Windows Server 2003 Editions

Enterprise Edition of Windows Server 2003 includes support for eight processors, 32 GB of RAM, eight-node clustering (including clustering based on a Storage Area Network (SAN) and geographically dispersed clustering) and availability for 64-bit Intel Itanium-based computers, on which scalability increases to 64 GB of RAM and 8-way SMP.

Datacenter Edition, which is available only as an OEM version as part of a high-end server hardware package with support on 32-bit platforms for 32-way SMP with 64 GB of RAM and on 64-bit platforms for 64-way SMP with 512 GB of RAM. There is also a 128-way SMP version that supports two 64-way SMP partitions.

64-bit editions of Windows Server 2003, which run on Intel Itanium-based computers, provide for higher CPU clock speeds and faster floating-point processor operations than the 32-bit editions of Windows. Some features of the 32-bit editions are not available in the 64-bit editions. Most notably, the 64-bit editions do not support 16-bit Windows application, real-mode applications, POSIX applications, or print services for Apple Macintosh clients.

Dynamic disks provide more options than basic disks. Dynamic disks can be configured to use disk mirroring (RAID-1), disk spanning, striped volumes (RAID-0), and RAID-5 volumes. Basic disks do not have these options, they can be configured as simple or extended partitions only.

Disk management can be performed in two ways. The first is through the disk management console and the second is through the command-line interface. Both can be used to convert disks from basic to dynamic and back. The Initialize And Convert Disk Wizard, which runs whenever a new disk is installed on a server, can be used to initialize a hard disk and convert it from basic to dynamic.

Only users with Administrator privileges, members of the Backup Operators group or users that have been especially delegated the appropriate authority are able to convert disks from basic to dynamic and back again. All disks can be converted from basic to dynamic. However, if a basic disk has data on it when the conversion takes place, it cannot be extended to span other disks as a native dynamic disk can. A converted dynamic disk, however, can be mirrored, which means that the operating system volume can be provided with fault tolerance.

Any disks to be converted must contain as least 1mb of unallocated space. Disk administrator automatically reserves this space (other 3rd party disk programs may not).

To convert dynamic disks back into basic disks, you must remove all volumes on the dynamic disk (includes all data within it).

If a server has multiple operating systems installed the administrator should consider not converting the boot or system partitions to dynamic disks. A conversion to dynamic will mean that the server cannot boot into any other operating system than the one that performed this conversion.

Volume mounting involves mounting a volume off a folder located on another volume. This mounted volume can be hosted on a disk that is either basic or dynamic. This enables a volume to appear to store more information than its actual physical capacity. It has the advantage of meaning that folders that require a great deal of capacity can be mounted on separate larger hard disk drives as not to fill the entire original volume.

• Basic storage is the default in Windows Server 2003, so all new disks are basic disks until you convert them to dynamic.

• Dynamic disks do not offer advantages over basic disks in a computer that will have only one disk drive.

• The behaviour of the LDM database also makes it difficult to transfer a dynamic disk used for starting the operating system to another computer when the original computer fails.

• Dynamic disks are not supported for removable media (usb & firewire), and are not supported on laptops.

• Basic disks are supported for removable media

• Basic storage is the industry standard, so basic drives are accessible from many operating systems, including MS-DOS, all versions of Microsoft Windows, and most non-Microsoft operating systems.

• Dynamic disks are not supported on hard disk drives with a sector size less than 512 bytes

To convert a dynamic disk to a basic disk you must remove all volumes (and data) from the dynamic disk before it is changed back.

Dynamic Volume

Previously called sets (mirror sets and stripe sets) under Windows NT. Dynamic volumes are the only volume that you can create on dynamic disks. 2003 Server can be installed on a dynamic volume but this volume must of been converted from basic to dynamic beforehand (as partition table is needed).

Windows Server 2003 only supports formatting partitions or volumes larger than 32gb as NTFS (not as FAT32).

You are able to install a fresh copy of Windows server 2003 onto a basic partition and onto a dynamic volume if the volume was originally a basic partition that was upgraded to dynamic, because Windows Server 2003 can only be installed on a disk that contains a partition table.

If you upgrade to Windows NT4 to Windows Server 2003 without backing up data stored on mirror sets or stripe sets with parity on basic disks, the operating system will not mount those volumes. But you can install from the Server 2003 installation cdrom the \support\tools folder, the ftonline.exe command line tool. ftonline will mount fault tolerant volume sets stored on basic disks. *Read only access is permitted to the data so it can be copied onto Dynamic fault tolerant volumes.

Monitoring server hardware is generally done by using the Device Manager MMC. There are also other areas of the system, such as specific Control Panel add-ins or separate utilities such as WINMSD, which can be used to monitor and report on hardware attached to the server.

Device Manager, found in the Computer Management console or as its own MMC in the Administrative Tools program group is the first port of call for hardware management. It will display the operating status of all hardware connected to the system. Non-Plug and Play devices can be viewed by selecting the Show Hidden Devices option from the view menu.

The WINMSD utility, launched from the command line or Run menu, also provides an overview of the hardware that is installed on a particular Windows Server 2003 system.

Some devices, such as modems and display adapters, are best managed through their individual Control Panel application rather than with the Device Manager.

WMI is a management system that collects data from computer systems. The control interface of WMI Control snap-in allows for adjustment of permissions beyond the default of the local administrator to manage computers across the network. While WMI is capable of configuring many different types of system behaviour including users, groups, and services. WMIC is capable of reporting running services, installed applications, and publishing Event Viewer data to CSV or HTML files for ease of distribution and analysis.

Windows Management Instrumentation (WMI) The Microsoft implementation of Web-Based Enterprise Management Initiative to establish standards of data in Enterprise Management

There are three ways to increase the read/write performance of disks on a Windows Server 2003 system.

The first is to implement disk striping (RAID-0). Disk striping uses 2 or more disks. In disk striping data is written to several disks at the same time. The start of a file may be written to one disk, while at the same time the middle of a file is written to a second disk and at the same time the end of the file is written to a third disk. Similarly the start, middle, and end of a file can be read simultaneously off all disks. Performing these operations in parallel brings a great performance benefit. The downside to RAID-0 is that if one of the disks that comprise the striped volume fails, all data on that volume is lost. Data should be hosted only on those volumes that need to be read and written quickly but that do not require fault tolerance. In disk striping, data can be written to or read from multiple disks making up the volume at one time. In a simple volume, only one disk can be written to or read simultaneously. Disk striping offers the best read/write performance.

The second way to increase the read/write speed of disks is to implement disk striping with parity, which is also known as RAID-5. The benefit of this method over disk striping is that the method is fault-tolerant. If one of the disks that comprise the RAID-5 volume is lost, the data can still be recovered by using the parity information stored on the other disks. RAID-5 is the safest way to increase the read/write performance of disks. The technique is easy to implement in the disk management console with three or more dynamic disks. RAID-5 must generate parity information while writing to the disks, something that disk striping (RAID-0) does not need to do. RAID-5 parity generation provides some latency, making this method slower than disk striping.

