Windows 2000 basics

Presentation Transcript

Windows 2000 Basics

Larry Passo, MCSE+I, MCT, CCNA, CCDA


Kevin Orbaker, MCSE, MCT


Windows 2000 Versions

  • Windows 2000 Professional

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

Windows 2000 Professional

  • Up to 2 processors

  • Up to 4GB RAM

  • Upgrade from 9x or NT 3.51/4.0 Workstation

  • Desktop performance

Windows 2000 Server

  • Up to 4 processors

  • Up to 4GB RAM

  • Active Directory

  • Terminal Services

Windows 2000 Advanced Server

  • Up to 8 processors

  • Up to 8GB RAM

  • Network Load Balancing (NLB)

  • Clustering

Windows 2000 Datacenter Server

  • Up to 32 processors

  • Up to 64GB RAM

  • OLTP (OnLine Transaction Processing)

  • OEM Versions Only

New Features

  • Plug and Play

  • Increased hardware support

  • Offline folders

  • Synchronization manager

  • IE 5.0

New Features

  • ACPI power management

  • FAT32 support

  • Hard Disk Defrag Utility

Security Features

  • Kerberos v5

  • Encrypting File System (EFS)

  • IPSec

  • Smart Card support

  • Secondary logon service (Run As)

  • RADIUS (Remote Authentication Dial-In User Service)

RADIUS Terminology

  • Dialup clients

  • RADIUS clients: the RAS or NAS device that terminates the connection and forwards the user's credentials to the server

    • RAS

    • NAS

  • RADIUS servers: hold the accounts and remote-access policy and return accept/reject (Internet Authentication Service on Windows 2000)

Management Features

  • Nested Like Groups (Native Mode Only)

  • MMC

  • Group Policies

  • Windows Scripting Host (WSH)

Management Features

  • Remote Installation Services

  • Remote Storage (automatic archiving)

  • Terminal Server

    • administrative installation

    • application installation

File Features

  • Distributed File System (Dfs)

  • Disk Quotas

  • Volume mount points

  • NTFS v5

    • Inheritable permissions

Active Directory (AD)

  • Directory

  • Directory Service

Namespace

  • A group of names defined according to a single naming method

    • NetBIOS

      • 15 Characters

      • Letters/Numbers/Special

Hierarchical Namespace

  • A multi-level namespace with rules that allow the namespace to be partitioned.

    • DNS


Domain

  • A security boundary for account policy and administration (the forest as a whole is the real trust boundary, since Enterprise Admins and any DC in the forest can affect every domain)

  • A replication boundary

  • A logical concept

Tree

  • One or more domains

  • Contiguous hierarchical namespace

Forest

  • One or more trees

  • Non-contiguous namespace

Organizational Unit (OU)

  • A collection of objects in a domain that share common administration

  • Different OUs in the same domain may have different administrators

  • Have hierarchical structure

Site

  • One or more, well connected, IP subnets

  • Relates physical WAN infrastructure to logical domain structure

  • Fast and reliable

Object

Distinct named set of attributes

  • User

  • Printer

  • File

Schema

  • Defines the structure of Active Directory

    • Object class

    • Attributes

  • Can be extended

Distinguished Name

  • The absolute address of an object

  • CN=JamesSmith,CN=Users,DC=Microsoft,DC=com

  • The JamesSmith user account in the Users container of the microsoft.com domain

Relative Distinguished Name

  • The address of an object relative to any specific place in a forest

  • CN=JamesSmith,CN=Users

  • A user account that is located in the current domain
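As an added example (not from the slides), a small Python parser for these names: it splits a DN into RDNs while honouring the RFC 2253 backslash escapes, derives the DNS domain from the DC components, and answers the containment question that OU-based delegation depends on. The names `OU=Accounting` and `Smith\, James` are constructed test data. A naive `split(",")` mis-parses the escaped comma, which is the kind of bug that lands an object in the wrong container for an authorization check.

```python
import re

# Characters RFC 2253 requires to be escaped when they occur inside an RDN value
_SPECIAL = ',+"\\<>;='


def parse_dn(dn: str):
    """Split a DN into [(attr, value), ...], most specific first, decoding \\x and \\XX escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):   # \XX hex escape
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:                                                  # \, \= \\ and friends
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":                    # only an UNescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    parts = []
    for rdn_text in rdns:
        attr, sep, value = rdn_text.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        parts.append((attr.strip().upper(), value))
    return parts


def format_dn(parts) -> str:
    """Inverse of parse_dn: re-escape special characters so the DN round-trips."""
    def esc(v: str) -> str:
        v = "".join("\\" + c if c in _SPECIAL else c for c in v)
        if v.startswith(" ") or v.startswith("#"):
            v = "\\" + v
        if v.endswith(" "):
            v = v[:-1] + "\\ "
        return v
    return ",".join(f"{a}={esc(v)}" for a, v in parts)


def rdn(dn: str) -> str:
    """Relative distinguished name: the leftmost component only."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """The container the object lives in."""
    return format_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """DC=Microsoft,DC=com -> microsoft.com."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC").lower()


def _norm(parts):
    return [(a, v.lower()) for a, v in parts]      # AD compares DNs case-insensitively


def is_under(obj_dn: str, container_dn: str) -> bool:
    """True if obj_dn lies (directly or nested) under container_dn: what a delegation rule relies on."""
    o, c = _norm(parse_dn(obj_dn)), _norm(parse_dn(container_dn))
    return len(o) > len(c) and o[-len(c):] == c
```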

Domain Controller (DC)

  • Windows 2000 Server with AD

  • Contains information about all the objects in a domain

  • No more PDCs or BDCs

Global Catalog

  • A partial replica of every domain in AD (entire forest)

  • Knowledge of the existence of all objects but not all of the attributes of those objects

  • Global Catalog servers are also DCs

Group Types

  • Security Groups

  • Distribution Groups

Security Groups

  • Domain Local Group

  • Domain Global Group

  • Universal Group (native mode only)

  • Like groups may be nested in native mode

Lightweight Directory Access Protocol (LDAP)

  • A protocol used to access AD

  • The preferred access protocol

  • A simplified version of DAP from X.500

Changes to domain model

  • DNS and TCP/IP are now mandatory

  • Automatic, two-way, transitive trusts

  • Hierarchical

Delegate Management

  • Use OUs within a domain to delegate administrative control over objects

    • Users

    • Printers

    • Computers

  • OUs can take the place of multiple domains

Delegate Management

Accounting OU contains the printers located in Accounting.

Accountant Joe is delegated printer management.
Extending Schema

  • New types of objects and/or attributes can be created

  • Existing objects can be extended to include new attributes

  • Exchange 2000 extends AD

    • Forestprep

    • Setup

Testing Environment

  • Build it to your needs

    • Domain Model

    • Simulate site speeds

  • Global Catalog Servers

    • Replication traffic vs. Authentication traffic

Implementation and Migration Planning

  • Determine your migration path

    • In place upgrade vs. Parallel migration

  • Software validation

  • DNS naming definitions

Justification to Management

  • Why should you implement today?

    • Decrease TCO

    • Eliminate most reboots

    • Increased uptime

  • Shrinking Support for NT 4.0

Mixed Mode

  • Default configuration

  • Supports NT BDCs

  • All DC’s support Win9x/NT authentication

  • More Overhead

Native Mode

  • No support for NT 4.0 BDCs

  • Allows for legacy member servers and desktops

  • Increases functionality

    • Speed, Universal Groups, nesting of like groups

  • Conversion to native is one way

OU Design

  • OUs are defined within domains

  • Reflects organizational divisions

  • Designed to make logical organizations of the business model

  • Consider the implications of:

    • Inheritance of Group Policy

    • Inheritance of Security

  • OUs typically change from domain to domain

Example OU Design

Domain Design

  • Single domain

  • Tree

  • Forest

Single Domain Advantages

  • Simple to implement

  • Effective for large and small organizations

  • Delegate administration with OUs

  • No trusts required

  • Can move objects between OUs

Single Domain Disadvantages

  • Can’t limit replication traffic

  • Single security policy

Multiple Domain

Multiple Domain Advantage

  • Scales by adding domains

  • Two-way transitive trusts

  • Administration can be partitioned across domains and OUs

  • Multiple security policies

Multiple Domain Disadvantage

  • Increased complexity

  • Increased GC replication traffic

  • Cannot easily move objects between domains

    • Requires migration tools (ADMT or third-party)

Forest

Forest Guidelines

  • Don't create multiple trees without a solid business reason

  • If a company is diverse, multiple trees may be the best model

Forest Advantages

  • Noncontiguous namespace

    • Acquiring a new company

    • Planning for splitting a company

Forest Disadvantage

  • Noncontiguous namespace

  • Increased GC replication traffic

  • Increased management complexity!

Intrasite Replication

  • Frequent

  • Uncompressed

  • Can’t be scheduled

  • RPC Only

Intersite Replication

  • Compressed

  • Scheduled

  • RPC or SMTP (SMTP can carry only the schema, configuration and GC partitions, not the domain partition)

Global Catalog Server

  • Determine authentication and replication needs

  • Replicating extended information

    • Which extended attributes should be included

  • Requires additional memory

Global Catalog Server – Logon

  • Client machine contacts the cached domain controller (DC)

  • DC looks at the IP address of client machine

  • If the client is not on the local subnet, the DC checks the GC to see if there is a DC more local to the client

  • Client notified if the cached DC isn’t the closest DC

  • Avoids WAN traffic when possible
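An added illustration of the subnet-to-site step above, not code from the presentation: the client's site is found by longest-prefix match of its address against the AD subnet objects, and the cached DC refers the client to a DC in that site when it has one. The subnet table and DC names are constructed sample data. The real locator returns the client's site name and the client then asks DNS for `_ldap._tcp.<site>._sites.<domain>`; that second lookup is collapsed here into a direct referral.

```python
import ipaddress

# Constructed sample topology (assumption: example data, not from the slides).
SUBNETS = {                          # AD subnet objects -> site they belong to
    "10.1.0.0/16": "Seattle",
    "10.1.5.0/24": "Seattle-Lab",    # more specific subnet nested inside the Seattle range
    "10.2.0.0/16": "London",
}
DCS = {                              # domain controller -> site it serves
    "dc1.example.com": "Seattle",
    "dc2.example.com": "London",
    "dc3.example.com": "Seattle-Lab",
}


def site_for_ip(ip: str, subnets=SUBNETS):
    """Longest-prefix match of the client address against the subnet table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def locate_dc(client_ip: str, cached_dc: str, dcs=DCS, subnets=SUBNETS):
    """The step the slide describes: the DC the client already knows compares the client's
    site with its own. Returns (client_site, dc_to_use, was_referred)."""
    client_site = site_for_ip(client_ip, subnets)
    if client_site is None or dcs[cached_dc] == client_site:
        return client_site, cached_dc, False       # unmapped clients keep the DC they have
    local = [dc for dc, site in dcs.items() if site == client_site]
    if not local:
        return client_site, cached_dc, False       # site exists but no DC covers it
    return client_site, local[0], True
```

Clients whose address is not covered by any subnet object end up with whichever DC they found first, so an incomplete subnet table quietly turns into WAN authentication traffic; the `None` branch above is the case to watch for when auditing a site design.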

Operations Masters

  • Schema master

  • Domain naming master

  • RID master

  • PDC Emulator

  • Infrastructure master

Schema master

  • One per forest

  • Controls all updates and changes to the schema

Domain Naming Master

  • One per forest

  • Controls addition or removal of domains from the forest

RID Master

  • One per domain

  • Allocates sequences of RIDs to the DCs in a domain

PDC Emulator

  • One per domain

  • Sends updates to NT 4.0 BDCs (mixed mode)

  • Receives urgent replication of password changes from the other DCs

    • If a logon fails at a DC that hasn't received the change yet, that DC retries the logon at the PDC emulator before rejecting it

Infrastructure master

  • One per domain

  • Updates group-to-user references when members from other domains are renamed or moved

  • Should not be a GC (unless every DC in the domain is a GC), otherwise it never notices stale references

FSMO Management

DNS Primer

  • A zone is a subtree of the DNS tree

    • Administered separately

    • Common zone is second level (

    • Zones can be divided into sub zones

    • A name server can manage one or more zones

DNS Primer

  • Domain or Zone?

    • “microsoft” is the zone

    • “” is the domain

DNS Primer

  • Internet is one name space (.)

    • Drive root (\)

  • Top Level Domains (TLD)

    • .com, .net, .org, .mil

  • Second Level Domains


  • Fully Qualified Domain Name (FQDN)


DNS Primer

  • The directory is the zone file

  • The directory service resolves a FQDN to an IP address in the directory

  • Single master replication of directory

  • MSDNS is fully RFC compliant

DNS Server Types

  • Three server types

    • Primary

      • Hosts zone information

      • Only one per zone (standard zones; AD-integrated zones are multi-master instead)

    • Secondary

      • Obtains database via zone transfer

      • One or more per zone

    • Caching only

DNS Naming

  • Use Internet-standard characters

    • "A"-"Z", "a"-"z", "0"-"9", and "-" (RFC 1123)

    • Microsoft DNS supports wider range

  • Users not exposed to domain names

    • E-mail style login name doesn’t have to be related to domain name

    • Most interaction is query to global catalog

  • Admins exposed to domain names

DNS Locater Service

  • Domain controllers dynamically register Service Location records

    • SRV resource record (RFC 2052, later superseded by RFC 2782)

    • Maps (service) --> (hosts offering service)

    • General rendezvous mechanism

    • Analogous to SMTP and the MX record

  • NETLOGON service sends updates

    • Dynamic update protocol (RFC 2136)

DNS Locater Records

  • SRV records are named like

    • _ldap._tcp.<domain name>

    • Several more of the same form, all ending in <domain name>

  • DNS server that owns <domain name>

    • MUST support the SRV record

    • SHOULD support dynamic update

DNS Requirements for AD

  • Must support SRV records (RFC 2052)

    • Bind 8.1.1

  • Should support DDNS (RFC 2136)

    • Windows 2000 DNS

    • Bind v8.1.2

AD and DNS

  • AD integration (optional)

    • Single replication topology

    • Per-property replication

    • Secure replication

    • Multi-master replication

    • Simplified management

    • Support for non Win2K DNS servers

    • Authority over the zone and its records controlled by ACLs (secure dynamic update)

DNS Models

Single zone

  • internal

  • external

Dual Zone

  • internal

  • external

Zone requirements


DNS Name Registration

  • DDNS registration process

    • SOA query: the client asks for the zone's SOA record to learn which server is authoritative

    • SOA response: the server returns the SOA, naming the primary that accepts updates

    • Assertion update: the client sends a dynamic update (RFC 2136) whose prerequisite section asserts what must already be true (for example, no conflicting record) before the add is applied
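An added, self-contained Python example covering the locator records and the registration sequence above (not code from the presentation). It encodes the RFC 2136 UPDATE a new DC would send after the SOA lookup: a prerequisite asserting that its host name is not already registered, then adds for its A record and the `_ldap._tcp.<domain>` SRV record. The `_kerberos._tcp` record is the companion name from the AD locator set and is an assumption here, since the slide shows only `_ldap`; `example.com`, `dc1` and `10.0.0.10` are constructed values. The decoder shows what the server sees before it consults the zone ACL: on a zone that accepts unsecured updates, any host on the network can send this same message and point `_ldap._tcp` at itself, which is the reason to run AD-integrated zones with secure-only dynamic update.

```python
import struct

TYPE_A, TYPE_SOA, TYPE_SRV, TYPE_ANY = 1, 6, 33, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
OPCODE_UPDATE = 5


def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels ending in a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def rr(name: str, rtype: int, rclass: int, ttl: int = 0, rdata: bytes = b"") -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def srv_rdata(priority: int, weight: int, port: int, target: str) -> bytes:
    return struct.pack("!HHH", priority, weight, port) + encode_name(target)


def build_update(msg_id: int, zone: str, prereqs: list, updates: list) -> bytes:
    """RFC 2136 UPDATE: header, zone section, prerequisite section, update section."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def dc_locator_update(msg_id: int, domain: str, dc_host: str, dc_ip: str, ttl: int = 600) -> bytes:
    """What a DC's NETLOGON does after the SOA lookup: assert, then add its locator records."""
    octets = bytes(int(o) for o in dc_ip.split("."))
    prereqs = [
        # 'RRset does not exist' (class NONE, TTL 0, empty RDATA): refuse to hijack a name already in use
        rr(dc_host, TYPE_A, CLASS_NONE),
    ]
    updates = [
        rr(dc_host, TYPE_A, CLASS_IN, ttl, octets),
        rr(f"_ldap._tcp.{domain}", TYPE_SRV, CLASS_IN, ttl, srv_rdata(0, 100, 389, dc_host)),
        rr(f"_kerberos._tcp.{domain}", TYPE_SRV, CLASS_IN, ttl, srv_rdata(0, 100, 88, dc_host)),
    ]
    return build_update(msg_id, domain, prereqs, updates)


def _parse_rr(buf: bytes, off: int):
    name, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlen]
    if rtype == TYPE_SRV and rdlen:
        pri, wt, port = struct.unpack("!HHH", rdata[:6])
        text = f"{pri} {wt} {port} {decode_name(rdata, 6)[0]}"
    elif rtype == TYPE_A and rdlen == 4:
        text = ".".join(str(b) for b in rdata)
    else:
        text = rdata.hex()
    return (name, rtype, rclass, ttl, text), off + rdlen


def parse_update(buf: bytes) -> dict:
    """Decode an UPDATE the way a server would before checking the zone ACL."""
    msg_id, flags, zocount, prcount, upcount, _adcount = struct.unpack_from("!HHHHHH", buf, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        raise ValueError("not a dynamic update message")
    zone, off = decode_name(buf, 12)
    off += 4                                        # skip zone type and class
    sections = {"id": msg_id, "zone": zone, "prereqs": [], "updates": []}
    for key, count in (("prereqs", prcount), ("updates", upcount)):
        for _ in range(count):
            record, off = _parse_rr(buf, off)
            sections[key].append(record)
    return sections
```

Nothing in the message itself identifies the sender: the binding between a record and the account that created it comes from the server side (the ACL on an AD-integrated record, written when a GSS-TSIG-signed update is accepted), not from the packet.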



DNS Name Registration

  • DNS registration process

    • Win2K client / Win2K DHCP server

      • The client's DHCP Client service is responsible

      • Client updates its A RR

      • DHCP server updates the PTR RR

    • Win2K client / NT4 DHCP server

      • Client updates both A and PTR RRs

New Features of Windows 2000 DNS

  • DNS registration process (continued)

    • NT4 client / Win2K DHCP server

      • DHCP server updates both A and PTR RRs on the client's behalf

    • Win2K client (static address)

      • Client updates A and PTR RRs

    • RAS client treated as static

      • Client updates A and PTR RRs

      • Attempts to remove the A and PTR RRs when closing the connection

New Features of Windows 2000 DNS

  • Scavenging

    • Dynamic update requires maintenance

    • Defined scavenge criteria

      • No-refresh and refresh intervals

New Features of Windows 2000 DNS

  • Unicode Character Support

    • Supports NetBIOS namespace

    • Allowed per server or zone

    • Interoperability is unknown with non-UTF-8-aware DNS servers

DNS Performance

  • Performance

    • Dual Pentium II 400

      • 900 queries/sec

      • 100 dynamic registrations/sec

      • 35% CPU utilization

    • More than 2,200,000,000 queries and 270,000,000 dynamic registrations in 19 days

DNS and WINS

  • WINS still required for down-level clients

  • Applications may still be NetBIOS only

  • WINS improvements

    • Improved reporting

    • Improved management

    • Improved performance

Encryption

Two types:

  • Symmetric

  • Asymmetric

Symmetric Encryption

Same key used for encryption and decryption

  • DES

  • Triple DES (3DES)

Asymmetric Encryption

  • Different keys used for encryption and decryption

    • One private key, one public key

    • RSA (PGP is an application built on public-key algorithms, not an algorithm itself)

  • Basis of Public Key Infrastructure (PKI)

Principles of Encryption

  • What do you know?

  • What can you find out?

  • What do you want to do?

  • What did you not do?

What Do You Want To Do?

  • Digital Signature

    • Start with the sender’s private key

  • Digital Envelope

    • Start with the recipient’s public key

What Did You Not Do?

  • Digital Signature

    • Guarantees origin

    • Doesn’t protect contents

  • Digital Envelope

    • Conceals content

    • Doesn’t guarantee origin
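An added example, not part of the original presentation, that walks through the two slides above with textbook RSA on constructed toy keys (Mersenne primes, no padding, and a SHA-256 keystream for the bulk data; none of this is production cryptography, it only makes the key roles visible). `sign` starts with the sender's private key, `seal` with the recipient's public key, and `demo` records both what each operation guarantees and what it does not: the signed message is still readable by anyone, and an envelope sealed by Mallory opens for Bob exactly as one sealed by Alice does. Alice, Bob and Mallory are the usual stand-in names.

```python
import hashlib
import os


def keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: returns ((n, e), (n, d)). Toy sizes, no padding."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


# Constructed keys from Mersenne primes so the example runs offline (assumption: toy key sizes).
ALICE_PUB, ALICE_PRIV = keypair(2**127 - 1, 2**89 - 1)    # 216-bit modulus
BOB_PUB, BOB_PRIV = keypair(2**107 - 1, 2**61 - 1)        # 168-bit modulus


def _digest_int(msg: bytes) -> int:
    # 160-bit truncation keeps the hash smaller than either modulus above
    return int.from_bytes(hashlib.sha256(msg).digest()[:20], "big")


def sign(msg: bytes, sender_private) -> int:
    """Digital signature: start with the SENDER's private key."""
    n, d = sender_private
    return pow(_digest_int(msg), d, n)


def verify(msg: bytes, sig: int, sender_public) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = sender_public
    return pow(sig, e, n) == _digest_int(msg)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode) for the content inside the envelope."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + blk.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(msg: bytes, recipient_public):
    """Digital envelope: start with the RECIPIENT's public key.
    Returns (content key wrapped with RSA, content encrypted under that key)."""
    n, e = recipient_public
    content_key = os.urandom(16)
    return pow(int.from_bytes(content_key, "big"), e, n), _xor_stream(content_key, msg)


def open_envelope(envelope, recipient_private) -> bytes:
    wrapped, body = envelope
    n, d = recipient_private
    return _xor_stream(pow(wrapped, d, n).to_bytes(16, "big"), body)


def demo(msg: bytes = b"Transfer 100 to account 42") -> dict:
    sig = sign(msg, ALICE_PRIV)                    # origin guaranteed, content still in the clear
    env = seal(msg, BOB_PUB)                       # content concealed, origin not guaranteed
    # Mallory has Bob's public key too, so she can seal anything to him
    mallory_env = seal(b"pay Mallory", BOB_PUB)
    # Both properties at once: sign, then seal message and signature together
    both = seal(msg + sig.to_bytes(32, "big"), BOB_PUB)
    plain = open_envelope(both, BOB_PRIV)
    return {
        "signature_verifies": verify(msg, sig, ALICE_PUB),
        "altered_message_fails": not verify(msg + b".", sig, ALICE_PUB),
        "envelope_opens_for_bob": open_envelope(env, BOB_PRIV) == msg,
        "envelope_from_mallory_opens_too": open_envelope(mallory_env, BOB_PRIV) == b"pay Mallory",
        "sign_then_seal_verifies": verify(plain[:-32], int.from_bytes(plain[-32:], "big"), ALICE_PUB),
    }
```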

Certificates

  • To send an encrypted message to anyone you need their public key

  • How can you securely get their public key?

  • Certificate Authorities

  • X.509 based certificates

IPSec

  • Both ends authenticate before transmission

  • Encrypts data transmission

  • Authentication methods

    • Kerberos

    • Certificates

    • Preshared key (a text string; authentication only, suitable for testing)

Enabling IPSec

  • Choose a default policy

  • Choose an authentication method

IPSec Policies

  • Client

    • Respond Only: never initiates IPSec, negotiates only when a peer asks for it

  • Server

    • Request Security: asks for IPSec but falls back to clear text if the peer cannot negotiate

    • Require Security: no fallback; peers that cannot negotiate IPSec are refused

Kerberos Components

  • Kerberos Server

  • Ticket Granting Server

  • Ticket Granting Ticket

Kerberos Authentication

  • Client sends an authentication request to the Kerberos server (KDC)

  • If the user is valid, the KDC returns two things

    • A session key for use between the client and the TGS, encrypted with the client's secret key (derived from the password)

    • A TGT, encrypted with the TGS's own secret key, which the client cannot read

  • The client decrypts the session key with its secret key and keeps the opaque TGT for later requests

Kerberos Authentication

  • To obtain a ticket for a service

    • Client sends the TGT together with an authenticator encrypted under the session key it received from the KDC

    • TGS decrypts the TGT with its own key, checks the authenticator and, if valid, returns a ticket for the service
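An added simulation of the two exchanges above, not code from the presentation. Keys, the `jsmith` principal and the `cifs/fs1.example.com` service are constructed, and the sealing primitive is a toy encrypt-then-MAC standing in for a Kerberos encryption type. It shows the points the slides make and the checks the TGS performs: the client can open the session key but not the TGT, a wrong password fails on the client side, and the TGS rejects an authenticator outside the five-minute skew window or a TGT whose integrity check fails.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300            # seconds of clock skew tolerated on an authenticator (Kerberos default: 5 minutes)
LIFETIME = 8 * 3600   # ticket lifetime in seconds


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + blk.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC. Stands in for a Kerberos encryption type."""
    nonce = os.urandom(16)
    ct = _stream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_stream_xor(key, nonce, ct))


def password_key(password: str, principal: str) -> bytes:
    """The client's long-term key is derived from the password (PBKDF2 here; string-to-key in Kerberos)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    """Authentication Server and Ticket Granting Server sharing one secret store."""

    def __init__(self):
        self.users, self.services = {}, {}
        self.krbtgt_key = os.urandom(32)      # the TGS secret: the TGT is opaque to everyone else

    def add_user(self, principal: str, password: str):
        self.users[principal] = password_key(password, principal)

    def add_service(self, spn: str) -> bytes:
        self.services[spn] = os.urandom(32)
        return self.services[spn]             # the service's own copy of its long-term key

    def as_exchange(self, principal: str):
        """AS reply: session key sealed for the client, TGT sealed for the TGS."""
        now, session_key = time.time(), os.urandom(32)
        enc_part = seal(self.users[principal], {"key": session_key.hex(), "exp": now + LIFETIME})
        tgt = seal(self.krbtgt_key, {"cname": principal, "key": session_key.hex(), "exp": now + LIFETIME})
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """TGS reply: open the TGT with our own key, check the authenticator, issue a service ticket."""
        now = time.time()
        t = unseal(self.krbtgt_key, tgt)
        if t["exp"] < now:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)   # only a holder of the session key could have built it
        if a["cname"] != t["cname"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(now - a["ts"]) > SKEW:
            raise PermissionError("authenticator outside clock skew (replay?)")
        svc_key = os.urandom(32)
        ticket = seal(self.services[spn], {"cname": t["cname"], "key": svc_key.hex(), "exp": now + LIFETIME})
        return seal(session_key, {"spn": spn, "key": svc_key.hex()}), ticket


def client_logon(kdc: KDC, principal: str, password: str):
    enc_part, tgt = kdc.as_exchange(principal)
    session_key = bytes.fromhex(unseal(password_key(password, principal), enc_part)["key"])
    return session_key, tgt                   # a wrong password makes unseal() raise


def client_service_ticket(kdc: KDC, principal: str, session_key: bytes, tgt: bytes, spn: str, ts=None):
    authenticator = seal(session_key, {"cname": principal, "ts": ts or time.time()})
    enc_part, ticket = kdc.tgs_exchange(tgt, authenticator, spn)
    return bytes.fromhex(unseal(session_key, enc_part)["key"]), ticket


def _rejected(fn, *args, **kw) -> bool:
    try:
        fn(*args, **kw)
        return False
    except (ValueError, PermissionError):
        return True


def demo() -> dict:
    kdc = KDC()
    kdc.add_user("jsmith", "Pa55w0rd")
    fs_key = kdc.add_service("cifs/fs1.example.com")
    session_key, tgt = client_logon(kdc, "jsmith", "Pa55w0rd")
    svc_key, ticket = client_service_ticket(kdc, "jsmith", session_key, tgt, "cifs/fs1.example.com")
    presented = unseal(fs_key, ticket)        # the file server opens the ticket with its own key
    bad_tgt = tgt[:-1] + bytes([tgt[-1] ^ 1])
    fresh_auth = seal(session_key, {"cname": "jsmith", "ts": time.time()})
    return {
        "service_sees_principal": presented["cname"],
        "service_and_client_share_key": presented["key"] == svc_key.hex(),
        "client_can_read_tgt": not _rejected(unseal, session_key, tgt),
        "wrong_password_rejected": _rejected(client_logon, kdc, "jsmith", "wrong"),
        "stale_authenticator_rejected": _rejected(client_service_ticket, kdc, "jsmith", session_key, tgt, "cifs/fs1.example.com", ts=1.0),
        "tampered_tgt_rejected": _rejected(kdc.tgs_exchange, bad_tgt, fresh_auth, "cifs/fs1.example.com"),
    }
```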

When To Upgrade

  • Member servers and client workstations

    • upgrade anytime

  • Domain Controllers

    • PDC always first

Plan for Disaster

  • Before upgrading the PDC

    • Install new NT 4.0 BDC

    • Force replication

    • Take box offline

    • Save for a rainy day

Upgrade Path

  • Install NEW DC

  • Upgrade NT 4.0 BDCs

  • Upgrade clients

  • Convert to native mode (someday)

Upgrading Clients

  • NT 4.0 Boxes

    • Upgrade to Windows 2000

  • Windows 9x

    • Install new Windows 2000 Professional

Native Mode

  • Client authentication issues

    • Non-AD-aware clients can log on (NTLM) against any DC, but their password changes go through the PDC emulator

  • Improved performance

Directory Services Client

For Windows 9x/NT 4.0 clients

Directory Services Client

  • Supported features

    • Site Awareness

    • ADSI Interface

    • Dfs fault tolerant client

    • WAB Client

    • NTLM v2.0

Directory Services Client

  • Unsupported features

    • Kerberos

    • Group Policy / IntelliMirror

    • IPSec or L2TP

    • Mutual Authentication

What’s New in Windows XP

  • This is not the Xbox

  • All beta versions are known as “Whistler”

    • XP Home Edition

    • XP Professional

    • Windows .NET Server products