
Windows 2000 Basics

Larry Passo

MCSE+I, MCT, CCNA, CCDA

Kevin Orbaker

MCSE, MCT


Windows 2000 Versions

  • Windows 2000 Professional

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server


Windows 2000 Professional

  • Up to 2 processors

  • Up to 4GB RAM

  • Upgrade from 9x or NT 3.51/4.0 Workstation

  • Desktop performance


Windows 2000 Server

  • Up to 4 processors

  • Up to 4GB RAM

  • Active Directory

  • Terminal Services


Windows 2000 Advanced Server

  • Up to 8 processors

  • Up to 8GB RAM

  • Network Balancing

  • Load Balancing

  • Clustering


Windows 2000 Datacenter Server

  • Up to 32 processors

  • Up to 64GB RAM

  • OLTP (OnLine Transaction Processing)

  • OEM Versions Only


New Features

  • Plug and Play

  • Increased hardware support

  • Offline folders

  • Synchronization manager

  • IE 5.0


New Features

  • ACPI power management

  • FAT32 support

  • Hard Disk Defrag Utility


Security Features

  • Kerberos v5

  • Encrypting File System (EFS)

  • IPSec

  • Smart Card support

  • Secondary logon service (Run As)

  • RADIUS (Remote Authentication Dial-In User Service)


Radius Terminology

  • Dialup clients

  • Radius clients

    • RAS

    • NAS

  • Radius servers


Management Features

  • Nested Like Groups (Native Mode Only)

  • MMC

  • Group Policies

  • Windows Scripting Host (WSH)


Management Features

  • Remote Installation Services

  • Remote Storage (automatic archiving)

  • Terminal Server

    • administrative installation

    • application installation


File Features

  • Distributed File System (Dfs)

  • Disk Quotas

  • Volume mount points

  • NTFS v5

    • Inheritable permissions



Active Directory (AD)

  • Directory

  • Directory Service


Namespace

  • A group of names that are defined according to a defined naming method

    • NetBIOS

      • 15 Characters

      • Letters/Numbers/Special


Hierarchical Namespace

  • A multi-level namespace with rules that allow the namespace to be partitioned.

    • DNS

      • www.mycompany.com


Domain

  • A security boundary

  • A replication boundary

  • A logical concept


Tree

  • One or more domains

  • Contiguous hierarchical namespace


Forest

  • One or more trees

  • Non-contiguous namespace


Organizational Unit (OU)

  • A collection of objects in a domain that share common administration

  • Different OUs in the same domain may have different administrators

  • Have hierarchical structure


Site

  • One or more, well connected, IP subnets

  • Relates physical WAN infrastructure to logical domain structure

  • Fast and reliable


Object

Distinct named set of attributes

  • User

  • Printer

  • File


Schema

  • Defines the structure of Active Directory

    • Object class

    • Attributes

  • Can be extended


Distinguished Name

  • The absolute address of an object

  • CN=JamesSmith,CN=Users,DC=Microsoft,DC=com

  • The JamesSmith user account in the microsoft.com domain


Relative Distinguished Name

  • The address of an object relative to any specific place in a forest

  • CN=JamesSmith,CN=Users

  • A user account that is located in the current domain
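
The two addressing forms on the slides above, as an added example that is not from the presentation: a small parser for the slide's DN syntax that honours the RFC 2253 backslash escape (so a comma inside a name does not start a new RDN), derives the DNS domain from the DC= components, and computes an object's name relative to a base, which is the relative form the slide shows. The function names and the escaped sample name are my own.

```python
def split_dn(dn):
    """Split a DN into (type, value) RDNs, honouring RFC 2253 backslash escapes
    so that a comma inside a value ('Smith\\, James') does not start a new RDN."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair verbatim
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            rdns.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur)
    return [tuple(p.strip().split("=", 1)) for p in rdns if p.strip()]

def domain_of(dn):
    """DNS name of the domain holding the object: the DC= components joined with dots."""
    return ".".join(v for t, v in split_dn(dn) if t.upper() == "DC")

def relative_dn(dn, base):
    """The object's name relative to base, i.e. the slide's 'CN=JamesSmith,CN=Users'."""
    obj, b = split_dn(dn), split_dn(base)
    norm = lambda rdns: [(t.upper(), v.lower()) for t, v in rdns]   # DNs compare case-insensitively
    if not b or len(b) > len(obj) or norm(obj[-len(b):]) != norm(b):
        raise ValueError("object is not under the given base")
    return ",".join(f"{t}={v}" for t, v in obj[:-len(b)])
```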


Domain Controller (DC)

  • Windows 2000 Server with AD

  • Contains information about all the objects in a domain

  • No more PDCs or BDCs


Global Catalog

  • A partial replica of every domain in AD (entire forest)

  • Knowledge of the existence of all objects but not all of the attributes of those objects

  • Global Catalog servers are also DCs


Group Types

  • Security Groups

  • Distribution Groups


Security Groups

  • Domain Local Group

  • Domain Global Group

  • Universal Group (native mode only)

  • Like groups may be nested in native mode


Lightweight Directory Access Protocol (LDAP)

  • A protocol used to access AD

  • The preferred access protocol

  • A simplified version of DAP from X.500



Changes to domain model

  • DNS and TCP/IP are now mandatory

  • Automatic, two-way, transitive trusts

  • Hierarchical


Delegate Management

  • Use OUs within a domain to delegate administrative control over objects

    • Users

    • Printers

    • Computers

  • OUs can take the place of multiple domains


Delegate management

Accounting OU contains Printers located in accounting.

Accountant Joe delegated printer management.

Diagram (only the labels survive from the slide): CORP, OPS, MFG, ACCT, HR


Extending Schema

  • New types of objects and/or attributes can be created

  • Existing objects can be extended to include new attributes

  • Exchange 2000 extends AD

    • Forestprep

    • Setup



Testing Environment

  • Build it to your needs

    • Domain Model

    • Simulate site speeds

  • Global Catalog Servers

    • Replication traffic vs. Authentication traffic


Implementation and Migration Planning

  • Determine your migration path

    • In place upgrade vs. Parallel migration

  • Software validation

  • DNS naming definitions


Justification to Management

  • Why should you implement today?

    • Decrease TCO

    • Eliminate most reboots

    • Increased uptime

  • Shrinking Support for NT 4.0


Mixed Mode

  • Default configuration

  • Supports NT BDCs

  • All DCs support Win9x/NT authentication

  • More Overhead


Native Mode

  • No support for NT 4.0 BDCs

  • Allows for legacy member servers and desktops

  • Increases functionality

    • Speed, Universal Groups, nesting of like groups

  • Conversion to native is one way


OU Design

  • OUs are defined within domains

  • Reflects organizational divisions

  • Designed to make logical organizations of the business model

  • Consider the implications of:

    • Inheritance of Group Policy

    • Inheritance of Security

  • OUs typically change from domain to domain


Example OU Design

Diagram of the OU tree under company.org; only the labels survive from the slide: executive, admin, resources, users, corporate, computers, temporary, printers (several appear in more than one branch).


Domain Design

  • Single domain

  • Tree

  • Forest



Single Domain Advantages

  • Simple to implement

  • Effective for large and small organizations

  • Delegate administration with OUs

  • No trusts required

  • Can move objects between OUs


Single Domain Disadvantages

  • Can’t limit replication traffic

  • Single security policy


Multiple Domain

Diagram: company.org with child domains na.company.org, euro.company.org and asia.company.org.


Multiple Domain Advantage

  • Unlimited scalability

  • Two-way transitive trusts

  • Can break up administration through domains and OUs

  • Multiple security policies


Multiple Domain Disadvantage

  • Increased complexity

  • Increased GC replication traffic

  • Cannot easily move objects between domains

    • Requires third-party solutions



Forest

Diagram: a forest of three trees with separate namespaces: widgets.org, gidgets.net and fidgets.com.


Forest Guidelines

  • Don’t create multiple trees without a solid business reason

  • If a company is diverse, multiple trees may be the best model


Forest Advantages

  • Noncontiguous namespace

    • Acquiring a new company

    • Planning for splitting a company


Forest Disadvantage

  • Noncontiguous namespace

  • Increased GC replication traffic

  • Increased management complexity!


Intrasite Replication

  • Frequent

  • Uncompressed

  • Can’t be scheduled

  • RPC Only


Intersite Replication

  • Compressed

  • Scheduled

  • RPC or SMTP


Global Catalog Server

  • Determine authentication and replication needs

  • Replicating extended information

    • Which extended attributes should be included

  • Requires additional memory


Global Catalog Server – Logon

  • Client machine contacts the cached domain controller (DC)

  • DC looks at the IP address of client machine

  • If the client is not on the local subnet, the DC checks the GC to see if there is a DC more local to the client

  • Client notified if the cached DC isn’t the closest DC

  • Avoids WAN traffic when possible


Operations Masters

  • Schema master

  • Domain naming master

  • RID master

  • PDC Emulator

  • Infrastructure master


Schema master

  • One per forest

  • Controls all updates and changes to the schema


Domain Naming Master

  • One per forest

  • Controls addition or removal of domains from the forest


RID Master

  • One per domain

  • Allocates sequences of RIDs to the DCs in a domain


PDC Emulator

  • One per domain

  • Sends updates to BDCs

  • Receives preferential replication of password changes from DCs

    • What if replication hasn’t been received yet?


Infrastructure master

  • One per domain

  • Updates group-to-user references when group memberships are changed

  • Should not be a GC


Demo

  • FSMO Management



DNS Primer

  • A zone is a subtree of the DNS tree

    • Administered separately

    • Common zone is second level (microsoft.com)

    • Zones can be divided into sub zones

    • A name server can manage one or more zones


DNS Primer

  • Domain or Zone?

    • “microsoft” is the zone

    • “microsoft.com” is the domain


DNS Primer

  • Internet is one name space (.)

    • Drive root (\)

  • Top Level Domains (TLD)

    • .com, .net, .org, .mil

  • Second Level Domains

    • .microsoft.com

  • Fully Qualified Domain Name (FQDN)

    • www.microsoft.com


DNS Primer

  • The directory is the zone file

  • The directory service resolves a FQDN to an IP address in the directory

  • Single master replication of directory

  • MSDNS is fully RFC compliant


DNS Server Types

  • Three server types

    • Primary

      • Hosts zone information

      • Only one per zone

    • Secondary

      • Obtains database via zone transfer

      • One or more per zone

    • Caching only


DNS Naming

  • Use Internet-standard characters

    • “A”-“Z”, “a”-“z”, “0”-“9”, and “-” (RFC 1123)

    • Microsoft DNS supports wider range

  • Users not exposed to domain names

    • E-mail style login name doesn’t have to be related to domain name

    • Most interaction is query to global catalog

  • Admins exposed to domain names


DNS Locater Service

  • Domain controllers dynamically register Service Location records

    • SRV resource record (RFC 2052)

    • Maps (service) --> (hosts offering service)

    • General rendezvous mechanism

    • Analogous to SMTP and the MX record

  • NETLOGON service sends updates

    • Dynamic update protocol (RFC 2136)


DNS Locater Records

  • SRV records are named like

    • ldap.tcp.<domain name>.

    • e.g. ldap.tcp.nt.microsoft.com.

    • More records like that, all ending in <domain name>

  • DNS server that owns <domain name>

    • MUST support the SRV record

    • SHOULD support dynamic update


DNS Requirements for AD

  • Must support SRV records(RFC 2052)

    • Bind 8.1.1

  • Should support DDNS(RFC 2136)

    • Windows 2000 DNS

    • Bind v8.1.2


AD and DNS

  • AD integration (optional)

    • Single replication topology

    • Per-property replication

    • Secure replication

    • Multi-master replication

    • Simplified management

    • Support for non Win2K DNS servers

    • ACL-maintained authority control


DNS Models


Single zone

  • Example.com internal

  • Example.com external


Dual Zone

  • Example.com internal

  • Corp.example.com external


Zone requirements

  • _msdcs.example.com

  • _tcp.example.com

  • _udp.example.com

  • _sites.example.com
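
An added example (not from the presentation) covering the locator-record slide above and this zone-requirements slide: it parses a constructed zone fragment holding the SRV records a DC registers, reports any of the four required subzones that hold no records, and picks a target the way an RFC 2782 client does (lowest priority, then weighted choice). The zone content, host names and function names are assumptions; the underscore-prefixed owner names are the form Windows 2000 actually registers, rather than the RFC 2052 spelling on the slide.

```python
import random, re

# Constructed zone fragment: SRV records one DC registers under the required subzones.
ZONE = """
_ldap._tcp.example.com.             600 IN SRV 0  100 389 dc1.example.com.
_ldap._tcp.example.com.             600 IN SRV 0  100 389 dc2.example.com.
_ldap._tcp.example.com.             600 IN SRV 10 100 389 dc3.example.com.
_kerberos._tcp.example.com.         600 IN SRV 0  100 88  dc1.example.com.
_kerberos._udp.example.com.         600 IN SRV 0  100 88  dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.   600 IN SRV 0  100 389 dc1.example.com.
_ldap._tcp.HQ._sites.example.com.   600 IN SRV 0  100 389 dc1.example.com.
"""
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(zone_text):
    """Map each owner name to its (priority, weight, port, target) records."""
    records = {}
    for line in filter(None, (ln.strip() for ln in zone_text.splitlines())):
        m = SRV_RE.match(line)
        if not m:
            raise ValueError("not an SRV record: " + line)
        owner, prio, weight, port, target = m.groups()
        records.setdefault(owner.lower(), []).append(
            (int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records

def required_subzones(domain):
    """The four subzones the slide lists as required for the AD zone."""
    return [f"{p}.{domain}" for p in ("_msdcs", "_tcp", "_udp", "_sites")]

def subzone_of(owner, domain):
    """Which required subzone an SRV owner name falls under, or None."""
    name = owner.rstrip(".").lower()
    for sub in required_subzones(domain):
        if name.endswith("." + sub):
            return sub
    return None

def check_zone(records, domain):
    """Required subzones with no SRV records at all: DCs will not be located through them."""
    present = {subzone_of(o, domain) for o in records}
    return [s for s in required_subzones(domain) if s not in present]

def select_target(rrset, rng=random.random):
    """RFC 2782 client selection: lowest priority first, weighted choice inside that tier."""
    lowest = min(r[0] for r in rrset)
    tier = [r for r in rrset if r[0] == lowest]
    pick = rng() * sum(r[1] for r in tier)      # all-zero weights fall through to the last
    for _, weight, port, target in tier:
        pick -= weight
        if pick < 0:
            return target, port
    return tier[-1][3], tier[-1][2]
```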


DNS Name Registration

  • DDNS registration process

    • SOA Query

    • SOA Response

    • Assertion update

    • ACK/NACK

    • Registration

DNS Name Registration

  • DNS registration process

    • Win2K Client / Win2K DHCP Server

      • Client DHCP service responsible

      • Client updates A RR

      • DHCP server updates PTR RR

    • Win2K Client / NT4 DHCP Server

      • Client updates A and PTR RR


New Features of Windows 2000 DNS

  • DNS registration process

    • NT4 Client / Win2K DHCP Server

      • DHCP Server updates A and PTR RR

    • Win2K Client (Static)

      • Client updates A and PTR record

    • RAS Client treated as Static

      • Client updates A and PTR record

      • Attempts to remove A and PTR when closing connection



New Features of Windows 2000 DNS

  • Scavenging

    • Dynamic update requires maintenance

    • Defined scavenge criteria

      • No-refresh and refresh intervals
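
The no-refresh and refresh intervals above, as an added example that is not from the presentation: a model of how a dynamically registered record's timestamp moves (or does not) when the client re-registers, and when a scavenging pass is allowed to delete the record. Record names, addresses and the hour-based timestamps are constructed values; the 7-day intervals are the defaults Windows ships with, and a static record (no timestamp) is never scavenged.

```python
# Times are in hours, the granularity Windows DNS stores the record timestamp at.
NO_REFRESH = 7 * 24   # default no-refresh interval (7 days)
REFRESH = 7 * 24      # default refresh interval (7 days)

class DynamicRecord:
    """A registered A record plus the timestamp scavenging is driven by.
    registered=None models a static record, which carries no timestamp."""
    def __init__(self, name, address, registered=None):
        self.name, self.address, self.timestamp = name, address, registered

    def refresh(self, now, no_refresh=NO_REFRESH):
        """Client re-registration: inside the no-refresh interval the timestamp is
        left alone (that is what keeps refresh churn out of zone replication).
        Returns True only when the timestamp was actually moved."""
        if self.timestamp is None or now < self.timestamp + no_refresh:
            return False
        self.timestamp = now
        return True

    def scavengeable(self, now, no_refresh=NO_REFRESH, refresh=REFRESH):
        """Eligible only after both intervals pass with no accepted refresh."""
        if self.timestamp is None:
            return False
        return now >= self.timestamp + no_refresh + refresh

def scavenge(records, now, **intervals):
    """One scavenging pass over a zone: returns (kept, removed)."""
    removed = [r for r in records if r.scavengeable(now, **intervals)]
    return [r for r in records if r not in removed], removed
```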


New Features of Windows 2000 DNS

  • Unicode Character Support

    • Supports NetBIOS namespace

    • Allowed per server or zone

    • Interoperability is unknown with non-UTF-8-aware DNS servers


DNS Performance

  • Performance

    • Dual Pentium II 400

      • 900 Queries/sec

      • 100 Dynamic registrations/sec

      • 35% CPU Utilization

    • More than 2,200,000,000 queries and 270,000,000 dynamic registrations in 19 days


DNS and WINS

  • WINS still required for down-level clients

  • Applications may still be NetBIOS only

  • WINS improvements

    • Improved reporting

    • Improved management

    • Improved performance



Encryption

Two types:

  • Symmetric

  • Asymmetric


Symmetric Encryption

Same key used for encryption and decryption

  • DES

  • Triple DES (3DES)


Asymmetric Encryption

  • Different keys used for encryption and decryption

    • One private key, one public key

    • RSA, PGP

  • Referred to as Public Key Infrastructure (PKI)


Principles of Encryption

  • What do you know?

  • What can you find out?

  • What do you want to do?

  • What did you not do?




What Do You Want To Do?

  • Digital Signature

    • Start with the sender’s private key

  • Digital Envelope

    • Start with the recipient’s public key


What Did You Not Do?

  • Digital Signature

    • Guarantees origin

    • Doesn’t protect contents

  • Digital Envelope

    • Conceals content

    • Doesn’t guarantee origin


Certificates

  • To send an encrypted message to anyone you need their public key

  • How can you securely get their public key?

  • Certificate Authorities

  • X.509 based certificates


IPSec

  • Both ends authenticate before transmission

  • Encrypts data transmission

  • Authentication methods

    • Kerberos

    • Certificates

    • Text-based key (authentication only)


Enabling IPSec

  • Choose a default policy

  • Choose an authentication method


IPSec Policies

  • Client

    • Respond Only

  • Server

    • Request Security

    • Require Security


Kerberos Components

  • Kerberos Server

  • Ticket Granting Server

  • Ticket Granting Ticket



Kerberos Authentication

  • Client sends request to Kerberos server

  • Kerberos sends valid user

    • Session key between the client and TGS, encrypted with the client's secret key

    • TGT, encrypted with Kerberos’ secret key

  • The client decrypts the TGT with its secret key


Kerberos Authentication

  • To obtain a ticket for a service

    • Client encrypts a request using session key from Kerberos

    • TGS decrypts request and, if valid, returns a ticket for the service
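
The two exchanges on the slides above, as an added example that is not part of the presentation: a toy KDC playing both the Kerberos server and the TGS, with a constructed HMAC-based cipher (assumed, for illustration only) standing in for Kerberos' real encryption types, and made-up principal names and keys. It also makes the point the slides gloss over: the client can open the session key sent to it, but the TGT stays opaque to the client because only the KDC's own key unseals it, which is what lets the TGS trust the ticket when it comes back.

```python
import hashlib, hmac, json, os, time
JOE_KEY = hashlib.sha256(b"joe's password").digest()      # constructed sample keys, not
FS1_KEY = hashlib.sha256(b"fs1 machine secret").digest()  # real Kerberos key derivation

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + tag) standing in for a Kerberos etype."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag first, so a wrong key or a modified ticket is rejected outright."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Kerberos server and ticket-granting server in one process, as on a Win2K DC."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)   # long-term keys of users and services
        self.krbtgt_key = os.urandom(32)   # "Kerberos' secret key" on the slide
    def as_exchange(self, client):
        """Reply to the client's request: session key under the client's key, TGT under ours."""
        session = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": client, "key": session.hex(),
                                     "expires": time.time() + 600})
        return seal(self.keys[client], {"tgs_key": session.hex()}), tgt
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS: open the TGT with our key, check the authenticator, issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["key"])
        if unseal(session, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex()})
        return seal(session, {"svc_key": svc_key.hex()}), ticket

def client_logon(kdc, client, client_key, service):
    """Both exchanges from the client's side; returns what the client ends up holding."""
    enc_session, tgt = kdc.as_exchange(client)
    session = bytes.fromhex(unseal(client_key, enc_session)["tgs_key"])
    try:                                   # the TGT is opaque to the client:
        unseal(client_key, tgt)            # only the KDC's key opens it
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    authenticator = seal(session, {"client": client, "time": time.time()})
    enc_svc, ticket = kdc.tgs_exchange(tgt, authenticator, service)
    return {"tgt_opaque": tgt_opaque, "ticket": ticket,
            "svc_key": unseal(session, enc_svc)["svc_key"]}
```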



When To Upgrade

  • Member servers and client workstations

    • upgrade anytime

  • Domain Controllers

    • PDC always first


Plan for Disaster

  • Before upgrading the PDC

    • Install new NT 4.0 BDC

    • Force replication

    • Take box offline

    • Save for a rainy day


Upgrade Path

  • Install NEW DC

  • Upgrade NT 4.0 BDCs

  • Upgrade clients

  • Convert to native mode (someday)


Upgrading Clients

  • NT 4.0 Boxes

    • Upgrade to Windows 2000

  • Windows 9x

    • Install new Windows 2000 Professional


Native Mode

  • Client authentication issues

    • Non-AD aware clients must be authenticated by the PDC emulator

  • Improved performance


Directory Services Client

For Windows 9x/NT 4.0 clients

www.microsoft.com/windows2000/adclients


Directory Services Client

  • Supported features

    • Site Awareness

    • ADSI Interface

    • Dfs fault tolerant client

    • WAB Client

    • NTLM v2.0


Directory Services Client

  • Unsupported features

    • Kerberos

    • Group Policy / IntelliMirror

    • IPSec or L2TP

    • Mutual Authentication


What’s New in Windows XP

  • This is not the Xbox

  • All beta versions are known as “Whistler”

    • XP Home Edition

    • XP Professional

    • Windows .NET Server products