The final way of increasing the read/write speed of disks is to make sure that the files stored on them are relatively free of fragmentation. Fragmentation naturally occurs on hard disk drives as files are written and deleted. Because hard disks allocate free space as it becomes available, a newly written file may be stored at disparate locations across the hard disk drive. The less contiguous a file is on the hard disk drive, the longer it takes to be read or written. Defragmentation is the process by which files are rearranged on the hard disk so that they are continuous rather than fragmented. This is performed either by using the Disk Defragmenter console or by using the DEFRAG command-line utility.

If the recommendation is to defragment, click Defragment. You can defragment any type of volume: FAT or NTFS, basic or dynamic. The volume can have open files, but open files may not be efficiently defragmented and may slow the process. Disk Defragmenter will move files around the drive in an attempt to collect all clusters of a file into contiguous clusters.

To completely defragment a volume, the volume must have at least 15% percent free space. If the volume contains less then 15 percent free space, then the volume will be only partially defragmented.

Use CHKNTFS /c to start chkdsk on reboot of server, if volume is dirty.

A signed driver is one that has a digital certificate attached from Microsoft that guarantees that the driver has been tested on a wide variety of configurations and has been deemed reliable. Windows Server 2003 can be configured to look for this particular digital certificate and refuse to install drivers that have not met with Microsoft’s approval. Administrators can override any signing settings by manually setting this option in the System Properties. The options include Block, Warn, and Ignore. Block disallows the installation of unsigned drivers, Warn allows the installation but produces a message that must be approved notifying the administrator that the user is about to install unsigned drivers, and Ignore produces no warning and simply installs the drives regardless of whether they have been digitally signed.

The resources that a hardware device uses can be configured in the Device Manager by selecting the device and, from the Action menu, selecting Properties. Newly installed hardware can sometimes conflict with other hardware on the system and these conflicts can best be resolved by adjusting resources such as I/O range and IRQ.

Device drivers and operating system files included with Windows 2000 or higher have a Microsoft digital signature. The digital signature indicates that a particular driver or file was not altered or overwritten by another program’s installation process. Device drivers provided by vendors outside of Windows 2000 or higher may or may not be signed. You can control how the computer responds to these unsigned driver files during their installation. These settings are configurable through Control Panel by selecting System, the Hardware tab on the Systems Properties dialog box, and then Driver Signing to access the Driver Signing Options Properties page on an individual computer. The options for unsigned driver installation behaviour are:

Devices and their drivers require system resources to communicate with and process data through the operating system. These resources are configured automatically by Windows Server 2003, sometimes in a shared capacity with other devices within the system. In circumstances where resources must be statically configured, Device Manager allows for some control of the resources assigned for use by a device. If configuration is not available, the resources used by a device and its driver cannot be configured manually.

To configure a resource assignment manually, the Use Automatic Settings check box must first be cleared, then the resources can be set (such as I/O settings). Any resources set manually make both the resource and device unavailable for automatic configuration, limiting the ability of Windows Server 2003 to make adjustments. This may cause problems with other devices.

Device Manager provides a view of the hardware that is installed on your computer. You can use Device Manager to update the drivers for hardware devices and modify settings related to devices. Device Manager is accessible through the Control Panel by selecting System, the Hardware tab on the Systems Properties dialog box, and then Device Manager to access the Device Manager Properties page, or as part of the Computer Management console, accessible from Administrative Tools.

You can use Device Manager to manage devices only on a local computer. On a remote computer, Device Manager will work only in read-only mode.

A list of devices, drivers, and system configuration can be printed through the Print command on the Action menu in Device Manager or output to a comma-separated-values (CSV) file using the Driverquery command-line utility,

Administrators have the ability to install any device and its associated drivers. Users, on the other hand, have very limited ability to install devices on the computer. By default, users can install only PnP devices, with the following considerations:

• The device driver has a digital signature.

• No further action is required to install the device, requiring Windows to display a user interface.

• The device driver is already on the computer. If any of these conditions is not met, the user cannot install the device unless delegated additional administrative authority.

• If a PnP device requires no additional user interaction for installation, and the driver is already on the computer, a default user can connect and use the device. This applies to any universal serial bus (USB), parallel, IEEE 1394 device, especially printers. The Load And Unload Device Drivers user right, configurable through Group Policies, does not apply to PnP drivers, and need not be enabled for a user to install a PnP device.

Occasionally, a new driver will not function properly and cannot be kept in the configuration for the device. If the replaced driver was performing properly, then rolling back to the previous driver can be accomplished through Device Manager. Windows Server 2003 automatically backs up the driver that is being replaced through the update driver process, making it available through the Roll Back Driver option.

Locate Non-Plug and Play devices in the Device Manager by opening it, going to the view menu and selecting the Show Hidden Devices option. Note the different devices that are displayed when Show Hidden Devices is enabled and disabled.

USB Devices share electrical power. The root USB hub is given a certain amount of power and any USB devices connected to it (max of 127 devices) must share the power. To view power allocations open the device manager, expand the entry for USB controllers, right click the USB root rub and then choose properties, click the power tab.

Windows Server 2003 provides up to 500 milliamps of power for any and all connected USB devices. Each device can be no more than 5 meters away from the USB port.

Windows 2003 server only supports daisy chained USB hubs up to five (5) levels deep in one continuous chain.

*Note that with Writable CD ROMS - the ability to write to them is disabled by default. The IMAPI CD Burning COM Service must be enabled.

Local User Profiles

By default, user profiles are stored locally on the system in the %Systemdrive%\Documents and Settings\%Username% folder. They operate in the following manner:

• When a user logs on to a system for the first time, the system creates a profile for the user by copying the Default User profile. The new profile folder is named based on the logon name specified in the user’s initial logon.

• All changes made to the user’s desktop and software environment are stored in the local user profile. Each user has their individual profiles, so settings are user-specific.

• The user environment is extended by the All Users profile, which can include shortcuts in the desktop or start menu, network places, and even application data. Elements of the All Users profile are combined with the user’s profile to create the user environment. By default, only users of the Administrators group can modify the All Users profile.

Mandatory user profiles

• As you switch a domain to an advanced domain functional level, remember that it is a one time option that CANNOT be reversed. You can only upgrade (raise) functional levels, you can never downgrade (lower) to previous levels.

Before you can raise the forest functional level to Windows Server 2003 level, all domain controllers within the entire forest must be running the Windows Server 2003 operating system. All domains within the forest must also be operating at either the Windows 2000 native or the Windows Server 2003 domain functional level. Any DC's operating at the Windows 2000 native level will be automatically raised to the Windows Server 2003 domain functional level at the time that the forest functional level is raised to Windows Server 2003.

• Local groups can include members from any domain within a forest, from trusted domains in other forests, and from trusted down-level domains.

• A local group has only machine wide scope; it can grant resource permissions only on the machine on which it exists.

Using the Active Directory, it could be difficult to know exactly which groups a user belongs to, whether directly or indirectly. Fortunately, Windows Server 2003 adds the DSGET command, which solves the problem.

