial-in constraints - idle time before disconnect, max session time, days and times allowed, phone numbers, and media types (VPN, ISDN, etc.)

• IP - used to configure TCP/IP packet filtering.

• Multilink - multilink and BAP are configured here. Configure to disconnect a line if bandwidth falls below a present threshold. Can be set to require BAP. (KB# Q233151 & Q233171)

• Authentication - define authentication protocols required for connections using this policy (e.g., SmartCards would need EAP-TLS).

• Encryption - used to specify the types of encryption that are allowed/required/prohibited.

Install, configure, monitor and troubleshoot Terminal Services (TS) (KB# Q243202)

Installing TS

• Added through Control Panel > Add/Remove Programs > Windows Components.

• TS can be enabled during an unattended installation by setting TSEnable=On in the [Components] section of the answer file. If the ApplicationServer key is not added then TS is installed in Remote Administration mode.

• TS Services include: TS Client Creator, creates floppies for installing TS Client, TS Configuration, used to manage TS protocol and server configuration, TS Licensing, manages Client Access Licenses, and TS Manager, used to manage and monitor sessions and processes on the server running TS.

• TS uses RDP or RDP-TCP (Remote Desktop Protocol over TCP/IP). This is a presentation protocoal and it sends input from the terminal to the server and returns video from the server back to the terminal. It has been optimized for low-speed (modem) connections and is suitable for deployment in a RAS dial-up environment.

Remote server administration using TS (KB# Q243212 & Q238162)

• Remote Administration Mode allows Administrators to manage any number of Windows 2000 Servers from a single desktop. Admins have complete access to the remote system to perform tasks such as software installation, administrative functions, etc., as if they were logged on at the local console.

• Remote Administration Mode allows a maximum of 2 concurrent connections to be made per server by an Administrator. Memory and CPU utilization settings remain unaffected and application compatibility settings are completely disabled.

• There are no licensing requirements for using the Remote Administration Mode.

• If another Admin is in session on the same server you are working on, you may overwrite each other's work. Use the quser command to see if other Admins are in session.

• Do not use for tasks that require reboots (e.g., you reboot a server in another city and it fails to come back up because a floppy is in the A: drive - oops)

Configuring TS for application sharing (Application Server Mode)

• Users can be assigned a specific Terminal Services profile. If one is not available TS will then try to load a user's Roaming Profile. If the two previous are not available TS will load the standard Windows 2000 Profile.

• Best practice is to remove default Home Directories created by Windows 2000 for each user and create TS specific network Home Directories on a file server. All application specific files (eg., .INI) are written to these directories.

• A Temp folder is created for each user by default. Use the flattemp.exe tool or the Terminal Services Configuration Tool to change the location of the temporary folders or disable them and force all users to share one Temp folder (flattemp /disable). (KB# Q243555)

• Remember that all TS users log on locally in a virtual console on your server and have access to your local drives. Use NTFS on all volumes to prevent users from getting into places where they don't belong.

• Remote Control - is similar to Shadowing in Citrix MetaFrame. Allows an administrator to view and take control of  a user's session as needed for help desk support. By design, this does not work from the console. (KB# Q232792)

• RDP-TCP Permissions..... (KB#s Q243554, Q225038 & Q224395)

• By default, users will be prompted for a password unless it is changed in the properties for RDP-TCP. (KB# Q247174)

• Sessions will disconnect when the connection is broken but will continue executing a user's processes by default. To prevent system resources being taken up by these processes set your sessions to reset on broken so that all processes are abruptly terminated when connections are broken.

• TS cannot be clustered, but it can be load-balanced using Network Load Balancing. This causes a group of servers to appear as a single virtual IP address (KB# Q243523). Alternately you can use round-robin DNS resolution to load balance your TS servers. (KB# Q168321)

• Automatic Printer redirection is supported for all 32-bit Windows clients - TS will detect printers attached locally to the client and create corresponding print queues in the user's session. When user disconnects print queues and any print jobs are terminated. (KB#s Q238841, Q221509 & Q239088)

• Printers must be manually redirected for 16-bit Windows clients and Windows based terminals.

Configuring applications for use with TS

• Do not use the following types of applications with TS; multimedia applications, streaming applications, multimedia intensive games or applications that require special hardware to operate (like barcode scanners) unless the hardware can be connected to the terminal as a keyboard type device. TS does not recognize devices that connect to a parallel or serial port at this time.

• Some applications may require special installation or execution scripts to modify the app's performance in a multi-user environment.

