Server 2003 slides

  • 1. SkillSolve: Putting Skills Into Place. Ruth Cundy, Sales Manager
  • 2. Quality training centre in a picturesque location
    - Purpose-built classrooms in a stunning barn conversion complex
    - Well-specified hardware: a PC for every delegate for hands-on training
    - Official Curriculum Microsoft courses
    - Comfortable break-out area
    - Fully air-conditioned
    - Easy access from main motorways and railway station
    - Ample on-site parking
  • 3. Microsoft education specialist
    - Focus on excellence in providing Microsoft skills: technical professionals, end user desktop training
    - Microsoft Certified Partner
    - Microsoft Certified Technical Education Centre
  • 4. Technical Training
    - Subjects: Clustering, Internet, Exchange Server 2003, SQL Server, SMS 2003, Windows 2003, Windows 2000, Microsoft .NET, Cisco, Citrix, Macromedia
    - Public schedule of Microsoft/Cisco/Citrix/Macromedia technical training courses
    - Bespoke one-company training courses
    - Compressed to enable less time out of the workplace
    - Project-managed training programmes
    - Total flexibility
  • 5. VUE testing centre: delegates can take tests at the training centre in which they learn, making the experience more comfortable
  • 6. SkillSolve: Putting Skills Into Place. Ian Geercke, Microsoft Certified Trainer & Consultant
  • 7. Windows Server 2003. Ian Geercke
  • 8. Agenda
    - The Windows Server 2003 Family
    - New Active Directory Features
    - New Group Policy Features
    - Accessing Resources
    - Internet Information Server 6.0
    - System Security and Backup
    - New DNS Features
    - Questions
  • 9. The Windows Server 2003 Family
    - Use for Web servers
    - Use for small businesses and departments as domain controllers and member servers
    - Use for medium and large organizations as application servers and domain controllers, and for clustering
    - Use for mission-critical solutions for databases, enterprise resource planning software, high-volume real-time transaction processing, and server consolidation
  • 10. New Active Directory Features in Windows Server 2003
  • 11. New Active Directory Features: Overview
    - Members of the Anonymous Logon group are no longer in the Everyone group
    - Multiple selection of user objects
    - Drag-and-drop functionality
    - Saved queries
    - Ability to add additional domain controllers using backup media
    - Universal group membership caching
    - Secure LDAP traffic
    - Different location option for user and computer accounts
    - Multiple Active Directory application partitions
    - Active Directory quotas
  • 12. New Domain-Wide and Forest-Wide Active Directory Features
    - Domain controller rename tool
    - Domain rename
    - Forest trusts
    - Forest restructuring
    - Defunct schema objects
    - Global catalog replication improvements
    - Replication enhancements
    - User access control to resources between domains or forests
  • 13. Types of Trusts
    (Diagram: a forest trust between the root domains of Forest 1 and Forest 2; shortcut trusts between domains within a forest; external trusts to a domain outside the forest; realm trusts to a Kerberos realm.)
  • 14. How Trusts Work Across Forests
    (Diagram: a forest trust between nwtraders.msft in Forest 1 and contoso.msft in Forest 2, each with a global catalog; a numbered sequence of steps shows a user in vancouver.nwtraders.msft being authenticated to a resource in seattle.contoso.msft. The step details are not recoverable from the slide text.)
  • 15. Forest Trust Authentication: two types of inter-forest authentication
    - Forest-Wide: traditional trust where the user needs to provide an access token with sufficient rights
    - Selective: the resource server's computer account must also have the "Allowed to Authenticate" permission explicitly set for the user or group attempting access across the trust
  • 16. What Is SID Filtering?
    - Used with external trusts
    - Blocks spoofing with the SIDHistory attribute
    - Prevents attacks from malicious users with domain administrator privileges in the trusted domain
    - Enabled on all new outgoing external trusts by default
    - Impacts universal group access between forests
  • 17. New Active Directory Replication Features
    - Universal group membership caching
    - Partial attribute set replication
    - Linked value replication
    - Replica domain controller deployment
    - New Net Logon service and DNS settings
    - Inter-Site Topology Generator enhancements
  • 18. What Is Universal Group Membership Caching?
    - At first logon, the local domain controller requests universal group information from the global catalog server
    - After the first logon, the local domain controller uses the cached copy of the universal group membership
    (Diagram: a large site holding the global catalog and a small site whose domain controller holds the user's cached universal groups.)
  • 19. LDAP Traffic Signing
    - Administrative tools running on computers with Windows XP Professional or Windows Server 2003 will sign all LDAP traffic to and from the domain
    - Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with
  • 20. System State Data Backup and Restoration
    - First step for installing a domain controller from backup media
    - Can be placed on tape, CD, DVD or a shared resource
    - Restore on the computer being promoted to domain controller
  • 21. Domain Renaming
    - Renaming domain controllers: change the Domain Name System (DNS) and NetBIOS names of a DC; use NetDom.exe
    - Renaming domains: change the Domain Name System (DNS) and NetBIOS names of a domain
    - Forest restructuring: allows you to move a domain anywhere within the forest in which it resides (except the forest root domain)
    - Use the domain rename utility (Rendom.exe) to rename or restructure a domain
  • 22. Active Directory Application Partitions
    - Location in the directory to store application data
    - Program installs would normally create partitions
    - Use NTDSUTIL or VB scripts to create partitions manually
    - Can be replicated to: all DCs in the forest; all DCs in a particular domain; any individual DCs anywhere in the forest
  • 23. What Is an Application Directory Partition?
    - Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes
    - Configuration (forest-wide): information about the Active Directory structure
    - <Domain> (domain-wide): information about domain-specific objects
    - <Application> (configurable replication): information about applications
  • 24. Active Directory Quotas Configuration: Active Directory quotas
    - Limit the number of objects that a security principal can own in a partition
    - Help prevent scripts running that create a large number of objects (either accidentally or maliciously)
    - Are specified and administered for each directory partition separately
    - Can be assigned for any security principal
    - If security groups are not assigned a quota, then the default quota on the partition governs the security principal
  • 25. Group Policy
  • 26. Resultant Set of Policies: makes planning, implementation and troubleshooting of Group Policy easier
    - Group Policy Modelling: use the Group Policy Management Console; simulate the policy settings with different scenarios
    - Group Policy Results: use the Group Policy Management Console; check which policies are currently applied to a user or computer
    - Run from a Windows 2003 Server or Windows XP
    - Use on Windows 2000 and 2003 domains
  • 27. Group Policy Management Console
  • 28. What Are Software Restriction Policies?
    - You can use software restriction policies to: allow all programs to run unless explicitly prohibited; allow no programs to run unless explicitly enabled
    - Rule types: hash rule; certificate rule (evaluated before the path rule, e.g. to allow only signed scripts to run); path rule; Internet zone rule
  • 29. Terminal Services Computer Management Using Group Policy
  • 30. Terminal Services User Management Using Group Policy
  • 31. New Software Distribution Policy Options
    - Install this application at logon: allows an assigned application to be fully installed at logon
    - WMI filtering: limits the application of a GPO to computers that meet criteria that you specify in the WMI filter
  • 32. New Group Policy Security Features
    - Autoenrollment of user certificates: allows an administrator to automate the issuance of user certificates
    - 3DES encryption: allows an administrator to require the use of Triple Data Encryption Standard (3DES) encryption for Encrypting File System (EFS) encryption and for Transport Layer Security (TLS) communications
    - Wireless network policies: allows an administrator to use Group Policy to automatically configure the security settings on client computers that connect to the organization's wireless network
  • 33. Accessing Resources
  • 34. Shared Folder Permissions
    - Read (default, applied to the Everyone group): view data in files and attributes; view file names and subfolder names; run program files
    - Change (includes all Read permissions): add files and subfolders; change data in files; delete subfolders and files
    - Full Control: includes all Read and Change permissions; enables you to change NTFS file and folder permissions
  • 35. Changes to the Default Root Directory Permissions
    (Diagram: Windows 2000 default root permissions compared with Windows Server 2003; details are not recoverable from the slide text.)
  • 36. Special Permissions on NTFS Files and Folders
    (Diagram: Windows 2000 compared with Windows Server 2003; details are not recoverable from the slide text.)
  • 37. Effective Permissions on NTFS Files and Folders
  • 38. Internet Information Server 6.0
  • 39. Changes in Internet Information Services 6.0
    - New mode of operation: IIS 5.0 isolation mode (legacy); worker process isolation mode (new)
    - Security: IIS 6.0 is not installed on members of the Windows Server 2003 family by default; when installed, it is set to highly secure and "locked" mode by default
    - Metabase: now a pair of plain-text, XML-formatted files, MetaBase.xml and MBSchema.xml
  • 40. Secure Installation of IIS 6.0
    (Table: components that are enabled, disabled or unavailable given a default installation of IIS 4.0, IIS 5.0 and IIS 6.0. Components listed: static file support, ASP, server-side includes, Internet Data Connector, WebDAV, Index Server ISAPI, Internet Printing ISAPI, CGI, FrontPage Server Extensions, Password Change Functionality, SMTP, FTP, ASP.NET, BITS, NNTP. Legend: enabled, disabled, --- not available, * depends. The per-version status marks are not recoverable from the slide text.)
  • 41. What's New in IIS 6.0? (IIS 4.0 / IIS 5.0 / IIS 6.0)
    - Platform: Windows NT 4.0 / Windows 2000 / Windows Server 2003
    - Architecture: 32-bit / 32-bit / 32-bit and 64-bit
    - Metabase configuration: Binary / Binary / XML
    - Security: Windows authentication, SSL / Windows authentication, SSL, Kerberos / Windows authentication, SSL, Kerberos, Security wizard, Passport support
    - Remote administration: HTMLA / HTMLA, Terminal Services / Remote Administration Tool (HTML), Remote Desktop
    - Cluster support: In Windows NT 4.0 / IIS clustering / Windows support
    - Mail support: SMTP / SMTP / SMTP & POP3
    - IPv6 support: IPv4 / IPv4 / IPv4 and IPv6
  • 42. What's New in IIS 6.0? (IIS 4.0 and IIS 5.0 / IIS 6.0)
    - Metabase structure: Binary / XML
    - Updating IIS configuration: reboot the server (IIS 4.0), restart IIS (IIS 5.0) / on the fly
    - Editing: MetaEdit.exe, ADSI scripts / text editors, ADSI scripts, Metabase Explorer
    - Metabase disaster recovery: not automatic / automatic history, simplified backup and restore
    - Copying settings: metabase is machine-specific / all non-machine-specific properties can be copied to any other IIS 6.0 server
  • 43. Architecture in IIS 6.0: isolate the core Web server from individual Web applications, and applications from each other
    (Diagram: in user mode, INETINFO.exe hosts the metabase, FTP, SMTP and NNTP; SVCHOST.exe hosts W3SVC with the W3 Config Manager and W3 Process Manager; each application pool runs in its own W3WP.exe worker process containing W3Core, ISAPI filters and the applications it serves (all apps, or ASP.NET apps in a .NET app domain). In kernel mode, HTTP.SYS queues HTTP requests for the application pools.)
  • 44. What Are Application Pools?
    - A grouping of one or more URLs served by a worker process
    - Allow you to: apply configuration settings to groups of applications; isolate applications by site, customer, level of functionality, or reliability requirements
    (Diagram: an application pool served by W3WP.exe with W3Core, ISAPI filters and all apps in user mode; HTTP.SYS in kernel mode.)
  • 45. What Are Web Gardens?
    - Web gardens are application pools that use more than one worker process
    - Enhance performance by providing robust processing of requests and reduced contention for resources
    - Use multiple worker processes for an application pool, smoothing applications that may get stuck on one process
    (Diagram: a Web garden served by several W3WP.exe worker processes, each with W3Core, ISAPI filters and all apps, above HTTP.SYS in kernel mode.)
  • 46. System Security and Backup
  • 47. Microsoft Baseline Security Analyzer
  • 48. Scanning Modes
  • 49. Software Update Services: software that downloads all critical updates and security patches to servers and client computers as soon as the updates are posted to the Windows Update Web site
    (Diagram: the Windows Update Web site on the Internet; a server running Software Update Services on the LAN; a test server and test client computers running Automatic Updates.)
  • 50. Software Update Services Process
    - Server-side processes: 1. Start: the Software Update Services server runs a scheduled synch. 2. Testing? If yes, test new packages. 3. Admin approves new packages.
    - Client-side processes: 4. Automatic Updates on the client checks the Software Update Services server. 5. Is an administrator logged on? If yes, the administrator sees a status balloon and can defer installation. 6. Scheduled install job begins. 7. Do any packages require a restart? If yes, the system reboots. 8. Finish: AU waits for the next scheduled check.
  • 51. Guidelines for Testing Content for a Software Update Services Environment
    - Set up a test server running Software Update Services
    - Connect a test client computer that complies with the baseline configuration of your corporate desktops
    - Install the update, then test all corporate applications
    - Approve Software Update Services to distribute the update to the client computers
  • 52. Device Driver Rollback
    - After updating device drivers, you might encounter problems such as stop errors or startup problems
    - If a problem occurs, you can revert to the previous version by using a Device Manager feature called Roll Back Driver
    - You cannot: roll back beyond one driver version; roll back printer drivers; simultaneously roll back drivers for all functions of a multifunction device
    - Why use device driver rollback: if a problem occurs immediately after you update a device driver, you can restore the previous version by using device driver rollback
  • 53. Automated System Recovery
    - What is Automated System Recovery?
    - How to back up system data using ASR
    - How to recover from a server failure using ASR
  • 54. What Is Automated System Recovery?
    - A recovery option in the Backup utility that contains two parts: ASR backup and ASR restore
    - Can back up the operating system; does not include data files
    - Creates a floppy disk, which contains information about: backup location data; disk configurations (including basic and dynamic volumes); how to accomplish a restore procedure
    - You can choose the "All information on this computer" option to back up all data including system data
  • 55. Restoring a Server Using Automated System Recovery
    - Boot the server from the original Windows 2003 CD
    - During the boot, press F2 when asked if this is an ASR recovery
    - Insert the boot floppy created during the ASR backup when prompted
    - The OS drive will be reformatted and the OS re-installed
  • 56. What Are Shadow Copies?
    - View the read-only contents of network folders as they existed at various points in time
    - Use shadow copies to: recover files that were accidentally deleted; recover files that were accidentally overwritten; allow backup of open files; allow version checking while working on documents
    - Are enabled on a per-volume basis, not on specific shares
    - Are not a replacement for regular backups
    - When storage limits are reached, the oldest shadow copy is deleted and cannot be retrieved
    - To change the storage volume, delete the shadow copies first
  • 57. Previous Versions Client Software for Shadow Copies
    - Previous Versions client software for Shadow Copies of Shared Folders is installed on the server in the %systemroot%\system32\clients\twclient\x86 directory
    - Place the client software on a shared resource and send an e-mail with instructions on how to download and use it
    - Client view of shadow copies: use if users work with files that are located in shared folders on your network; use to access previous versions of files
  • 58. Shadow Copy Scheduling
    - Default shadow copy schedule is 7:00 A.M. and noon
    - Create a shadow copy schedule based on: do most workers work in the same time zone? Does your organization need more than the default of two shadow copies daily? How often can additional copies be made before additional storage will be needed?
    - Deploy a schedule and test it on a small group
  • 59. Restore Files and Folders from Shadow Copies: a shadow copy is restored using previous versions of files and folders
    - If no previous versions are listed, then the file has not changed since the oldest copy was made
    - If restoring a previous version of a folder, then the shadow copy deletes the current version
    - If restoring a file, then file permissions are not changed
    - If the Previous Versions tab does not appear in Properties, then shadow copy may not be enabled
    - If copying a file, then file permissions are set to default
  • 60. DNS
  • 61. Understanding New DNS Features
    - What Is an Application Directory Partition?
    - Application Directory Partition Replication
    - Application Directory Partition Creation
    - DNS Application Directory Partition Management
    - What Is a Conditional Forwarder?
    - DNS Zone Types
    - What Are the Differences Between Conditional Forwarders and Stub Zones?
  • 62. What Is an Application Directory Partition?
    - Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes
    - Configuration (forest-wide): information about the Active Directory structure
    - <Domain> (domain-wide): information about domain-specific objects
    - <Application> (configurable replication): information about applications
  • 63. Application Directory Partition Replication
    (Diagram: domain controllers and DNS servers; the domain topology, the DNS directory application partition, and the schema and configuration topology each replicate among the DC / DNS servers that hold them.)
  • 64. Application Directory Partition Creation
    - Created when the computer is promoted to be a domain controller
    - Storage zone options: standard zone storage; directory-integrated zone storage
  • 65. DNS Application Directory Partition Management
    - Ntdsutil command-line tool: allows you to add or delete an application directory partition, or add or remove a partition replica, by changing replication notification times
    - LDAP: permits low-level access to a directory from applications written in the C and C++ languages
    - Active Directory Service Interfaces (ADSI): COM-based interface that supports multiple directories and multiple languages such as C++, C#, Java, Visual Basic, and Microsoft Visual Basic Scripting Edition (VBScript)
    - DNS console: allows you to change zone type and zone replication scope
    - DNSCmd tool: allows you to create and manage zones and directory partitions
  • 66. What Is a Conditional Forwarder?
    - Forwarder: a DNS server that other internal DNS servers designate to forward queries for resolving external or offsite DNS domain names
    - Conditional forwarder: a DNS server used to forward queries according to domain names; settings on the DNS server consist of domain names for which the DNS server will forward queries and DNS server IP addresses for the domain names specified; you cannot use a domain name in a conditional forwarder if the DNS server hosts a primary, secondary, or stub zone for that domain name
  • 67. DNS Zone Types
    - Primary: read/write copy of a DNS database
    - Secondary: read-only copy of a DNS database
    - Stub: copy of a zone containing limited records
  • 68. What Are the Differences Between Conditional Forwarders and Stub Zones?
    - Conditional forwarder: a conditional forwarder setting configures the DNS server to forward a query it receives to a DNS server depending on the DNS name contained in the query
    - Stub zone: a stub zone keeps the DNS server hosting a parent zone aware of all the DNS servers authoritative for a child zone
  • 69. Questions?
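The SID filtering behaviour summarised on slide 16, as an added Python illustration that is not part of the original slides: it models which SIDs from an incoming cross-trust authentication survive into the access token, and generalises the external-trust case (one allowed domain) to a forest trust by passing every domain SID of the trusted forest. The domain SIDs and RIDs are constructed sample values.

```python
import re

# Constructed sample SIDs (not from the slides): the trusting domain owns the
# resource, the trusted domain is on the far side of an external trust.
TRUSTING_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TRUSTED_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"
DOMAIN_ADMINS_RID = 512

_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(-\d+)?$")


def domain_of(sid: str):
    """Return the domain identifier of a domain SID (the SID without its RID),
    or None for SIDs that are not domain-relative (well-known SIDs such as S-1-1-0)."""
    if not _DOMAIN_SID_RE.match(sid):
        return None
    parts = sid.split("-")
    return "-".join(parts[:7])


def filter_sids(presented_sids, allowed_domain_sids, quarantined=True):
    """Model of SID filtering applied to an authentication arriving over a trust.

    presented_sids: the user's primary SID plus every SIDHistory value.
    allowed_domain_sids: domains the trust may vouch for (one domain SID for an
        external trust; every domain SID of the trusted forest for a forest trust).
    quarantined: False models a trust whose SID filtering has been switched off.
    Returns (kept, dropped); only `kept` is used to build the access token.
    """
    kept, dropped = [], []
    for sid in presented_sids:
        if not quarantined or domain_of(sid) in allowed_domain_sids:
            kept.append(sid)
        else:
            # A SID from any other domain, including one that claims membership of a
            # privileged group in the trusting domain, is removed before token creation.
            dropped.append(sid)
    return kept, dropped


# Constructed sample: a migrated account with a legitimate SIDHistory entry from its
# own domain and one SIDHistory value naming Domain Admins of the trusting domain.
SAMPLE_SIDS = [
    f"{TRUSTED_DOMAIN_SID}-1105",                   # primary SID
    f"{TRUSTED_DOMAIN_SID}-1103",                   # legitimate SIDHistory, same domain
    f"{TRUSTING_DOMAIN_SID}-{DOMAIN_ADMINS_RID}",   # foreign SIDHistory value
]


def external_trust_result():
    """External trust with filtering on: only trusted-domain SIDs survive."""
    return filter_sids(SAMPLE_SIDS, {TRUSTED_DOMAIN_SID})


def unfiltered_result():
    """Same SIDs with filtering disabled: the foreign SID reaches the token."""
    return filter_sids(SAMPLE_SIDS, {TRUSTED_DOMAIN_SID}, quarantined=False)


if __name__ == "__main__":
    kept, dropped = external_trust_result()
    print("kept:", kept)
    print("dropped by SID filtering:", dropped)
```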
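Slide 28's rule types and their precedence (hash, then certificate, then path, then Internet zone, then the default level, with the most specific path rule winning among path rules), as an added Python model that is not part of the original slides; the rules, paths, signer name and file bytes are constructed, and SHA-256 stands in for the hash a real policy stores.

```python
import hashlib
from fnmatch import fnmatch

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"


def file_hash(data: bytes) -> str:
    """Hash rules identify a file by its content; SHA-256 is a stand-in here."""
    return hashlib.sha256(data).hexdigest()


def _path_rule(rules, path):
    """Among matching path rules the most specific (longest) pattern wins."""
    best = None
    for pattern, level in rules.get("path", {}).items():
        if fnmatch(path.lower(), pattern.lower()):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, level)
    return best[1] if best else None


def evaluate(rules, default_level, *, file_bytes, path, signer=None, zone=None):
    """Decide whether a program may run, applying rules in precedence order:
    hash, then certificate, then path, then Internet zone, then the default level."""
    level = rules.get("hash", {}).get(file_hash(file_bytes))
    if level is None and signer is not None:
        level = rules.get("certificate", {}).get(signer)
    if level is None:
        level = _path_rule(rules, path)
    if level is None and zone is not None:
        level = rules.get("zone", {}).get(zone)
    return default_level if level is None else level


# Constructed policy: allow-list posture ("allow no programs unless explicitly enabled").
BLOCKED_TOOL = b"MZ constructed bytes of a program that must never run"
DEFAULT_LEVEL = DISALLOWED
RULES = {
    "hash": {file_hash(BLOCKED_TOOL): DISALLOWED},
    "certificate": {"Contoso Script Signing": UNRESTRICTED},   # constructed signer name
    "path": {
        r"c:\windows\*": UNRESTRICTED,
        r"c:\program files\*": UNRESTRICTED,
        r"c:\windows\temp\*": DISALLOWED,   # more specific, overrides c:\windows\*
    },
    "zone": {"Internet": DISALLOWED},
}


def check(path, file_bytes=b"MZ ordinary program", signer=None, zone=None):
    """Evaluate one program against the constructed policy."""
    return evaluate(RULES, DEFAULT_LEVEL, file_bytes=file_bytes, path=path,
                    signer=signer, zone=zone)


if __name__ == "__main__":
    print(check(r"C:\Windows\Temp\tool.exe"))                                    # path rule
    print(check(r"C:\Users\alice\script.vbs", signer="Contoso Script Signing"))  # cert rule
```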
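The conditional-forwarder constraint on slide 66 and the forwarder / stub zone distinction on slides 67 and 68, as an added Python model that is not part of the original slides or of the Windows DNS service: a query is routed to the closest enclosing hosted zone or conditional forwarder, a stub zone carries the authoritative servers it tracks, and adding a conditional forwarder for a hosted zone name is rejected. Zone names and addresses are constructed.

```python
from dataclasses import dataclass, field

PRIMARY, SECONDARY, STUB = "primary", "secondary", "stub"


class ConditionalForwarderError(ValueError):
    """Raised when a conditional forwarder would shadow a zone this server hosts."""


@dataclass
class Zone:
    kind: str                                      # PRIMARY, SECONDARY or STUB
    servers: list = field(default_factory=list)   # stub zone: authoritative servers it tracks


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


@dataclass
class DnsServerConfig:
    zones: dict = field(default_factory=dict)        # zone name -> Zone
    conditional: dict = field(default_factory=dict)  # domain name -> forwarder IPs
    forwarders: list = field(default_factory=list)   # unconditional forwarders

    def add_conditional_forwarder(self, domain, servers):
        d = _normalize(domain)
        if d in self.zones:   # slide 66: not allowed for a hosted primary, secondary or stub zone
            raise ConditionalForwarderError(
                f"{d}: server already hosts a {self.zones[d].kind} zone for this name")
        self.conditional[d] = list(servers)

    def route(self, qname):
        """Where a query for qname is answered from: the closest enclosing hosted zone
        or conditional forwarder wins; otherwise the general forwarders, else recursion."""
        labels = _normalize(qname).split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.zones:
                z = self.zones[suffix]
                return ("zone", suffix, z.kind, list(z.servers))
            if suffix in self.conditional:
                return ("conditional-forwarder", suffix, None, list(self.conditional[suffix]))
        if self.forwarders:
            return ("forwarder", None, None, list(self.forwarders))
        return ("recursion", None, None, [])


def sample_config():
    """Constructed configuration (names and addresses are not from the slides)."""
    cfg = DnsServerConfig(forwarders=["10.0.0.1"])
    cfg.zones["corp.example"] = Zone(PRIMARY)
    cfg.zones["branch.corp.example"] = Zone(STUB, servers=["10.0.5.53"])
    cfg.add_conditional_forwarder("partner.example", ["10.0.9.53"])
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    for q in ("host.branch.corp.example", "www.partner.example", "www.example.org"):
        print(q, "->", cfg.route(q))
```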