From a users computer, logged on as the user, you use the Run As command with your administrative credentials to load the Active Directory Users And Computers snap-in, and then you add the user to the Department’s FINANCEADMIN group, which has delegated administrative permissions for the user accounts in the Finance OU. You then close the Active Directory Users And Computers snap-in.

When the user attempts to reset a user’s password in the Finance OU, he is denied access.

What additional step do you need to take in order for the user to be able to perform the delegated administrative duties?

The group membership will not take effect until the users credentials are re-evaluated and a new token assigned that contains his new group membership. This token assignment occurs only at logon. Because the user was logged on to his computer at the time of the group membership change, his token does not contain the SIDs associated with his new group membership.

Adding or deleting members from a group is also accomplished through Active Directory Users And Computers. Right-click any group, and choose Properties.

The following explains the member configuration tabs of the Properties dialog box.

Members     -    Adding, removing, or listing the security principals that this container holds as members

Member Of     -    Adding, removing, or listing the containers that hold this container as a member

Windows Server 2003 supports a number of powerful command-line tools to facilitate the management of Active Directory. The following is a list, and brief description, of each tool:

LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against the Active Directory. A utility program called LDIFDE is included in Windows Server 2003 to support batch operations based on the LDIF file format standard. LDIFDE is a command-line utility, available on all Windows Server 2003 editions. From a command prompt or command shell, you run the LDIFDE utility with the appropriate command switches.

Use by typing ldifde /? at the command prompt.

• -i Turn on Import mode (The default is Export)

• -f filename Input or Output filename

• -s servername The server to bind to

• -c FromDN ToDN Replace occurrences of FromDN to ToDN

• -v Turn on Verbose mode

• -j path Log File Location

• -t port Port Number (default = 389)

• -? Help

Most database programs have the built-in capacity to export their data into a Comma-Separated-Value (CSV) file, which LDIFDE can import. For CSV files, however, it should be noted that some elements in object creation are mandatory, and errors will result during the import if elements are missing from the file. Group creation, however, has only the required elements of a distinguished name (CN=User) and location (DC=Domain, DC=OU)

The DSADD command is used to add objects to Active Directory. To add a group, use the syntax dsadd group GroupDN… The GroupDN… parameter is one or more distinguished names for the new user objects. If a DN includes a space, surround the entire DN with quotation marks. The GroupDN… parameter can be entered one of the following ways:

• By piping a list of DNs from another command, such as dsquery.

• By typing each DN on the command line, separated by spaces.

• By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.

The DSADD GROUP command can take the following optional parameters after the DN parameter:

• -secgrp {yes | no} determines whether the group is a security group (yes) or a distribution group (no). The default value is yes.

• -scope {l | g | u} determines whether the group is a domain local (l), global (g, the default), or universal (u).

• -samid SAMName

• desc Description

• -memberof GroupDN... specifies groups to which to add the new group.

• -members MemberDN... specifies members to add to the group.

You can add -s, -u, and -p parameters to specify the domain controller against which DSADD will run, and the user name and password the credentials that will be used to execute the command.

• {-s Server | -d Domain}

• -u UserName

• -p {Password

Modifying Groups with DSMOD. The DSMOD command is used to modify objects in Active Directory. To modify a group, use the syntax dsmod group GroupDN… The command takes many of the same switches as DSADD, including -samid, -desc, -secgrp, and -scope. Typically, though, you won't be changing those attributes of an existing group. Rather, the most useful switches are those that let you modify the membership of a group, specifically

• -addmbr Member... adds members to the group specified in Group

• -rmmbr Member... removes members from the group specified in Group where, as with all directory service commands, the DN is the full, distinguished name of another Active Directory object, surrounded by quotes if there are any spaces in the DN.

CSVDE is a command-line utility that allows you to import or export objects in Active Directory from (or to) a comma-delimited text file (also known as a comma-separated value text file), which can be  easily read in Notepad and Microsoft Excel. The command’s basic syntax is:

To delete a computer with DSRM, type: DSRM ObjectDN

Where ObjectDN is the distinguished name of the computer, such as “CN=Desktop15, OU=Desktops,DC=contoso,DC=com.”

When a computer is disjoined from a domain—when an administrator changes the membership of the computer to a workgroup or to another domain, the computer attempts to delete its computer account in the domain. If it is not possible to do so because of lack of connectivity, networking problems, or credentials and permissions, the account will remain in Active Directory. It may appear, immediately or eventually, as disabled. If that account is no longer necessary, it must be deleted manually. If a computer is taken offline or is not to be used for an extended period of time, you may disable the account. Such an action reflects the security principle, that an identity store allow authentication only of the minimum number of accounts required to achieve the goals of an organization. Disabling the account does not modify the computer’s SID or group membership, so when the computer is brought back online, the account can be enabled. The context menu, or Action menu, of a selected computer object exposes the Disable Account command. A disabled account appears with a red “X” icon in the Active Directory Users And Computers snap-in.

While an account is disabled, the computer cannot create a secure channel with the domain. The result is that users who have not previously logged on to the computer, and who therefore do not have cached credentials on the computer, will be unable to log on until the secure channel is re-established by enabling the account. To enable a computer account, simply select the computer and choose the Enable Account command from the Action or shortcut menus.

The Reset Account command is available in the Action and context menus when a computer object is selected. The DSMOD command can also be used to reset a computer account, with the following syntax:

dsmod computer ComputerDN -reset

The NETDOM command, included with the Windows Server 2003 Support Tools in the CD-ROM’s Support\Tools directory, also enables you to reset a computer account.

Computer accounts, and the secure relationships between computers and their domain are robust. In the rare circumstance that an account or secure channel breaks down, the symptoms of failure are generally obvious. The most common signs of computer account problems are Messages at logon indicate that a domain controller cannot be contacted; that the computer account may be missing; or that the trust (another way of saying "the secure relationship") between the computer and the domain has been lost.

This time, we pipe the results of the DSQUERY command to the input of DSMOD. The DSMOD COMPUTER -RESET command will reset each of those accounts.

Account Lockout Threshold - This policy configures the number of invalid logon attempts that will trigger account lockout. The value can be in the range of 0 to 999. A value that is too low (as few as three, for example) may cause lockouts due to normal, human error at logon. A value of 0 will result in accounts never being locked out. The lockout counter is not affected by logons to locked workstations.

Account Lockout Duration - This policy determines the period of time that must pass after a lockout before Active Directory will automatically unlock a user’s account. The policy is not set by default, as it is useful only in conjunction with the Account Lockout Threshold policy. Although the policy accepts values ranging from 0 to 99999 minutes, a low setting (5 to 15 minutes) is sufficient to reduce attacks significantly without unreasonably affecting legitimate users who are mistakenly locked out. A value of 0 will require the user to contact appropriate administrators to unlock the account manually.

Reset Account Lockout Counter After - This setting specifies the time that must pass after an invalid logon attempt before the counter resets to zero. The range is 1 to 99999 minutes, and must be less than or equal to the account lockout duration.