• MS recommends that applications be installed using Add/Remove Programs in Control Panel. If you are installing the application directly, put TS into install mode by typing change user /install at a command prompt. Typing change user /execute turns off install mode. (KB# Q238840 & Q238357)

The TS Client is available for the following Windows operating systems

• 16-bit Windows for Workgroups with MS TCP/IP-32

• 32-bit Windows 95/98, Windows NT 3.51, Windows NT 4.0, or Windows 2000 Professional.

• Windows CE-based handheld and terminal devices

• Use the Citrix MetaFrame add-on product for Terminal Services for non-Windows clients.

Configuring TS Clients

• Windows 3.11 and Windows 95 clients should have at least 8 MB of RAM. Windows 98 clients should have at least 24 MB of RAM and Windows 2000 Pro needs 32 MB or more.  10 MB of hard drive space is needed if client bitmap caching is enabled.

• By default, all RDP client software is stored in the %systemroot%\system32\clients\tsclient directory when TS is installed.

• Clients can be deployed via a file share for installation over the network or by using Terminal Services Client Creation from the Administrative Tools menu to create a client image that can be installed from a floppy disk.

TS Licensing (needed in addition to OS licenses, Windows 2000 Server/Microsoft BackOffice Client Access Licenses and application licenses)
(KB#s Q244749, Q237811, Q232520, Q239107 & Q237801)

• Built-in Licenses - clients running Windows 2000 are automatically licensed as Windows 2000 clients.

• Terminal Server Client Access Licenses - purchased for known, non-Windows 2000 clients connecting to TS.

• Terminal Services Internet Connector Licenses - used to allow anonymous access to TS by clients across the Internet. Based on concurrent connections.

• Temporary Licenses - issued when there are no valid licenses left to give. License server tracks issuance and expiration.

Implement, Monitor, and Troubleshoot Security

Encrypt data on a hard disk using Encrypting File System (EFS) (KB# Q223316 & Q230520)

About EFS

• Only works on Windows 2000 NTFS partions (NTFS v5).

• Encryption is transparent to the user.

• Uses public-key encryption. Keys that are used to encrypt the file are encrypted by using a public key from the user's certificate.The list of encrypted file-encryption keys is kept with the encrypted file and is unique to it. When decrypting the file encryption keys, the file owner provides a private key which only he has. (KB# Q241201 & Q230490)

• If the owner has lost his private key, an appointed recovery system agent can open the file using his/her key instead. (KB# Q242296)

• There can be more than one recovery agent, but at least one public recovery key must be present on the system when the file is encrypted.

• EFS resides in the Windows OS kernel and uses the non-paged memory pool to store file encryption keys - this means no one will be able to extract them from your paging file.

• Encrypted files can be backed up using the Backup Utility, but will retain their encrypted state as access permissions are preserved. (KB# Q227825 & Q223178)

• Microsoft recommends creating an NTFS folder and encrypting it. In the Properties dialog box for the folder click the General tab then the Advanced button and select the "Encrypt Contents To Secure Data" check box. The folder isn't encrypted, but files placed in it will be automatically encrypted. Uncheck the box if you want to decrypt the file.

• Default encryption is 56-bit. North Americans can upgrade to 128-bit encryption.

• Compressed files can't be encrypted and vice versa. (KB# Q223093)

• You can't share an encrypted files

• Use the Cipher command to work with encrypted files from the command line. (KB# Q229530) & Q229546)

• The efsinfo.exe utility in the W2K Resource Kit allows an administrator to determine information about encrypted files (KB# Q243026)

Using the CIPHER command

Implement, configure, manage and troubleshoot policies in a W2K environment

Local & System policy

System Policies are a collection of user environment settings that are enforced by the operating system and cannot be modified by the user. User profiles refer to the environment settings that users can change.

System Policy Editor (poledit.exe) - Windows NT 4, Windows 95 and Windows 98 all use the System Policy Editor (poledit.exe) to specify user and computer configuration that is stored in the registry.

• Not secure because settings can be changed by a user with the Registry Editor (regedit.exe). Settings are imported/exported using .ADM templates.

• Are considered "undesirabley persistant" as they are not removed when the policy ends.

• Windows 2000 comes with system.adm (system settings), inetres.adm (Internet Explorer settins) and conf.adm (NetMeeting settings) although the latter is not loaded by default.

Group Policy snap-in (gpedit.msc) - Exclusive to Windows 2000 and supercedes the System Policy Editor. Uses Incremental Security Templates.

• Should only be applied to Windows 2000 systems that have been clean installed onto an NTFS partition. NTFS computers that have been upgraded from NT4 or earlier, only the Basic security templates can be applied.

• Settings can be stored locally or in AD. Are secure and cannot be changed by users - only Administrators.

• More flexible than System Policies as they can be filtered using Active Directory.

• Settings are imported/exported using .INF files. The Group Policy snap-in can be focused on a local or remote system.

