Active Directory is the directory service used on Microsoft Windows computers and servers to store information about networks and domains. It was first previewed in 1996 and first shipped with Windows 2000. Active Directory (often abbreviated to AD) performs a variety of functions: it provides information about objects, organizes those objects so that they can be found and accessed easily, allows access by end users and administrators, and lets the administrator apply security to the directory. Active Directory is a hierarchical structure, usually broken into three main categories: resources, which include hardware such as printers; services for end users, such as e-mail servers; and objects, which are the users, computers, groups and other entities that make up the domain and network.
and end user. A network administrator can generally access the trees in the forest, including a specific end user's domain, whereas an end user, while able to log on to his or her own domain, cannot reach other trees unless access has been granted there. Active Directory is a good way to organize the computers, data and network of a large organization. Without it, most end users would have computers that need to be updated individually and would have no access to a larger network where data can be processed and reports created. Active Directory is technical and requires considerable expertise to navigate, but it is essential for storing information about networks.
Because DHCPDISCOVER is a broadcast message, and broadcasts only cross segments when a router is explicitly configured to forward them, you may have to configure a DHCP Relay Agent on the router interface so that DHCPDISCOVER messages reach your DHCP server. Alternatively, you can configure the router itself to forward DHCP and BOOTP messages (UDP port 67). In a routed network you need DHCP Relay Agents if you plan to implement only one DHCP server, because every client computer must be able to contact that server. DHCP depends on the network topology and is in turn depended on by every TCP/IP host in your environment. If your network has multiple segments, therefore, you have to do one of the following:

- Place a DHCP server on each segment.
- Place a DHCP Relay Agent on each segment.
- Configure your routers to forward DHCP/BOOTP broadcasts (the BOOTP-forwarding or "IP helper" feature on most routers).
The DHCP Relay Agent makes it possible for DHCP broadcast messages to cross routers that do not forward this kind of traffic. In Routing and Remote Access it is installed as a routing protocol component, but it is really a forwarder: it receives the client's broadcast on the local subnet, sends it as a unicast to a DHCP server on a remote subnet, and returns the server's reply to the client. In the forwarded request the relay fills in the giaddr field with the address of its own interface on the client subnet; the DHCP server uses that address to select the scope it hands an address out from and to send its reply back. If you have not configured a DHCP Relay Agent, clients can only obtain IP addresses from a DHCP server on their own subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, configure the DHCP Relay Agent on the subnet that contains the clients, so that it relays their DHCP broadcasts to your DHCP server. The Windows operating systems that include a DHCP Relay Agent are:

- Windows NT Server
- Windows 2000 Server
- Windows Server 2003
In routed networks you need to either enable your routers to forward DHCP broadcast messages or configure a DHCP Relay Agent, for the following reasons:

- A router drops DHCP broadcast messages unless it is configured to forward them, so if no DHCP Relay Agent exists either, the DHCP lease process cannot take place.
- The initial message sent by a DHCP client (DHCPDISCOVER) is a broadcast; the client has no IP address yet and does not know where the server is.
How to configure the DHCP Relay Agent

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
4. Select the interface that is on the same subnet as the DHCP clients.
5. Click OK.
6. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
7. Change the Hop-Count Threshold and Boot Threshold values if required. The hop-count threshold is the number of relay agents a request may pass through before it is discarded; the boot threshold is the number of seconds a client must have been trying before the relay forwards its request, which gives a DHCP server on the local segment the first chance to answer.
8. Click OK.

The relay also needs to know where to send the requests: right-click the DHCP Relay Agent node, select Properties, and add the IP address of each DHCP server on the General tab. If the DHCP Relay Agent node is not present, add it first by right-clicking General under IP Routing and selecting New Routing Protocol.
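The following PowerShell script is an added example, not code from the original page: it models the decisions a DHCP Relay Agent makes for a client broadcast, so that the Hop-Count Threshold and Boot Threshold settings above can be seen acting on the hops and secs fields of the request. Header offsets follow the BOOTP/DHCP layout in RFC 2131 and the relay rules follow RFC 1542; the packet, MAC address and relay address are constructed for the example, and the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original page): a model of the decisions a DHCP
# Relay Agent makes when it receives a client broadcast. Header offsets follow
# RFC 2131, relay rules follow RFC 1542. The sample packet and all addresses are
# constructed for this example. Requires Windows PowerShell 5.1 or later.

function ConvertFrom-DhcpHeader {
    param([byte[]]$Packet)
    if ($Packet.Length -lt 236) { throw "Packet is shorter than the 236-byte BOOTP header" }
    [pscustomobject][ordered]@{
        Op     = $Packet[0]                                    # 1 = BOOTREQUEST, 2 = BOOTREPLY
        Hops   = $Packet[3]                                    # incremented by each relay on the path
        Xid    = [BitConverter]::ToString([byte[]]$Packet[4..7]) -replace '-', ''
        Secs   = ([int]$Packet[8] -shl 8) -bor $Packet[9]     # seconds since the client started trying
        GiAddr = [System.Net.IPAddress]::new([byte[]]$Packet[24..27])   # first relay's address, 0.0.0.0 if none
        ChAddr = (($Packet[28..33] | ForEach-Object { $_.ToString('X2') }) -join ':')
    }
}

function Invoke-DhcpRelayDecision {
    param(
        [byte[]]$Packet,
        [System.Net.IPAddress]$RelayInterfaceAddress,  # the relay's interface on the client subnet
        [int]$HopCountThreshold = 4,   # RRAS default: how many relays a request may already have crossed
        [int]$BootThreshold = 0        # RRAS default (seconds): give a local server this long to answer first
    )
    $hdr = ConvertFrom-DhcpHeader $Packet
    if ($hdr.Op -ne 1) {
        return "ignore: op=$($hdr.Op) is not a client request"
    }
    # Assumption in this model: a request that has already crossed HopCountThreshold relays is
    # discarded (RFC 1542 only says to discard when hops "exceeds" the configured threshold).
    if ($hdr.Hops -ge $HopCountThreshold) {
        return "discard xid $($hdr.Xid): hops=$($hdr.Hops) has reached the hop-count threshold $HopCountThreshold"
    }
    if ($hdr.Secs -lt $BootThreshold) {
        return "discard xid $($hdr.Xid): secs=$($hdr.Secs) is below the boot threshold $BootThreshold"
    }
    $fwd = [byte[]]$Packet.Clone()
    $fwd[3] = $hdr.Hops + 1
    if ($hdr.GiAddr.Equals([System.Net.IPAddress]::Any)) {
        # Only the first relay fills giaddr; the server uses it to pick a scope and to address its reply.
        [Array]::Copy($RelayInterfaceAddress.GetAddressBytes(), 0, $fwd, 24, 4)
    }
    $gi = [System.Net.IPAddress]::new([byte[]]$fwd[24..27])
    return "forward xid $($hdr.Xid) to the DHCP server as unicast: hops=$($fwd[3]) giaddr=$gi"
}

# Constructed DHCPDISCOVER: 236-byte header plus the 4-byte DHCP magic cookie.
$discover = New-Object byte[] 240
$discover[0] = 1; $discover[1] = 1; $discover[2] = 6           # BOOTREQUEST over Ethernet, 6-byte MAC
[Array]::Copy([byte[]](0x39, 0x03, 0xF3, 0x26), 0, $discover, 4, 4)      # transaction id
$discover[9] = 12                                               # secs = 12: the client has waited 12 s
[Array]::Copy([byte[]](0x00, 0x0C, 0x29, 0xAA, 0xBB, 0xCC), 0, $discover, 28, 6)   # constructed client MAC
[Array]::Copy([byte[]](99, 130, 83, 99), 0, $discover, 236, 4)  # DHCP magic cookie

$relay = [System.Net.IPAddress]::Parse('10.1.2.1')             # constructed: the relay's client-facing interface

# Case 1: a fresh broadcast with the default thresholds.
Invoke-DhcpRelayDecision -Packet $discover -RelayInterfaceAddress $relay

# Case 2: a boot threshold of 30 s, so a DHCP server on the local segment gets the first chance.
Invoke-DhcpRelayDecision -Packet $discover -RelayInterfaceAddress $relay -BootThreshold 30

# Case 3: the same request after it has already crossed four relays.
$looped = [byte[]]$discover.Clone(); $looped[3] = 4
Invoke-DhcpRelayDecision -Packet $looped -RelayInterfaceAddress $relay
```

The first call is forwarded with hops incremented to 1 and giaddr set to the relay's own address; the second is discarded because the client has only been trying for 12 seconds; the third is discarded because the hop count has reached the threshold, which is what stops a relay loop from multiplying every client broadcast across the network.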
How to view statistical information on the operation of the DHCP Relay Agent
1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Select the DHCP Relay Agent node, and view the statistical information displayed in the details pane of the Routing And Remote Access console:
   - Received requests
   - Received replies
   - Discarded requests
   - Discarded replies
DNS has been included with the operating system since Windows NT Server 4.0. DNS is the primary name registration and resolution service in Windows 2000 and Windows Server 2003, and provides the following features and services:

-  A hierarchically distributed and scalable database.
-  Name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients.
-  Location of domain controllers for logon.

The DNS database has the following characteristics:

- Host names in the DNS database can be distributed between multiple servers.
- The database has no practical size limit.
- Extensible data types: besides host name to IP address mappings, other record types are supported.
- Performance does not degrade as more servers are added; the database is scalable.
- Distributed administration: naming can be managed separately for each partition (zone).
To verify a computer's name:

1. Right-click My Computer, and select Properties from the shortcut menu.
2. Click the Computer Name tab to verify the computer's name.

The names used on a Windows network are:

- NetBIOS name: A unique name used to identify a NetBIOS resource on the network. The NetBIOS name is resolved to an IP address for communication to occur.
- Host name: A host name is assigned to a computer to identify a host in a TCP/IP network. The host name can be described as the alias assigned to a node to identify it. When the host name is used rather than the IP address, it has to be resolved to an IP address before IP communication can occur. The HOSTS file is a text file, stored locally, that maps host names to IP addresses.
- Fully qualified domain name (FQDN): The DNS name used to identify a computer on the network. FQDNs have to be unique. An FQDN usually consists of the host name, the primary DNS suffix and a trailing period.
- DNS name: A name made up of one or more labels separated by dots. When a DNS name shows the entire path, it is known as the fully qualified domain name (FQDN).
- Alias: A name used instead of another name. The canonical name (CNAME) record is how an alias is expressed in DNS.
- Nickname: Another name used for a host, usually an abbreviated version of the FQDN. A nickname has to be unique for each node if you want to map it to the FQDN.
- Primary DNS suffix: Computers in a Windows Server 2003 network are assigned a primary DNS suffix for name registration and name resolution. The primary DNS suffix is also referred to as the primary domain name, or simply the domain name.
- Connection-specific DNS suffix: A DNS suffix assigned to a particular adapter, also called the adapter DNS suffix.

The differences between the NetBIOS naming system and the DNS namespace are:

- A NetBIOS name is 16 bytes long, of which 15 are available for the name itself (the 16th is a suffix byte that identifies the service). A DNS name can be up to 255 characters long.
- The NetBIOS naming system is flat. The DNS namespace is hierarchical.
- The DNS naming system is called the domain namespace. If you use a private domain namespace with no interaction with the Internet, it does not have to be globally unique.
Each node in the DNS domain tree is identified by an FQDN, a DNS domain name that specifies the node's location in the tree. A domain name is the list of labels along the path from the root of the tree to a particular node, and the FQDN is the complete list of labels for that node. Each domain registered in DNS is served by a DNS name server, and the DNS server of a domain provides authoritative replies to queries for that domain.

The Internet Corporation for Assigned Names and Numbers (ICANN) manages the root of the Internet domain namespace. ICANN (through its IANA function) manages the assignment of the globally unique identifiers that the Internet depends on:

- Internet domain names
- IP addresses
- Port numbers
- Protocol parameters

Below the root domain are the top-level domains, which ICANN also manages. They fall into the following groups:

- Organizational domains: used globally and named with a three-character code that indicates the main function of the organizations in the domain.
- Geographical domains: usually used by organizations outside the United States and named with the two-character country and region codes of ISO 3166, such as .uk for the United Kingdom.
- Reverse domains: used for IP address to name mappings, known as reverse lookups.

The additional top-level domains defined by ICANN in late 2000 are:

- .aero; for the air transport industry
- .biz; for businesses
- .coop; for cooperatives
- .info; for information
- .museum; for museums
- .name; for individuals
- .pro; for credentialed professions such as attorneys

The common top-level domain names are:

- .com; commercial organizations
- .edu; educational institutions
- .gov; government
- .int; international organizations
- .mil; military organizations
- .net; Internet providers and networking organizations
- .org; non-commercial organizations
- .uk; United Kingdom
- .us; United States
- .ca; Canada
- .jp; Japan
When a DNS server cannot answer a query from its own zones or its cache, it can:

- Provide a pointer (referral) to another DNS server that can assist in resolving the query
- Respond that the information is unavailable
- Respond that the information does not exist

A DNS server is authoritative for the contiguous portion of the DNS namespace that it hosts. The following types of DNS servers exist:

- Primary DNS server: Owns the zones defined in its DNS database and can make changes to those zones.
- Secondary DNS server: Obtains a read-only copy of zones via DNS zone transfers. A secondary DNS server cannot change the information in its read-only copy, but it can resolve name queries. Secondary DNS servers are usually implemented for the following reasons:
  - Redundancy: It is recommended to install at least one primary and one secondary DNS server for each DNS zone. Install them on different subnets so that if one DNS server fails, the other can continue to resolve queries.
  - Distribution of DNS processing load: Secondary DNS servers reduce the load on the primary DNS server.
  - Fast access for clients in remote locations: Secondary DNS servers prevent clients from having to cross slow links for name resolution.

The other components involved in name resolution are:

- DNS zones: A DNS zone is the contiguous portion of the DNS domain namespace over which a DNS server is authoritative. A zone is a portion of the namespace; it is not a domain. A domain is a branch of the DNS namespace, and a zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple zones. Zone files store the resource records for the zones over which a DNS server has authority.
- DNS client: A machine that queries the DNS server for name resolution. DNS resolvers are used to issue the requests to the DNS server.
- Queries: The types of DNS queries that can be sent to a DNS server are recursive queries and iterative queries.
- DNS resolvers: Programs that use DNS queries to request information from DNS servers. In Windows Server 2003, the DNS Client service performs the function of the DNS resolver. A resolver can issue name queries to remote DNS servers or to a DNS server running locally. When a resolver receives a response from a DNS server, it caches the information locally, and the local cache is used if the same information is requested again.
- Resource records: The entries in the DNS database that are used to answer name resolution queries. Each DNS server holds the resource records it needs to respond to queries for the portion of the namespace for which it is authoritative.
- Root servers: When a query cannot be resolved from the local zone files, a root server either returns an authoritative answer for a particular domain or returns a referral to another DNS server that can provide an authoritative answer.
When a DNS server performs recursion, it queries the other DNS servers on behalf of the client, which effectively makes the initial DNS server a DNS client itself. To perform recursion, root hints tell the DNS server where in the DNS namespace to begin searching for the queried name. Root hints are a collection of resource records that the DNS Server service uses to locate the DNS servers that are authoritative for the root of the DNS domain namespace. If you are using Windows Server 2003 DNS, a preconfigured root hints file named Cache.dns already exists in the WINDOWS\System32\Dns directory. Cache.dns contains the addresses of the root servers of the Internet DNS namespace and is loaded into memory when the DNS Server service starts.

If recursion is disabled for the DNS server, and the server cannot find a match for the queried name in its zone information or its cache, the client has to perform iterative queries itself, using the root hint referrals returned by the DNS server. When a client performs iterative queries, it sends repeated requests to different DNS servers until the queried name is resolved. The events that occur to resolve a name requested in a query are:

1. The resolver sends a recursive DNS query to its local DNS server, requesting the IP address of a particular name.
2. Because a recursive query does not allow the local DNS server to simply refer the resolver to a different DNS server, the local DNS server attempts to resolve the requested name itself.
3. The local DNS server checks its zones (and its cache).
4. If it finds no zone for the requested name, the local DNS server sends an iterative query for the name to a root DNS server.
5. The root DNS server is authoritative for the root domain. It responds with the IP address of a name server for the relevant top-level domain.
6. The local DNS server next sends an iterative query for the requested name to that name server, which in turn replies with the IP address of the name server servicing the requested domain.
7. The local DNS server then sends an iterative query for the requested name to the name server servicing that domain.
8. That name server responds with the requested IP address.
9. The local DNS server returns the IP address to the resolver (and caches it).
The query response types that can be returned by a DNS server are:

- Authoritative answer: A positive response returned to a client with the authority (AA) bit set in the DNS message header, indicating that the reply came from a DNS server that has direct authority for the queried name.
- Positive answer: A response that returns the resource record(s) matching the name and record type in the original query.
- Referral answer: Returned when the DNS server does not support (or does not perform) recursion. A referral contains additional resource records, typically NS records and their addresses, that the client can use to continue resolving the request.
- Negative answer: Returned to the client in either of two cases:
  - The queried name does not exist in the DNS namespace. This information comes from an authoritative server.
  - The authoritative server indicates that the queried name does exist, but there are no resource records of the requested type for it.
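The PowerShell script below is an added example, not code from the original page: a small DNS message parser that classifies a response as authoritative or not, positive, referral, or negative (name error versus no data) from the header flags and the answer and authority sections, which is how a resolver tells the response types above apart. The message layout follows RFC 1035; the four responses are constructed inline for the example, and the example.com names and the 192.0.2.10 address are illustrative. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original page): parse a DNS response and classify it.
# Layout per RFC 1035. All messages below are constructed for the example.

function ConvertTo-DnsName([string]$Name) {
    # "www.example.com" -> 3www 7example 3com 0 (length-prefixed labels, zero terminator)
    $out = foreach ($label in $Name.TrimEnd('.').Split('.')) {
        [byte]$label.Length
        [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    return ,[byte[]]($out + 0)
}

function Read-DnsName([byte[]]$Msg, [ref]$Offset) {
    # Decodes a name starting at $Offset, following compression pointers (0xC0xx) to earlier offsets.
    $labels = @(); $pos = $Offset.Value; $jumped = $false; $end = 0; $hops = 0
    while ($true) {
        $len = [int]$Msg[$pos]
        if (($len -band 0xC0) -eq 0xC0) {
            $hops++; if ($hops -gt 16) { throw "Compression pointer loop at offset $pos" }   # hostile/malformed message
            if (-not $jumped) { $end = $pos + 2 }                # the name occupies only the 2-byte pointer here
            $pos = (($len -band 0x3F) -shl 8) -bor $Msg[$pos + 1]
            $jumped = $true
            continue
        }
        if ($len -eq 0) { if (-not $jumped) { $end = $pos + 1 }; break }
        $labels += [System.Text.Encoding]::ASCII.GetString($Msg, $pos + 1, $len)
        $pos += 1 + $len
    }
    $Offset.Value = $end
    return ($labels -join '.')
}

function Read-DnsRecords([byte[]]$Msg, [ref]$Offset, [int]$Count) {
    for ($i = 0; $i -lt $Count; $i++) {
        $name = Read-DnsName $Msg $Offset
        $off = $Offset.Value
        $type  = ([int]$Msg[$off] -shl 8) -bor $Msg[$off + 1]
        $rdlen = ([int]$Msg[$off + 8] -shl 8) -bor $Msg[$off + 9]
        $Offset.Value = $off + 10 + $rdlen                        # skip TYPE, CLASS, TTL, RDLENGTH and RDATA
        [pscustomobject]@{ Name = $name; Type = $type }
    }
}

function Get-DnsResponseKind([byte[]]$Msg) {
    $flags = ([int]$Msg[2] -shl 8) -bor $Msg[3]
    $qd, $an, $ns = (4, 6, 8 | ForEach-Object { ([int]$Msg[$_] -shl 8) -bor $Msg[$_ + 1] })
    $aa    = ($flags -band 0x0400) -ne 0                           # Authoritative Answer bit
    $rcode = $flags -band 0x000F
    $off = 12
    for ($i = 0; $i -lt $qd; $i++) { $null = Read-DnsName $Msg ([ref]$off); $off += 4 }   # skip the question(s)
    $answers   = @(Read-DnsRecords $Msg ([ref]$off) $an)
    $authority = @(Read-DnsRecords $Msg ([ref]$off) $ns)
    $kind = if ($rcode -eq 3)         { 'negative answer: the name does not exist (NXDOMAIN)' }
        elseif ($rcode -ne 0)         { "error response, RCODE $rcode" }
        elseif ($answers.Count -gt 0) { 'positive answer' }
        elseif (@($authority | Where-Object Type -eq 6).Count -gt 0) { 'negative answer: the name exists but has no records of the queried type (NODATA, SOA in authority)' }
        elseif (@($authority | Where-Object Type -eq 2).Count -gt 0 -and -not $aa) { 'referral: the authority section lists the name servers to ask next' }
        else                          { 'empty response' }
    return "$(if ($aa) { 'Authoritative' } else { 'Non-authoritative' }) $kind"
}

function New-DnsResponse([int]$Flags, [string]$QName, [int]$QType, [hashtable[]]$Answer = @(), [hashtable[]]$Authority = @()) {
    # Records are @{Name; Type; Data=[byte[]]}. A record named like the question uses a pointer to offset 12, as real servers do.
    $bytes = [System.Collections.Generic.List[byte]]::new()
    $bytes.AddRange([byte[]](0x12, 0x34, ($Flags -shr 8), ($Flags -band 0xFF), 0, 1, 0, $Answer.Count, 0, $Authority.Count, 0, 0))
    $bytes.AddRange([byte[]](ConvertTo-DnsName $QName)); $bytes.AddRange([byte[]](0, $QType, 0, 1))
    foreach ($rr in ($Answer + $Authority)) {
        $bytes.AddRange([byte[]]$(if ($rr.Name -eq $QName) { [byte[]](0xC0, 0x0C) } else { ConvertTo-DnsName $rr.Name }))
        $bytes.AddRange([byte[]](0, $rr.Type, 0, 1, 0, 0, 0x0E, 0x10, ($rr.Data.Length -shr 8), ($rr.Data.Length -band 0xFF)))
        $bytes.AddRange([byte[]]$rr.Data)
    }
    return $bytes.ToArray()
}

# Constructed responses. Flags: 0x8000 QR, 0x0400 AA, 0x0100 RD, 0x0080 RA, low nibble RCODE.
$A   = [byte[]](192, 0, 2, 10)
$soa = [byte[]]((ConvertTo-DnsName 'ns1.example.com') + (ConvertTo-DnsName 'hostmaster.example.com') + [byte[]]::new(20))
$positive = New-DnsResponse -Flags 0x8580 -QName 'www.example.com'  -QType 1  -Answer    @{ Name = 'www.example.com'; Type = 1; Data = $A }
$referral = New-DnsResponse -Flags 0x8100 -QName 'www.example.com'  -QType 1  -Authority @{ Name = 'example.com'; Type = 2; Data = (ConvertTo-DnsName 'ns1.example.com') }
$nxdomain = New-DnsResponse -Flags 0x8583 -QName 'nope.example.com' -QType 1  -Authority @{ Name = 'example.com'; Type = 6; Data = $soa }
$nodata   = New-DnsResponse -Flags 0x8580 -QName 'www.example.com'  -QType 28 -Authority @{ Name = 'example.com'; Type = 6; Data = $soa }
foreach ($m in $positive, $referral, $nxdomain, $nodata) { Get-DnsResponseKind $m }
```

The referral is recognised by NS records in the authority section with the AA bit clear, and the two negative forms are told apart by RCODE 3 versus an SOA record in the authority section with an empty answer section. The pointer-loop check in Read-DnsName is not optional: a crafted response whose pointer points at itself would otherwise spin the parser forever.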
The FAT file system was initially introduced with the MS-DOS operating system (OS), when hard disks were much smaller and folder structures were far less intricate than they are in networks today. Every Microsoft OS since then has continued to support the FAT file system. FAT16 could only support a maximum partition size of 2 GB, which meant that a hard disk larger than 2 GB had to be divided into a number of smaller partitions, none exceeding 2 GB. The FAT file system protects files by storing two copies of the file allocation table on the volume; if one copy is corrupt, the other is used. The location of the file allocation table is specified in the BIOS Parameter Block (BPB) of the FAT boot sector, and the table is also stored at a fixed byte offset on the volume, which ensures that any files needed to start the system can be found. The numbers in the names of the different FAT file systems refer to the number of bits used for a file allocation table entry: FAT12 uses a 12-bit entry, FAT16 a 16-bit entry, and FAT32 a 32-bit entry (of which 28 bits are actually used for the cluster number). FAT16 works well on small disks with simple folder structures, while FAT32 works well on large disks with intricate folder structures. FAT16 works identically in MS-DOS, Windows 3.x, Windows 95, Windows 98 and Windows 2000. FAT32 was introduced with the second release of Windows 95 (OSR2) and works the same way in Windows 95 OSR2, Windows 98 and Windows 2000.
The root folder holds an entry for each file and folder stored in it, and on a FAT16 volume it has a fixed maximum of 512 entries. A file's or folder's entry contains the following information:

- Name: in 8.3 format
- Attribute: 8 bits
- Create time: 24 bits
- Create date: 16 bits
- Last access date: 16 bits
- Last modified time: 16 bits
- Last modified date: 16 bits
- Starting cluster number in the file allocation table: 16 bits
- File size: 32 bits

The attribute byte of an entry indicates what kind of entry it is and is generally controlled by the OS. Four bits of the attribute byte can be set or cleared by the user: Archive, System, Hidden and Read-only. Files are allocated the first available location on the FAT16 volume. The address of the first cluster used by the file is the starting cluster number in the directory entry. The file allocation table entry for each cluster holds the number of the next cluster in the file; the entry for the last cluster of the file instead holds an end-of-chain marker (0xFFF8 to 0xFFFF on FAT16). A few disadvantages of the FAT16 file system are:

- FAT16 has no local security for the file system and no compression features.
- The boot sector is not backed up.
- The root folder can hold at most 512 entries, and files with long names consume several entries each, which greatly reduces the number of entries available.
- FAT16 does not work well with large volumes.
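As an added example (not part of the original page), the PowerShell script below parses a 32-byte FAT directory entry and follows the file's cluster chain through a FAT16 table, which is what a forensic tool does when it recovers a deleted file whose first name byte has been overwritten with 0xE5. Field offsets follow the Microsoft FAT specification; the directory entry, the FAT and the 2048-byte cluster size are constructed for the example and do not come from a real volume. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original page): decode a FAT directory entry and
# walk a FAT16 cluster chain. The entry and FAT below are constructed.

$FatAttributeBits = @(@(0x01, 'ReadOnly'), @(0x02, 'Hidden'), @(0x04, 'System'),
                      @(0x08, 'VolumeLabel'), @(0x10, 'Directory'), @(0x20, 'Archive'))

function ConvertFrom-DosDateTime([int]$Date, [int]$Time) {
    # DOS date: 7 bits of year since 1980, 4 bits month, 5 bits day.
    # DOS time: 5 bits hour, 6 bits minute, 5 bits of seconds/2 (two-second resolution).
    if ($Date -eq 0) { return $null }                             # field not used on this entry
    [datetime]::new(1980 + ($Date -shr 9), ($Date -shr 5) -band 0x0F, $Date -band 0x1F,
                    $Time -shr 11, ($Time -shr 5) -band 0x3F, ($Time -band 0x1F) * 2)
}

function ConvertFrom-FatDirectoryEntry([byte[]]$Entry) {
    if ($Entry.Length -ne 32) { throw 'A FAT directory entry is exactly 32 bytes' }
    if ($Entry[0] -eq 0x00) { return $null }                      # never used: end of directory
    if ($Entry[11] -eq 0x0F) { return [pscustomobject]@{ Kind = 'LongNameFragment' } }   # VFAT long-name piece
    $deleted = $Entry[0] -eq 0xE5                                  # only the first name byte is lost on delete
    $base = [System.Text.Encoding]::ASCII.GetString($Entry, 0, 8)
    if ($deleted) { $base = '?' + $base.Substring(1) }
    $base = $base.TrimEnd()
    $ext  = [System.Text.Encoding]::ASCII.GetString($Entry, 8, 3).TrimEnd()
    $attr = [int]$Entry[11]
    [pscustomobject][ordered]@{
        Name         = $(if ($ext) { "$base.$ext" } else { $base })
        Deleted      = $deleted
        Attributes   = @(foreach ($bit in $FatAttributeBits) { if ($attr -band $bit[0]) { $bit[1] } }) -join ','
        Created      = ConvertFrom-DosDateTime ([BitConverter]::ToUInt16($Entry, 16)) ([BitConverter]::ToUInt16($Entry, 14))
        LastAccessed = ConvertFrom-DosDateTime ([BitConverter]::ToUInt16($Entry, 18)) 0
        Modified     = ConvertFrom-DosDateTime ([BitConverter]::ToUInt16($Entry, 24)) ([BitConverter]::ToUInt16($Entry, 22))
        # FAT32 stores the high word of the first cluster at offset 20; on FAT12/16 that word is reserved (0),
        # so the same expression works for both and generalises the 16-bit field described above.
        StartCluster = ([int][BitConverter]::ToUInt16($Entry, 20) -shl 16) -bor [BitConverter]::ToUInt16($Entry, 26)
        Size         = [BitConverter]::ToUInt32($Entry, 28)
    }
}

function Get-Fat16ClusterChain([byte[]]$Fat, [int]$Start) {
    # Each 16-bit FAT entry holds the next cluster; 0xFFF8-0xFFFF ends the chain, 0xFFF7 marks a bad cluster.
    $chain = [System.Collections.Generic.List[int]]::new(); $seen = @{}; $c = $Start
    while ($c -ge 2 -and $c -lt 0xFFF7) {
        if ($seen.ContainsKey($c)) { throw "Cluster $c appears twice: the chain loops (FAT corruption)" }
        $seen[$c] = $true; $chain.Add($c)
        $c = [BitConverter]::ToUInt16($Fat, 2 * $c)
    }
    if ($c -eq 0xFFF7) { throw "Chain runs into a bad-cluster marker after cluster $($chain[$chain.Count - 1])" }
    if ($c -lt 2)      { throw "Chain ended on a free or reserved entry (0x$($c.ToString('X4'))) instead of an end-of-chain marker" }
    return $chain.ToArray()
}

# Constructed entry: README.TXT, Archive set, created and modified 2004-05-17 14:30:20, first cluster 3, 5000 bytes.
$entry = [byte[]](
    0x52, 0x45, 0x41, 0x44, 0x4D, 0x45, 0x20, 0x20, 0x54, 0x58, 0x54,   # "README  TXT"
    0x20, 0x00, 0x00,                                                   # attributes, NT reserved, create-time tenths
    0xCA, 0x73, 0xB1, 0x30,                                             # create time 14:30:20, create date 2004-05-17
    0xB1, 0x30, 0x00, 0x00,                                             # last access date, first-cluster high word
    0xCA, 0x73, 0xB1, 0x30,                                             # write time, write date
    0x03, 0x00, 0x88, 0x13, 0x00, 0x00)                                 # first cluster 3, size 0x1388 = 5000

# Constructed FAT16 (first eight entries): 3 -> 4 -> 7 -> end of chain; clusters 5 and 6 are free.
$fat = [byte[]](0xF8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF)

$file  = ConvertFrom-FatDirectoryEntry $entry
$chain = Get-Fat16ClusterChain -Fat $fat -Start $file.StartCluster
$clusterSize = 2048                                               # assumed bytes per cluster for this volume
$needed = [math]::Ceiling($file.Size / $clusterSize)
if ($chain.Count -ne $needed) { Write-Warning "size needs $needed clusters but the chain has $($chain.Count): cross-linked or truncated file" }
$file | Format-List
"Cluster chain: $($chain -join ' -> ')"
```

The consistency check at the end is the one worth keeping in any carving tool: a chain shorter than the file size implies truncation or a cross-link, and a chain that revisits a cluster means the FAT itself is damaged, which the walker reports instead of looping.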
FAT32 does however need 4 bytes in the file allocation table to store each cluster value. This required revising or expanding internal data structures, on-disk data structures and published APIs. A few disadvantages of the FAT32 file system are:

- Like FAT16, FAT32 has no local security for the file system and no compression features.
- MS-DOS, the original release of Windows 95 and Windows NT 4.0 cannot access or read FAT32 partitions.
- Neither FAT16 nor FAT32 scales well: the file allocation table grows as the volume grows.
An Overview of NTFS
In order to store data on a local partition on a Windows server, you have to format the partition with a file system. The file system you choose influences the way data is stored on the disk and determines what security can be defined for the folders and files stored on the partition. Although Windows servers support the File Allocation Table (FAT) file system, the NT file system (NTFS) and CDFS (Compact Disc File System), the file systems generally used for local partitions are FAT and NTFS.

The FAT partitions used by operating systems such as MS-DOS, Windows 95, Windows 98 and Windows Me provide no file-system security: there is no way to restrict what a user can do with files once that user has logged on. Any data stored on a FAT partition is therefore available to every user who shares the same computer. The FAT file system also has no support for file compression or encryption, and you cannot store Macintosh files on FAT partitions. Because Windows 2000, Windows XP and Windows Server 2003 support FAT32, you may choose to configure FAT32 partitions if you need to dual-boot with Windows 95, Windows 98 or Windows Me.

NTFS partitions, on the other hand, let you secure the file system itself. NTFS permissions control the access that users and groups have to files and folders on NTFS partitions: you can set an access level for each user on the folders and files hosted on NTFS partitions, and you can allow or deny access to specific NTFS files and folders. In this way NTFS supports local security. The NTFS file system also provides encryption, disk quotas, file compression, mounted drives, the NTFS change journal and multiple data streams. You can also store Macintosh files on NTFS partitions.
- NTFS 4.0: The version of NTFS used with Windows NT 4.0 (internally version 1.2). Although it supports access control on files and folders and file compression, it does not support most of the Windows 2000 and Windows Server 2003 file system features.
- NTFS 5.0: The version of NTFS used with Windows 2000 and Windows Server 2003 (internally versions 3.0 and 3.1). It supports all the NTFS features mentioned above. Windows NT 4.0 systems running Service Pack 4 or later are able to read NTFS 5.0 volumes, although they cannot use the newer features.
The key differences between NTFS 4.0 and NTFS 5.0 are summarized below:

- Maximum volume size:
  - NTFS 4.0: 32 GB
  - NTFS 5.0: 2 terabytes on Master Boot Record (MBR) disks, and 18 exabytes on GUID Partition Table (GPT) disks
- Maximum file size:
  - NTFS 4.0: 32 GB
  - NTFS 5.0: limited only by the size of the volume
- Support for encryption, disk quotas, sparse files, remote storage and Active Directory structures:
  - NTFS 4.0: not supported
  - NTFS 5.0: supported
NTFS permissions control access to files and folders on NTFS partitions. You can specify access permissions on files and folders that control which users can access them, and what level of access each user or group is allowed. NTFS permissions are more precise than share permissions: share permissions can only be set on shared folders, whereas NTFS permissions can be set on both folders and files. On NTFS partitions, permissions apply to users who access the computer locally as well as to users who access a shared NTFS folder over the network.
By default, permissions on NTFS volumes are inheritable: files and subfolders inherit permissions from their parent folder. You can, however, configure files and subfolders not to inherit permissions from their parent folder. NTFS permissions can be specified at the file level and the folder level. The NTFS permissions that can be set at the folder level are:

- Full Control: The user can view or change a folder's attributes and permissions and take ownership of it, create, modify and delete folders, traverse folders and execute program files stored in them, and compress files.
- Modify: The user can change a folder's properties, create new folders and files, and delete the folder (everything Read and Execute and Write allow, plus Delete).
- Read and Execute: The user can traverse folders and execute files in them, list a folder's contents, and view the folder's attributes.
- List Folder Contents: The user can traverse folders, list the contents of a folder, and view a folder's attributes.
- Read: The user can view the folder and its attributes, permissions and ownership, and see the subfolders and files stored in it.
- Write: The user can create new folders, subfolders and files in the folder, and change the folder's attributes.
The NTFS permissions that can be set at the file level are:

- Full Control: The user can view or change a file's attributes and permissions, take ownership of it, read, write and append data, delete it, compress it, and execute it.
- Modify: The user can change a file's properties, write data to it, delete it, and view its attributes (everything Read and Execute and Write allow, plus Delete).
- Read and Execute: The user can execute the file and view its attributes (everything Read allows, plus execute).
- Read: The user can view the file and its attributes, permissions and ownership.
- Write: The user can change the file's attributes, write data to it and overwrite it, and view its ownership and permissions.
With Windows Server 2003, basic NTFS permissions are assigned to five default users and groups when a new NTFS partition is created. The users/groups and their default permissions are:

- Administrators: Full Control (Allow)
- System: Full Control (Allow)
- Users: Read, Read and Execute, and List Folder Contents (Allow)
- Creator Owner: no default permissions set
- Everyone: no default permissions set
Before you can apply NTFS permissions, the disk partition has to be formatted as NTFS. NTFS permissions are applied through Windows Explorer: right-click the file or folder whose access you want to control and select Properties from the shortcut menu. The Properties dialog box of an NTFS file or folder contains a Security tab, which is the tab used to apply NTFS permissions.
How to configure NTFS permissions for files and folders on NTFS partitions
1. Open Windows Explorer.
2. Right-click the file or folder whose access you want to control, and click Properties on the shortcut menu.
3. When the Properties dialog box of the folder/file opens, click the Security tab.
4. If you want to specify new permissions, click the Add button. The Select Users, Computers, Or Groups dialog box opens.
5. In the Enter The Object Names To Select section of the dialog box, enter the name of the user or group you want to specify permissions for.
6. Click OK.
7. When the Security tab reappears, highlight the user or group in the topmost box, and then set the permissions that should apply to that user or group.
8. Click OK.
The Advanced Security Settings dialog box, opened with the Advanced button on the Security tab, has two inheritance checkboxes:

- Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
- Replace permission entries on all child objects with entries shown here that apply to child objects.

When you clear the first checkbox, a security dialog box appears that lets you either remove the existing inherited permissions completely (Remove) or convert them into explicit permissions on the object (Copy). Converting is usually the safer choice: removing every inherited entry can leave a folder that nobody except its owner can open.
When you edit an entry on the Permissions tab of the Advanced Security Settings dialog box, the Permission Entry dialog box opens. It contains the following:

- The Change button can be used to modify the user or group shown in the Name box.
- The Allow and Deny checkboxes are used to set the individual permission entries.
- The Apply Onto drop-down list box is used to choose which objects (this folder, subfolders, files) the special permissions apply to.

The NTFS special permissions are:

- Full Control: The user can perform all the special permissions listed below.
- Traverse Folder/Execute File: Traverse Folder allows users to navigate through folders to reach files and folders beneath the location at which the permission is applied. Execute File allows program files to be run.
- List Folder/Read Data: List Folder allows or denies viewing the names of the files and subfolders in a folder. Read Data allows or denies reading the data in files.
- Read Attributes: Allows or denies reading the attributes of folders and files.
- Read Extended Attributes: Allows or denies reading the extended attributes of folders and files.
- Create Files/Write Data: Create Files allows or denies creating new files in a folder. Write Data allows or denies making changes to a file and overwriting it.
- Create Folders/Append Data: Create Folders allows or denies creating new subfolders in a folder. Append Data allows or denies adding data to the end of a file without changing existing data.
- Write Attributes: Allows or denies changing the attributes of a folder or file.
- Write Extended Attributes: Allows or denies changing the extended attributes of a folder or file.
- Delete Subfolders and Files: Allows files and subfolders to be deleted even when the Delete permission is not granted on the subfolder or file itself.
- Delete: Allows the file or folder to be deleted.
- Read Permissions: Allows the permissions applied to folders and files to be viewed.
- Change Permissions: Allows the permissions applied to folders and files to be changed.
- Take Ownership: Allows the user to take ownership of the file or folder.
A user's effective permissions on a file or folder are the result of combining:

- Permissions assigned to the user individually
- Permissions inherited from parent folders
- Permissions assigned to the groups the user belongs to

Deny entries override Allow entries, except that an explicit entry on the object itself takes precedence over an inherited one. You can view the effective permissions of a user on the Effective Permissions tab of the Advanced Security Settings dialog box.
1. Open Windows Explorer.
2. Right-click the file or folder and choose Properties from the shortcut menu.
3. When the Properties dialog box of the file/folder opens, click the Security tab.
4. Click the Advanced button to open the Advanced Security Settings dialog box.
5. When the Advanced Security Settings dialog box opens, click the Effective Permissions tab.
6. To specify the user or group whose effective permissions you want to determine, click Select, enter the name of the user or group, and click OK.
7. The effective permissions for the user or group you chose are displayed.
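The PowerShell script below is an added example, not code from the original page or from Windows itself: it models how the Effective Permissions tab arrives at its answer. The function walks the ACL the way the Windows access check does: entries in canonical order (explicit before inherited, Deny before Allow at each level), a Deny that touches any requested right ends the check, and Allow entries accumulate until every requested right is covered; the owner's implicit Read Permissions and Change Permissions rights are included. The users, groups and entries are constructed for the example (real entries come from Get-Acl), and the rights are the real .NET FileSystemRights values. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original page): a model of the Windows access check
# that produces the effective permissions. Principals and ACEs are constructed.

function New-Ace([string]$Identity, [string]$Type, [string]$Mask, [bool]$Inherited = $false) {
    [pscustomobject]@{ Identity = $Identity; Type = $Type
                       Rights = [System.Security.AccessControl.FileSystemRights]$Mask; Inherited = $Inherited }
}

function Test-Access {
    param([object[]]$Acl, [string[]]$Principal, [string]$Owner,
          [System.Security.AccessControl.FileSystemRights]$Requested)
    # $Principal is the user plus every group in the user's token.
    # Canonical order: explicit entries before inherited ones, Deny before Allow within each level.
    $ordered = $Acl | Sort-Object @{ Expression = 'Inherited' }, @{ Expression = { $_.Type -ne 'Deny' } }
    $granted = [System.Security.AccessControl.FileSystemRights]0
    if ($Owner -and $Principal -contains $Owner) {
        # The owner always holds READ_CONTROL and WRITE_DAC, whatever the DACL says.
        $granted = [System.Security.AccessControl.FileSystemRights]'ReadPermissions, ChangePermissions' -band $Requested
        if ($granted -eq $Requested) { return $true }
    }
    foreach ($ace in $ordered) {
        if ($Principal -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Deny' -and [int]($ace.Rights -band $Requested) -ne 0) { return $false }   # a matching Deny ends the walk
        if ($ace.Type -eq 'Allow') { $granted = $granted -bor ($ace.Rights -band $Requested) }
        if ($granted -eq $Requested) { return $true }                                           # everything requested is covered
    }
    return $false    # reached the end of the DACL with rights still missing
}

function Get-EffectiveRights([object[]]$Acl, [string[]]$Principal, [string]$Owner) {
    # Test each single-bit right on its own, which is what the Effective Permissions tab reports.
    $bits = [Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) | ForEach-Object { [int]$_ } |
            Sort-Object -Unique | Where-Object { $_ -ne 0 -and ($_ -band ($_ - 1)) -eq 0 }
    $mask = 0
    foreach ($b in $bits) {
        if (Test-Access -Acl $Acl -Principal $Principal -Owner $Owner -Requested $b) { $mask = $mask -bor $b }
    }
    return [System.Security.AccessControl.FileSystemRights]$mask
}

# Constructed scenario: Alice is a member of Users and Marketing. The parent folder denies
# Marketing write access (inherited here), and an administrator added an explicit Allow Modify for Alice.
$acl = @(
    (New-Ace 'CORP\Marketing' Deny  'Write'          -Inherited $true),
    (New-Ace 'BUILTIN\Users'  Allow 'ReadAndExecute' -Inherited $true),
    (New-Ace 'CORP\Alice'     Allow 'Modify')
)
$token = 'CORP\Alice', 'BUILTIN\Users', 'CORP\Marketing'

# The explicit Allow is evaluated before the inherited Deny, so the write is granted.
Test-Access -Acl $acl -Principal $token -Owner 'CORP\Bob' -Requested 'Write'
# Full Control is not: the inherited Deny intersects the request before every bit is covered.
Test-Access -Acl $acl -Principal $token -Owner 'CORP\Bob' -Requested 'FullControl'
Get-EffectiveRights -Acl $acl -Principal $token -Owner 'CORP\Bob'

# Make the Deny explicit on this object (clear the inheritance checkbox, choose Copy, keep the entry):
# it now sorts ahead of Alice's Allow and wins.
$acl2 = $acl | ForEach-Object { if ($_.Type -eq 'Deny') { New-Ace $_.Identity Deny 'Write' } else { $_ } }
Test-Access -Acl $acl2 -Principal $token -Owner 'CORP\Bob' -Requested 'Write'
```

Two things the model makes visible that the dialog does not: the result depends on the order of the entries, not only on their contents, and the Effective Permissions tab works from group membership alone, so it does not account for share permissions or for logon-specific SIDs such as Interactive or Network.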
Whether a file keeps its NTFS permissions when it is moved or copied depends on:

- Whether the file was moved to an NTFS volume or to a partition that is not NTFS formatted, such as a FAT partition
- Whether the file was copied to a different location on the same NTFS volume, or to a different NTFS volume
- Whether the file was moved or copied

The following rules determine whether a moved or copied NTFS file retains its prior permissions:

- Files copied or moved to FAT partitions lose all of their NTFS permissions, because FAT has nowhere to store them.
- Files moved from one folder to a different location on the same NTFS volume keep all of their prior NTFS permissions.
- Files copied from one folder to a different location on the same NTFS volume inherit the NTFS permissions of the destination folder.
- Files moved from one folder to a folder on a different NTFS volume inherit the NTFS permissions of the destination folder (a move across volumes is really a copy followed by a delete).
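The PowerShell script below is an added example, not part of the original page: it demonstrates the same-volume copy and move rules on a real NTFS volume. It creates a throwaway folder under %TEMP%, grants a distinctive inheritable entry on the source folder and a different one on the destination folder, then copies and moves a file and reports which of the two marker entries each result carries and whether the entry is inherited. The identities are well-known SIDs (Authenticated Users and Guests) so the script does not depend on local account names; the folder names and file contents are constructed. Run it as a normal user in Windows PowerShell 5.1 or later on Windows; it removes everything it creates.

```powershell
# Added example (not from the original page): show which ACEs a copied and a moved
# file end up with on the same NTFS volume. Everything it creates lives under
# %TEMP% and is deleted at the end.

$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$Guests             = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Add-FolderAce([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid, [string]$Rights) {
    # Adds an inheritable Allow entry; Set-Acl needs the same object Get-Acl returned.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, $Rights, $Inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-MarkerAces([string]$Path) {
    # Report only the two marker identities so the inherited system entries do not clutter the output.
    $markers = $AuthenticatedUsers.Value, $Guests.Value
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -in $markers } |
        ForEach-Object {
            '{0} {1} {2} ({3})' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights,
                                  $(if ($_.IsInherited) { 'inherited' } else { 'explicit' })
        }
}

function Test-NtfsCopyMoveRules {
    $root = Join-Path $env:TEMP ('ntfs-acl-demo-' + [guid]::NewGuid().ToString('N'))
    $src = Join-Path $root 'Src'; $dst = Join-Path $root 'Dst'
    New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null
    try {
        Add-FolderAce -Path $src -Sid $AuthenticatedUsers -Rights 'Write'   # marker that exists only under Src
        Add-FolderAce -Path $dst -Sid $Guests -Rights 'Read'                # marker that exists only under Dst
        $file = Join-Path $src 'report.txt'
        Set-Content -Path $file -Value 'constructed sample data'
        Copy-Item -Path $file -Destination (Join-Path $dst 'copied.txt')
        Move-Item -Path $file -Destination (Join-Path $dst 'moved.txt')
        [pscustomobject]@{
            Original = 'inherited Authenticated Users Write from Src (before the move)'
            Copied   = Get-MarkerAces (Join-Path $dst 'copied.txt')   # a new file: inherits from Dst only
            Moved    = Get-MarkerAces (Join-Path $dst 'moved.txt')    # a rename: keeps the DACL it had under Src
        }
    } finally {
        Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Test-NtfsCopyMoveRules | Format-List
```

The copied file shows only the Guests entry, inherited from the destination. The moved file still shows the Authenticated Users Write entry, flagged as inherited even though its new parent no longer grants it: a rename on the same volume does not touch the security descriptor, so that entry remains effective until inheritance is propagated again (for example by applying the destination folder's permissions to its child objects from the Advanced Security Settings dialog). Windows Explorer on Windows Vista and later re-applies inheritance after a move; Move-Item and the underlying MoveFile call do not, so that is the behaviour the page's rule describes.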
To set up auditing for a file or folder:
1. Right-click the folder or file you want to set auditing for and choose Properties from the shortcut menu.
2. Click the Security tab when the Properties dialog box of the file or folder opens.
3. Click the Advanced button.
4. When the Advanced Security Settings dialog box opens, click the Auditing tab.
5. Click the Add button to open the Select User, Computer, Or Group dialog box.
6. Insert the names of the users or groups whose actions you want to track. Click OK.
7. When the Auditing Entry For Data dialog box is displayed, select the events that should be audited.
For clients to access shadow copies, they need to have the Previous Versions Client software installed. The software can be found in the %windir%\system32\clients\twclient folder. The software can be distributed or deployed via Group Policy, Systems Management Server (SMS), or you can create a share so that clients can download the necessary software. You can enable shadow copies through the Computer Management console, which can be accessed through the Administrative Tools folder. Shadow copies are enabled from the Shared Folders folder in the left pane of the Computer Management console. To navigate to the Shared Folders folder, expand System Tools. To open the Shadow Copies dialog box, right-click Shared Folders, select All Tasks, and then click the Configure Shadow Copies option on the shortcut menu. This is the location where you manage and configure the volume shadow copies feature. The Shadow Copies dialog box is made up of the following panes:
The uppermost pane of the Shadow Copies dialog box is where you enable shadow copies for the particular volume. To enable shadow copies, click the Enable button. If you do not want a volume to use shadow copies, click the Disable button. To change the configuration settings of existing enabled shadow copies, click the Settings button to open the Settings dialog box. The Settings dialog box is divided into the following two sections:
- Storage Area: This is where you change the storage location of shadow copies, and the amount of space used to store shadow copies.
- Schedule: This is where you configure how often, or when, shadow copies are to be created.
The settings which you can configure for enabled shadow copies on the Settings dialog box are:
- Location on this volume drop-down list box: This drop-down list box is used to specify the volume on the server on which the shadow copies are to be stored. In cases where only one volume exists, this is the volume which is automatically selected, and you are unable to select other volumes.
- Details button: Click this button to view information on the disk space available, and the total disk space.
- Maximum Size - No limit option: To specify that unlimited disk space can be used to store shadow copies, click the No limit option under the Maximum Size option.
- Maximum Size - Use Limit option: To specify the disk space which can be used to store shadow copies, click the Use Limit option under the Maximum Size option, and then set how much disk space, in megabytes (MB), can be used to store shadow copies.
- Schedule button: To specify the interval when shadow copies are created, click the Schedule button. The intervals which can be set for when shadow copies are created are:
  - Daily
  - Weekly
  - Monthly
  - Once
  - At System Startup
  - At Logon
  - When idle
The bottom pane of the Shadow Copies dialog box displays a list of all the existing shadow copies which have been created.
After you have configured the schedule for the shadow copies, click OK. To close the Shadow Copies dialog box, click OK.
To copy a previous version of a particular file to a different location, click the Copy button on the Previous Versions tab. When the Copy Items dialog box opens, specify the location to which you want to copy the previous version of the file. To replace the current version of a particular file with a previous version of the file, click the Restore button on the Previous Versions tab. Click Yes to the message which appears, warning you that the current version of the file will be replaced with this particular previous version of the file. To access shadow copies from a client that has the Previous Versions Client software installed:
1. Open Windows Explorer.
2. Right-click the particular network share, and then click Properties from the shortcut menu.
3. Click the Previous Versions tab.
4. Click the previous version which you want to work with, and then select one of the following buttons:
   - Click View to view a previous file version.
   - Click Copy to copy the shadow copy to a different location.
   - Click Restore to replace the existing version with a previous version.
How to install the Previous Versions Client software and view files from shadow copies
1. Open Windows Explorer.
2. Navigate to the system32\clients\twclient folder on the server to access the Windows Installer package.
3. Double-click the Windows Installer package. The Previous Versions Client Wizard launches next.
4. On the initial page of the Wizard, click Next to install the Previous Versions Client software.
5. Once the Previous Versions Client software is installed, access the Properties of the particular folder or file through a shared folder.
6. Click the Previous Versions tab.
7. Choose the previous version of the file that you want to work with, and click the View button.
To delete a shadow copy:
1. On the Shadow Copies tab, choose the volume from the Select A Volume listing. The Shadow Copies Of Selected Volume area displays all the shadow copies of the volume which you have selected.
2. Select the shadow copy that must be deleted, and click the Delete Now button.
- Shadow copies should not be utilized as a replacement for regular backups. You should therefore continue to perform regular backups of the system.
- Shadow copies should not be utilized on dual boot computers, because a previous version could become corrupted if the computer is booted to an operating system (OS) which is not Windows Server 2003. Enable shadow copies only on computers running Windows Server 2003.
- Be careful when determining the amount of hard disk space needed for shadow copies. If you configure the limit too small, you could have an insufficient quantity of shadow copies created.
- When shadow copies are enabled, remember that mounted drives are excluded when shadow copies are created.
- When you define the schedule for shadow copies, base it on when users make changes to files. For instance, it would be unnecessary to schedule shadow copies to be created over the weekend if files are not modified during this time frame. It is recommended not to schedule shadow copies to take place at an interval greater than once per hour. The interval or frequency at which you configure shadow copies to be created affects how space is utilized.
- You have to restore a shadow copy to change the contents of a shadow copy.
- A file that is restored keeps its file permissions. If you recover a deleted file, the file's permissions are the default permissions of the directory.
- Before you disable shadow copies on a volume, delete the shadow copies schedule.
IPSec Overview
IPSec is a suite of protocols which was designed by the Internet Engineering Task Force (IETF) to protect data by signing and encrypting data before it is transmitted over public networks. The IETF Requests for Comments (RFCs) 2401-2409 define the IPSec protocols with regard to security protocols, security associations and key management, and authentication and encryption algorithms. IPSec is a framework of open standards for encrypting TCP/IP traffic within networking environments. IPSec works by encrypting the information contained in IP datagrams through encapsulation. This in turn provides network level data integrity, data confidentiality, data origin authentication, and replay protection. The primary features of IPSec are:
- Authentication; protects the private network and the private data it contains. IPSec secures private data from man-in-the-middle attacks, from attackers attempting to access the network, and from an attacker changing the contents of data packets.
- Encryption; conceals the actual content of data packets so that it cannot be interpreted by unauthorized parties.
IPSec can be used to provide packet filtering capabilities. It can also authenticate traffic between two hosts and encrypt traffic passed between the hosts. IPSec can be used to create a virtual private network (VPN). IPSec can also be used to enable communication between remote offices and remote access clients over the Internet. IPSec operates at the network layer to provide end-to-end encryption. This basically means that data is encrypted at the source computer sending the data. All intermediate systems handle the encrypted portion of the packets as payload. Intermediate systems such as routers merely forward the packet to its end destination. Intermediate systems do not decrypt the encrypted data. The encrypted data is only decrypted when it reaches the destination.
IPSec interfaces with the TCP/UDP transport layer and the Internet layer, and is applied transparently to applications. IPSec is transparent to users as well. This basically means that IPSec can provide security for most of the protocols within the TCP/IP protocol suite. When it comes to applications, all applications that use TCP/IP can enjoy the security features of IPSec. You do not have to configure security for each specific TCP/IP based application. By using rules and filters, IPSec can receive network traffic and select the required security protocols, determine which algorithms to use, and apply the cryptographic keys required by any of the services. The security features and capabilities of IPSec can be used to secure the private network and private confidential data from the following:
- Denial-of-service (DoS) attacks
- Data pilfering
- Data corruption
- Theft of user credentials
In Windows Server 2003, IPSec uses the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol to provide data security on:
- Client computers
- Domain servers
- Corporate workgroups
- Local area networks (LANs)
- Wide area networks (WANs)
- Remote offices
The security functions and features provided by IPSec are summarized below:
- Authentication; a digital signature is used to verify the identity of the sender of the information. IPSec can use Kerberos, a preshared key, or digital certificates for authentication.
- Data integrity; a hash algorithm is used to ensure that data is not tampered with. A checksum called a hash message authentication code (HMAC) is calculated for the data of the packet. When a packet is modified while in transit, the calculated HMAC changes. This change will be detected by the receiving computer.
- Data privacy; encryption algorithms are utilized to ensure that data being transmitted is undecipherable.
- Anti-replay; prevents an attacker from resending packets in an attempt to gain access to the private network.
- Nonrepudiation; public key digital signatures are used to prove message origin.
- Dynamic rekeying; keys can be created during data sending to protect segments of the communication with different keys.
- Key generation; the Diffie-Hellman key agreement algorithm is used to enable two computers to exchange a shared encryption key.
- IP packet filtering; the packet filtering capability of IPSec can be used to filter and block specific types of traffic, based on either of the following elements or on a combination of them:
  - IP addresses
  - Protocols
  - Ports
- Kerberos 5 authentication is the default authentication method used by IPSec policies to verify the identity of computers.
- IPSec is backward compatible with the Windows 2000 Security Framework.
- If a local policy or Active Directory based policy cannot be applied to a computer, you now have the option of creating a persistent policy for the specific computer. The characteristics of persistent policies are:
  - Persistent policies can only be configured through the Netsh command-line utility.
  - Persistent policies are always positive.
  - Persistent policies cannot be overridden.
- In Windows Server 2003 IPSec deployments, only Internet Key Exchange (IKE) traffic is exempt from IPSec. Previously, Resource Reservation Protocol (RSVP) traffic, Kerberos traffic, and IKE traffic were exempt from IPSec.
- IPSec in Windows Server 2003 includes support for the Group 3 2048-bit Diffie-Hellman key exchange. The Group 3 key is much stronger and more complex than the previous Group 2 1024-bit Diffie-Hellman key exchange. If, however, you need backward compatibility with Windows 2000 and Windows XP, then you have to use the Group 2 1024-bit Diffie-Hellman key exchange.
- IPSec ESP packets can pass over Network Address Translation (NAT) through User Datagram Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation in Windows Server 2003 IPSec deployments.
- Internet Key Exchange (IKE): The IKE protocol is used by computers to create a security association (SA) and to exchange information to generate Diffie-Hellman keys. IKE manages and exchanges cryptographic keys so that computers can have a common set of security settings. Negotiation occurs on which authentication method, encryption algorithm and hashing algorithm the computers will use.
- IPSec Driver: The IPSec driver performs a number of operations to enable secure network communication, including the following:
  - Creates IPSec packets
  - Generates checksums
  - Initiates the IKE communication
  - Adds the AH and ESP headers
  - Encrypts data before it is transmitted
  - Calculates hashes and checksums for incoming packets
- IPSec Policies: IPSec policies define when and how data should be secured, and define which security methods to use for securing data. IPSec policies contain a number of elements:
  - Actions
  - Rules
  - Filter lists
  - Filter actions
- IPSec Policy Agent: This is a service running on a computer running Windows Server 2003 that accesses IPSec policy information. The IPSec Policy Agent accesses the IPSec policy information in either the Windows registry or in Active Directory.
- Oakley key determination protocol: The Diffie-Hellman algorithm is used for two authenticated entities to negotiate and agree on a secret key.
- Security Association (SA): An SA is a relationship between devices that defines how they use security services and settings.
- Triple Data Encryption (3DES): This is a strong encryption algorithm used on client machines running Windows, and on Windows Server 2003 computers. 3DES uses 56-bit keys for encryption.
The security association (SA) contains the following:
- The policy agreement which dictates which algorithms and key lengths the two computers will use to secure data.
- The security keys used to secure data communication.
- The security parameters index (SPI).
With IPSec, two separate SAs are established, one for each direction of data communication:
- One SA secures inbound traffic.
- One SA secures outbound traffic.
In addition to the above, there is a unique SA for each IPSec security protocol. There are therefore basically two types of SAs:
- ISAKMP SA: When traffic flow is two directional and IPSec needs to establish a connection between computers, an ISAKMP SA is established. The ISAKMP SA defines and handles security parameters between the two computers. The two computers agree on a number of elements to establish the ISAKMP SA:
  - Determine which connections should be authenticated.
  - Determine the encryption algorithm to use.
  - Determine the algorithm to verify message integrity.
  After the above elements have been negotiated between the two computers, the computers use the Oakley protocol to agree on the ISAKMP master key. This is the shared master key which will be used with the above elements to enable secure data communication. After a secured communication channel is established between the two computers, the computers start to negotiate the following elements:
  - Determine whether the Authentication Header (AH) IPSec protocol should be used for the connection.
  - Determine the authentication protocol which should be used with the AH protocol for the connection.
  - Determine whether the Encapsulating Security Payload (ESP) IPSec protocol should be used for the connection.
  - Determine the encryption algorithm which should be used with the ESP protocol for the connection.
- IPSec SA: IPSec SAs pertain to the IPSec tunnel and IP packet, and define the security parameters to use during a connection. The IPSec SA is derived from the four elements just negotiated between the two computers.
To secure and protect data, IPSec uses cryptography to provide the following capabilities:
- Authentication: Authentication deals with verifying the identity of the computer sending the data, or the identity of the computer receiving the data. The methods which IPSec can use to authenticate the sender or receiver of data are:
  - Digital certificates: Provide the most secure means of authenticating identities. Certificate authorities (CAs) such as Netscape, Entrust, VeriSign, and Microsoft provide certificates which can be used for authentication purposes.
  - Kerberos authentication: A downside of using the Kerberos v5 authentication protocol is that the identity of the computer remains unencrypted up to the point that the whole payload is encrypted at authentication.
  - Pre-shared keys; should be used when none of the former authentication methods can be used.
  Anti-replay ensures that the authentication data cannot be interpreted as it is sent over the network. In addition to authentication, IPSec can provide nonrepudiation. With nonrepudiation, the sender of the data cannot at a later stage deny actually sending the data.
- Data integrity: Data integrity deals with ensuring that the data received at the recipient has not been tampered with. A hashing algorithm is used to ensure that the data is not modified as it is passed over the network. The hashing algorithms which can be used by IPSec are:
  - Message Digest (MD5); a one-way hash that results in a 128-bit hash which is used for integrity checking.
  - Secure Hash Algorithm 1 (SHA1); uses a 160-bit secret key to generate a 160-bit message digest, which provides more security than MD5.
- Data confidentiality: IPSec ensures data confidentiality by applying encryption algorithms to data before it is sent over the network. If the data is intercepted, encryption ensures that the intruder cannot interpret the data. To ensure data confidentiality, IPSec can use either of the following encryption algorithms:
  - Data Encryption Standard (DES); the default encryption algorithm used in Windows Server 2003, which uses 56-bit encryption.
  - Triple DES (3DES); data is encrypted with one key, decrypted with another key, and encrypted again with a different key.
  - 40-bit DES; the least secure encryption algorithm.
- Tunnel Mode: Data is transmitted using unprotected IP datagrams from a computer on the private network. When the packets arrive at the router, the router encapsulates the packet using IPSec security protocols. The router then forwards the packet to the router at the other end of the connection. This router checks the integrity of the packet. The packet is decrypted. The data of the packet is then added to unprotected IP datagrams and sent to the destination computer on the private network.
- Transport Mode: This is the default mode of operation used by IPSec, in which only the IP payload is encrypted through the AH protocol or ESP protocol. Transport mode is used for end-to-end communication security between two computers on the network.
IPSec Components
The primary two components installed when IPSec is deployed are:
- IPSec Policy Agent: This is a service running on a computer running Windows Server 2003 that accesses IPSec policy information. The IPSec Policy Agent accesses the IPSec policy information in either the Windows registry or in Active Directory. The main functions which the IPSec Policy Agent provides are listed below:
  - The IPSec Policy Agent passes information to the IPSec driver.
  - The IPSec Policy Agent accesses IPSec policy information from the local Windows registry when the computer does not belong to a domain.
  - The IPSec Policy Agent accesses IPSec policy information from Active Directory when the computer is a member of a domain.
  - The IPSec Policy Agent scans IPSec policies for any configuration changes.
- IPSec driver: The IPSec driver performs a number of operations to enable secure network communication, including the following:
  - Creates IPSec packets
  - Generates checksums
  - Initiates the IKE communication
  - Adds the AH and ESP headers
  - Encrypts data before it is transmitted
  - Calculates hashes and checksums for incoming packets
- Data integrity
- Data confidentiality
The primary difference between the AH protocol and the ESP protocol is that the ESP protocol provides all the security services provided by the AH protocol, together with data confidentiality through encryption. ESP can be used on its own, and it can be used together with the AH protocol. In transport mode, the ESP protocol only signs and protects the IP payload. The IP header is not protected. If the ESP protocol is used together with the AH protocol, then the entire packet is signed. ESP inserts an ESP header and an ESP trailer, which together enclose the payload of the IP datagram. All data after the ESP header up to the ESP trailer, together with the ESP trailer itself, is encrypted. The fields within an ESP header, together with the role performed by each field, are listed here:
- Security Parameters Index (SPI); indicates the correct security association for the communication through a combination of the following:
  - IPSec security protocol
  - Destination IP address
- Sequence Number; used to provide IPSec anti-replay protection for the communication. The sequence number commences at 1, and is incremented by 1 in each ensuing packet. Packets that have the same sequence number and security association are discarded.
The fields within an ESP trailer, together with the role performed by each field, are listed here:
- Padding; required by the encryption algorithm to ensure that byte boundaries are present.
- Padding Length; indicates the length (in bytes) of the padding which was used in the Padding field.
- Next Header; used to specify the type of IP payload through the IP protocol ID.
- Authentication Data; holds the integrity check value (ICV) calculated by the sending computer to provide data integrity and authentication. The receiving computer calculates the ICV over the IP header, AH header, and IP payload, and then compares the two ICV values.
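The SPI and Sequence Number fields above are what a receiver uses to enforce the anti-replay rule (a repeated sequence number on the same SA is discarded). The Python below is an added example, not code from the page: it parses the two header fields and keeps one replay window per (SPI, destination) SA. The 64-packet sliding window, which also lets late-but-unseen packets through, is an assumption borrowed from common IPsec implementations and goes beyond the page's rule; the packets and addresses are constructed.

```python
"""ESP header parsing and per-SA anti-replay check, as an added example (not code from the page).

The header layout follows the ESP fields above: a 4-byte SPI and a 4-byte Sequence Number,
network byte order. The 64-packet sliding window is an assumption borrowed from common IPsec
implementations; the page only says a repeated sequence number on the same SA is discarded.
The SA is identified here by (SPI, destination IP), as the SPI description states.
"""
import struct

ESP_HEADER = struct.Struct("!II")  # SPI, Sequence Number (both unsigned 32-bit, big-endian)


def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


class ReplayWindow:
    """Sliding-window replay detector for one inbound security association."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = nothing seen)
        self.bitmap = 0    # bit i set => sequence number (highest - i) has been accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh; False for a replay or a too-old packet."""
        if seq == 0:
            return False                      # sequence numbers start at 1
        mask = (1 << self.size) - 1
        if seq > self.highest:                # new high-water mark: slide the window forward
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: cannot tell, so drop
        if self.bitmap & (1 << offset):
            return False                      # same sequence number on this SA: replay
        self.bitmap |= 1 << offset            # late but unseen packet inside the window
        return True


def make_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed ESP packet: header plus an opaque (already encrypted) body."""
    return ESP_HEADER.pack(spi, seq) + payload


def filter_packets(packets, window_size: int = 64):
    """Run (destination IP, ESP bytes) pairs through a replay window per SA.

    Returns a list of (spi, seq, decision) tuples, decision being "accept" or "drop".
    """
    windows = {}
    decisions = []
    for dst, pkt in packets:
        spi, seq = parse_esp_header(pkt)
        window = windows.setdefault((spi, dst), ReplayWindow(window_size))
        decisions.append((spi, seq, "accept" if window.check_and_update(seq) else "drop"))
    return decisions


# Constructed inbound traffic towards one host: two SAs (SPI 0x1000 and 0x2000)
SAMPLE_PACKETS = [
    ("10.0.0.5", make_esp(0x1000, 1)),
    ("10.0.0.5", make_esp(0x1000, 2)),
    ("10.0.0.5", make_esp(0x1000, 2)),    # replayed copy of seq 2: dropped
    ("10.0.0.5", make_esp(0x1000, 4)),    # arrives ahead of 3: accepted
    ("10.0.0.5", make_esp(0x1000, 3)),    # late but inside the window: accepted
    ("10.0.0.5", make_esp(0x2000, 2)),    # other SPI = other SA, its own window: accepted
    ("10.0.0.5", make_esp(0x1000, 80)),   # window slides far forward
    ("10.0.0.5", make_esp(0x1000, 3)),    # now older than the 64-packet window: dropped
]

if __name__ == "__main__":
    for spi, seq, decision in filter_packets(SAMPLE_PACKETS):
        print(f"SPI 0x{spi:04x} seq {seq:3d}: {decision}")
```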
- Traffic to block
Security filters can be grouped into a filter list. There is no limit to the number of filters which can be included in a filter list. IPSec policies use IP filters to ascertain whether an IP security rule should be applied to a packet. You can use a security method to specify the manner in which an IPSec policy should deal with traffic matching an IP filter. Security methods are also referred to as filter actions. A filter action results in one of the following events:
- Drops traffic
- Allows traffic
- Negotiates security
To apply security in your network, IPSec policies are used. The IPSec policies define when and how data should be secured. The IPSec policies also determine which security methods to use when securing data at the different levels in your network. You can configure IPSec policies so that different types of traffic are affected by each individual policy. IPSec policies can be applied at the following levels within a network:
- Active Directory domain
- Active Directory site
- Active Directory organizational unit
- Computers
- Applications
The different components of an IPSec policy are listed here:
- IP filter; informs the IPSec driver of the type of inbound traffic and outbound traffic which should be secured.
- IP filter list; used to group multiple IP filters into a single list in order to isolate a specific set of network traffic.
- Filter action; used to define how the IPSec driver should secure traffic.
- Security method; refers to the security types and algorithms used for the key exchange process and for authentication.
- Connection type; identifies the type of connection which the IPSec policy impacts.
- Tunnel setting; the tunnel endpoint's IP address/DNS name.
- Rule; a grouping of the following components to secure a specific subset of traffic in a particular manner:
  - IP filter
  - Filter action
6. If the WINS server locates the NetBIOS name in the WINS database during its search, and the NetBIOS name has an active state, the associated IP address is returned to the client. Queried service lookups are also returned. This is called a positive response, and is sent in the form of a POSITIVE NAME QUERY RESPONSE message to the client.
7. If the WINS server locates the NetBIOS name in the WINS database during its search but the NetBIOS name has a state other than the active state, a negative response is returned to the client, wherein the client is informed that the requested NetBIOS name is unavailable. The client is not forced to transmit a broadcast for NetBIOS name resolution.
8. If the WINS server cannot locate the NetBIOS name in the WINS database during its search, a negative response is returned to the client. This takes the form of a NEGATIVE NAME QUERY RESPONSE message. The client is then forced to transmit a broadcast for NetBIOS name resolution.
9. The WINS server sends the client a number of WAIT FOR ACKNOWLEDGEMENT RESPONSE messages if it cannot immediately respond to the request. This prevents clients from timing out while they wait for a response from the WINS server.
10. If a client is configured to use a primary WINS server and a secondary WINS server, the client uses the secondary WINS server if the primary WINS server fails to respond to its request. The client proceeds to send NAME QUERY REQUEST messages to the secondary WINS server for name resolution.
Because WINS client registrations are not permanent, registration information can become outdated. The validity of the WINS client registrations is determined by the time to live interval of the WINS servers.
WINS clients use a three step process to ensure that registration information in the WINS database remains current:
- WINS Name Registration: A WINS client is configured with the IP address of one or two WINS servers:
  - Primary WINS server: The WINS client registers its NetBIOS name and IP address with the primary WINS server when the client initially starts. To do this, the WINS client sends a NAME REGISTRATION REQUEST message directly to the configured primary WINS server. The NAME REGISTRATION REQUEST message includes the time that the NetBIOS name is registered to the client. This is defined as the Time to Live (TTL). The WINS server then stores the NetBIOS name to IP address mapping in the WINS database. If the primary WINS server is unavailable, the WINS client tries two more times to register with the primary WINS server before attempting to register with a secondary WINS server.
  - Secondary WINS server: When a client is configured with the IP addresses of two WINS servers, the secondary WINS server is only attempted for WINS name registration after the client has unsuccessfully tried to contact the primary WINS server.
  When either the primary WINS server or the secondary WINS server receives a WINS name registration request, the WINS server first searches its database to determine whether the requested name exists. The client is successfully registered with the WINS server if the name which the client is registering does not exist in the WINS database. If the name already exists in the database, the WINS server sends a NAME QUERY REQUEST message to the owner of the particular record to determine whether the name is still active. If the current owner responds with a POSITIVE NAME QUERY RESPONSE, the WINS server sends the new client a NEGATIVE NAME REGISTRATION RESPONSE message. In this case, the WINS server denies name registration to the new client. If the current owner responds with a NEGATIVE NAME QUERY RESPONSE, the WINS server purges the existing record from its database, and assigns the name to the new client.
- WINS Name Renewal: The NetBIOS names in the WINS database are registered for only a specific period of time. This is called the TTL period. The default TTL period is 6 days. This basically means that the NetBIOS name registrations with the WINS server are only temporary. WINS clients therefore have to renew their names in order to remain current in the WINS database. As mentioned earlier, the WINS database is dynamically updated. Clients can both register their names and un-register their names. This is done at the configured time intervals, and is dependent on the TTL interval of registered names. The TTL interval is reset when the following events occur:
  - Whenever a WINS client restarts, it registers its name with the WINS server. This results in the TTL interval being reset.
  - If the WINS client remains logged on to the network for half of the TTL interval, it starts sending NAME REFRESH REQUEST messages to the WINS server. The WINS server replies with a POSITIVE NAME REFRESH RESPONSE message that resets the TTL interval. If, however, the WINS server replies to a WINS client with a NEGATIVE NAME REFRESH RESPONSE message, the client has to register a different NetBIOS name with the WINS server. The existing name registration is then cancelled.
  If the primary WINS server is unavailable when the client attempts name renewal, the client repeats its request for name renewal every 10 minutes until an hour has passed. At this stage, the client will use a secondary WINS server if one is configured. If the secondary WINS server fails to respond, the client also repeats its request for name renewal at 10 minute intervals until an hour has passed. This process of switching WINS servers to attempt name renewal continues until either of the following events occurs:
  - The name is eventually renewed.
  - The TTL interval finally expires.
- WINS Name Release: The WINS name release process occurs when a WINS client performs either of the following events:
  - Shuts down the computer.
  - Stops a NetBIOS service or application.
  When these events occur, the computer sends a NAME RELEASE REQUEST message to the WINS server. The message indicates that the registered NetBIOS name should be expired in the WINS database. The name is released when the WINS server returns a POSITIVE NAME RELEASE RESPONSE message. In this case, the WINS server located the NetBIOS name and IP address in the WINS database, and they matched those of the sending client. A NEGATIVE NAME RELEASE RESPONSE message is sent when the record for the NetBIOS name in the WINS database holds a different IP address to that of the sending WINS client.
NetBIOS clients use the Enhanced h-node (hybrid) type for name resolution querying. The Enhanced h-node type uses the p-node type (peer-to-peer), the b-node type (broadcasts), and DNS to resolve NetBIOS names to IP addresses. Enhanced h-node is the default node type used for Windows 2000, Windows XP, and Windows Server 2003 NetBIOS clients which have a configured WINS server for name resolution. The order in which Enhanced h-node type clients resolve NetBIOS names is:
- NetBIOS name cache
- Primary WINS server
- Secondary WINS server
- Broadcast name resolution method
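The registration, renewal, release and query exchanges described above can be put together into one small server model. The Python below is an added example, not code from the page: it keeps the page's message names, and it uses an owner-liveness callback in place of the NAME QUERY REQUEST sent to a record's current owner and a clock callback in place of real time (both assumptions so it runs offline); the names, addresses and scenario are constructed. The checks worth noticing are the two that stop a second host from taking over a name: a conflicting registration is refused while the owner still answers, and a release is refused when the sender's IP does not match the record.

```python
"""Model of the WINS name registration, renewal and release exchanges described above,
as an added example (not code from the page). The message names are the page's; the
owner-liveness callback and the clock are assumptions that stand in for the NAME QUERY
REQUEST sent to a record's current owner and for real time, so the model runs offline.
"""
from dataclasses import dataclass

DEFAULT_TTL = 6 * 24 * 3600   # the 6-day default TTL, in seconds


@dataclass
class Record:
    name: str
    ip: str
    expires: float
    active: bool = True       # False once released or expired (record kept, not active)


class WinsServer:
    def __init__(self, owner_is_active, now):
        self.db = {}
        self.owner_is_active = owner_is_active   # owner_is_active(ip, name) -> bool
        self.now = now                           # now() -> seconds

    def _expire(self):
        for rec in self.db.values():
            if rec.active and rec.expires <= self.now():
                rec.active = False

    def register(self, name, ip, ttl=DEFAULT_TTL):
        """NAME REGISTRATION REQUEST -> POSITIVE or NEGATIVE NAME REGISTRATION RESPONSE."""
        self._expire()
        rec = self.db.get(name)
        if rec is not None and rec.active and rec.ip != ip:
            # Name exists under another IP: ask the current owner whether it is still active
            if self.owner_is_active(rec.ip, name):
                return "NEGATIVE NAME REGISTRATION RESPONSE"   # owner answered positively
            del self.db[name]                                 # owner negative/silent: purge
        self.db[name] = Record(name, ip, self.now() + ttl)    # new name or same-owner restart
        return "POSITIVE NAME REGISTRATION RESPONSE"

    def refresh(self, name, ip, ttl=DEFAULT_TTL):
        """NAME REFRESH REQUEST: resets the TTL only for the record's own owner."""
        self._expire()
        rec = self.db.get(name)
        if rec is None or not rec.active or rec.ip != ip:
            return "NEGATIVE NAME REFRESH RESPONSE"
        rec.expires = self.now() + ttl
        return "POSITIVE NAME REFRESH RESPONSE"

    def release(self, name, ip):
        """NAME RELEASE REQUEST: honoured only when name and IP both match the sender."""
        rec = self.db.get(name)
        if rec is None or rec.ip != ip:
            return "NEGATIVE NAME RELEASE RESPONSE"
        rec.active = False
        return "POSITIVE NAME RELEASE RESPONSE"

    def query(self, name):
        """NAME QUERY REQUEST -> (response, ip, client_must_broadcast)."""
        self._expire()
        rec = self.db.get(name)
        if rec is None:                      # unknown name: client falls back to broadcast
            return ("NEGATIVE NAME QUERY RESPONSE", None, True)
        if not rec.active:                   # known but not active: unavailable, no broadcast
            return ("NEGATIVE NAME QUERY RESPONSE", None, False)
        return ("POSITIVE NAME QUERY RESPONSE", rec.ip, False)


def demo():
    """Constructed scenario: a second host tries to take a name that is still in use."""
    live = {"10.0.0.10"}                     # hosts that would answer a NAME QUERY REQUEST
    clock = [0.0]
    srv = WinsServer(lambda ip, name: ip in live, lambda: clock[0])
    out = [
        srv.register("FILESRV", "10.0.0.10"),   # POSITIVE NAME REGISTRATION RESPONSE
        srv.register("FILESRV", "10.0.0.99"),   # owner still active: NEGATIVE
        srv.release("FILESRV", "10.0.0.99"),    # IP mismatch: NEGATIVE NAME RELEASE RESPONSE
    ]
    clock[0] += DEFAULT_TTL / 2                 # half the TTL later the owner renews
    out.append(srv.refresh("FILESRV", "10.0.0.10"))
    live.discard("10.0.0.10")                   # the owner disappears without releasing
    out.append(srv.register("FILESRV", "10.0.0.99"))   # owner silent: purged, POSITIVE
    out.append(srv.query("FILESRV"))            # ("POSITIVE NAME QUERY RESPONSE", "10.0.0.99", False)
    out.append(srv.release("FILESRV", "10.0.0.99"))
    out.append(srv.query("FILESRV"))            # released: NEGATIVE, no broadcast
    out.append(srv.query("NOSUCH"))             # unknown: NEGATIVE, client broadcasts
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```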
How to install the WINS service using Control Panel/Add or Remove Programs
1. Click Start, and then click Control Panel.
2. Click Add or Remove Programs.
3. Click Add/Remove Windows Components to start the Windows Components Wizard.
4. On the Windows Components page, in the Components list, click Networking Services. Click the Details button.
5. In the Networking Services dialog box, select the Windows Internet Name Service (WINS) checkbox.
6. Click OK, and then click Next.
7. The WINS service installation process starts.
8. Click Finish.
How to install the WINS service using Control Panel/Network Connections window
1. Click Start, and then click Control Panel.
2. Click Network Connections.
3. Right-click Network Connections and select Open from the shortcut menu.
4. Click Advanced, and choose Optional Networking Components.
5. Install the WINS service through the Windows Optional Networking Components Wizard.
The MMC console used to configure the WINS server is the WINS console. The WINS console is automatically added to the Administrative Tools menu when you install the WINS service. Through the WINS console, you can perform the following functions:

- View information on the configured WINS servers on the network.
- Perform WINS configuration tasks and management tasks.
- View the contents of the WINS database, and locate entries in the database.

To open the WINS console,

1. Click Start, Administrative Tools, and then click WINS.

As mentioned previously, you should implement redundancy in your WINS design so that your WINS servers can push or pull database information between each other. This ensures that the WINS database information is the same on all your WINS servers. The mechanism which can be used to implement redundancy in your WINS design is WINS replication. If all the information in the WINS databases is the same, you can configure NetBIOS clients with the IP addresses of numerous WINS servers. This ensures that WINS can still be used for name resolution if one of the WINS servers fails.
To replicate among each other, the WINS servers in your network have to be configured as replication partners. This can be done manually or automatically:

- Manually configuring WINS server replication partners is done by an administrator. You have to know the WINS server name or the IP address of the WINS server that you want to configure as a replication partner.
- Automatically creating WINS replication partners takes place through the Automatic Partner Configuration feature of Windows 2000 and Windows Server 2003.
2. In the console tree, select Replication Partners.
3. In the Details pane, select the replication partner whose replication method you want to view.
4. Right-click the specific replication partner, and then select Properties from the shortcut menu.
5. When the Properties dialog box for the specific replication partner opens, click the Advanced tab.
- NetBIOS name
- IP address

With Windows 2000 WINS, you can locate entries in the WINS database using the following search criteria:

- Record name
- Record owner

With Windows Server 2003 WINS, you can locate entries in the WINS database using the following search criteria:

- Record name
- Record owner
- Record type
- A combination of the above.

- Add WINS records to the WINS database: Name-to-IP-address mappings can be added to the WINS database:
  - Dynamically: This happens when a WINS client registers or renews NetBIOS names with the WINS server.
  - Manually: An administrator can manually add name-to-IP-address mappings to the WINS database.
- Remove WINS records from the WINS database: This occurs:
  - Dynamically: WINS clients release their NetBIOS names with the WINS server.
  - Manually: An administrator can manually delete name-to-IP-address mappings from the WINS database.
- Verify WINS database consistency: Through verification of the consistency of the WINS records, you can ensure that the WINS database only contains current WINS entries. Checking database consistency assists you in identifying incorrect WINS records in the WINS database.
- Reconcile WINS records: This is the process whereby WINS records are verified, or validated. This ensures that the integrity of the records in the WINS database is maintained.
- Manually compact the WINS database: You would need to manually compact the WINS database to maintain the database size. The WINS database grows as more WINS clients are added to it.
- Back up and restore the WINS database: The WINS database is named wins.mdb, and is located in the following folder by default:
%systemroot%\system32\wins
2. In the console tree, right-click the WINS server whose WINS database records you want to view, and then select Display Records from the shortcut menu.
4. You can specify search parameters on each tab. When the search of the WINS database is performed, it will include the data specified on each tab.
5. You can filter the search by:
   - Matching name pattern
   - Matching IP address
   - Matching IP address based on subnet mask.
6. You can select the Enable result caching checkbox if you want the search results cached locally on the machine running the query.
When you add static mappings to the WINS database, they by default override any conflicting dynamically added WINS record. You can however configure this not to occur by enabling the Overwrite unique static mappings at this server (migrate on) option. When the option is enabled for a WINS server, all manually configured static mappings in the database are handled as dynamically added WINS records. The option can be configured differently (enabled/disabled) for each WINS server.

When WINS entries or records are added to the WINS database, they are structured in a way that enables you to sort the records according to field name. The field names in the WINS database are:

- Record Name: this is the registered NetBIOS name that defines a unique name, group, internet group or multihomed computer.
- Type: this is the service identifier, and its associated hexadecimal value.
- IP Address: this is the IP address associated with the NetBIOS name.
- State: records can be in one of the following states:
  - Active: Signifies that the NetBIOS name is currently being used on the network.
  - Released: Signifies that the NetBIOS name of the record has been released from the WINS database.
  - Tombstoned: Signifies a record that is flagged to be deleted when the next extinction interval occurs.
- Static: indicates a static entry.
- Owner: indicates the WINS record's owner.
- Version: this is a unique number assigned to a registered record that is used during replication to determine the most current version of the record.
- Expiration: indicates when (date, time) the lease of a record is due to expire.
How to configure the Overwrite unique static mappings at this server (migrate on) option for a WINS server
1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, select Active Registrations, right-click it and then select Properties from the shortcut menu.
3. On the General tab, enable the Overwrite unique static mappings at this server (migrate on) checkbox.
4. Click OK.
For records in the local WINS database that match WINS records pulled from the other WINS databases, the local WINS record is time stamped with the record owner's database. For a WINS record where the remote WINS record has a higher version ID, the following occurs:

- The local WINS record is set to be deleted.
- The remote WINS record is added to the local WINS database.

You can perform WINS database consistency checks:

- Manually
- Automatically (scheduling)

You can perform two types of WINS database consistency checks:

- Database consistency: The local WINS database's consistency is verified against other WINS server databases.
- Version consistency: This consistency check takes place on each WINS server in your WINS topology, to determine whether each WINS server has the highest version ID number on each of its owned WINS records. WINS servers do not have ownership of any WINS records which were added to their databases through WINS replication.
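The record fields, the migrate on option, the version ID rule applied during a pull, and the version consistency check, worked through together as an added example. This is not code from the original document or from Microsoft's WINS service: the WINS database is modelled as a dictionary of records keyed by (name, type), and the server names WINS1 and WINS2 and all records are constructed sample data.

```python
"""WINS replication merge and version consistency.

Added example, not part of the original document.  The WINS database is
modelled as a dictionary of records keyed by (name, type); the sample
records and server names WINS1/WINS2 are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int]   # (NetBIOS record name, service identifier)


@dataclass
class WinsRecord:
    name: str                # registered NetBIOS name
    rtype: int               # service identifier (shown in hex in the console)
    ip: str
    state: str = "Active"    # Active / Released / Tombstoned
    static: bool = False
    owner: str = ""          # WINS server that owns the record
    version: int = 0         # version ID compared during replication

    @property
    def key(self) -> Key:
        return (self.name.upper(), self.rtype)


def merge_pulled_records(local: Dict[Key, WinsRecord],
                         pulled: List[WinsRecord],
                         migrate_on: bool = False) -> List[str]:
    """Apply records pulled from a replication partner to the local database.

    - A pulled record with no local match is added.
    - A local static mapping wins over a conflicting replica unless the
      'migrate on' option is set, in which case it is treated as dynamic.
    - Otherwise, if the replica carries a higher version ID, the local copy
      is tombstoned (marked for deletion) and the replica takes its place.
    Returns a log line per pulled record.
    """
    log: List[str] = []
    for rec in pulled:
        cur = local.get(rec.key)
        if cur is None:
            local[rec.key] = rec
            log.append(f"{rec.name}: added (version {rec.version})")
        elif cur.static and not migrate_on:
            log.append(f"{cur.name}: static mapping kept, replica ignored")
        elif rec.version > cur.version:
            cur.state = "Tombstoned"
            local[rec.key] = rec
            log.append(f"{cur.name}: local version {cur.version} tombstoned, "
                       f"replica version {rec.version} added")
        else:
            log.append(f"{cur.name}: local version {cur.version} is current")
    return log


def version_consistency(server: str,
                        databases: Dict[str, Dict[Key, WinsRecord]]) -> List[Key]:
    """Version consistency check for one server: every copy of a record it
    owns, held on any other server, must not carry a higher version ID than
    the owner's own copy.  Records that arrived through replication are not
    owned here and are skipped.  Returns the keys that fail the check."""
    own = databases[server]
    failing: List[Key] = []
    for key, rec in own.items():
        if rec.owner != server:
            continue
        for other, db in databases.items():
            if other == server:
                continue
            copy = db.get(key)
            if copy is not None and copy.owner == server and copy.version > rec.version:
                failing.append(key)
                break
    return failing


def sample_local_database() -> Dict[Key, WinsRecord]:
    """Constructed sample: the database on WINS1 before a pull."""
    records = [
        WinsRecord("FILESRV01", 0x20, "10.0.0.21", owner="WINS1", version=5),
        WinsRecord("PRINTSRV", 0x20, "10.0.0.30", static=True, owner="WINS1", version=1),
        WinsRecord("OLDHOST", 0x20, "10.0.0.99", owner="WINS1", version=8),
    ]
    return {r.key: r for r in records}


def sample_pulled_records() -> List[WinsRecord]:
    """Constructed sample: what a pull from partner WINS2 returns."""
    return [
        WinsRecord("FILESRV01", 0x20, "10.0.0.22", owner="WINS2", version=9),
        WinsRecord("PRINTSRV", 0x20, "10.0.0.31", owner="WINS2", version=7),
        WinsRecord("OLDHOST", 0x20, "10.0.0.98", owner="WINS2", version=3),
        WinsRecord("NEWHOST", 0x20, "10.0.0.50", owner="WINS2", version=2),
    ]


if __name__ == "__main__":
    db = sample_local_database()
    for line in merge_pulled_records(db, sample_pulled_records()):
        print(line)
```

Running the merge once with `migrate_on=False` and once with `migrate_on=True` on the same sample shows the one difference the option makes: the static PRINTSRV mapping survives the pull in the first case and is replaced by the higher-version replica in the second. The consistency function reports only records the queried server owns, matching the rule that replicated-in records are never owned by the receiving server.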
3. When the Properties dialog box of the WINS server opens, click the Database Verification tab.
4. Select the Verify database consistency every: checkbox.
5. In the Hours box, enter how often database verification should occur.
6. Use the Begin Verifying At: boxes to set when database verification should start.
7. Enter the appropriate value in the Maximum number of records verified each period box.
8. Select whether you want the database to be verified against:
   - Owner servers
   - Randomly selected partners
9. Click OK.
9. Click OK to start the verification of the WINS record(s).
10. The Checking Names Registrations window displays the results of the name record verification process.
7. Click the WINS tab.
8. Click the Add button to add the IP address of the WINS server(s).
9. In the TCP/IP WINS Server dialog box, enter the address of your WINS server and click Add.
10. Verify that the WINS server you specified is displayed in the list on the Advanced TCP/IP Settings dialog box.
11. After adding all the WINS servers, use the arrow buttons to define precedence for your WINS servers. The WINS servers at the top of the list are used before those closer to the bottom of the list.
12. Click OK on the Advanced TCP/IP Settings dialog box.
13. Click OK on the Internet Protocol (TCP/IP) Properties dialog box.
14. Click OK on the Local Area Connection Properties dialog box.
- Enable LMHOSTS Lookup: informs the client to search for a configured LMHOSTS file in the %systemroot%\system32\drivers directory.
- NetBIOS setting options determine whether a client is configured for NetBIOS use:
  - Default: The vendor specific setting in DHCP is used to determine if the client is enabled/disabled for NetBIOS use. The Disable NetBIOS over TCP/IP (NetBT) DHCP option disables the client for NetBIOS use.
  - Enable NetBIOS over TCP/IP: This setting enables NetBIOS use.
  - Disable NetBIOS over TCP/IP: This setting disables NetBIOS use.
To configure DHCP for WINS support,

1. Click Start, Administrative Tools, and then click DHCP.
2. The DHCP console opens.
3. In the console tree, right-click Server Options and then select Configure Options from the shortcut menu.
4. When the Server Options dialog box opens, select the 044 WINS/NBNS Servers option or the 046 WINS/NBT Node Type option.
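What the two DHCP options above carry on the wire, as an added example that is not code from the original document or from the Windows DHCP service. It follows the standard DHCP option layout (one-byte tag, one-byte length, value, as defined in RFC 2132): option 44 is the list of WINS/NBNS server addresses and option 46 is the NetBIOS node type, with 8 meaning h-node. The server addresses are constructed sample values; the parser checks every length against the buffer so a malformed option field is rejected rather than read past its end.

```python
"""DHCP option 44 (044 WINS/NBNS Servers) and option 46 (046 WINS/NBT
Node Type) encoded and decoded in their on-the-wire form.

Added example, not part of the original document.  It follows the RFC 2132
option layout (one-byte tag, one-byte length, value); the server addresses
are constructed sample values."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

OPT_PAD = 0
OPT_WINS_SERVERS = 44
OPT_NODE_TYPE = 46
OPT_END = 255

# Option 46 values: the node type the client should use for NetBIOS queries.
NODE_TYPES = {1: "b-node", 2: "p-node", 4: "m-node", 8: "h-node"}


def encode_wins_options(servers: Sequence[str], node_type: int) -> bytes:
    """Build the option bytes a DHCP server would send for options 44 and 46."""
    if node_type not in NODE_TYPES:
        raise ValueError(f"unknown node type {node_type}")
    addrs = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if not addrs:
        raise ValueError("option 44 needs at least one WINS server")
    if len(addrs) > 255:
        raise ValueError("option 44 value does not fit a one-byte length")
    return (bytes([OPT_WINS_SERVERS, len(addrs)]) + addrs
            + bytes([OPT_NODE_TYPE, 1, node_type])
            + bytes([OPT_END]))


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk a tag/length/value option field into {tag: value}.
    Every length is checked against the buffer, so a truncated or
    over-long option raises instead of reading past the end."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {tag}: truncated header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {tag}: length {length} exceeds buffer")
        opts[tag] = value
        i += 2 + length
    return opts


def decode_wins_options(data: bytes) -> Tuple[List[str], Optional[str]]:
    """Return (wins_servers, node_type_name) from an option field."""
    opts = parse_options(data)
    raw = opts.get(OPT_WINS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 44: length must be a multiple of 4")
    servers = [str(ipaddress.IPv4Address(raw[j:j + 4]))
               for j in range(0, len(raw), 4)]
    node = opts.get(OPT_NODE_TYPE)
    node_type = NODE_TYPES.get(node[0]) if node and len(node) == 1 else None
    return servers, node_type


def option_field_is_valid(data: bytes) -> bool:
    """True when the option field parses cleanly, False otherwise."""
    try:
        decode_wins_options(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = encode_wins_options(["10.0.0.5", "10.0.0.6"], 8)
    print(blob.hex(" "))
    print(decode_wins_options(blob))
```

Decoding a captured offer this way is a quick check that clients are really being handed the WINS servers and node type you configured in the console, and that nothing else on the segment is answering with different values.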
SharePoint Services is a web-based solution for storing and sharing documents, and communicating. It has the following built-in features:

- Lists (announcements, contacts, events, common interest links, tasks)
- Libraries of documents (files, pictures, forms)
- Discussion boards
- Surveys
- Security (access permissions)
SharePoint Services runs on a server that is accessible from the web. The server is maintained by Computing Services. One benefit is that no additional software is necessary on workstations; another is ease of use.
It is expected that each site has an administrator, and the administrator is responsible for setting up the site, for security, and training. Additional information may be obtained from sharepoint.uark.edu.
When Version History is selected, a list of the previous versions of the document appears. The user can open an old version, restore a version (replacing the current version), or delete an old version.
- When a file is deleted from a library, all previous versions are deleted.
- Versions can be created for all file types except HTML files that contain images or embedded objects (in which case the MHTML format (.mht) must be used).
When versioning is enabled, versions are automatically created whenever a document is updated in a document library. Versions are created in the following situations:

- When a user checks out a file, makes changes, and checks the file back in.
- When a user opens a file, makes changes, and then saves the file for the first time. Note: If the user saves the file again, without closing the file, a new version is not created. If the user closes the application he or she is using to edit the file, and then opens it and saves the file again, another version is created.
- When a user restores an old version of a file (and does not check it out).
- When a user uploads a file that already exists, in which case the current file becomes an old version.
Lists
In SharePoint you can create lists for:

- Links of useful web links for your project/team
- Announcements
- Contacts
- Events
- Tasks
- Issues
From the SharePoint top navigation bar, click Create. Under the Lists and Custom Lists headings try creating a couple of different list types.
Discussion Boards
A discussion board provides a place for newsgroup style discussions. From the SharePoint top navigation bar, click Create. Click the Discussion Board link on the Create page.
Surveys
Surveys can be created in SharePoint for groups/projects. This is easy to do, by creating various types of questions using menus. Click Create from the SharePoint top navigation bar, and click the Survey link. Try creating a survey with a couple of different types of questions.
Help!
Click the Help link on the SharePoint top navigation bar for further information.