• General tab Description, Office, Telephone Number, Fax, Web Page, E-mail

• Account tab UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires

• Address Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region

• Profile Profile Path, Logon Script, and Home Folder

• Organization Title, Department, Company, Manager

Enforce Password History - When this policy is enabled, Active Directory maintains a list of recently used passwords, and will not allow a user to create a password that matches a password in that history. The result is that a user, when prompted to change his or her password, cannot use the same password again. The policy is enabled by default, with the maximum value of 24.

Maximum Password Age - This policy determines when users will be forced to change their passwords. Passwords that are unchanged or infrequently changed are more vulnerable to being cracked and utilized by attackers to impersonate a valid account. The default value is 42 days.

Minimum Password Age - When users are required to change their passwords even when a password history is enforced they can simply change their passwords several times in a row to circumvent password requirements and return to their original passwords. The Minimum Password Age policy prevents this possibility by requiring that a specified number of days must pass between password changes. Of course, a password can be reset at any time in Active Directory by an administrator or support person with sufficient permissions. But the user cannot change their password more than once during the time period specified by this setting.

Minimum Password Length - This policy specifies the minimum number of characters required in a password. The default in Windows Server 2003 is seven.

The Sessions node of the Shared Folders snap-in allows you to monitor the number of users connected to a particular server and to disconnect the user. The Open Files node enumerates a list of all open files and file locks for a single server, and allows you to close one open file or disconnect all open files. Before you perform any of these actions, you can send a console message by right-clicking the Shares node to the user. Messages are sent by the Messenger Service using the computer name, not the user name. The default state of the Messenger service in Windows Server 2003 is disabled. The Messenger service must be configured for Automatic or Manual startup and must be running before a computer can send console messages.

The sharing tab of a folder’s properties dialog box in Windows Explorer is available only when you configure a share while logged on to a computer interactively or through terminal services. You cannot share a folder on a remote system using Windows Explorer. Therefore,  the creation, properties, configuration, and management of a shared folder using the Shared Folders snap-in, which can be used on both local and remote systems.

When you open the Shared Folders snap-in, either as a custom MMC console snap-in or as part of the Computer Management or File Server Management consoles. Notice that Windows Server 2003 has several default administrative shares already configured. These shares provide connection to the system directory (typically, C:\Windows) as well as to the root of each fixed hard disk drive. Each of these shares uses the dollar sign ($) in the share name. The dollar sign at the end of a share name configures the share as a hidden share that will not appear on browse lists, but that you may connect to with a Universal Naming Convention (UNC) in the form \\servername\sharename$. Only administrators can connect to the administrative shares.

C$, ADMIN$, FAX$, IPC$, PRINT$

The not hidden administrative shares are, NETLOGON, SYSVOL

To share a folder on a computer, connect to the computer using the Shared Folders snap-in by right-clicking the root Shared Folders node and choosing Connect To Another Computer. Once the snap-in is focused on the computer, click the Shares node and, from the shortcut or Action menu, choose New Share. The important pages and settings exposed by the wizard are

• The Folder Path page Type the path to the folder on the local hard drives so, for example, if the folder is located on the server’s D drive, the folder path would be D:\foldername.

• The Name, Description, and Settings page Type the share name. If your network has any down-level clients (those using DOS-based systems), be sure to adhere to the 8.3 naming convention to ensure their access to the shares. The share name will, with the server name, create the UNC to the resource, in the form \\servername\sharename. Add a dollar sign to the end of the share name to make the share a hidden share. Unlike the built-in hidden administrative shares, hidden shares that are created manually can be connected to by any user, restricted only by the share permissions on the folder.

• The Permissions page Select the appropriate share permissions.

While share permissions are not as detailed as NTFS permissions, they have: Read, Change, and Full Control.

The effective set of share permissions is the cumulative result of the Allow permissions granted to a user and all groups to which that user belongs. If, for example, you are a member of a group that has Read permission and a member of another group that has Change permission, your effective permissions are Change. However, a Deny permission will override an Allow permission. If, on the other hand, you are in one group that has been allowed Read access and in another group that has been denied Full Control, you will be unable to read the files or folders in that share.

Share permissions define the maximum effective permissions for all files and folders beneath the shared folder. Permissions can be further restricted, but cannot be broadened, by NTFS permissions on specific files and folders. A user’s access to a file or folder is the most restrictive set of effective permissions between share permissions and NTFS permissions on that resource.

If you want a group to have full control of a folder and have granted full control through NTFS permissions, but the share permission is the default (Everyone: Allow Read) or even if the share permission allows Change, that group’s NTFS full control access will be limited by the share permission.

Share permissions have significant limitations, including the following:

• Share permissions apply only to network access through the Client for Microsoft Networks; they do not apply to local or terminal service access to files and folders, nor to other types of network access, such as File Transfer Protocol (FTP)

• Share permissions do not replicate through file replication service (FRS).

• Share permissions are not included in a backup or restore of a data volume.

• Share permissions are lost if you move or rename the folder that is shared.

• Share permissions are not granular; they provide a single permissions template that applies to every file and folder beneath the shared folder. You cannot enlarge access to any folder or file beneath the shared folder; and you cannot further restrict access without turning to NTFS permissions.

• You cannot configure auditing based on share permissions.

• Share permissions have three levels of access, Read / Change / Full control

The default share permission in Windows Server 2003 sets Everyone: Allow Read and Administrators: Allow Full Control as the default share permission.

When installing Terminal Server, you will be given the choice of Full Security and Relaxed Security. Full Security, the default, protects certain operating system files and shared program files. Older applications may not function in this more secure configuration, at which point you may choose Relaxed Security. The setting can be changed at any time using the Server Settings in the Terminal Server Configuration console.

The technology of Terminal Services and Remote Assistance is so closely tied that both services use the same network port: 3389, which must be open through any firewall for the Remote Assistance session to succeed.

If the Terminal Server is a Domain Controller, and the Default Domain Controller Group Policy has not been enabled to allow remote connections by the Remote Administrative Users group. The Local Group Policy on Domain Controllers forbids non-administrator remote connections. You will receive a message "The local policy of this system does not permit you to logon interactively" and must be changed. The easiest way to change the Local Policy is to override it with a change to the Default Domain Controller Group Policy to allow Remote connections by the Remote Administrative users group.

As part of your Terminal Server deployment, you must install a Terminal Server License Server, preferably on a server that is not a terminal server. Use Add/Remove Programs to install Terminal Server Licensing. You will be asked whether the server should be an Enterprise License Server or a Domain License Server.

• An Enterprise License Server is the most common configuration, and the server can provide licenses to terminal servers in any Windows 2000 or Windows Server 2003 domain within the forest.

• Use a Domain License Server when you want to maintain a separate license database for each domain, or when terminal servers are running in a workgroup or a Windows NT 4 domain.

• Load balancing technology such as Network Load Balancing (NLB) or DNS round-robin. The load balancing solution will distribute client connections to each of the terminal servers.