Incremental Security Templates for Windows 2000 (KB# Q234926)

*sv.inf is for a member server, *.dc.inf is for a domain controller.

Local Groups

Local Group Policy

• There are two types of Group Policy objects: local Group Policy objects and non-local Group Policy Objects. Each Windows 2000 system can have only one local Group Policy object.

• Order of application is Local, Site, Domain and Organizational Unit. Local Policies have the least precedence whereas OU Policies have the highest.

Non-local Group Policy (stored in Active Directory)

• Can be linked to a site with AD Sites and Services and applies to all domains at the site

• When applied to a domain it affects all users and computers in the domain and (by inheritance) all users and computers in Organizational Units.

Config.pol, NTConfig.pol and Registry.pol

• Windows 2000 uses the registry.pol format. Two files are created, one for Computer Configuration (stored in the \Machine subdirectory) and one for User Configuration (stored in the \User subdirectory).

• Registry.pol files can be used with Windows 95/98, Windows NT 4.0 and Windows 2000 as it is a text file embedded with binary strings. NTConfig.pol is a binary file whereas Config.pol is a text file.

• .POL files can be viewed using the regview.exe tool from the W2K Resource Kit. Viewing them does not apply them to the registry.

Implement, configure, manage, and troubleshoot auditing

Auditing can be enabled by clicking Start > Programs > Administrative Tools > Local Security Policy. In the Local Security Settings window double-click Local Policies and then click Audit Policy. Highlight the event you want to audit and on the Action menu, click Security. Set the properties (success or failure) for each object as desired then restart computer for new policies to take effect.

Implement, configure, manage, and troubleshoot local accounts (KB# Q217050)

• Resides only on the computer where the account was created in its local security database. If computer is part of a peer-to-peer workgroup, accounts for that user will have to be created on each additional machine that they wish to log onto locally. Local accounts cannot access Windows 2000 domain resources and should not be created on computers that are part of a domain.

• Domain user accounts reside in AD on domain controllers and can access all resources on a network that they have been accorded priveleges for.

• Built in user accounts are Administrator (used for managing the local system) and Guest (for occasional users - disabled by default)

• Usernames cannot be longer than 20 characters and cannot contain the following illegal characters: " / \ [ ] : ; | = , + * ? < >

• User logon names are not case sensitive. You can use alphanumeric combinations to increase security, if desired.

• Passwords can be up to 128 characters but Microsoft recommends limiting them to about eight characters.

• The same characters that are considered illegal in usernames are also verbotten for use in passwords

• User accounts are added and configured through the Computer Management snap-in.

• Users should be encouraged to store their data in their My Documents folder which is automatically created within their profile folder and is the default location that Microsoft applications use for storing data.

• Creating and duplicating accounts requires only two pieces of information: username and password. Disabling an account is typically used when someone else will take the user's place or when the user might return.

• Delete an account only when absolutely necessary for space or organization purposes.

• When copying a user account, the new user will stay in the same groups that the old user was a member of. The user will keep all group rights that were granted through groups, but lose all individual rights that were granted specifically for that user.

Implement, configure, manage, and troubleshoot Account Policy

Accessed through Administrative Tools > Local Security Policy > Account Policies. There are two choices, Password Policy and Account Lockout Policy

Password policy (default settings)

• Enforce password history = 0 days

• Maximum password age = 42 days

• Minimum password age = 0 days

• Minimum password length = 0 characters

• Passwords must meet complexity requirements = Disabled

• Store password using reversible encryption for all users in the domain = Disabled

Account lockout policy (default settings)

• Account lockout duration = not defined (suggested is 30 minutes)

• Account lockout threshold = 0 invalid login attempts/disabled (suggested is 5 attempts)

• Reset account lockout after = not defined

Miscellaneous

• Enforcing password complexity requires users to enter passwords at least 6 characters long that include upper and lowercase, numbers and punctuation. (KB# Q161990 & Q225230)

• Every failed login attempt increments the logon counter by one. When the counter reaches the threshold, the account is locked out for the specified duration. If the time between attempts exceeds the value specifed for the counter reset policy, the counter is set back to zero.

• MS recommends storing passwords using reversible encryption (MD5-CHAP) to increase security when setting up a RRAS server for dial-in or VPN users.

Implement, configure, manage, and troubleshoot security using the Security Configuration Tool Set

• The Security Configuration and Analysis snap-in is used to troubleshoot security in Windows 2000.

• The security database (e.g., mysecuresv.mdb) is compared to an incremental template such as hisecsv.inf and the results displayed in the right hand pane. The log of the analysis will be placed in %systemroot%\security\logs\mysecure.log

• There is a text based version of this tool that can be run from the command line - secedit.exe.