• A Terminal Services Session Directory. You must enable the Terminal Services Session Directory, which is installed by default on Windows Server 2003 Enterprise and Datacenter Editions, using the Services console in Administrative Tools. It is best practice to enable the session directory on a server that is not running Terminal Server. The Terminal Services Session Directory maintains a database that tracks each user session on servers in the cluster. The computer running the session directory creates a Session Directory Computers local group, to which you must add the computer accounts of all servers in the cluster.

• Terminal server connection configuration. Finally, you must direct the cluster’s servers to the session directory. This process involves specifying that the server is part of a directory, the name of the session directory server, and the name for the cluster, which can be any name you wish as long as the same name is specified for each server in the cluster. These settings can be specified in the Server Settings node of Terminal Server Configuration, or they can be set using a GPO applied to an OU that contains the computer objects for the cluster’s terminal servers.

When a user connects to the terminal server cluster, the following process occurs:

• When the user logs on to the terminal server cluster, the terminal server receiving the initial client logon request sends a query to the session directory server.

• The session directory server checks the username against its database and sends the result to the requesting server as follows:

  • If the user has no disconnected sessions, logon continues at the server hosting the initial connection.

  • If the user has a disconnected session on another server, the client session is passed to that server and logon continues.

• When the user logs on to a new or disconnected session, the session directory is updated.

Security can be configured for files and folders on any NTFS volume by right-clicking the resource and choosing Properties (or Sharing And Security) then clicking the Security tab. The interface that appears can been called the Permissions dialog box, or the Security Settings dialog box, or the Security tab or the Access Control List editor (ACL editor).

The ACL editor has three dialog boxes, each of which supports different and important functionality.

• The first dialog box provides a view of the resource’s security settings or permissions, allowing you to select each account that has access defined and to see the permissions templates assigned to that user, group, or computer. Each template shown in this dialog box represents a bundle of permissions that together allow a commonly configured level of access.

  • For example, to allow a user to read a file, several granular permissions are needed. To mask that complexity, you can simply apply the Allow:Read & Execute permissions template and, behind the scenes, Windows sets the correct file or folder permissions. To view more details about the ACL, click Advanced, which exposes the second of the ACL editor’s dialog boxes.

   

• The Advanced Security Settings For Docs dialog box. This dialog box lists the specific access control entries that have been assigned to the file or folder. The listing is the closest approximation in the user interface to the actual information stored in the ACL itself. The second dialog also enables you to configure auditing, manage ownership, and evaluate effective permissions.

• If you select a permission in the Permission Entries list and click Edit, the ACL editor’s third dialog box appears. This Permission Entry For Docs dialog box, lists the detailed, most granular permissions that comprise the permissions entry in the second dialog box’s Permissions Entries list and the first dialog box’s Permissions For Users list.

It is possible to use the cacls command via a command line to view permissions assigned to a file / folder. For example, if you wish to view the total permissions assigned to a folder on the c:\ drive, called "documents", type:

C:\>cacls documents

C:\Documents ACEMECORP\Joe:(OI)(CI)(DENY)(special access:)

READ_CONTROL

FILE_READ_DATA

FILE_READ_EA

FILE_READ_ATTRIBUTES

ACMECORP\Sales:(OI)(CI)(DENY)(special access:)

FILE_WRITE_DATA

FILE_APPEND_DATA

FILE_WRITE_EA

FILE_WRITE_ATTRIBUTES

 

The rules that determine effective permissions are as follows:

File permissions override folder permissions. Each resource maintains an ACL that is solely responsible for determining resource access. Although entries on that ACL may appear because they are inherited from a parent folder, they are nevertheless entries on that resource’s ACL. The security subsystem does not consult the parent folder to determine access at all. So you may interpret this rule as: The only ACL that matters is the ACL on the resource.

Configuring auditing entries in the security descriptor of a file or folder does not, in itself, enable auditing. Auditing must be enabled through policy. Once auditing is enabled, the security subsystem begins to pay attention to the audit settings, and to log access as directed by those settings.

Audit policy may be enabled on a stand-alone server using the Local Security Policy console, and on a domain controller using the Domain Controller Security Policy console. Select the Audit Policy node under the Local Policies node and double-click the policy, Audit Object Access. Select Define These Policy Settings and then select whether to enable auditing for successes, failures, or both.

Once audit entries have been configured on files or folders, and auditing object access has been enabled through local or group policy, the system will begin to log access according to the audit entries. You can view and examine the results using Event Viewer and selecting the Security log,

Sorting will be better served by filtering the event log, which can be done by choosing the Filter command from the View menu, or alternatively by selecting the Security log, then Properties from the Action or shortcut menus, and then clicking the Filter tab. The Filter tab enables you to specify criteria including the event type, category, source, date range, user, and computer.

You have the option to export the Security log by selecting the Save Log File As command from the log’s context menu. The native event log file format takes a .evt extension. You can open that file with Event Viewer on another system. Alternatively, you can save the log to tab- or comma-delimited file formats.

Additional counters can be added or removed by choosing Add (Ctrl+I) on the toolbar, or right-clicking anywhere in the details pane and choosing Add Counters from the shortcut menu. In the Add Counters dialog box, you can select any of the available counters for either the local computer or any remote computer on your network. Counters are arranged and available for use based on the type of object, the counter in the object category, and the instance of the counter.

Software Update Services (SUS) is a client-server application that enables a server on your intranet to act as a point of administration for updates. You can approve updates for SUS clients, which then download and install the approved updates automatically without requiring local administrator account interaction.

Per-server licensing requires a User or Device CAL for each concurrent connection. If a server is configured with 1,000 CALs, the 1,001st concurrent connection is denied access. CALs are designated for use on a particular server, so if the same 1,000 users require concurrent connections to a second server, you must purchase another 1,000 CALs.

Per server licensing is advantageous only in limited access scenarios, such as when a subset of your user population accesses a server product on very few servers. Per server licensing is less cost-effective in a situation where multiple users access multiple resources on multiple servers. If you are unsure which licensing mode is appropriate, select Per Server. The license agreement allows a no-cost, one-time, one-way conversion from Per Server to Per Device or Per User licensing when it becomes appropriate to do so.

For example, a developer who uses a laptop and two desktops would require only one Windows User CAL. A fleet of 10 Tablet PCs that are used by 30 shift workers would require only 10 Windows Device CALs. The total number of CALs equals the number of devices or users, or a mixture thereof, that access servers. CALs can be reassigned under certain, understandable conditions— for example a Windows User CAL can be reassigned from a permanent employee to a temporary employee while the permanent employee is on leave. A Windows Device CAL can be reassigned to a loaner device while a device is being repaired.

There are two utilities that will help you track and manage software licensing:

• Licensing in Control Panel The Control Panel Choose Licensing Mode tool, manages licensing requirements for a single computer running Windows Server 2003. You can use Licensing to add or remove CALs for a server running in per-server mode; to change the licensing mode from Per Server to Per Device or Per User; or to configure licensing replication.

• Licensing in Administrative Tools The Licensing administrative tool, allows you to manage licensing for an enterprise by centralizing the control of licensing and license replication in a site-based model.

The License Logging service, which runs on each Windows Server 2003 computer, assigns and tracks licenses when server resources are accessed. To ensure compliance, licensing information is replicated to a centralized licensing database on a server in the site. This server is called the site license server. A site administrator, or an administrator for the site license server, can then use the Microsoft Licensing tool in Administrative Tools program group to view and manage licensing for the entire site. This new license tracking and management capability incorporates licenses not just for file and print services, but for IIS, for Terminal Services, and for BackOffice products such as Exchange or SQL Server.

•  %Systemroot%\System32\Cpl.cfg contains the purchase history for your organization.

•  %Systemroot%\Lls\Llsuser.lls contains user information about the number of connections.

•  %Systemroot%\Lls\Llsmap.lls contains license group information. After all files have been copied, restart the License Logging service.

Administering Site Licenses Once you have identified the site license server for a site, you can view the licensing information on that server opening Licensing from the Administrative Tools program group. The Server Browser tab page of Licensing allows you to manage any server in any site or domain for which you have administrative authority. You can locate a server and, by right-clicking it and choosing Properties, manage that server’s licenses. For each server product installed on that server, you can add or remove per-server licenses. You can also, where appropriate, convert the licensing mode. When a user disconnects from the server product, the License Logging service makes the license available to another user.

The server properties also allow you to configure license replication, which can be set on a server using its Licensing properties in Control Panel. By default, license information is replicated from a server’s License Logging Service to the site license server every 24 hours, and the system automatically staggers replication to avoid burdening the site licensing server. If you want to control replication schedules or frequency, you must manually vary the Start At time and Start Every frequency of each server replicating to a particular site license server.

To manage Per Device or Per User licensing, click Licensing from the Administrative Tools program group, then choose the New License command from the License menu. In the New Client Access License dialog box, select the server product and the number of licenses purchased. Licenses are added to the pool of licenses. As devices or users connect to the product anywhere in the site, they are allocated licenses from the pool, with one license for each device or user. After a pool of licenses is depleted, license violations occur when additional devices or users access the product.

License Groups Per Device or Per User licensing requires one CAL for each device. However, the License Logging service assigns and tracks licenses by user name. When multiple users share one or more devices, you must create license groups, or else licenses will be consumed too rapidly. A license group is a collection of users who collectively share one or more CALs. When a user connects to the server product, the License Logging service tracks the user by name, but assigns a CAL from the allocation assigned to the license group.

• 10 users share a single handheld device for taking inventory. A license group is created with the 10 users as members. The license group is assigned one CAL, representing the single device they share.

• 100 students occasionally use a computer lab with 10 computers. A license group is created with the 100 students as members, and is allocated 10 CALs.

To create a license group, click the Options menu and, from the Advanced menu, choose New License Group. Enter the group name and allocate one license for each client device used to access the server. The number of licenses allocated to a group should correspond to the number of devices used by members of the group.

If the user chooses to send an e-mail or file request for Remote Assistance, a password will be required as a shared secret for the Remote Assistance session. The user let's the expert know what the password is in a separate communication such as a telephone call or secure e-mail.

• Remote Assistance supports Universal Plug and Play (UPnP) to Traverse Network Address Translation devices. This is helpful on smaller, home office networks, as Windows XP Internet Connection Sharing (ICS) supports UPnP. However, Windows 2000 ICS does not support UPnP.

• Remote Assistance will detect the Internet IP address and TCP port number on the UPnP NAT device and insert the address into the Remote Assistance encrypted ticket. The Internet IP address and TCP port number will be used to connect through the NAT device by the helper or requester workstation to establish a Remote Assistance session. The Remote Assistance connection request will then be forwarded to the client by the NAT device.

• Remote Assistance will not connect when the requester is behind a non-UPnP NAT device when e-mail is used to send the invitation file. When sending an invitation using Windows Messenger, a non-UPnP NAT device will work if one client is behind a NAT device. If both the helper and requester computers are behind non-UPnP NAT devices, the Remote Assistance connection will fail.

The Terminal Services service enables Remote Desktop, Remote Assistance, and Terminal Server for application sharing. The service is installed by default on Windows Server 2003, configured in Remote Desktop for remote administration mode. Remote Desktop mode allows only two concurrent remote connections, and does not include the application sharing components of Terminal Server. Therefore, Remote Desktop operates with very little overhead on the system, and with no additional licensing requirements.

To enable Remote Desktop connections on a Windows Server 2003 computer, open the System properties from Control Panel. On the Remote tab, select Allow Users To Connect Remotely To This Computer.

If the Terminal Server is a Domain Controller, you must also configure the Group Policy on the Domain Controller to allow connection through Terminal Services to the Remote Desktop Users group. By default, Non-Domain Controller servers will allow Terminal Services connections by this group.

To connect to and manage another system using the MMC - Computer Management console, you must launch the console with an account that has administrative credentials on the remote computer. If your credentials do not have elevated privileges on the target computer, you will be able to load the snap-in, but will not be able to read information from the target computer. You can use Run As, or secondary logon, to launch a console with credentials other than those with which you are currently logged on.

When you’re ready to manage the remote system, you may open an existing console with the snap-in loaded, or configure a new MMC with a snap-in that you configure for remote connection when you build the console. If you configure an existing Computer Management console, for example, follow these steps:

• Open the Computer Management console by right-clicking My Computer and choosing Manage from the shortcut menu.

• Right-click Computer Management in the tree pane and choose Connect To Another Computer.

• type the name or IP address of the computer or browse the network for it, and then click OK to connect.

During a new printer setup, Windows Server 2003 loads drivers onto the print server that support that printer for clients running Windows Server 2003, Windows XP, and Windows 2000. Printer drivers are platform-specific. If other platforms will be connecting to the shared logical printer, install the appropriate drivers on the server, so that Windows clients will download the driver automatically when they connect. Otherwise, you will be prompted for the correct drivers on each individual client.

Client computers running Windows NT, Windows 2000, Windows XP, and Windows Server 2003 download the driver when they first connect to the shared printer. They also verify that they have the current printer driver each time they print and, if they do not, they download the updated driver. For these client computers, you need only update printer drivers on the print server. Client computers running Windows 95 or Windows 98 do not check for updated printer drivers, once the driver is initially downloaded and installed. You must manually install updated printer drivers on these clients.

A printer pool is one logical printer that supports multiple physical printers, either attached to the server, attached to the network, or a combination thereof. When you create a printer pool, users’ documents are sent to the first available printer. The logical printer representing the pool automatically checks for an available port. Printer pooling is configured from the Ports tab of the printer’s Properties dialog box. To set up printer pooling, select the Enable Printer Pooling check box, and then select or add the ports containing print devices that will be part of the pool. The driver used by the printer pool must be compatible with all printers to which the pool directs print jobs.

To achieve a multiple logical printer-single port structure, additional printers use the same port as an existing logical printer. The printer name and share name are unique. After the new printer has been added, open its properties and configure the drivers, ACL, printing defaults, and other settings of the new logical printer. To configure high priority for the new logical printer, click the Advanced tab and set the priority, in the range of 1 (lowest) to 99 (highest). Assuming that you assigned 99 to the executives’ logical printer, and 1 to the printer used by all users, documents sent to the executives’ printer will print before documents queued in the users’ printer. An executive’s document will not interrupt a user’s print job. However, when the printer is free, it will accept jobs from the higher-priority printer before accepting jobs from the lower-priority printer. To prevent users from printing to the executives’ printer, configure its ACL and remove the print permission assigned to the Everyone group, and instead allow only the executives’ security group print permission.

If a print server disappears from the network, its printer object is removed from the Active Directory. The printer Pruner service confirms the existence of shared printers represented in Active Directory by contacting the shared printer every eight hours. A printer object will be pruned if the service is unable to contact the printer two times in a row. A print server will automatically recreate the printer objects for its printers when the machine starts, or when the spooler service is restarted.

Logical printers that are shared on computers running Windows NT 4 or Windows NT 3.51 are not published on the AD automatically, but can be manually published using the Active Directory Users And Computers MMC console. Simply right-click the OU or other container in which you want to create the printer and choose New Printer.

If a printer is malfunctioning, you can send documents in the queue for that printer to another printer connected to a local port on the computer, or attached to the network. This is called redirecting print jobs. It allows users to continue sending jobs to the logical printer, and prevents users with documents in the queue from having to resubmit the jobs.

To redirect a printer, open the printer’s Properties dialog and click the Ports tab. Select an existing port or add a port. The check box of the port of the malfunctioning printer is immediately cleared unless printer pooling is enabled, in which case you must manually clear the check box. Because print jobs have already been prepared for the former printer, the printer on the new port must be compatible with the driver used in the logical printer. All print jobs are now redirected to the new port. You cannot redirect individual documents. In addition, any documents currently printing cannot be redirected.

After selecting Print Queue as the performance object for the System Monitor, a list of all available performance counters is provided. You can select any counter and click Explain to learn about that particular performance metric. Some of the most used counters are:

• Bytes Printed/Sec The number of bytes of raw data per second that are sent to the printer. Low values for this counter can indicate that a printer is underutilized, either because there are no jobs, print queues are not evenly loaded, or the server is too busy. This value varies according to the type of printer.

• Job Errors Number of job errors. Job errors are typically caused by improper port configuration; check port configuration for invalid settings. A printing job instance will increment this counter only once, even if it happens multiple times. Also, some print monitors do not support job error counters, in which case the counter will remain at 0.

• Jobs The number of jobs being spooled.

• Total Jobs Printed The number of jobs sent to the printer since the spooler was started.

• Total Pages Printed The number of pages printed since the spooler was started. This counter provides a close approximation of printer volume, although it may not be perfect, depending on the type of jobs and the document properties for those jobs.

When quotas are enabled, the quota manager tracks the files on a volume that are owned by a user. It then compares the calculated total of disk usage by that user to limits that have been configured by an administrator and, when those limits are reached, notifies the user that the volume is near quota, or prevents the user from writing to the disk, or both.

Disk Quotas can be implemented per-volume and per-user only. You cannot implement quotas on a per-folder or per-group basis. Quotas are supported only on NTFS volumes.

Administrators have No Limit configured as their quota entry. That enables administrators to install the operating system, services, applications, and data without exceeding a quota.

Print queues can be monitored on the server or remotely. They can also be monitored through the Performance console. The Performance console is able to be used to generate an "at-a-glance" report of the current number of print jobs assigned to any one particular print server. This will allow an administrator to decide if the printing load should be shared among other servers if things seem to be taking an amount of time.

The Performance console has two snap-ins configured: System Monitor and Performance Logs And Alerts. The System Monitor is designed for real-time reporting of data to a console interface, and can be reported in graph, histogram, or numeric form. The Performance Logs And Alerts snap-in is designed to write data to a file (log) and report counter values that breach a threshold (alert). Logs written by Performance Logs And Alerts can be loaded into System Monitor for analysis, and exported to various file types (such as CSV and HTML) for reporting purposes.

Task manager

Task Manager provides dynamic views into current performance of your computer as it relates to running processes and applications. With configurable refresh intervals and selectable columns of data, the Task Manager shows the processor, memory, and I/O usage by processes. Applications can be started or ended from the Applications tab, and processes can be elevated in priority or terminated, including child processes, from the Processes tab. The Performance tab gives an aggregate view of processor and memory use on the computer. The Networking tab does the same for network utilization and basic configuration data. The Users tab, if available, will allow for logoff of a local session or disconnection of a remote session. Remote sessions can also have messages sent to the connected user.

WMI

WMI is a utility that uses a database of management information collected by running on each Windows Server 2003 computer. The command line interface for WMI is WMIC, which uses a series of aliases, verbs, switches and parameters to change configuration on or get information from a computer system. WMIC can connect to any computer remotely, so long as the user initiating the connection has sufficient privileges on the remote computer. The local administrator on a computer has permission to connect remotely, so Domain Administrators each have the ability to perform remote administration with WMI and WMIC. For archiving and reporting purposes, WMI data can be output through WMIC to CSV or HTML pages. Multiple computers can have commands issued to them either from the command line or from a text file. With the exception of needing to include the WMIC command at the beginning of each line, issuing commands from a batch file in non-interactive mode is no different from using WMIC in interactive mode.

The interactive mode of WMIC by started by typing wmic at a command line, pressing Enter, and then typing exit or quit to leave. Non-interactive mode consists of a single-line command beginning with WMIC either at a command line or in a batch file.

Network Counters Network counters report data from the network interface cards (NICs) installed in the computer, and from the segment on which the NICs communicate. The following counters are useful in measuring the performance of a computer on the network:

When monitoring %Network Utilization, for example, 30% utilization is the maximum recommended for an unswitched Ethernet network. This means that a 10 megabyte (MB) Ethernet network becomes bottlenecked when its throughput exceeds 3 MB per second. If the value of the counter is above 40%, data collisions begin to hamper the performance of the network.

Disk Counters The PhysicalDisk object counters provide data on activity for each of the hard disk storage devices, and the LogicalDisk object counters provide data on defined volumes (C:\, D:\, and so on) in your system. Monitoring LogicalDisk free space and PhysicalDisk performance counters will provide useful data. The following are important counters for Physical and Logical Disk monitoring:

IIS 6.0 is not automatically installed with Windows Server 2003, you must use the ADD/Remove programs applet in the Control Panel to install the IIS components you require for each server. After installation of IIS 6.0 has completed, you may open the Internet Information Services (IIS) Manager console from the Administrative Tools group.

Metabase configuration backups

Authentication is the process of evaluating credentials in the form of a user name and password. By default, all requests to IIS are serviced by impersonating the user with the IUSR_computername account. Before you begin restricting access of resources to specific users, you must create domain or local user accounts and require something more than this default, Anonymous authentication.

You may configure the following authentication methods on the Directory Security tab of the server, a Web (or FTP) site, a virtual directory, or a file:

FTP Authentication Options

Once authentication has been configured, permissions are assigned to files and folders. A common way to define resource access with IIS is through NTFS permissions. NTFS permissions, because they are attached to a file or folder, act to define access to that resource regardless of how the resource is accessed. IIS also defines permissions on sites and virtual directories. Although NTFS permissions define a specific level of access to existing Windows user and group accounts, the directory security permissions configured for a site or virtual directory apply to all users and groups.

To create an ASR set, open the Backup Utility from the Accessories program group, or by clicking Start, then Run, and typing Ntbackup.exe. If the Backup And Restore Wizard appears, click Advanced Mode. Then, from the Backup Utility’s Welcome tab, or from the Tools menu, select ASR Wizard. Follow the instructions. It will request a 1.44 megabyte (MB) floppy disk to create the ASR floppy.

The backup created by the ASR Wizard includes disk configuration information for each disk in the computer, a System State backup, and a backup of files including the driver cache. The backup set is sizable. On a standard installation of Windows Server 2003, the ASR backup size will be more than 1 gigabyte (GB).

To restore a system using Automated System Recovery, restart using the Windows Server 2003 CD-ROM, just as if you were installing the operating system on the computer. After loading initial drivers, the system will prompt you to press F2 to perform an Automated System Recovery. Press F2 and follow the instructions on your screen. Automated System Recovery will prompt you for the system’s ASR floppy, which contains two catalogues, or lists, of files required to start the system. Those files will be loaded from the CD-ROM. Automated System Recovery will restore remaining critical files, including the system’s registry, from the system’s ASR backup set. There is a restart during the process.

ASR only saves the Server 2003 operating system configuration. Any data files that are stored on the operating system drive volume (usually c: )are destroyed during an ASR restore.

Using VSS, Windows Server 2003 automatically caches copies of files as they are modified. If a user deletes, overwrites, or makes unwanted changes to a file, you can simply restore a previous version of the file. It is designed to facilitate quick recovery from simple, day-to-day problems, not recovery from significant data loss.

The Shadow Copies feature for shared folders is not enabled by default. To enable the feature, open the Properties dialog box of a drive volume from Windows Explorer or the Disk Management snap-in. On the Shadow Copies tab, select the (NTFS) volume and click Enable. Once enabled, all shared folders on the volume will be shadowed; specific shares on a volume cannot be selected. You can, however, manually initiate a shadow copy by clicking Create Now.

■ Schedule You can configure a schedule that reflects the work patterns of your users, ensuring that enough previous versions are available without prematurely filling the storage area and thereby forcing the removal of old versions. Remember that when a shadow copy is made, any files that have changed since the previous shadow copy are copied. If a file has been updated several times between shadow copies, those interim versions will not be available.

You can then choose to Restore the file to its previous location or Copy the file to a specific location.

Unlike a true restore operation, when you restore a file with Previous Versions, the security settings of the previous version are not restored. If you restore the file to its original location, and the file exists in the original location, the restored previous version over-writes the current version and uses the permissions assigned to the current version. If you copy a previous version to another location, or restore the file to its original location but the file no longer exists in the original location, the restored previous version inherits permissions from the parent folder.

If a file has been deleted, open the Properties of the parent folder, click the Previous Versions tab and locate a previous version of the folder that contains the file you want to recover. Click View and a folder window will open that displays the contents of the folder as of the time at which the shadow copy was made. Right-click the file and choose Copy, then paste it into the folder where you want the file to be recreated.

The Shadow Copy Client uses CIFS (Common Internet File Sharing).

In addition, the following are included in the System State when the corresponding services have been installed on the system:

To back up the System State in the Backup Utility, include the System State node (tick box) as part of the backup selection.

If you prefer to use the command line, use Ntbackup with the following syntax:

Ntbackup backup systemstate /J "backup job name"

System state & Directory Services Mode

You must have the Backup Files And Directories user right, or NTFS Read permission to back up a file. Similarly, you must have the Restore Files And Directories user right, or NTFS Write permission to the target destination, to restore a file.

Privileges are assigned to both the Administrators and Backup Operators groups, so the minimum required privileges can be given to a user, a group, or a service account by nesting the account in the Backup Operators group on the server.

Users with the Restore Files And Directories user right can remove NTFS permissions from files during restore. In Windows Server 2003, they can additionally transfer ownership of files between users. Therefore, it is important to control the membership of the Backup Operators group and to physically secure backup tapes.

Backup options are configured by choosing the Options command from the Tools menu. Many of these options configure defaults that are used by the Backup Utility and the command-line backup tool, Ntbackup. Those settings can be overridden by options of a specific job. General Options The General tab of the Options dialog box includes the following settings:

• Verify Data After The Backup Completes The system compares the contents of the backup media to the original files and logs any discrepancies. This option obviously adds a significant amount of time for completing the backup job. Discrepancies are likely if data changes frequently during backup or verification, and it is not recommended to verify system backups because of the number of changes that happen to system files on a continual basis.

The Ntbackup command provides the opportunity to script backup jobs on Windows Server 2003. Its syntax is

The command’s first switch is backup, which sets its mode—you cannot restore from the command line. That switch is followed by a parameter that specifies what to back up. You can specify the actual path to the local folder, network share, or file that you want to back up. Alternatively, you can indicate the path to a backup selection file (.bks file) to be used with the syntax @selectionfile.bks. The at (@) symbol must precede the name of the backup selection file.

• /V:{yes | no} Verifies the data after the backup is complete.

• Manage backup storage media.

The Recovery Console is a text-mode command interpreter that allows you to access to the hard disk of a computer running Windows Server 2003 for basic troubleshooting and system maintenance. It is particularly useful when the operating system cannot be started, as the Recovery Console can be used to run diagnostics, disable drivers and services, replace files, and perform other targeted recovery procedures.

You can start the Recovery Console by booting with the Windows Server 2003 CD-ROM and, when prompted, pressing R to choose the repair and recover option. However, when a system is down you will typically want to recover the system as quickly as possible, and you may not want to waste time hunting down a copy of the CD-ROM or waiting for the laboriously long restart process. Therefore, it is recommended to pro-actively install the Recovery Console.

Once the Recovery Console has started, you will be prompted to select the installation of Windows to which you wish to log on. You will then be asked to enter the Administrator password. You must use the password assigned to the local Administrator account, which, on a domain controller, is the password configured on the Directory Services Restore Mode Password page of the Active Directory Installation Wizard.

The Recovery Console cannot be used to remove or create disk mirrored sets.

• Listsvc Displays the services and drivers that are listed in the registry as well as their startup settings. This is a useful way to discover the short name for a service or driver before using the Enable and Disable commands.

• Enable/Disable Controls the startup status of a service or driver. If a service or driver is preventing the operating system from starting successfully, use the Recovery Console’s Disable command to disable the component, then restart the system and repair or uninstall the component.

• Diskpart Provides the opportunity to create and delete partitions using an interface similar to that of the text-based portion of Setup. You can then use the Format command to configure a file system for a partition.

• Bootcfg Enables you to manage the startup menu. Can be used with the /EMS command (Emergency Management Services) to access the server via a COM Port via Terminal Emulation programs.

Restore backup data.

Schedule backup jobs.